Beginners Guide Foundation Certificate in IT Service Management with ITIL

advertisement
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
Beginners Guide
Foundation Certificate in IT
Service Management with ITIL
Copyright: The Art of Service Pty Ltd 2003.
Version 5.0
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Table of Contents
1
2
3
4
5
6
Foundation Certificate in IT Service Management .........................................................4
1.1 EXIN Exam requirements specifications .................................................................4
1.1.1 The importance of IT Service Management .......................................................4
1.1.2 Service Management processes .......................................................................4
1.1.3 The ITIL management model ..........................................................................5
1.1.4 Basic concepts of ITIL ....................................................................................6
IT Service Management .............................................................................................7
2.1 Introduction to IT Service Management .................................................................7
2.2 ITIL Service Management ....................................................................................8
2.2.1 Business Alignment .......................................................................................9
2.2.2 Processes .....................................................................................................9
2.2.3 Processes, Services and Functions ................................................................. 10
ITIL Overview ........................................................................................................ 12
3.1.1 History of ITIL ............................................................................................ 12
Implementing ITIL Service Management ................................................................... 19
4.1 Introduction ..................................................................................................... 19
4.2 Cultural change ................................................................................................ 19
4.3 Implementation Checklist .................................................................................. 20
4.4 Further reading ................................................................................................ 20
ITIL Service Management Processes ......................................................................... 21
5.1 Service Delivery Set .......................................................................................... 21
5.1.1 Service Level Management ........................................................................... 21
5.1.2 Financial Management for IT Services ............................................................ 22
5.1.3 Availability Management .............................................................................. 24
5.1.4 Capacity Management .................................................................................. 27
5.1.5 IT Service Continuity Management ................................................................ 28
5.2 Service Support Set .......................................................................................... 32
5.2.1 Service Desk .............................................................................................. 32
5.2.2 Incident Management .................................................................................. 35
5.2.3 Problem Management .................................................................................. 36
5.2.4 Change Management ................................................................................... 39
5.2.5 Release Management ................................................................................... 42
5.2.6 Configuration Management ........................................................................... 43
Security Management ............................................................................................. 46
6.1 Introduction ..................................................................................................... 46
6.1.1 Basic concepts ............................................................................................ 46
6.2 Objectives ........................................................................................................ 46
6.2.1 Benefits ..................................................................................................... 47
6.3 Process ............................................................................................................ 47
6.4 Activities.......................................................................................................... 48
6.4.1 Control - Information Security policy and organisation ..................................... 48
6.4.2 Plan ........................................................................................................... 49
6.4.3 Implement ................................................................................................. 49
6.4.4 Evaluate..................................................................................................... 50
6.4.5 Maintenance ............................................................................................... 51
6.4.6 Reporting ................................................................................................... 51
6.4.7 Relationships with other processes ................................................................ 52
6.4.8 Security section of the Service Level Agreement ............................................. 55
6.4.9 The Security section of the Operational Level Agreement ................................. 55
6.5 Process control ................................................................................................. 55
6.5.1 Critical success factors and performance indicators .......................................... 55
6.5.2 Functions and roles ..................................................................................... 56
6.6 Points of Attention and costs .............................................................................. 56
2
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
7
6.6.1 Points of attention ....................................................................................... 56
6.6.2 Costs ......................................................................................................... 57
IT Service Management Tools .................................................................................. 59
7.1.1 Type of tools............................................................................................... 59
7.1.2 The Cost of a Tool ....................................................................................... 59
© The Art of Service Pty Ltd 2003
‘All of the information in this document is subject to copyright. No part of this
document may in any form or by any means (whether electronic or
mechanical or otherwise) be copied, reproduced, stored in a retrieval system,
transmitted or provided to any other person without the prior written
permission of The Art of Service Pty Ltd, who owns the copyright.’
Copyright: The Art of Service Pty Ltd, 2003
3
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
1
Foundation Certificate in IT Service
Management
Let’s begin with the end in mind. A lot of people who first hear of ITIL are surprised to
learn that there are a variety of exams that can be taken. By far the most common is
called the Foundation Certificate in IT Service Management. We’ll cover just what Service
Management is later, but at this Foundation level, it is really the theory of the ITIL
Framework that is being tested.
1.1 EXIN Exam requirements specifications
EXIN are one of the global testing bodies authorised to set and mark questions to test
knowledge in the area of IT Service Management and the ITIL Framework.
The large majority of people who take this Foundations course are interested in also
sitting for the ITIL Foundation Certificate. The section discusses the factors that have to
be considered by those wishing to pass the exam.
1.1.1 The importance of IT Service Management
The candidate understands the importance of IT Service Management in the IT
Infrastructure environment.
The candidate is able to discuss the merits of a process driven approach to information
technology service provision both:
 users and customers of IT Service
 suppliers of IT Services.
1.1.2 Service Management processes
The candidate understands Service Management processes and the inter-relationships
between them.
The candidate is able to:
 Describe the benefits of Service Management processes for an organisation
 Distinguish between ITIL processes and organisational functions and business
processes
 Indicate the elements that contribute towards ITIL process implementation.
Copyright: The Art of Service Pty Ltd, 2003
4
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
1.1.3 The ITIL management model
Using the following diagram as a guide the exam candidate will be able to:
-
Distinguish the objectives, activities and results of the various ITIL processes
-
Provide examples of the data/information flows from one process to every other
process.
Copyright: The Art of Service Pty Ltd, 2003
5
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
1.1.4 Basic concepts of ITIL
The exam participants will also understand the following terms and concepts (note this is not a
comprehensive list, simply an indication):
Application Sizing
Asset Management
Assets
Audit
Availability
Availability Management
Budgeting
Business Process
Call
Capacity Database, CDB
Capacity Management
Capacity Planning
Category
Change
Change Advisory Board
Change Management
Chargeable Unit
Charging
CI Level
Financial Management
for IT Services
First Line Support
Forward Schedule of
Changes, FSC
Full Release
Functional Escalation
Help Desk
Hierarchical Escalation
Impact
Incident
Incident Life Cycle
Incident Management
Integrity
IT Infrastructure
IT Service
IT Service Continuity
Management
IT Service Management
Known Error
Classification
Maintainability
Mean Time Between
Failures
Mean Time To Repair
Confidentiality
Priority
Configuration Baseline
Proactive Problem
Management
Problem
Problem Control
Configuration Item, CI
Configuration
Management
Configuration
Management Database,
CMDB
Costing
Customer
Customer Liaison
Definitive Hardware
Store, DHS
Definitive Software
Library, DSL
Demand Management
Disaster
Downtime
Elapsed Time
Emergency Release
Error Control
Escalation
Failure
Fault
Request for Change, RFC
Resilience
Resource Management
Restoration of Service
Review
Risk
Rollout
Second Line Support
Security
Security Awareness
Security Incidents
Security Level
Security Management
Security Section
Service Catalogue
Service Desk
Service Improvement
Programme
Service Level
Service Level
Agreement, SLA
Service Level
Management
Service Level
Requirements
Service Request
Service Window
Serviceability
Problem Management
Software Item
Procedure
Process
Process Manager
Quality Assurance
Software Release
Status
Strategic
Tactical
Quality Control
Third Line Support
Recoverability
Recovery
Registration
Release Management
Release Policy
Threat
Underpinning Contract
Urgency
Urgent Change
User
Verification
Version
Vulnerability
Work-around
Release Unit
Reliability
Report
Copyright: The Art of Service Pty Ltd, 2003
6
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
2
IT Service Management
2.1 Introduction to IT Service Management
Most organisations now understand the benefits of having Information Technology (IT)
supporting the majority of their business activities. Few realise the potential of truly
aligning the IT department’s objectives with the business objectives. However, more and
more organisations are beginning to recognize IT as being a crucial delivery mechanism
of services to their customers.
When the IT services are so critical, steps must be in place to ensure that the IT group
adds value and delivers consistently.
So the starting point for IT Service Management (ITSM) and the ITIL Framework is not
technology; it is the organisational objectives.
To meet organisational
objectives, the
organisation has
business processes in
place.
Examples of business
processes are sales,
admin and financial (who
have a “sales process”) or
logistics, customer service
and freight who have a
“customer returns
process”.
Each of the units involved
in these business
processes needs IT
Services (eg. CRM
application, e-mail, word
processing, financial
tools).
Each of these services runs on IT infrastructure that has to be properly managed
(Service Management). IT Infrastructure includes hardware, software, procedures,
policies, documentation, etc. This IT Infrastructure has to be managed.
ITIL provides a framework for the management of IT Infrastructure.
Question: Why should we manage our infrastructure properly?
Answer: Proper management of the IT Infrastructure will ensure that the services
required by the business processes are available, so that the organisational objectives
can be met.
Copyright: The Art of Service Pty Ltd, 2003
7
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
Historically, these processes delivered products and services to clients in an off-line
environment (the ‘brick-and-mortar’ companies). The IT organisation provides support to
the back-office and admin processes. IT performance is measured internally as the
external clients are only indirectly influenced by the IT performance.
Today, with online service delivery, the IT component of the service delivery can be
much stronger. The way of delivering the service is IT based and therefore internal and
external clients consciously and unconsciously measure the performance of the IT group.
Service delivery is more important than a glimpse of brilliance every now and then. The
internal clients (business processes) and external clients need availability of the IT
services and to be able to expect a consistent performance. Consistency comes through
the ability to repeat what was done well in the past.
IT Service Management is a means to enable the IT group to provide reliable Information
Systems to meet the requirements of the business processes, irrespective of the way
these services are delivered to the external customers. This in turn enables the
organisation to meet its Business Objectives.
Definition:
IT Service Management is the effective and efficient process driven
management regarding the quality of IT services, provided to end-users.
2.2 ITIL Service Management
Any organisation that delivers IT services to their customers with a goal to support the
business processes, needs inherent structure in place. Historically, that structure was
based around functions and technical capabilities. With the ever-increasing speed of
change and the associated need for flexibility a technology driven approach is no longer
appropriate, in most situations.
That is why IT organisations are looking for alternatives. Some alternatives include:
Total Quality Management TQM processes and continuous improvement projects
COBIT as a control & measurement mechanism
CMM for control and structure in software (and system) development
ITIL for operational and tactical management of service delivery
Which single or combination of frameworks selected is entirely dependant on the needs
of the organisation.
For many IT organisations, ITIL is a very good way of managing service delivery and to
perform the IT activities in end-to-end processes.
Further reading on other models and frameworks:
Search on the internet for COBIT. ITIL, CMM, EFQM, Six Sigma, Deming, Balanced
Scorecard, Standards, IT Governance
Copyright: The Art of Service Pty Ltd, 2003
8
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
2.2.1 Business Alignment
By implementing IT Service Management in your IT organisation you support the IT
objectives of delivering services that are required by the business.
You can’t do this without aligning the IT strategy with the business strategy.
You can’t deliver effective IT services without knowing about the demands, needs and
wishes of the customer. IT Service Management supports the IT organisation to align IT
activities and service delivery, with business requirements.
2.2.2 Processes
IT Service Management helps the IT organisation to manage the service delivery by
organising the IT activities into end-to-end processes. These processes have no
functional boundaries within the IT group.
A process is a series of activities carried out to convert an input into an output.
Information flow into and out of each process area will indicate the quality of the
particular process.
We have monitoring points in the processes to measure the quality of the products and
services provided.
Processes can be measured for effectiveness (did the process achieve its goal?) and
efficiency (did the process use the optimum amount of resources to achieve its goal?).
The measurement points are at the input, the activities or the output of the process.
The standards (or ‘norms’) for the output of each process have to be defined such that
the complete set of processes meets the corporate objectives.
If the result of a process meets the defined standard, then the process is effective. If
the activities in the process are also carried out with the minimum required effort and
cost, then the process is efficient.
The aim of process management is to use planning and control to ensure that processes
are effective and efficient.
Copyright: The Art of Service Pty Ltd, 2003
9
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
2.2.3 Processes, Services and Functions
Most businesses are hierarchically organised. They have departments, which are
responsible for a group of employees. There are various ways of structuring
departments, for example by customer, product, region or discipline. IT services
generally depend on several departments, customers or disciplines. For example, if there
is an IT service to provide users with access to an accounting program on a central
computer, this will involve several disciplines.
To provide the accountancy program service the computer centre has to make the
program and associated database accessible. The data and telecommunications
department has to make the computer centre accessible, and the PC support department
has to provide users with an interface to access the application.
Processes that span several departments can monitor the quality of the service by
measuring aspects, such as availability, capacity, cost and stability. IT Service
Management to match these quality aspects with the customer’s demands.
ITIL provides a concise and commonsense set of processes to help with the
management, monitoring and delivery of services.
A process is a logically related series of activities for the benefit of a defined objective.
The following diagram illustrates cross functional process flows.
With ITIL we can study each process separately to optimise its quality. The process manager
is responsible for the process results (i.e. is the process effective).
The logical combination of activities results in clear transfer points where the quality of
processes can be monitored.
The management of the organisation can make decisions about the quality of an ITIL process
from data provided by each process. In most cases, the relevant performance indicators
and standards will already be agreed upon. The day-to-day control of the process can then be
left to the process manager. The process owner will assess the results based on a report of
performance indicators and whether they meet the agreed standard.
Copyright: The Art of Service Pty Ltd, 2003
10
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
Without clear indicators, it would be difficult for a process owner to determine whether the
process is under control or if improvements are required.
We have discussed processes and we have positioned services. We have highlighted the
difference between functions and processes.
Functionally structured organisations are characterised by:




Somewhat fragmented
Focus on vertical and functional matters
With many control activities
Emphasis on high/low people relationships
In functionally driven organisations we may often see:





Concept of walls or silos; not my responsibility
A hint of arrogance - “We in IT know what’s good for you.”
Steering people instead of steering activities
Because we have to communication
Politically motivated decision making
In contrast once processes are introduced we often see a change towards:






Entire task focus
Horizontal processes focussed towards clients
Control measurements that add value
Interdependence and uniting leadership
Interdependence of independent persons
Accessibility of information
This leads to a culture of:






No boundaries, but interconnections
Customer focused: what is the added value?
Steering activities instead of steering people
Communication because it is useful (fulfilling the needs of the customer)
Decision making is matching & customising
IT service provision is a process
Copyright: The Art of Service Pty Ltd, 2003
11
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
3
ITIL Overview
The IT Infrastructure Library is a set of books with good practice processes on how to
manage IT service delivery. The library consists of many books and CD-ROMs.
The core set of material is the following set of seven tightly coupled areas:







Service Delivery
Service Support
Security Management
The Business Perspective
Applications Management
ICT Infrastructure Management
Planning to implement Service Management
The Service Support, Service Delivery and Security Management manuals are regarded
as the central components of the framework.
These books cover the processes you will need to delivery customer-focused IT services
according to your customers’ needs, demands and wishes.
They help the IT group to be flexible and reliable enough to ensure consistent IT Service
Delivery. The other core books in the library support these central components.
Planning to Implement Service Management
T
h
e
B
u
s
i
n
e
s
s
T
h
The
Business
Perspective
Service
Support
ICT Infrastructure
Mgt.
Security
Management
Service
Delivery
Applications Management
3.1.1 History of ITIL
During the late 1980’s the CCTA (Central Computer and Telecommunication Agency) in
the UK started to work on what is now known as the Information Technology
Infrastructure Library (ITIL).
Large companies and government agencies in Europe adopted the framework very
quickly in the early 1990’s and the ITIL framework has since become known as an
industry best practice, for IT Service Management.
Copyright: The Art of Service Pty Ltd, 2003
12
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
ITIL has become the de-facto standard in delivering IT Services for all types of
organisations. Both government and non-government organisations benefit from the
process driven approach, regardless of the size of the IT department.
ITIL is used globally. ITIL has no geographic boundaries. It is used extensively
throughout Europe, Australia, Canada, USA, United Kingdom and many emerging
countries in Asia.
In 2000 the British Treasury set up the OGC – Office for Government Commerce – to
deal with all commercial activities within the government. All activities formerly under
the control of the CCTA (Central Computer and Telecommunications Agency) were also
taken up by the new department. Even though the CCTA no longer exists, it is noted that
they were the original developers of the ITIL framework.
In 2000, Microsoft used ITIL as the basis to develop their proprietary Microsoft
Operations Framework (MOF).
In 2001, ITIL version 2 was released. In this version the Service Support Book and the
Service Delivery book were redeveloped into much more concise volumes.
ITIL is a pseudo Public Domain framework. ITIL is copyright protected. Copyright is
owned by the OGC. However, any organisation can use the intellectual property to
implement the processes in their own organisation. Training, tools and consultancy
services support this. The framework is independent of any of the vendors.
EXIN and ISEB are the examination bodies that organise and control the entire
certification scheme. They guarantee that the personal certification is fair and honest and
independent from the organisations that delivered the course. Both bodies accredit
training organisations to guarantee a consistent level of quality in course delivery.
At the time of writing the only generally recognised certification is awarded to individuals
There is no independent tool certification or organisational certification.
Copyright: The Art of Service Pty Ltd, 2003
13
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
People and organisations that wish to discuss their experiences with ITIL Service
Management implementation can become a member of the IT Service Management
Forum. The itSMF, just like ISEB and EXIN, aim to stimulate & encourage the best
practice component of ITIL and to support the sharing of ‘war stories’ and to further the
development of the framework.
There is an itSMF chapter in every country that is actively involved with ITIL Service
Management.
Further reading on ITIL:
ITIL website: www.itil.co.uk
OGC website:www.ogc.gov.uk
Buy the ITIL books: www.itsmdirect.com
Examination boards:
EXIN: www.exin-exams.com
ISEB: www.bcs.org.uk/iseb/
ITIL Portal: www.itil-itsm-world.com/
EXTRA READING
The following story is about British Telecom. This is an organisation that faced major
organisational change. As you read the following story, think about the implications on
the delivery of IT Services. At the end of the story, one specific implication is introduced.
Case study: Service Management implementation: British Telecom
The Emergence of BT.
British Telecom (BT) is an international private sector company operating in the field of telecommunications.
From 1912 telecommunications was as part of the Post Office, held in public ownership. It was originally
nationalised to ensure the provision of an integrated telegraphic and telephonic service . British Telecom was
split off from the Post Office in 1981 as a prelude to its own privatisation three years later. The aim was to
make it easier for the management of the two organisations to focus on the business strategies of their
respective operations.
Since 1981 BT has undergone major changes first with privatisation in 1984 and then because of Project
Sovereign in the early 1990’s. What follows concentrates on the build up to and changes associated with
Project Sovereign from the late 1980’s. It is arguable however that this represents some continuation of the
earlier corporate restructuring that surrounded privatisation. The climate for these changes continues to be
shaped by several significant factors including: the development of new technology which has changed the
nature of telecommunications work; the opening up of the market for telecommunications to competition and
the requirement for BT to be able to exploit new international markets for information technology.
BT no longer enjoys the monopoly it once had. At home, competition from Mercury, the cable industry, and an
increasing number of niche telephone operators is taking its toll. For example, it is estimated that 40,000
customers a month are being lost to the cable companies who offer cheaper calls, connections and rentals, as
well as clearer lines and the advantages of new technology. Cable firms claim to have won 470,000 customers
in the three years since they were permitted to offer telephone services. Internationally BT's rivals, such as
AT&T and France Telecom, are battling for the custom of the multinationals that want one supplier to service all
their telecommunication needs.
As well as new competitors such as Mercury and the cable companies who are attacking BT on price, the
regulatory regime is also becoming harsher. OFTEL have recently stated that prices on BT's basic services must
now be kept to 7.5% below the rate of inflation. Although many of the same pressures affect BT's rivals, BT
argues that it suffers most because it maintains a network that runs the length and breadth of the UK.
Copyright: The Art of Service Pty Ltd, 2003
14
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
Symptoms
Project Sovereign and change of culture in BT.
BT have launched several initiatives to transform the company however the most significant was the Project
Sovereign which involved both adopting total quality management values and encouraging employees to focus
on customers needs. In March 1990, the Chairman of BT announced fundamental changes to the organisational
structure of BT. These emerged from the findings of the Scoop Project undertaken by a team of BT Senior
Managers into how the company should tackle the telecommunications business of the 1990’s. This suggested
that BT’s existing structure would prevent the company from achieving its full potential. Based largely on
geography rather than customers or markets, it lacked the flexibility and integration necessary to meet
changing market conditions.
The plan for change was called Project Sovereign because according to the Chairman it was:
“The single most important thing that we are ever likely to do because it puts the customer at the top of our
organisation".
Over the following 12 months the old structure of BT based on geographical districts and product divisions gave
way to 3 customer facing divisions: Business Communications Division to serve the needs of business
customers; Personal Communications Division to meet the requirements of the individual customer; and a
Special Business Division to manage a range of facilities such as Yellow Pages and Cellnet.
These new ‘customer facing’ Divisions were to be supported by a division with responsibility for the coordination of BT’s portfolio of products and services; a World-wide Networks Division to plan, build, operate and
maintain the switching and transmission network in the UK and globally; a Development and Procurement
Division to provide a broad spectrum of technical services including research, development and design,
fabrication, testing, problem-solving, planning and consultancy. In addition, this division was given
responsibility for developing and managing a group wide supplier strategy and procurement service. Finally
functions such as strategy, finance, personnel running across the business were to be handled by Group HQ.
Figure 1 summarises the organisation structure introduced under Project Sovereign.
Customers/Markets
Business
Communications.
Personal
Communications
Special
Businesses.
Products and Services Management
World Wide Networks.
Development and Procurement.
Group HQ (Strategy, Finance, Personnel, etc.)
Figure 1. Organisational structure on 1 April 1991.
In a briefing session on the changes given by BT Directors to top BT managers the factors which shaped the
new structure and its essential features emerged. The new BT required radical change and a more flexible
approach to organisation and management. The Group Finance Director explained that:
“BT is seeking a fundamental change in its approach to the markets it serves - it is a massive change and not
tinkering at the edges. Moreover, it is ultimately linked to a change in our cost base - a leaner organisation and
flatter management structure. The most successful telecommunications company in the world has to be flexible
around a low cost-base.”
In a presentation entitled “Management and Culture” BT’s UK Managing Director argued that surveys in the
company showed that many employees wanted radical change and the opportunity to contribute more to the
company. Managerial leadership he suggested would need to release these pent-up energies. The key will be
providing the managerial leadership that will release and make use of these pent-up energies. However, he
noted a substantial reduction in the numbers of managers will be inevitable in order to “flatten” the company’s
multi-layered pyramidal organisation and quicken response between management and workforce. Project
Sovereign has reduced the total number of layers of management in BT from twelve to six.
One of the first changes to take effect with Sovereign was the integration of the UK and international marketing
and sales organisation under a unified management structure. This was intended as a very visible indicator of
the customer orientation of Project Sovereign. This was stressed by the Sales and Marketing Director:
“This change allows our people to direct their energies towards meeting customer needs and nowhere is this
more true than with the marketing and sales community that we will be bringing together into one structure.
Copyright: The Art of Service Pty Ltd, 2003
15
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
This group of people will be at the forefront of the organisational change, demonstrating our determination
and commitment to put the customer first.”
In summary, Project Sovereign was to lead to:
· A flexible market-driven structure for business and personal customers, with the necessary technical and
commercial functions to meet their needs.
· A single interface for all BT’s customers backed up by systems and specialised support.
· An increased sales revenue through protection of BT’s largest business customers, capturing the substantial
opportunities available in the smaller business market and from the information-intensive personal customer.
· An integrated approach for business customers, to meet their rapidly expanding
international needs.
· Consistency for both business and personal customers, with the target to deliver uniform excellence across
the customer base.
· Integrated product management, removing duplication, eliminating gaps and managing potential conflicts to
the benefit of customers and the company.
Cultural change and the impact on employment in BT.
BT, in common with many other telecommunications companies, has been faced with having to make the
transition from a vast state-owned, public-service, bureaucracy to a flexible and responsive, private sector,
high-technology company. The challenge of transforming an organisation that was rumoured to have more
vehicles than the Red Army is huge. Not only do work practices have to be changed, but the culture also has to
be shifted so that the staff are focused on providing services demanded by customers.
In practice, this “cultural shift” has involved a huge reduction in staff numbers. Many employees who did not
like the new ethos, or found it difficult to adapt, simply left in one or other of the company's generous
redundancy programmes.
As a consequence of the increased competitive pressures outlined above costs have had to be reduced and the
company has to move faster and become more flexible. BT, like many other companies are finding that speed is
now a crucial competitive weapon and that several layers of management can slow down the decision making
process.
Another source of pressure on management jobs stems directly from the job losses lower down the hierarchy.
Technology has had an important role here, as the company no longer needs as many operators, and
consequently, it no longer needs as many managers to supervise them. Similarly, as junior staff have left, the
company has found itself with too many managers at higher levels. BT currently employs 32,000 managers to
organise its workforce of 153,000. The ratio of managers to staff has fallen to one to five although BT plans to
lower that to one manager to ten workers.
When the company was privatised in 1984 it employed 244,000 people and reached a peak of 245,700
employees in 1990. In 1994 it employed 185,000 people. Between 1992 and 1994 almost 28,000 engineers
and telephone operators, more than 5,000 middle managers and 876 senior managers accepted voluntary
redundancy.
The Voluntary redundancy schemes, Release 92 and 93, proved to be run away successes.
For example, BT indicated that it wanted to shed 20,500 jobs under Release 92. John Steele, BT's personnel
director, later commented in a newspaper article:
“We were told we would never get rid of 20,000 jobs in a year “We were told it's impossible, it's never been
done before”. In fact, as many as 45,000 applied to go with 85 per cent of the formal complaints, registered
after the redundancy programme, coming from those who were not selected to leave.”
Release 92 in particular proved to be almost too successful. Incentive payments to leave before the end of July,
worth 25 per cent of salary, caused 19,500 staff to leave on the same day almost causing the company's
administration to collapse under the weight of work and causing severe disruption to customer services. More
than 16,000 people were rejected for severance and courses to maintain morale were instituted in those areas,
mainly the operator service and telephone customer contact jobs, that were particularly oversubscribed.
Redundancy payments range from 40 weeks' pay for 10 years of service to a maximum of 72 weeks' pay for 14
years. Staff who were with the company before 1971 get three years' pay.
An engineer with long service could qualify for a payment of £60,000 while a manager on £35,000 could
receive more than £100,000. Most schemes involved a combination of lump sum and early pension entitlement.
The average package of benefits for those leaving cost BT is about £38,000, although a small number of senior
managers are believed to have received more than £200,000.
The scheme cost an estimated £1.15bn. Although BT has not revealed a final price of the scheme it did explain
that even with more than 40 per cent more people being accepted for severance the total bill did not rise in
proportion as ‘the unit cost was lower than BT expected’ .
Copyright: The Art of Service Pty Ltd, 2003
16
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
Publicly BT has always said that it tried to make the package of benefits attractive to all ages.
However, in 1993, unions representing workers at BT claimed that the company had introduced a grading
system that could be used to target older staff. The system was based upon an individual's annual performance
assessment, their attendance records and whether or not disciplinary action has been taken against them. The
proposal that age should form part of the points system was dropped by BT after complaints from the National
Communications Union and the Society of Telecom Executives. At that time 15,300 people under 45 had taken
severance, of the older workers, 4,000 were aged 45-50 and 10,000 were 50-60. The company's standard
retirement age is 60. In January 1994 the chairman, Sir Iain Vallance was able to state :
“It is now almost exactly 10 years since BT was privatised, the natural turnover of staff means that many
staff have never worked in the public sector. We now have the younger more responsive workforce that this
industry needs.”
In 1992 and 1993 the majority of the cuts were voluntary and had fallen on lower and middle management,
operators, clerical staff and engineers. However in March 1994 BT announced that 6,900 senior managers out
of BT's 32,000 management-grade employees will be targeted for ‘significant compulsory reductions’ as not
enough were volunteering to leave under its job reduction programme. It also announced that it was
considering compulsory redundancies for its most senior managers as part of a drive to lose 35 of its 170
managers at director level.
All managers at this level earn over £50,000 a year with the average wage being £76,000 a year.
Although the logic of de-layering and downsizing may be clear, it seems that managers that are more senior
are reluctant to go and, until recently, BT has been loath to sack them. The reluctance to accept voluntary
redundancy may be because senior managers have more agreeable, and better-paid jobs or it may be because
they are more worried about finding another job elsewhere - although figures from the International Labour
Office show that only 3% of professionals and only 5% of managers in the UK are unemployed in comparison
to 13% of plant and machine operators and 13% of craft workers.
The Customer Service System (CSS).
In the late 1970's, BT (then part of the GPO) had six mainframe sites and very little local computing. When BT
split from the Post Office in the early 80's BT began to set up local computing centres. Each area had set up its
own databases and soon similar information was being held in two or even three different places. The cost of
attempting to keep all of this information consistent and up to date was spiralling out of control.
The decision was taken to centralise all of the information at a district level and telephone areas began to be
amalgamated into districts. This process marked the beginnings of CSS. Essentially CSS was conceived as a
“Customer Service System”, i.e. the aim was to provide a single source for all of the information relating to a
single customer. An operator could access all relevant information for that customer by telephone number,
address or name and could call up the customer's details on to a screen almost instantaneously.
After privatisation BT looked at several systems from a number of vendors and began setting up CSS's in 1985.
People from the districts were seconded to the headquarters and a National User Group (NUG) formed to aid
the setting up of the various CSS's.
At a national level Setting up CSS involved creating 29 databases for the 29 separate districts that existed at
that time with each database containing information about 12 specific areas such as customer records, line
records, billing information, etc. Each CSS needed to hold the details of over 1 million customers and service
around 2000 terminals. The installation of CSS into the various districts was spread over several years.
The CSS system was initially created as a system to support operations within individual districts and although
CSS was almost universally acknowledged as a great help in providing customer support many felt that the
management information aspect of the system appeared to have been added almost as an afterthought. While
CSS was an efficient in certain respects, such as tracking installations or repair work, it did not really provide
the information needed by managers or, if it did, it was in a form that was of little use to them.
The announcement of Project Sovereign in 1990 and the move to three new ‘customer facing’ divisions:
-
Personal Customers (PC),
Business Customers (BC)
Special Businesses (SB)
provided a new impetus to the development of CSS although this was not without problems.
Previously every CSS had been set up on the basis that all customers were treated in more or less the same
way. There was no distinction made between, for example, business customers or personal customers. The
amount of time and effort that had gone into setting up the existing CSS, and the technical problems of
splitting the 29 existing databases into three – one for BC, one for PC and one for SB - meant that another way
Copyright: The Art of Service Pty Ltd, 2003
17
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
had to be found to make the existing Information Systems work within the new company structure. The
solution was to keep the same databases but give more access to people who required it. Thus the decision to
create three new divisions meant that in order for CSS to continue to function managers, even at relatively
junior levels, had to have the ability to ‘have visibility of other work areas’.
Previously there had been a bureaucratic system of passwords and access codes that limited access to the
various areas of a CSS. However, once the principle of greater visibility was established improvements in
technology opened other areas for organisational change. It now became possible to switch automatically
information between districts so that a person based in one district could update or amend records held in
another district. Similarly it also became possible to monitor work loads and allocate resources across the
functional and geographic divisions in BT.
Although all of this was now technically possible, some organisational problems remained as, in the past BT had
relied on local expertise and each region had done things in a slightly different way. CSS provided an
infrastructure that was relatively tightly controlled in terms of what it allowed a manager to do. However, in
order to bring about some of the proposed new changes it would, in some senses, need to be even more tightly
controlled as every region would now have to operate in the same way.
The need to ensure consistency between regions lead to some dissatisfaction with the speed with which the
system could be changed or modified. In the past when the system needed to be changed or updated this could
often be accommodated at a local level, now however, each change or update needed to be worked out and
agreed across the whole of the national network.
Copyright: The Art of Service Pty Ltd, 2003
18
Version 5.0
4
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Implementing ITIL Service
Management
4.1 Introduction
ITIL Service Management is something that impacts the entire IT organisation.
Implementation of end-to-end processes can have a big impact on the way things are
done and can initiate a lot of uncertainty and resistance with staff.
For these reasons, it is important to implement ITIL Service Management with a step-bystep and steady approach.
The following model is an example of such an approach.
Developing ITIL processes is a fairly easy job to do! Making sure everybody understands
the processes and uses them is more difficult and requires serious planning.
It is advisable to use a project management approach to ITIL Service Management
implementation and stay focused on the clearly defined end results (many different
Project Management methodologies exist. The Trademark owners of ITIL (the OGC)
publish PRINCE2 (Projects in Controlled Environments)).
4.2 Cultural change
A small part percentage of the implementation project will be about process design. Most
of the challenge lies in cultural change and personal motivation of staff to use the endto-end processes as the better way to do business.
Any change leads to feelings of vulnerability and loss of control. These feelings generally
manifest themselves through feelings of resistance. The most important thing in this
stage of the ITIL implementation is to keep the focus on the reason why your
organisation needs ITIL Service Management in the first place.
19
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
4.3 Implementation Checklist
DO:










Perform a feasibility study first
Use what is already good in the organisation
Take it slowly
Stay focused
Appoint a strong project manager with end-to-end focus to drive this
implementation program
Be brave enough to ask for help when you need it
Keep in mind that you are dealing with personal issues
Keep communicating WHY your organisation needs this
Measure your successes continuously
Enjoy the milestones and share them with the IT group
DON’T:
 Try to mature all the processes at the same time
 Start with a tool
 Start without management commitment and/or budget
 Force ITIL upon people
 ‘ITILISE’ your organisation, keep thinking…
 Rush, take your time to do it well
 Go on without a reason
 Blindly follow the herd
 Ignore the positive activities already in place
4.4 Further reading
Planning to Implement Service Management – an OGC publication.
Copyright: The Art of Service Pty Ltd, 2003
20
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
5
ITIL Service Management Processes
5.1 Service Delivery Set
The following chapters describe in brief the Service Delivery processes. These processes
are generally referred to as “tactical” processes.
5.1.1 Service Level Management
This process provides the contact point between the IT organisation and the customer.
Within the ITIL books, ‘the customer’ is defined as being the person who pays for the
services. It should therefore be someone with decision-making authority, e.g. business
manager.
Service Level Management is the process that ensures that the IT organisation knows
what services they can deliver and organises for the IT group and the customer to agree
on the levels of service that need to be delivered.
It also ensures that the IT group can consistently deliver these services to the customer
by ongoing monitoring the service achievements and reporting these to the customer.
Extra reading
To report or not to report
A lot of the organisations that start implementing Service Level Management fall into the
trap of over-reporting. Everything is monitored, and all results are reported back to the
client.
Negotiate the reporting strategy with your customer during the SLA-negotiations. A
report is only valuable if your clients use it for their own work.
Another pitfall is the fact that some people only report when things are going wrong. The
image you build with an agreement like that is a negative one. The client only hears from
IT when there is a problem or when service levels aren’t met. ALWAYS report on the
positive things as well!
It’s OK to say NO…
Often, when you start implementing Service Level Management in your organisation
you’ll find that you can’t deliver a lot of the user’s requests. You can’t deliver because
you don’t have the underpinning processes in place, you don’t have enough budget and
other required resources.
Service Level Management is all about managing the expectations of your clients.
Internal and external agreements
The beauty of implementing ITIL is that everybody in the organisation speaks the same
language, and therefore you need to be very strict with your choice of words. A Service
Level Agreement is an internal agreement with your clients. An agreement with an
external party is called an underpinning contract. An agreement within the IT group
itself is called an OLA (Operational Level Agreement).
Copyright: The Art of Service Pty Ltd, 2003
21
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
5.1.2 Financial Management for IT Services
When Service Level Management agrees with the customer on Service Levels, it has to
be able know how much money is involved in delivering this service. Especially when the
cost for IT services is to be charged on to the customer.
Financial Management for IT Services allows the IT organisation to clearly articulate the
costs of delivering IT Services.
There are 3 fundamental components with this process.



Budgets
IT Accounting
Charging
Note: Charging is an optional activity and is dependant on the charging policy of the
organisation as a whole.
Financial Management needs input from all other processes regarding the costs that form
part of the service delivery. It will also deliver input to the other processes, e.g. financial
information for the cost-benefits analysis within Problem Management and Change
Management.
EXTRA READING
Q. Why is business financial management important to the IT professional?
Isn't that the CFO's responsibility?
Competent financial management is critical to the success and very survival of a wide
variety of organizations. In the technology community, it is common to select the chief
financial officer or the chief information officer for advancement to the CEO position.
For the CIO professional looking for a promotion or a greater understanding of the IT
arena, an understanding of the basics of financial management has become invaluable.
The goal of business financial management is to maximize value. Successful financial
management requires a balance of a number of factors, and there are no simple rules
or solution algorithms that will ensure financial success under all circumstances. The
overall goal toward which corporate financial and IT managers should strive, is the
maximization of earnings per share, subject to considerations of business and financial
risk, timing of earnings, and dividend policy.
The basic concepts of the fundamental principles of accounting, analytical techniques
for interpretation of financial data, basic budgeting concepts, financial planning and
control and the analysis of long-term investment opportunities are applicable to IT as
well as finance. Financial and IT professionals who can profitably harness the principles
and techniques of financial and information resources will be able to manage their
organizations more effectively than their competitors.
Copyright: The Art of Service Pty Ltd, 2003
22
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
Exchanging wooden dollars?
Many organisations decide not to do a physical charge out to their internal clients because
it would only add up to the administrative procedures within the organisation.
Financial management in this type of organisations is used to gain insight into the cost
involved in the delivery of IT services and to raise the awareness with the clients. Instead
of invoicing the client, a monthly report is sent out to update the client on their ITexpenditure.
Copyright: The Art of Service Pty Ltd, 2003
23
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
5.1.3 Availability Management
Contrary to popular belief, Availability management deals with ensuring that the services
are available according to agreed levels.
It does not set out to guarantee the maximum level of availability, nor is it about
reporting on server availability as a stand-alone issue.
This process ultimately links all IT components together and manages the links and
weaknesses between the IT components to ensure the availability of the service delivery
to the customer.
Availability works closely together with Capacity Management. This is a logical connection
as you can’t ensure the availability of the service when the capacity is insufficient. There
is also a close link to Problem Management as the availability expert is often technically
skilled and able to analyse root cause analysis.
EXTRA READING
Distributed Availability (IBMs approach (technical document))
Introduction
Distributed availability is the ability to ensure predictable, reliable user access to key
applications and computing resources. Maintaining distributed availability in
client/server environments is a complex and expensive proposition, yet it plays a
critical role in maximizing your investment in client/server computing.
Businesses that have embraced and deployed client/server computing face major
challenges such as keeping mission-critical applications up and running. This document
addresses why this is difficult, compares different approaches to solving this challenge
and describes why Tivoli's automated solution to distributed availability is uniquely
suited for enterprise client/server management.
Distributed Availability
Client/server computing puts mission-critical computing resources such as systems,
databases and applications in the hands of those who need them most, end users.
However, without the proper management tools, it is difficult to maximize the
availability of these crucial resources.
Providing distributed availability gives information technology (IT) staff an efficient,
automated way to ensure the high availability of key computing resources. It allows IT
staff to meet its service-level commitments. It ensures that company personnel who
depend on uninterrupted access to mission-critical business applications are more
productive. It allows organizations or individual business units to minimize lost revenue
opportunities that can occur when mission-critical applications and computing resources
are not up and running efficiently.
Why It's Difficult
Leading global corporations have embraced distributed client/server computing as their
vehicle for implementing mission-critical applications. However, distributed
environments and applications are much more complex and dynamic than their
mainframe predecessors.
It is easier to track the performance level of computing resources in a centralized data
centre environment because there are only a few large systems--typically from one
vendor and located in one place. In contrast, the distributed client/server environment
has a large number of dispersed, heterogeneous systems that grow and change at a
Copyright: The Art of Service Pty Ltd, 2003
24
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
rapid rate. For example, IT staff are often unaware that individual workgroups have
installed their own systems or reconfigured their environments.
With many remote sites, different types of systems from multiple vendors and a
constantly changing environment, the challenge is to provide application and computer
resource availability without requiring system administration experts at each remote
site.
Providing distributed availability includes the following activities:
 Automatic configuration and deployment of policy-based resource monitors and
actions
 Automatic problem detection through distributed monitoring
 Automatic preventive and corrective actions
Traditional Solutions
The major problem with most of today's monitoring tools is that they are not scalable-they simply do not work in a large, distributed client/server environment.
While a mature set of mainframe performance tools exist, these tools only work well for
monitoring a centralized computing shop. They are simply not designed to handle
enterprise-wide monitoring.
With the advent of LAN computing, a second type of monitoring tool has emerged. LANbased monitoring tools typically focus on presenting many, often hundreds, of alerts
per system. These tools work within one LAN segment and assume that a server or
workgroup administrator exists for each LAN. This scenario is suitable for small
computing environments but does not work for an enterprise with hundreds of LANs at
many remote locations.
Typical problems with LAN-based monitoring tools include:
 Many tools focus solely on alerting
 Filtering capabilities are often absent, causing alert-information overload
 IT staff must handle each alert manually
 Tools must be configured individually on each monitored machine at the remote site
 Many tools can not initiate automatic corrective actions
 Most tools are not extensible, restricting the addition of monitors or corrective
actions
 Many tools are SNMP-based. These tools work well monitoring network devices but
are dependent on a central collection point, are not secure and not scalable.
Further, they generate polling and network traffic.
 Most existing monitoring tools have severe limitations in distributed client/server
computing environments, especially in the areas of scalability and efficient central
configuration. The limitations of existing monitoring tools make it difficult to monitor
a large, dynamic computing environment.
The Right Approach for Client/Server
Tools that work for mainframe or for individual LAN environments do not provide a
scalable solution for large, distributed computing environments. To meet the unique
requirements of client/server computing, the solution must:
 Configure and deploy monitoring agents from a central site
 Be easy to configure so that deployment does not become labour-intensive
 Provide alarm filtering at the source
 Avoid generating an excessive amount of network traffic
 Provide a method of automatically correcting repetitive problems at the source
 Alert staff only for serious exception conditions
 Allow you to build policy for monitoring a group of similar systems or applications
 Allow you to build policy for corrective actions on a group of similar systems or
applications
 Be easily extensible, allowing you to add customised or third-party monitors
Copyright: The Art of Service Pty Ltd, 2003
25
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0

Provide an easy method to launch third-party debug or performance tools on an
exception condition
Conclusion
Providing distributed availability in the client/server environment can be a complex and
expensive proposition; yet it plays a pivotal role in the maximisation of an
organisation's investment in client/server computing. Without the proper management
tools, it is difficult to maximise the availability of these distributed resources.
Copyright: The Art of Service Pty Ltd, 2003
26
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
5.1.4 Capacity Management
The essence of Capacity Management is to ensure that the right amount of capacity is at
the right location, for the right customer, at the right time and at the right price.
Capacity Management aims to optimise the amount of capacity needed to deliver a
consistent level of service to the customer. Balancing or spreading workload is a key
method to avoid wasting money on excess capacity that is unnecessary.
Capacity Management has a very close relationship to Availability Management,
Configuration Management and Service Level Management.
EXTRA READING
Why a Capacity Plan?
With cheap hardware prices, capacity planning may be seen to have lost its importance.
You can always upgrade later!
The fact that hardware systems can be upgraded easily has, in recent times, diverted
attention away from this key process area.
There are two main concerns that make capacity planning critical.
The first is the rate of technical change in the distributing computing sector. We now
measure progress in "Internet years" -- equivalent to about 90 days of a calendar year.
The second is that today’s systems are primarily being developed within complex 3-tier
architectures.
This rapid change, coupled with the increase in complexity of 3-tier architecture, is
causing system designers to pay closer attention to capacity.
Five years ago, a designer could roll out a new system with a rough estimate of
capacity and performance. The system could then be tuned or more capacity added
before all of the users had been converted to the new system. The process was
reasonable because the systems were typically not mission-critical.
Today, there’s no time for this approach. Once systems are in place they become an
integral part of the overall operation. Upgrade downtime is increasingly expensive in
both time and resources. In addition, the added complexity of the environment typically
requires more care, due to the interdependency between various application
components.
Capacity planning is driven purely by financial considerations. Proper capacity planning
can significantly reduce the overall cost of ownership of a system. Although formal
capacity planning takes time, internal and external staff resources, software and
hardware tools, the potential losses incurred without capacity planning are staggering.
Lost productivity of end users in critical business functions, overpaying for network
equipment or services and the costs of upgrading systems already in production more
than justify the cost of capacity planning.
Copyright: The Art of Service Pty Ltd, 2003
27
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
5.1.5 IT Service Continuity Management
IT Service Continuity Management prepares for the worst case scenario.
ITSCM investigates, develops and implements recovery options when an interruption to
service reaches a pre-defined point.
The ultimate choice of which option to choose, is made by the customer as part of the
SLA agreements. Price has an obvious factor in selected the appropriate recovery option.
In the current global situation, a structured approach to IT Service Continuity
Management has become more and more important. Business processes rely more and
more on IT Services and IT components are more under ‘attack’.
Defining the pre-conditions that constitute a disaster is part of the ITSCM process. Such
definitions form an integral part of any Service Level Agreement relating to the provision
of services.
EXTRA READING
Availability Solutions: What Do You Need? (source: www.contingencyplanning.com)
Run New Search by: Bill Merchantz
Pages: 22-25; September, 2002
There are many options available to you when selecting a managed availability solution. The following review of
products, services, and technologies will help you choose the best one for your needs.
The previous articles in this series have provided the foundation for choosing a managed availability solution.
As they explained, the search for availability solutions begins with a thorough understanding of the nature of
the problem. How much does an hour of downtime cost? Are your needs application-centric or data-centric?
What is the absolute and relative importance of recovery time objectives (RTO) and recovery point objectives
(RPO) in your business? The answers to these and other questions determine the appropriate size of your
managed availability investment and where you should direct it.
Once the objectives and scope of your solution are defined, a wide range of services, foundation technologies,
and products are available with which to build it. In fact, some of the foundation technologies, such as
journaling, may already be available in your database management or operating systems but have been
deemed, until now, unnecessary or inappropriate for implementation in your systems. When developing a
managed availability solution, all options and approaches should be carefully considered in order to build the
optimum solution.
Services
Assessment — The first step in managing availability is to assess the current environment and seek availability
options. Using an outside vendor to provide this service adds an objective viewpoint and a wealth of preexisting
knowledge, skills, and experience.
Planning — In addition to a high-level plan that describes the overall direction and desired end goal, a program
also needs separate plans for each step along the way.
Education, Training, and Documentation — Human error is a major contributor to unplanned downtime.
Education, training, and documentation on the use and maintenance of each system and its components can
help reduce this type of problem.
Copyright: The Art of Service Pty Ltd, 2003
28
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
Auditing — Business requirements constantly evolve in ways that directly impact internal systems. Add staff
turnover into the equation and the result is a volatile environment that can create unexpected availability
exposures. A partial- or full-system failure will certainly highlight these new vulnerabilities, but a less-costly
approach is ongoing vigilance through regular audits of the managed availability plan and its implementation.
Foundation Technologies
Backup and Restore — The most basic level of data protection is to back up data so that it can be easily
restored. Backups are generally performed on a regular schedule, such as nightly.
Journaling — Database journaling allows a destroyed database to be recovered up to the last committed
transaction. Journaling eliminates the problem of “orphan data” — data added or updated since the last backup
preceding a destruction event. Of course, like backup data sets, journals must be stored separately (preferably
remotely) from the production database to ensure that both are not destroyed in the same disaster.
Commitment Control — The commitment-control function of most commercial database-management software
protects the integrity of transactions in general by rolling back to their previous state any specific transactions
that were not completed at the point of an outage. The complete series of updates can then be reentered upon
system recovery.
Products
Uninterruptible Power Supplies — Power outages are the most common cause of abrupt system failures.
Therefore, uninterruptible power supplies (UPSs) go a long way toward reducing downtime frequency. When
configured properly, they can also reduce the duration of downtime. When a primary power outage occurs, the
UPS can maintain system operation long enough to save main storage, thus protecting data and simplifying
system startup when the power returns.
Fault-Tolerant Hardware — Some hardware includes internal redundancy, along with the means to monitor
each component’s operating status and seamlessly switch to a backup component when necessary. Inoperable
components can typically be replaced without stopping the system.
RAID (Redundant Arrays of Independent Disks) — RAID spreads enough information across multiple disks to
allow the disk subsystem controller to recalculate any missing information in case of a disk failure. It does not,
however, protect against the failure of other disk-related hardware, such as a controller, an I/O processor, or a
bus.
Disk Mirroring — When properly configured, disk mirroring can eliminate single points of failure. Often used in
combination with RAID5, this approach requires that data be concurrently written to each unit in a set of
identical disks, incurring minimal CPU overhead or increase in system complexity. However, mirroring all data
requires at least twice as many disks.
Alternate Communication Paths — Core business functions often depend on a variety of systems and sites. For
example, a company may take orders at one facility and fulfill them at a remote warehouse, with order data
transmitted between the two over communication lines. If the line is disrupted, orders will have to be sent to
the warehouse manually or, worse, not transmitted at all. The only way to combat these exposures is to
maintain alternate communication paths.
Redundant Systems — A multiple-systems approach that continuously maintains real-time replica systems
offers the highest possible level of availability. It duplicates applications, user data, and system data on two or
more systems that may be geographically dispersed. In addition, it can quickly switch users from the primary
Copyright: The Art of Service Pty Ltd, 2003
29
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
system to a backup system when necessary. Thus, unlike backups and disk mirroring, this approach can
eliminate all types of user-processing interruptions.
Redundant systems can be coupled with third-party software assuming full responsibility for system
resiliency. Or, they can be tightly coupled in a cluster, with the operating system assuming primary
responsibility for monitoring and managing the cluster.
Although a backup system can be located in the same building or on the same site as the primary system, it is
highly recommended that the backup system be located in a geographically distant location so that an event or
disaster affecting a wide area, such as a storm, flood, or earthquake, will not affect both systems.
Because such disasters are rare, most companies justify the investment in redundant systems based not on
disaster recovery but on their ability to provide continuous operations. In a single system environment,
database saves and reorganizations may shut down applications or, at best, severely impair their performance.
Worse, hardware and software upgrades can shut down applications for hours or even days. These problems
are avoided in a redundant-system environment. Users are simply switched to the backup system whenever the
primary system requires maintenance. Furthermore, database saves and read-only access tasks, such as query
and reporting jobs, can be done on the backup system, thus eliminating their burden on the production
environment.
When considering a replication solution as part of a full managed availability solution, include these questions in
your evaluation worksheet:

Does the solution allow for seamless, real-time replication of data to a backup system?

Does the solution also replicate system objects? If not, it may not be possible to recreate the application and
user environment on the backup system. If, for example, a user profile is changed on the primary system,
that change should be reflected on the backup.

Is the replication technology application-independent? If not, costly and error-prone application modifications
will be required.

Does the solution provide system monitoring to automatically detect failures?

If the solution provides monitoring, can it automatically initiate a failover to the backup system in case of an
outage on the primary system, without the need for any user or operator intervention?

Does the solution offer a way to quickly and easily switch to a backup system, with minimal user interruption,
when maintenance is required on the primary system?

Does the solution enable activities normally associated with planned downtime, such as software and
hardware upgrades or database reconfigurations, to be conducted in the background while applications stay
in production and users stay online?
Blended Products/Services
Third-Party Recovery Sites — The purchase and maintenance of a complete set of duplicate hardware and
software and the off-site facility to house them is cost-prohibitive for many companies. Third-party recovery
sites, which share costs among a number of customers, provide an affordable alternative.
Copyright: The Art of Service Pty Ltd, 2003
30
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
Data Vaulting — Journaling does not fully protect orphan data, since a disaster that destroys a system would
likely also destroy the journal files in the system. Data vaulting eliminates this vulnerability by capturing
changes made to production databases and immediately transmitting them over a network to a recovery site. If
no problems occur during the day, the vaulted data can be discarded when a new backup tape arrives at the
recovery site. Should a disaster occur at the primary site, the vaulted data can be applied to the recovery site’s
database after the most recent backup tape has been loaded. The result is a database that is current up to the
point of failure.
Solutions that Fit
Because of the diversity of data topologies, hardware, software, and application platforms, few elements in the
managed availability toolkit can be delivered as a shrink-wrapped offering. A purely off-the-shelf product would
have to be so generic as to be far from optimal in any installation. Therefore, companies should look for a total
solution that includes methodologies, software, processes, training, support, and services that allow them to
effectively tailor and adapt the solution to their unique environments.
Foundation Questions
Clearly, business needs and technology architecture determine the optimal managed availability solution.
However, planners should ask some general questions about each of the options they evaluate:

Is the solution a comprehensive, end-to-end offering built upon a proven methodology, incorporating the
software, services, support, documentation, and overall expertise necessary to provide full managed
availability?

Does the solution manage all operation-critical elements of application availability (e.g., data, objects,
security, work management, and user connectivity) and server requirements (e.g., environment configuration
and power)?

Is the solution proven and supported by the company’s platform manufacturer(s) and/or application
developer(s)?

Does the solution support new and emerging technologies?

Is the solution capable of handling the full-transaction volumes and complexity of the company’s systems? Is
it scalable and flexible enough to keep pace with growth?

How long has the solution been in the market? What is its market share?

Has the solution been rigorously proven in a number of real-life installations? Can reference sites be visited?
Addressing these questions can help planners ensure that they select the solutions that best fulfill their
organizations’ requirements. The next article in this series will take the process one step further by providing
some suggestions on evaluating solution providers.
About the Author
Bill Merchantz is the founder, president, and CEO of Lakeview Technology, a provider of managed availability
software solutions. He has many years of hands-on experience as a customer/manager of IT solutions.
Copyright: The Art of Service Pty Ltd, 2003
31
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
5.2 Service Support Set
The following chapters describe in brief the Service Support processes. These processes
are generally referred to as “operational” processes.
5.2.1 Service Desk
The business users / end-users need IT services to improve the efficiency of their own
business processes. When they can’t use the IT services, they have trouble achieving
their objectives.
End-users of services need a single point of contact with the IT organisation.
The Service Desk should be the single point of contact for all end-users. This is where
ALL questions, issues and requests are logged and recorded.
The type of Service Desk you need depends on the requirements of your customer base.
ITIL defines Service desk types in terms of skill and structure.
Skill levels:




Call Centre
Unskilled Service Desk
Skilled Service Desk
Expert Service Desk
Service Desk structures:
 Centralised Service Desk
 Distributed Service Desk
 Virtual Service Desk
 Split Function Service Desk
EXTRA READING
Extract from a Public Discussion forum regarding Service Desk costs.
Question: How do you calculate the cost of a call?
JJ - 3/26/01 3:26:00 AM
How do you calculate your cost of call or cost of a service request? What types of
costs do you include in the total and how often are the costs measured?
Answers:
PM - 3/28/01 7:25:00 AM
Several years ago, I purchased a white paper from Help Desk Institute, which
reviewed different calculations for cost per call. While the paper is somewhat
outdated, it does give you an idea of some basics. Our cost per call includes: salaries,
benefits, utilities, rent, insurance, phones, training, office supplies, etc. Basically we
include any cost related to the support centre. We complete the calculation quarterly.
JF - 3/29/01 2:46:00 PM
Evidently the META and Gartner Groups have done studies to show that password
reset calls cost somewhere between 25-35 dollars per call that lasts an average of
11.5-14.5 minutes. Furthermore, depending on security policies, an employee has an
Copyright: The Art of Service Pty Ltd, 2003
32
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
average of 3-4 reset requests per year. So, the average cost in that area is fairly
easily definable.
AN - 4/1/01 9:45:00 AM
Suggest you take a look at the "Interactive Help Desk tool" recently posted in the HDI
Superstore. The tool calculates the cost per call for given Service Levels very quickly
and accurately.
RF - 4/2/01 11:36:00 AM
In addition to the departmental costs that can apply to all departments, a few other
factors must be taken into consideration. These include length of call, quality of
assistance received, whether the issue was adequately resolved, and whether or not
the user must call back for additional assistance. For example, if the user must call
back and has to rehash the situation, costs escalate and are difficult to control. If,
however, the support technician is continually and adequately trained, even if he
must stay on the phone for some time to resolve the call, this will result in a lower
number of calls, a higher number of satisfied users, and an overall lower help desk
budget.
DM - 4/4/01 3:29:00 PM
We use a simple calculation that works well for us. We take the entire dollar value of
my annual budget and divide it by the number of customer contacts we have. This
includes all inbound e-mails, voice mails and phone calls. In addition, we add in the
number of outbound phone calls we make to get a problem resolved. Using just the
inbound calls, we average $13-$16/call. If we add in the outbound calls (a very large
number - representing a significant amount of time and therefore money) we are
under $9.00/customer contact. This calculation method may not be "according to the
book," but we have used it for years and as I said earlier, it works for us.
DS - 4/10/01 12:35:00 PM
One thing most help desk organizations do NOT do in calculating cost per call is,
include the support cost beyond the help desk (i.e. second and third level support
whether captive or outsourced). This leads to misleading and even detrimental
management information.
In the extreme, the lowest cost per call would be seen in the help desk that
dispatched out the most of their service incidents the quickest, thus saving greatly on
their own labour and phone costs while driving total costs up as the inefficiencies from
buck-passing creep in. Any cost per unit measurement that focuses only on a portion
of the whole is worthless without the full picture.
JC - 4/11/01 4:59:00 PM
One individual mentions the cost for handling a password reset and one suggestion
for handling such calls would be to give your users the option to do the reset
themselves via an IVR, which is what we do. It thus lowers the cost per such call to
less than a dollar versus it being done thru the help desk, that cost is in the 7.50
range. Our IVR is our first level of support for the client with the Response Centre
being the 2nd level and so on. Our cost per call is calculated based on the total
monthly expense for running the Response Centre, which includes salaries, fringe,
supplies, etc. This versus the total number of calls handled gives us a cost per call
that we can manage to.
BC - 4/11/01 5:17:00 PM
Combining several statements already posted, the budget of ALL support levels that
are involved in Incident Resolution (Level 1, 2 etc.) divided by the number of
Incidents may deliver a cost per call. A further breakdown may be used in which Level
1 calls are calculated using their average resolution time, Level 2 calls are calculated
Copyright: The Art of Service Pty Ltd, 2003
33
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
using their resolution time, etc. This would lead to a more accurate calculation of cost
per call, depending on level of resolution. However, outbound calls are not included in
this case either.
GF - 6/5/01 9:48:00 AM
In a previous note Justin Farmer sites some statistics from Gartner and Meta reports
that I found very interesting.
Source: www.thinkhdi.com
Copyright: The Art of Service Pty Ltd, 2003
34
Version 5.0
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
5.2.2 Incident Management
This process is in place to get the end-user back to work – following an interruption to
normal service delivery - as soon as possible. It is symptom-driven and the only concern
is speed of response, and the continuation of the business process.
Incident Management uses information out of the Problem Management process (work
arounds and Known Errors) and the Configuration Management process (linking Incidents
to Configuration Items)
A large component of Incident Management is the administration and tracking of the
incident itself.
EXTRA READING
The line between the function of the Service Desk and the Incident Management process
is perhaps the area of greatest confusion for most people regarding ITIL.
It is best explained by making the point again that the Service Desk is a function and
that Incident Management typically lies inside that function.
If an end user calls the Service Desk they are making contact with a functional part of
the IT Service Delivery. What takes place after the call is made and the end user is being
looked after is part of the Incident Management process.
Generally, most organisations have their Service Desk staff conducting Level 1 incident
management support. However, this is not a caveat and the decision is dependant on the
selected skill level of staff and Service Desk structure selected.
Level 2 and beyond Incident Management staff can be tightly integrated into the Service
Desk area, or they may be recognisable as a separate group of staff.
In a lot of organisations who have adopted ITIL, the concept of Level 3 support has given
way to the Problem Management process.
35
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
5.2.3 Problem Management
It is the intent of Problem Management to find Known Errors in the IT Infrastructure.
Everything you do within this process is focused on:
o
o
o
o
Finding what the Known Error is (Problem Control  diagnosis)
Identifying alternative solutions for the removal of the Known Error (Error
control)
Raising a request for change (RFC) to request for the deletion to happen
Checks after a change is performed to see that the Known Error is gone
The Problem Management process also has an element of proactive troubleshooting. The
concept here is to identify and facilitate the removal of errors before they manifest
themselves as end-user complaints or queries.
EXTRA READING
Getting to the Root Problem
Event correlation and root-cause analysis tools promise a lot, but real-world results are mixed, say
users.
Automated network management software - sophisticated stuff that promises an unprecedented ability to
monitor a corporate network - is on the horizon.
But skeptical IT managers say the tools still aren't smart enough. They want
artificial intelligence that can diagnose a network problem and get it right at
least seven out of 10 times.
Such automation relies on event correlation and root-cause analysis tools.
The concept behind the tools is simple: keep track of network devices and
relationships, automatically fix minor problems and refer more complex
snafus to the network manager.
But skeptical IT managers are demanding proof of better automation,
bedrock interoperability and broader usefulness before they will buy such
tools.
"We've looked at these tools," says Tom Revak, domain architect at
pharmaceutical company GlaxoSmithKline PLC in Research Triangle Park,
N.C. But "until the artificial intelligence exists that can automatically update
a dynamically changing network, it's just one more pretty little map of what
could be."
Historically, users have been "skeptical that software can meaningfully
achieve what human expertise has achieved," says Dennis Drogseth, an
analyst at IT consultancy Enterprise Management Associates Inc. in Boulder,
Colo. Drogseth researched and wrote the consultancy's report on root-cause
analysis and event correlation that was released in December.
Who’s Using It
Of 135 companies surveyed by
Enterprise Management
Associates, 60% are doing
event correlation.
Those 81 companies use it to:
Speed problem resolution 33%
Improve service delivery27%
Reduce staff, overhead 24%
They’re spending:
More than $200,00027%
$100,000 to $200,00016%
$10,000 to $100,00044%
They consider acceptable a rate
of:
75% to 90% accuracy43%
More than 90% accuracy40%
But how satisfied are they?
Very48%
Somewhat
Exactly, says Kristina Victoreen, senior network engineer at the University of
Pennsylvania in Philadelphia. "We tried building on the autodiscovery that
source: Enterprise Management
Spectrum does, but we spent more time fixing what it had discovered,"
Associates Inc., Boulder, Colo.
Victoreen says. "The guys who do [the model building] found it was quicker
to build the topological model of the network by hand, which is very timeconsuming." Spectrum is a management tool from Aprisma Management Technologies in Durham, N.H.
The tools "need to sense when something out of the norm occurs, such as a critical deadline that forces people
to work around the clock, and normally noncritical failures become critical and require immediate response,"
says Revak. "If they can't do this automatically, the administrative overhead greatly outweighs the return on
investment."
The moment of truth for users seems to come when the software tools "can successfully automate problem
diagnostics 70% of the time or better," Drogseth says in the report. At that point, "users believe they are
justified in the investment.
"That 70% mark is being met today by most of the better products," Drogseth says.
The benefits can be substantial, he says: smoother-running networks, better service-level delivery, reduced
staff requirements and lower overhead. These benefits, together with advancements in the software and a
Copyright: The Art of Service Pty Ltd, 2003
36
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
reduction in the costs of deployment, are driving an increase in the use of root-cause analysis and eventcorrelation tools, Drogseth says in the report.
"There's no way we could manage without it," says Chris Vecchiolla, IT
project manager at Royal Caribbean Cruises Ltd. in Miami. Each of Royal
Caribbean's 18 ocean liners has an IT staff of two people, but most systems
management is handled remotely from Miami via satellite.
Royal Caribbean uses Compaq Insight Manager and Unicenter from Islandia,
N.Y.-based Computer Associates International Inc. to manage and monitor
"about 170 items, such as SCSI card failure and out-of-threshold notices on
servers," Vecchiolla says.
Escalating alarms notify both onboard and Miami-based IT staffers of
problems. When the system detects a virus, it automatically destroys it and
notifies onboard IT staff of the action via a banner on a monitor, Vecchiolla
says. But should a server exceed a predetermined threshold, Miami staff
could be paged to handle the problem, he says.
Because Royal Caribbean's ships cruise around the globe through every time
zone, remote management from Miami sometimes occurs while onboard
staffers are off-duty. When the Miami staff works on a ship's systems,
"Unicenter automatically picks it up and generates a banner that goes to the
onboard systems manager that tells them the date, time, workstation
accessed, what was done," Vecchiolla says. "The [onboard IT staffers] like
that a lot."
Drogseth says that more than half of the enterprise-level companies with
which he spoke are beginning with automation's "lowest common
denominator, alarm deduplication."
If a server goes down, each attempt by any user or device to access it can
generate a separate alarm, which doesn't describe the root cause of the
problem. Deduplication lets a network manager see a single, server-down
alarm instead.
A Kansas City, Mo.-based unit of Boston-based financial services company
State Street Corp. isn't doing root-cause analysis, but it does use Spectrum
for alarm deduplication, says David Lembke, State Street's network services
manager.
The University of Pennsylvania has been using Spectrum for five years to
reduce the number of alarms reported by a single event, Victoreen says. "It
works reasonably well, assuming we've built the model correctly," she says.
But "it turns out [that] a big map with red dots flashing to show alarms is
not that useful for us."
Drogseth says that in his interviews with 40 midsize to large companies,
most IT managers said they know they must start automating, because
networks have grown too large and complex to manage without automation
tools.
Though Revak is skeptical, "that's not to say we're not interested," he says.
"We're rethinking trying to model all of our networks and maybe moving to
trap aggregators or event correlation engines," Victoreen says.
IT managers are looking beyond the network focus that most vendors have
stressed and are seeing extended uses for the tools, such as to support
performance, help desk functions, inventory and asset management, change
management, and security. Not all tools support all such extensions,
Drogseth says.
Users have viewed automation
for root-cause analysis and
event correlation as "more work
than it's worth, requiring too
much labor and knowledge for
rules to be appropriately
defined for a specific
environment," says Drogseth.
Glossary:
Advanced correlative
intelligence: A problemisolation method cloaked in
secrecy by most root-cause
analysis tool vendors. This is
where language is most
likely to become obscure or
insubstantial.
Event correlation: Examines
the relationship among
events across an IT
infrastructure to narrow the
search for the cause of a
problem.
Object data store:
Knowledge specific to
devices, applications and
connections that provides a
database of codified detail
for understanding objects
and their relationships. An
extensive object data store
can contain object
performance data for use in
modeling routine
interactions across device
types such as servers and
routers.
Polling and
instrumentation: Provide
ongoing event data about
infrastructure availability,
performance and topology.
They can include common
availability metrics, as well
as CPU utilization or even
remote monitoring.
Presentation and context:
Encompass issues around
what you see, how it looks
and what it tells you. No
matter how detailed the
reporting, unless it’s
presented in a way that
suggests a solution, it’s just
so much noise.
Vendors of most of the tools also claim some kind of predictive capabilities.
A network that learns over time can not only help prevent problems, but it
can also increase job satisfaction by releasing IT staffers from grunt work
and calling on them only for more difficult questions.
But where most such artificial intelligence efforts fall short is in detecting
subtle changes, Revak says. "Through repeated small changes, the norm
[can] shift very near the failure point, setting up a significant failure
situation for the next small deviation from the newly established norm," he
says.
Predictive capabilities vary greatly, and not all are based on sophisticated artificial intelligence techniques,
Drogseth says.
Copyright: The Art of Service Pty Ltd, 2003
37
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
At the bottom of the range is basic linear trending. An algorithm can
determine how long it will take a server to reach capacity if usage
increases by, say, 20% per month.
At the other end are sophisticated tools like CA's neural network-based
Neugents, Drogseth says.
A Neugent can look at historical data about network resource usage and a
company's business cycle, says a CA spokeswoman. By aggregating and
correlating data on network infrastructure and business relationships, the
Neugent might predict that a server would reach capacity in six weeks but
drop back to 30% in the seventh week, she says.
Royal Caribbean plans to implement CA's Neugent for Windows NT
networks, which "will take us to another level of management," Vecchiolla
says.
Root cause analysis: Isolates
the cause of failure or poor
performance.
Topology: The map of where
things are. It can detail both
the physical (Layer 2) and
logical (Layer 3) network, and
move on up the Open Systems
Interconnection stack to
include configuration
information relevant to systems
and applications.
Before the root-cause analysis industry achieves that new level of management, however, it must hurdle the
stumbling block of standards, Drogseth says.
Part of why the University of Pennsylvania isn't "getting as much back as we'd hoped for is that we have a lot of
different software from different vendors, and they have a lot of different proprietary schemes and interfaces,"
Victoreen says.
"The systems management industry must develop the standards and interoperability capabilities required for
the tools in the event, problem, change, configuration, inventory, workload management, capacity [planning],
performance [monitoring] and security areas to work together," Revak says. "Each of these disciplines contains
some part of the overall equation."
Root-cause analysis and event-correlation tools aren't layered onto a network so much as they are woven into
its fabric, Drogseth says.
De facto standards such as Java, HTML and XML help provide a cooperative interface between different vendors'
products.
But true interoperability demands a common thread, "a standard structure of data maintained in the object
store" - a database of network devices, applications and relationships, Drogseth says.
"At its most esoteric, standards refers to that platonically perfect state that never gets achieved," he says.
"What we're seeing is some adoption of some standards by some vendors."
Users should look for vendor partnerships to ease root cause tool deployment and management, he says.
That's easier now than several years ago, when one New York-based financial services firm began doing rootcause analysis. "We had to build a lot of things ourselves because they weren't available at the time," says the
firm's IT vice president, Gary Butler.
"We're using the [System Management ARTS Inc.] correlation engine, and we're feeding it with data from
Tibco's smart agents" and San Francisco-based Micromuse Inc.'s NetCool presentation software, says Butler.
"We can't always find the root cause 100% of the time, but we can at least find the more serious event, and
that keeps us from wasting time with all the symptoms."
Revak says, "As the industry matures, the best bet is for companies to focus on developing their event
infrastructure technology - a prerequisite for any advanced management - their people and their processes.
Technology is not the most important. [Vendors] dislike it when I say this, but most important are the people
and the processes" and the relationship between them.
Source: Computerworld
Copyright: The Art of Service Pty Ltd, 2003
38
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
5.2.4 Change Management
A robust Change Management process ensures that the Change Manager is in full control
of the changes to the IT infrastructure.
Change Management is NOT about performing changes risk free. It is about performing
changes with a minimal risk OR consciously taken risk.
It is therefore important to involve the clients or client representatives in the change
management process.
All projects start through Change Management as all projects wish to change something
to the IT Infrastructure: they either modify the current infrastructure or add/remove a
component.
Change Management is more than just Change Control. The Change Management
process starts with the RFC being raised and keeps control from the assessment and
acceptance of the RFC through to the Post Implementation Review.
All other processes issue RFC’s to Change Management for necessary upgrades to
improve their effectiveness and efficiency. Change Management needs information from
all other processes in order to perform the risk assessment regarding requested changes.
EXTRA READING
Five Intranet Management Problems You Can Solve With a Change Management System
(Source: www.earthweb.com)
Remarks made around the office:
"I updated that document yesterday, but it's not appearing on the Intranet. What happened?"
"The new version's wrong! Did we back up the old one?"
"Chris and I were editing the same file at the same time, but I finished first. His changes overwrote mine!
"Who made that change?"
"Only the Webmaster is allowed to change any files, so your changes might be implemented by Christmas."
If you hear statements like these on a regular basis, you may be suffering from change out of control. Changes
in files are necessary and beneficial, but they also have to be controlled. People in a development environment
know all about this problem, and have devised a sound way of managing the volume of changes to software
files. The discipline of managing, controlling, and automating changes in your files is called software change
management.
The Five Problems
You only need to go as far as your Webmaster to learn all about the volume of change in a Web or Intranet
environment. Just like their developer cousins, Webmasters struggle to manage the magnitude of change to a
Web site. Now, with new integrated authoring and browsing tools like those available from Netscape
Communications, making changes to a Web site is as easy as saving a file and pressing a "one-button publish."
This technology opens the Web up to a whole new breed of content providers making changes to a site. Before
the technology, changes had to go through the Webmaster because of the difficulty in executing the changes.
Now, these new tools have empowered everyone to make their own changes. And consequently, new change
problems have emerged. The following are some examples of common change problems affecting Intranet
sites.
1. Your update didn't appear. Even though you've made a change to a document, the old version remains on
the Web. Until the new version appears, the time you spent updating it is wasted. If you can't find the new
version, you will have to redo the work. This problem typically happens because two copies of the same file
exist and the file you updated is not the file copied to the Web site. Say, you make a private copy "just in
case." A commendable precaution but prone to problems. This private copy will often by-pass scripts and
automated update tools. You may not notice that two long pathnames differ in a single component and you
alter the wrong file. With two copies of a file, mistakes will happen. Or to put it another way, duplicate files
diverge.
Copyright: The Art of Service Pty Ltd, 2003
39
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
You can solve this problem by controlling both how you change the original source document and how you
make those changes available on your Intranet site. Some kind of approval or promotion mechanism is most
useful. One of the first rules of change management states that you store each source file in only one place.
2. You can't restore an old version. You need to examine an old version, but you can't. The backup has failed,
or the changes were made during the time period between backups, or no backup exists for that directory.
You usually discover this problem when you realize someone has made a mistake in the new version or
released information before its time. For example, suppose you plan to change your internal purchasing system
and, with it, the related forms on the Web site. If the new forms are incompatible with the old forms, then new
page on the Web won't work with the old system. If you haven't put the new system in place yet, chaos will
follow. Prevention is the best solution to this problem. One clear method of prevention requires having a
backup methodology and an archive of all versions of the files on the Web server. Then, when a mistake does
occur, the older version can quickly replace the mistaken version. This ideal archiving system is simple,
automatic (or nearly so) and easy-to-use.
3. Multiple authors, multiple overwrites. Two people opening the same file at the same time for editing creates
an opportunity for file overwrites. In this situation, one person may save a file every minute while the other
makes changes over a couple of hours before saving. Consequently, that file is a free-fire zone. As soon as the
second person saves the file, all of the first person's changes disappear. Neither is careless, but a single save
command has erased two hours of work.
A change management system saves changes sequentially. It allows anyone to read a file at any time but
controls the ability to save changes to that file. If you want to change the file, you must lock it first. This lock
warns others that the file is being changed and prevents them from making changes. Then, when you finish
changing the file, you unlock it making it available for someone else to lock, edit, and unlock.
4. You don't know who changed what or when you discover a mistake in a document; you have no way of
knowing who changed the file. With most systems you have difficulty determining who changed a file and
when. Even if a file system records that last changed a file and at what time, that's usually all the information
the system provides. This kind of system rarely keeps a history of all the changes or of the reasons for those
changes.
Since a proper change management system keeps a record of all the changes, it's easy to add who changed the
files and when to the record. Ideally, you will enter a reason for the change like, "Fred added a new section to
the white paper on change management." On an Intranet site, every object should have its own history. A
single page may contain many different objects (graphical images, audio files, applets, etc.) each with its own
history. For example, if your corporate logo changes, regular visitors to your home page will recognize the
change. However, the change will actually take place in the image file not to the home page itself. A record of
changes to the home page won't help track changes to the logo.
5. Your Webmaster does all the work Organizations solve the problem of managing change to a Web site by
assigning the responsibility for change to their Webmaster. If an organization funnels all the work through a
single person, the Webmaster, then it automatically assumes that he or she is accountable for the accuracy of
the content. That funnel soon turns into a bottleneck, and the Webmaster who must do everything soon finds
he or she has no time to do anything.
A change management system approaches change in a more reasonable way. It evens out responsibility for
change by enabling multiple, authorized people to make changes to Web content. Much of the work involved in
putting files on a Web site is quite simple. It involves changing content, copying files, and confirming the links
are correct. These kinds of changes users can make for themselves rather than requiring the Webmaster do it
except for the possibility of mistakes.
By protecting the files on your Web site against unwanted changes, a sound change management policy
empowers users to make changes to documents in a structured, managed way. People can then work without
the fear of losing data and the Webmaster can have a moment or two of peace of mind.
Advanced features
As already mentioned, some users find the basic features of version control are not enough for their needs.
Typically, these people deal with the files rather than their content. They include team leaders, project
managers and Web site managers. The problems faced by these more sophisticated users include:
Finding differences: A user often needs to visualize the differences between any two versions of a file.
Object re-use: Some components of the Web pages on a site are standard for the site (i.e., graphics and logos)
and should be re-used as much as possible. Other parts are solutions to common problems and the program
should re-use these as well. Can the software handle groups of files? Synchronizing groups of files: Files
change at different rates; a team or project leader must ensure that particular sets of file revisions are kept
together.
Security: Large development projects require enhanced security. Some project maintenance actions should be
restricted to qualified or approved users.
Copyright: The Art of Service Pty Ltd, 2003
40
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
Approving content: If the Intranet is used as a staging ground for documents that will later appear on the
external Web site, there must be some way of distinguishing approved files and documents from those not
approved, provisionally approved or under review.
Team management: A Webmaster or a team leader cares about all the changes made to a group of files and all
the files locked for editing at any one time. This person requires a "group-view" of the file system that differs
from the narrowly focused view of a single user.
A Policy for Change
Begin with a sound policy when applying a change management system to Web development. Policy is the
rationale behind tools and procedures, and without a sound one, the tools won't be nearly as helpful as they
could be.
When drawing up a policy, consider both the organizational structure and the logical structure of the Web site
or sites:

Are people organized into teams, departments or, perhaps, in a flat structure? How does that reflect the
Web site?

Are files under a version control of any sort?

Is there both an Intranet and Internet site? If so, how do the content standards differ?
Once you determine the site's structure and needs, consider the process by which documents get to the site the approval cycle. Different organizations have different procedures. The common history of a published piece
of dynamic content is:

New content is generated. This may mean modifying old content or creating new content.

Content is approved. The person who created the content may be the only approving body, or there may
be a formal review process.

The Web page is tested. Again, the person who created it may handle this strictly, or there may be an
official tester or testing body.

The new content is made public.
The order may occur in a slightly different sequence, but these four steps happen. Some may even happen
more than once. If the content is not approved, new content must be generated again.
You must also ask specific questions when formulating a policy that identifies responsibility at different stages
in the process of documents getting to the site.
1. Who approves documents or file content?
In order to streamline the use of new content on a Web site, there needs to be an approval process in place.
The approval process will depend upon the nature of the content. For example, an art director may have
approval over the use of images or logos, especially if they apply across the entire organization, and a
development team leader may have to approve a new Java application.
2. Who will test the changed pages to ensure they are correct? How will the test be done?
This is an important part of the approval and validation process. Web pages on the Internet represent an
organization and mistakes do not reflect well even if they're relatively minor ones such as spelling errors or
incorrect links.
3. Who has access? In other words, who can replace or write to the files?
Even on an internal site it may be useful to establish a process for approval and access. On the external site,
perhaps only the Webmaster may change files, or perhaps the Webmaster and team leaders. In most
organizations, the person who places the file on the external server essentially approves it for publication.
Conclusion
The World Wide Web is almost synonymous with change. Essentially, every time you save a document you
create a new version of a Web document or applet -- you make change. Mastering the Web depends upon
managing that change properly. The ability to manage change depends, in turn, upon an effective version
control system. Version control reduces lost information, eliminates confusion and duplication of effort creating
bottlenecks, and keeps productivity up.
The growth of the Intranet has brought in a new breed of content providers: people not interested in learning
the technical details of version control. Therefore, version control must be made convenient, easy and invisible
to them. The key lies in integrating version control tightly with the Web server.
Of course basic version control isn't enough for Webmasters or professional developers who develop
complicated applications for the Web or organize large Web sites. These people require advanced version
control to deal with internal and external servers, firewalls, multiple source files and approval cycles. Advanced
version control is built upon a sound policy and understanding of the site's needs. It requires additional features
such as extensive audit trails, access control, and organizational tools such as projects and sandbox directories.
With a sound policy and the right tools, both the new breed of content providers and the old suppliers can
manage change effortlessly and with integrity.
Copyright: The Art of Service Pty Ltd, 2003
41
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
5.2.5 Release Management
As soon as Change Management has approved a change, where appropriate, it hands it
over to Release management to release the change into the appropriate environment.
Release Management performs version control and controls the movement of software,
hardware and other infrastructure components from the development environment to the
test environment and into production.
Release management also manages the Definitive Software Library (DSL), in which it
stores all master copies of the software CIs. The Definitive Hardware Store (DHS) is a
physical storage area with the authorised spare parts and other components of the nonsoftware CIs.
All products that go into the DSL of DHS need to be checked for damage and viruses
before they are stored.
The management of impending release notifications is an important part of this process
(especially with regard to advance warnings to the Service Desk).
EXTRA READING
Example of a release notice to end-users:
KDE 2.2 Release Plan
The following is the outline for our KDE 2.2 release schedule.
The 2.2 release, unlike the 2.1.1 release, will come with new functionality and improvements in many areas of
KDE.
We aim for the following improvements among others:
Better printing framework
IMAP support in kmail
All dates given here are subject to revision, but we will try our best to stick to them.
A.Guy is acting as release coordinator for the 2.2 releases.
KOffice 1.1 will be released independent from KDE 2.2. The KOffice 1.1 release schedule can be found here.
KDE 2.2 final
Monday July 16
The HEAD branch goes into deep-freeze. All commits should be posted for review _BEFORE_ commiting.
Sunday July 29
Last day for translations, documentation, icons and critical bugfixes commits.
Monday July 30
The HEAD branch of CVS is tagged KDE_2_2_RELEASE and the day is spent testing the release a final time.
Tuesday July 31
The tarballs are made and released to the packagers.
The rest of the week is spent testing the tarballs, packaging and writing the announcement and changelog.
Friday August 3
The source and binary packages are uploaded to ftp.kde.org to give some time for the mirrors to get them.
Monday August 6
Announce KDE 2.2.
Frequently Asked Questions
Which packages are included?
The current list of packages that will be in the 2.2 release is:
kdegraphics
kdeadmin
kdemultimedia
kdegames
kdeutils
kdetoys
kdepim
kdesdk
kdebindings
kdevelop
kdoc
New package: kdeaddons
New package: kdeartwork
Copyright: The Art of Service Pty Ltd, 2003
42
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
5.2.6 Configuration Management
There is no easy way to manage your IT service Delivery in a consistent manner, when
you don’t know all the resources that you have at your disposal.
Lot’s of IT organisations don’t know what they own, or what they use to deliver the IT
services to their customers.
Configuration Management is the process that keeps a track of all the Configuration
Items you need in order to deliver the IT Services.
Information about Configuration Items (CIs) is held in a Configuration Management Data
Base (CMDB).
CIs include –and are not limited to- Hardware items, software items, SLAs, Disaster
Recovery Plans, policy statements, etc.
Crucially a CMDB also defines relationships between CI’s. That is, whether a CI “is part
of”, “is connected to”, “belongs to”, “joins with”, etc. another CI.
Configuration Management makes sure that the information about the CIs, stored in the
CMDB, is accurate and up to date. All other processes rely heavily on this process.
EXTRA READING
Building a CM Database:
Nine Years at Boeing
Susan Grosjean
Boeing Electronic Products
A Boeing organization developed an Oracle-based database to track problems during the life cycle of the Boeing
777 airplane. Over nine years, it has evolved from mainframe to web implementation as technology has
become available. This article reviews some basic approaches to developing configuration management
databases and includes resulting lessons learned.
The Need for a Database System
Boeing Electronic Products (EP) designs and develops some of the avionics 1 for Boeing Commercial Airplanes
(BCAG).
About 1990, when the 777-airplane program was getting started 2, EP was instructed to develop an
electronic database to track and record problems encountered during design and development of EP electronics.
BCAG wanted a database it could access. After the 777 was fielded, all airplanes were to use this database.
The existing problem reporting system was paper-based. One paper copy of each problem report (PR) was
stamped "original." Multiple copies were made for each person assigned to work the problem. Each person
would record his or her response by writing on the hard copy. Periodically, the Integrated Product Team (IPT)
leader, responsible for a given piece of avionics, would call together all members of the team, known as the
Engineering Review Board. These meetings could last for hours, trying to take all inputs and create one original
PR. An easier way was needed to consolidate board members' input.
Requirements Definition and Implementation
Engineers, IPT leaders, and other potential customers did not seem to know what they wanted/needed in a
problem reporting system. All the organizational requirements were surveyed (EP Configuration Management
Plan, RTCA/DO-178B "Software Considerations in Airborne Systems and Equipment Certification," EP Software
Quality Assurance procedures, etc.). Using the PR as a guide, the existing process was captured in a flowchart
representation with a text description of each block. A requirements document was developed from this process
document.
The numbering scheme for the PRs was used in conjunction with automation of the problem reporting
process. A two-field scheme was used. The first field was an Avionics Product (LRU)3 designation such as 7WEU
(777 Airplane Warning Electronics Unit). The IPT leaders and auditors needed a list of all PRs for a desired
component. A search on this first field would provide that list. The second field was a four-digit number that
was assigned sequentially. Once a PR receives this two-field dash number, it cannot be deleted, so there is no
break in the numbering sequence. This simplified the IPT leader's control and made any audit process easier.
Four text fields, as well as signature blocks, were associated with each PR. Each text field needed to
Copyright: The Art of Service Pty Ltd, 2003
43
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
accommodate extensive data (20,000 characters each). In the PR heading were smaller fields for pertinent data
needed for tracking and reporting. The entry of valid data to these fields was enforced through the use of pulldown lists that provided all valid options for a given field.
Because of the size and quantity of PRs, the speed and capacity of a mainframe was needed. EP chose to
use Oracle on a VAX mainframe rather than an IBM due to the availability of VAX programmers in EP. EP was
unable to find an existing user interface to meet its requirements. User access to the mainframe was via dumb
monochrome monitors or by loading an access icon to the personal computers
A major implementation complication was the need to have five variations of the PR (i.e. variations on the
fields and associated process). The struggle to agree on a uniform PR form and process was futile; each user
organization wanted its own little corner of the world. The result was five different PR databases. Maintaining
requirements, processes, procedures, updates, and training for five different databases was a nightmare.
Throughout the PR process (see Figure 1), e-mail messages were to be triggered to inform personnel and to
assign tasks. There are now 43 possible messages for each PR. For instance, after an originator of a PR has
completed the appropriate "title" and "description" fields, the system sends the PR as an e-mail message to
those responsible for the product (component) in question. The length of these e-mail messages was a
challenge, since they included the 20,000-character-length text fields. This will be solved by e-mailing only a
brief message that includes a URL access to the web site that the assigned can access to see the complete PR
and perform the applicable function.
The system also automatically changes the status of the PR as it moves through the phases shown in Figure
1. Portions of a PR are approved in each phase. After approval, the status changes and fields are locked,
preventing changes by unauthorized persons. Engineers, configuration management specialists, and IPT leaders
have different levels of authorization.
User Acceptance of the System
After implementation of the requirements and extensive testing, the database was given to the users. A
program directive and a users manual were written. Hands-on training was also conducted—not an intensive
course, but intended to acquaint the user with the database and convey some of the rationale used for its
creation.
Function Keys
The users' first reaction was, "This database is not user friendly." No one liked using the function keys to move
around the database. Many keyboards did not support the function keys we were using, and corresponding
control keys, ^B or F10 = Exit had to be developed. These keystrokes were displayed at the bottom of each
screen.
Unlike the paper PR, the electronic version forced the entry of required information. The IPT leaders did not
like the fact that the database forced everyone to do business the same way, and that it had checks and
balances in place to ensure this practice.
But users liked the information the system provided: the position of a given PR in the life cycle, e-mail
notification of PR status, who was assigned to work PR related tasks, and visibility into process bottlenecks. If a
PR had languished on someone's desk for months, the IPT leader needed to know that. Sometimes the IPT
leader was surprised to find that the languishing occurred on his or her own desk. Canned reports included
listings of all PRs by responsible IPT leader or by assignee, and totals of the quantity of PRs by open and closed
status.
Windows
Three years ago, Oracle offered Developer/2000, allowing a user-friendlier front end. We needed to retain the
VAX, as by now all four-text fields had increased to 65,000 characters each. With high-level management
backing during the implementation of the front end, all Seattle-based groups adopted a single PR form. The
groups also agreed with using basically the same process.
The Parts Engineering Organization in Seattle levied additional requirements, as it wanted a way to track
and record problem reports involving obsolete parts.
Since single part obsolescence is often common to several LRUs, a process enhancement was created to
generate multiple corresponding PRs. A parent PR (the first PR written) is created and duplicate copies are
made for each impacted LRU. These child copies retain a link to the parent. When the child PRs are closed, the
parent PR can be closed.
Requirements expanded beyond Seattle to Irving, Texas—our manufacturing site. Irving has a problemreporting system also implemented in Oracle. A requirement to transmit engineering problems between the
Seattle and Irving databases was accomplished by developing an interface that transfers the PR from their
database to Seattle's.
The Seattle system now has approximately 1,000 users with about 40,000-recorded problems. The
database tracks and creates reports for any type of problem encountered by EP (product, test, obsolete parts,
production) as well as lessons learned, action items, corrective actions, and PRs against the database itself.
Intranet
Access via the Boeing web is partially implemented. This provides access from more locations but with slower
response times than those experienced by users who access the system directly using the software application
windows front end. The database is migrated off the VAX to a Unix operating system.
Copyright: The Art of Service Pty Ltd, 2003
44
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
Lessons Learned
You might consider commercial off-the-shelf tools that may meet most of your requirements or investigate
other organizations or divisions using a tool similar to your requirements. Implementing this system has been a
lot of work spread sporadically over nine years. Remember, EP had in-house Oracle developers; many
organizations do not have similar resources.
Establish a team to consider new requirements. One result of nine years of experience is EP's use of an
Engineering Review Board that helps determine if a change or enhancement will benefit all users. This database
has a PR type, which enables the users to write a PR against the PR system. These PRs include problems
encountered and enhancements.
Designate a focal point to write and transmit requirements to the database programmer. This should be one
or two people who are familiar with the database and who interface well with the programmer. Once approved
by the Engineering Review Board, the focal point writes or rewrites the requirements to ensure the programmer
easily understands them. The change/enhancement is added to the users manual and if the
change/enhancement is substantial, training is scheduled.
Consider the importance of your testing approach. For the first four years, a separate test database was
maintained. Later, the test database was dropped because of the work required to maintain it. Testing is now
performed on the production database. This has been a cost-effective compromise that has resulted in few
bugs.
Make sure there is room to grow. In this case, text fields have grown from 20,000 characters to 65,000.
Other organizations may decide to use the database once it has proven itself. Also, the more you give users,
the more they seem to want.
Sponsorship can make it easier. Once senior management saw the benefit of using a standard process, a
single PR, and a single database, EP no longer had to maintain separate requirements, processes, procedures,
and updates.
Technology improvements can make it easier. By providing pull-down and pop-up lists within the PR fields,
diverse users could live with the generic PR.
Training is essential to the effectiveness of the database and the user. It saves users hours of time by not
having to struggle with an unknown element, and gives them hands-on experience.
Help lines and training manuals are important in helping users further understand what they are expected
to do. Help lines appear throughout most of the screens to inform and ensure that the PR is completed
accurately. The training manual for this database is set up for step-by-step instructions with visual aids.
Summary
Boeing's need for a CM database has been outlined. Defining the database requirements in specific terms for
design and implementation presented some challenges. The implementation presented user interface
challenges. The system has evolved to meet new requirements and to exploit new technology.
About the Author
Susan C. Grosjean is a configuration management specialist with the Electronic Products Group. She has 20
years of configuration management experience at Boeing. Prior to developing the database described in this
article, she developed status accounting databases for the B1-B and B2 bombers.
Boeing Commercial Airplane Group
P.O. Box 3707, No. MS OU-47
Seattle, Wash. 98124-2207
425-266-3731
Susan.Grosjean@PSS.Boeing.com
Notes
1. Electrical and electronic devices in aviation, including the software embedded in those devices.
2. For BCAG, the 777 airplanes represented an unprecedented software challenge in terms of the size and
complexity of the airplane's systems. The 2.5 million lines of newly developed software were approximately
six times more than any previous Boeing commercial airplane development program. Including
commercial-off-the- shelf and optional software, the total size is more than 4 million lines of code. This
software was implemented in 79 different systems produced by various suppliers throughout the world.
CrossTalk January 1996, "Software Development for the Boeing 777."
3. Line replaceable unit is the terminology for the circuit board, drawer, or cabinet that can be removed and
replaced when hardware failure occurs.
4. Class I Changes are called Engineering Change Proposals (ECPs) and consist of changes that are so
extensive that additional customer funds must be contracted to implement the change. Changes smaller
that Class I are called Class II.
Copyright: The Art of Service Pty Ltd, 2003
45
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
6 Security Management
6.1 Introduction
Business processes can no longer operate without a supply of information. In fact, more
and more business processes consist purely of one or more information systems.
Information Security Management is an important activity, which aims to control the
provision of information, and to prevent unauthorised use of information. For many
years, Information Security Management was largely ignored. However, this is changing.
Security is now considered as one of the main management challenges for the coming
years. The interest in this discipline is increasing because of the growing use of the
Internet and e-commerce in particular.
More and more businesses are opening electronic gateways into their business. This
introduces the risk of intrusion. What risks do we want to cover, and what measures
should we take now and in the next budgeting round? Senior Management has to take
decisions and these decisions can only be taken if a thorough risk analysis is undertaken.
This analysis should provide input to Security Management to determine the security
requirements. These requirements affect IT service providers and should be laid down in
Service Level Agreements. Security Management aims to ensure that the security
aspects of services are provided at the level agreed with the customer at all times.
Security is now an essential quality aspect of management. Security Management
integrates security in the IT organisation from the service provider’s point of view. The
Code of Practice for Information Security Management (BS 7799) provides guidance for
the development, introduction and evaluation of security measures.
6.1.1 Basic concepts
Security Management comes under the umbrella of Information Security, which aims to
ensure the safety of information. Safety refers to not being vulnerable to known risks,
and avoiding unknown risks where possible. The tool to provide this is security. The aim
is to protect the value of the information. This value depends on confidentiality, integrity
and availability.



Confidentiality: protecting information against unauthorised access and use.
Integrity: accuracy, completeness and timeliness of the information.
Availability: the information should be accessible at any agreed time.
This depends on the continuity provided by the information processing systems.
Secondary aspects include privacy (confidentiality and integrity of information relating
to individuals), anonymity, and verifiability (being able to verify that the information is
used correctly and that the security measures are effective).
6.2 Objectives
In recent decades, almost all businesses have become more dependent on information
systems. The use of computer networks has also grown, not only within businesses but
also between them, and between businesses and the world outside. The increasing
complexity of IT infrastructure means that businesses are now more vulnerable to
technical failures, human error, intentional human acts, hackers and crackers, computer
viruses, etc. This growing complexity requires a unified management approach. Security
Management has important ties with other processes. Other ITIL processes, under the
supervision of Security Management, carry out some security activities.
Security Management has two objectives:
Copyright: The Art of Service Pty Ltd, 2003
46
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0


To meet the security requirements of the SLAs and other external requirements
further to contracts, legislation and externally imposed policies.
To provide a basic level of security, independent of external requirements Security
Management is essential to maintaining the uninterrupted operation of the IT
organisation.
It also helps to simplify Information Security Service Level Management, as it is much
more difficult to manage a large number of different SLAs than a limited number.
The process input is provided by the SLAs, which specify security requirements, possibly
supplemented by policy documents and other external requirements. The process also
receives information about relevant security issues in other processes, such as security
incidents. The output includes information about the achieved implementation of the
SLAs, including exception reports and routine security planning.
At present, many organisations deal with Information Security at the strategic level in
information policy and information plans, and at the operational level by purchasing tools
and other security products. Insufficient attention is given to the active management of
Information Security, the continuous analysis and translation of policies into technical
options, and ensuring that the security measures continue to be effective when the
requirements and environment change. The consequence of this missing link is that, at
the tactical management level, significant investments are made in measures that are no
longer relevant, at a time when new, more effective measures ought to be taken.
Security Management aims to ensure that effective Information Security measures are
taken at the strategic, tactical and operational levels.
6.2.1 Benefits
Information Security is not a goal in itself; it aims to serve the interests of the business
or organisation. Some information and information services will be more important to the
organisation than others. Information Security must be appropriate to the importance of
the information. Striking a balance between security measures and the value of the
information, and threats in the processing environment develops tailor-made security.
An effective information supply, with adequate Information Security is important to an
organisation for two reasons:
 Internal reasons: an organisation can only operate effectively if correct and
complete information is available when required. The level of Information Security
should be appropriate for this.
 External reasons: the processes in an organisation create products and services,
which are made available to the market or society, to meet defined objectives. An
inadequate information supply will lead to substandard products and services,
which cannot be used to meet the objectives and which will threaten the survival
of the organisation. Adequate Information Security is an important condition for
having an adequate information supply. The external significance of Information
Security is therefore determined in part by the internal significance. Security can
provide significant added value to an information system. Effective security
contributes to the continuity of the organisation and helps to meet its objectives.
6.3 Process
Organisations and their information systems change. Checklists such as the Code of
Practice for Information Security Management are static and insufficiently address rapid
changes in IT. For this reason, Security Management activities must be reviewed
continuously to ensure their effectiveness. Security Management amounts to a neverending cycle of plan, do, check, and act. The activities undertaken by Security
Management, or undertaken in other processes under the control of Security
Management are discussed below. The security section of the Service Level Agreement
defines these requirements in terms of the security services and the level of security to
be provided.
Copyright: The Art of Service Pty Ltd, 2003
47
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
The service provider communicates these agreements to his organisation in the form of a
Security Plan, defining the security standards or Operational Level Agreements. This plan
is implemented, and the implementation is evaluated. The plan and its implementation
are then updated. Service Level Management reports about these activities to the
customer. Thus, the customer and the service provider together form a complete cyclical
process. The customer can modify his requirements on the basis of the reports. And the
service provider can adjust the plan or its implementation on the basis of these
observations, or aim to change the agreements defined in the SLA.
Diagram: The Security Management Cycle
6.4 Activities
6.4.1 Control - Information Security policy and organisation
The Control activity in the centre of diagram above is the first activity of Security
Management and relates to the organisation and management of the process. This
includes the Information Security management framework. This framework describes the
sub processes: the definition of security plans, their implementation, evaluation of the
implementation, and incorporation of the evaluation in the annual security plans (action
plans). The reports provided to the customer, via Service Level Management, are also
addressed. This activity defines the sub processes, security functions, and roles and
responsibilities. It also describes the organisational structure, reporting arrangements,
Copyright: The Art of Service Pty Ltd, 2003
48
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
and line of control (who instructs who, who does what, how is the implementation
reported).
The following measures from the Code of Practice are implemented by this activity.
Policy:
 Policy development and implementation, links with other policies.
 Objectives, general principles and significance.
 Description of the sub processes.
 Allocating functions and responsibilities for sub processes.
 Links with other ITIL processes and their management.
 General responsibility of personnel.
 Dealing with security incidents.
Information Security organisation:
 Management framework.
 Management structure (organisational structure).
 Allocation of responsibilities in greater detail.
 Setting up an Information Security Steering Committee.
 Information Security coordination.
 Agreeing tools (e.g. for risk analysis and improving awareness).
 Description of the IT facilities authorisation process, in consultation with the
customer.
 Specialist advice.
 Cooperation between organisations, internal and external communications.
 Independent EDP audit.
 Security principles for access by third parties.
 Information Security in contracts with third parties.
6.4.2 Plan
The Planning activity includes defining the security section of the SLA in consultation with
Service Level Management, and the activities in the Underpinning Contracts related to
security. The objectives in the SLA, which are defined in general terms, are detailed and
specified in the form of an Operational Level Agreement. An OLA can be considered as
the security plan for an organisational unit of the service provider, and as a specific
security plan, for example for each IT platform, application and network. The Planning
activity not only receives input from the SLA but also from the service provider's policy
principles (from the Control activity). Examples of these principles include: ‘Every user
should be uniquely identifiable’, and ‘A basic security level is provided to all customers,
at all times.’ The Operational Level Agreements for Information Security (specific security
plans) are drafted and implemented using the normal procedures. This means that,
should activities be required in other processes, there will have to be coordination with
these processes. Change Management using input provided by Security Management
makes any required Changes to the IT infrastructure. The Change Manager is responsible
for the Change Management process. The Planning activity is discussed with Service
Level Management to define, update and comply with the security section of the SLA.
The Service Level Manager is responsible for this coordination. The SLA should define the
security requirements, where possible in measurable terms. The customer's security
requirements and standards have to be verified, realistic and achievable.
6.4.3 Implement
The Implementation sub process aims to implement all the measures specified in the
plans.
The following checklist can support this activity.
Classification and management of IT resources:
Copyright: The Art of Service Pty Ltd, 2003
49
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0


Providing input for maintaining the CIs in the CMDB
Classifying IT resources in accordance with agreed guidelines
Personnel security:
 Tasks and responsibilities in job descriptions.
 Screening.
 Confidentiality agreements for personnel.
 Training.
 Guidelines for personnel for dealing with security incidents and observed security
weaknesses.
 Disciplinary measures.
 Increasing security awareness.
Managing security:
 Implementation of responsibilities, implementation of job separation.
 Written operating instructions.
 Internal regulations.
 Security should cover the entire life cycle; there should be security guidelines for
system development, testing, acceptance, operations, maintenance and phasing
out.
 Separating the development and test environments from the production
environment.
 Procedures for dealing with incidents (handled by Incident Management).
 Implementation of recovery facilities.
 Providing input for Change Management.
 Implementation of virus protection measures.
 Implementation of management measures for computers, applications, networks
and network services.
 Handling and security of data media.
Access control:
 Implementation of access and access control policy.
 Maintenance of access privileges of users and applications to networks, network
services, computers, and applications.
 Maintenance of network security barriers (firewalls, dial-in services, bridges and
routers).
 Implementation of measures for the identification and authentication of computer
systems, workstations and PCs on the network.
6.4.4 Evaluate
An independent evaluation of the implementation of the planned measures is essential.
This evaluation is needed to assess the performance and is also required by customers
and third parties. The results of the Evaluation activity can be used to update the agreed
measures in consultation with the customers, and also for their implementation. The
results of the evaluation may suggest changes, in which case an RFC is defined and
submitted to the Change Management process.
There are three forms of evaluation:
 Self-assessments: primarily implemented by the line organisation of the
processes.
 Internal audits: undertaken by internal EDP auditors.
 External audits: undertaken by external EDP auditors.
Unlike self-assessments, the same personnel that act in the other sub processes do not
undertake audits. This is to ensure that the responsibilities are separated.
Copyright: The Art of Service Pty Ltd, 2003
50
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
Evaluations are also carried out in response to security incidents.
The main activities are:
 Verifying compliance with the security policy and implementation of security
plans.
 Performing security audits on IT systems.
 Identifying and responding to inappropriate use of IT resources.
 Undertaking the security aspects of other EDP audits.
6.4.5 Maintenance
Security requires maintenance, as risks change due to changes in the IT infrastructure,
organisation and business processes. Security maintenance includes the maintenance of
the security section of the SLA and maintenance of the detailed security plans.
Maintenance is carried out on the basis of the results of the Evaluation activity and an
assessment of changes in the risks. These proposals can either be introduced into the
Planning activity, or included in the maintenance of the SLA as a whole. In either case,
the proposals can result in including activities in the annual security plan. Any changes
are subject to the normal Change Management process.
6.4.6 Reporting
Reporting is not a activity, but an output of the other sub processes. Reports are
produced to provide information about the achieved security performance and to inform
the customers about security issues. These reports are generally required under
agreement with the customer.
Reporting is important, both to the customer and to the service provider. Customers
must be informed correctly about the efficiency of the efforts (e.g. with respect to
implementing security measures), and the actual security measures. The customer is
also informed about any security incidents.
A list with some suggestions for reporting options is included below.
Examples of scheduled reports and reportable events:
The Planning activity
 Reports about the extent of compliance with the SLA and agreed Key Performance
Indicators for security.
 Reports about Underpinning Contracts and any problems associated with them.
 Reports about Operational Level Agreements (internal security plans) and the
provider's own security principles (e.g. in the baseline).
 Reports about annual security plans and action plans.
The Implementation activity
 Status reports about the implementation of Information Security. This includes
progress reports about the implementation of the annual security plan, possibly a
list of measures which have been implemented or are yet to be implemented,
training, outcome of additional risk analyses, etc.
 A list of security incidents and responses to these incidents, optionally a
comparison with the previous reporting period.
 Identification of incident trends.
 Status of the awareness programme.
The Evaluation activity
 Reports about the sub process as such.
 Results of audits, reviews, and internal assessments.
 Warnings, identification of new threats.
Copyright: The Art of Service Pty Ltd, 2003
51
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
Specific reports
To report on security incidents defined in the SLA, the service provider must have a
direct channel of communication to a customer representative (possibly the Corporate
Information Security Officer) through the Service Level Manager, Incident Manager or
Security Manager. A procedure should also be defined for communication in special
circumstances.
Apart from the exception in the event of special circumstances, reports are
communicated through Service Level Management.
6.4.7 Relationships with other processes
Security Management has links with the other ITIL processes. This is because the other
processes undertake security-related activities. These activities are carried out in the
normal way, under the responsibility of the relevant process and process manager.
However, Security Management gives instructions about the structure of the securityrelated activities to the other processes. Normally, these agreements are defined after
consultation between the Security Manager and the other process managers.
Configuration Management
In the context of Information Security, Configuration Management is primarily relevant
because it can classify Configuration Items. This classification links the CI with specified
security measures or procedures.
The classification of a CI indicates its required confidentiality, integrity and availability.
This classification is based on the security requirements of the SLA. The customer of the
IT organisation determines the classification, as only the customer can decide how
important the information or information systems are to the business processes. The
customer bases the classification on an analysis of the extent to which the business
processes depend on the information systems and the information. The IT organisation
then associates the classification with the relevant CIs. The IT organisation must also
implement this set of security measures for each classification level. These sets of
measures can be described in procedures. Example: ‘Procedure for handling storage
media with personal data’. The SLA can define the sets of security measures for each
classification level. The classification system should always be tailored to the customer's
organisation. However, to simplify management it is advisable to aim for one unified
classification system, even when the IT organisation has more than one customer.
In summary, classification is a key issue. The CMDB should indicate the classification of
each CI. This classification links the CI with the relevant set of security measures or
procedure.
Incident Management
Incident Management is an important process for reporting security incidents. Depending
on the nature of the incident, security incidents may be covered by a different procedure
than other Incidents. It is therefore essential that Incident Management recognise
security incidents as such. Any Incident, which may interfere with achieving the SLA
security requirements, is classified as a security incident. It is useful to include a
description in the SLA of the type of Incidents to be considered as security incidents. An
Incident that interferes with achieving the basic internal security level (baseline) is also
always classified as a security incident. Incidents reports are generated not only by
users, but also by the management process, possibly on the basis of alarms or audit data
from the systems. It is clearly essential that Incident Management recognise all security
incidents. This is to ensure that the appropriate procedures are initiated for dealing with
security incidents. It is advisable to include the procedures for different types of security
incidents in the SLA plans and to practice the procedure. It is also advisable to agree a
procedure for communicating about security incidents. It is not unusual for panic to be
created by rumours blown out of proportion.
Copyright: The Art of Service Pty Ltd, 2003
52
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
Similarly, it is not unusual for damage to result from a failure to communicate in time
about security incidents. It is advisable to route all external communications related to
security incidents through the Security Manager.
Problem Management
Problem Management is responsible for identifying and solving structural security
failings. A Problem may also introduce a security risk. In that case, Problem Management
must involve Security Management in resolving the Problem. Finally, the solution or
workaround for a Problem or Known Error must always be checked to ensure that it does
not introduce new security problems. This verification should be based on compliance
with the SLA and internal security requirements.
Change Management
Change Management activities are often closely associated with security because Change
Management and Security Management are interdependent. If an acceptable security
level has been achieved and is managed by the Change Management process, then it can
be ensured that this level of security will also be provided after Changes. There are a
number of standard operations to ensure that this security level is maintained. Each RFCs
is associated with a number of parameters, which govern the acceptance procedure. The
urgency and impact parameters can be supplemented by a security parameter. If an
RFCs can have a significant impact on Information Security then more extensive
acceptance tests and procedures will be required.
The RFCs should also include a proposal for dealing with security issues. Again, this
should be based on the SLA requirements and the basic level of internal security required
by the IT organisation. Thus, the proposal will include a set of security measures, based
on the Code of Practice.
Preferably, the Security Manager (and possibly also the customer’s Security Officer)
should be a member of the Change Advisory Board (CAB).
Nevertheless, the Security Manager need not be consulted for all Changes. Security
should normally be integrated with routine operations. The Change Manager should be
able to decide if they or the CAB need input from the Security Manager. Similarly, the
Security Manager need not necessarily be involved in the selection of measures for the
CIs covered by the RFCs.
This is because the framework for the relevant measures should already exist. Any
questions should only relate to the way in which the measures are implemented.
Any security measures associated with a Change should be implemented at the same
time as the Change itself, and be included in the tests. Security tests differ from normal
functional tests. Normal tests aim to investigate if defined functions are available.
Security tests not only address the availability of security functions, but also the absence
of other, undesirable functions as these could reduce the security of the system.
In terms of security, Change Management is one of the most important processes. This is
because Change Management introduces new security measures in the IT infrastructure,
together with Changes to the IT infrastructure.
Release Management
All new versions of software, hardware, data communications equipment, etc. should be
controlled and rolled out by Release Management. This process will ensure that:






The correct hardware and software are used.
The hardware and software are tested before use.
The introduction is correctly authorised using a Change.
The software is legal.
The software is free from viruses and that viruses are not introduced during its
distribution.
The version numbers are known, and recorded in the CMDB by Configuration
Management.
Copyright: The Art of Service Pty Ltd, 2003
53
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0

The rollout is managed effectively.
This process also uses a regular acceptance procedure, which should include Information
Security aspects. It is particularly important to consider security aspects during testing
and acceptance. This means that the security requirements and measures defined in the
SLA should be complied with at all times.
Service Level Management
Service Level Management ensures that agreements about the services to be provided to
customers are defined and achieved. The Service Level Agreements should also address
security measures. The objective is to optimise the level of service provided.
Service Level Management includes a number of related security activities, in which
Security Management plays an important role:
1. Identification of the security needs of the customer. Naturally, determining the
security needs is the responsibility of the customer as these needs are based on their
business interests.
2. Verifying the feasibility of the customer's security requirements.
3. Proposing, discussing and defining the security level of the IT services in the SLA.
4. Identifying, developing and defining the internal security requirements for IT services
(Operational Level Agreements).
5. Monitoring the security standards (OLAs).
6. Reporting on the IT services provided.
Security Management provides input and support to Service Level Management for
activities 1 - 3. Security Management carries out activities 4 and 5. Security Management
and other processes provide input for activity 6. The Service Level Manager and the
Security Manager decide in consultation that actually undertakes the activities.
When defining an SLA it is normally assumed that there is a general basic level of
security (baseline). Additional security requirements of the customer should be clearly
defined in the SLA.
Availability Management
Availability Management addresses the technical availability of IT components in relation
to the availability of the service. The quality of availability is assured by continuity,
maintainability and resilience. Availability Management is the most important process
related to availability. As many security measures benefit both availability and the
security aspects confidentiality and integrity, effective coordination of the measures
between Availability Management, IT Service Continuity Management, and Security
Management is essential.
Capacity Management
Capacity Management is responsible for the best possible use of IT resources, as agreed
with the customer. The performance requirements are based on the qualitative and
quantitative standards defined by Service Level Management. Almost all Capacity
Management activities affect availability and therefore also Security Management.
IT Service Continuity Management
IT Service Continuity Management ensures that the impact of any contingencies is
limited to the level agreed with the customer. Contingencies need not necessarily turn
into disasters. The major activities are defining, maintaining, implementing, and testing
the contingency plan, and taking preventive action. Because of the security aspects,
there are ties with Security Management. On the other hand, failure to fulfil the basic
security requirements may be considered itself as a contingency.
Copyright: The Art of Service Pty Ltd, 2003
54
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
6.4.8 Security section of the Service Level Agreement
The Service Level Agreement (SLA) defines the agreements with the customer. The
Service Level Management process is responsible for the SLA. The SLA is the most
important driver for all ITIL processes. The IT organisation indicates to what extent the
requirements of the SLA are achieved, including security requirements. The security
elements addressed in the SLA should correspond to the security needs of the customer.
The customer should identify the significance of all business processes. These business
processes depend on IT services, and therefore on the IT organisation. The customer
determines the security requirements on the basis of a risk analysis. The security
elements are discussed between the representative of the customer and the
representative of the service provider. The service provider compares the customer's
Service Level Requirements with their own Service Catalogue, which describes their
standard security measures (the Security Baseline). The customer may have additional
requirements. The customer and provider compare the Service Level Requirements and
the Service Catalogue. The security section of the SLA can address issues such as the
general Information Security policy, a list of authorised personnel, asset protection
procedures, restrictions on copying data, etc.
6.4.9 The Security section of the Operational Level Agreement
The Operational Level Agreement is another important document. It describes the
services provided by the service provider. The provider must associate these agreements
with responsibilities within the organisation. The Service Catalogue gives a general
description of the services. The Operational Level Agreement translates these and
general descriptions into all services and their components, and the way in which the
agreements about the service levels are assured within the organisation.
Example: the Service Catalogue refers to ‘managing authorisations per user and per
individual’. The Operational Level Agreements details this for all relevant services
provided by the IT organisation. In this way, the implementation of the measure is
defined for the departments providing UNIX, VMS, NT, Oracle services, etc. Where
possible, the customer's Service Level Requirements are interpreted in terms of the
provider's Service Catalogue, and additional agreements are concluded where necessary.
Such additional measurements exceed the standard security level. When drafting the
SLA, measurable Key Performance Indicators (KPI) and criteria must also be agreed for
Security Management. KPIs are measurable parameters (metrics), and performance
criteria are set at achievable levels. In some cases it will be difficult to agree on
measurable security parameters. This is easier for availability, which can generally be
expressed numerically. However, this is much more difficult for integrity and
confidentiality. For this reason, the security section of the SLA normally describes the
required measures in abstract terms. The Code of Practice for Information Security
Management is used as a basic set of security measures. The SLA also describes how
performance is measured. The IT organisation (service provider) must regularly provide
reports to the user organisation (customer).
6.5 Process control
6.5.1 Critical success factors and performance indicators
The critical success factors are:
 Full management commitment and involvement.
 User involvement when developing the process.
 Clear and separated responsibilities.
The Security Management performance indicators correspond with the Service Level
Management performance indicators, in so far as these relate to security issues covered
by the SLA.
Copyright: The Art of Service Pty Ltd, 2003
55
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
6.5.2 Functions and roles
In small IT organisations, one person may manage several processes. While in large
organisations, several persons will be working on one process, such as Security
Management. In this case there is normally one person appointed as Security Manager.
The Security Manager is responsible for the effective operation of the Security
Management process. Their counterpart in the customer's organisation is the Information
Security Officer, or Corporate Information Security Officer.
6.6 Points of Attention and costs
As with any process there are areas that could undermine the successful implementation.
The following section details some of the areas that must be covered to make the
process implementation worthwhile.
The final section looks briefly at some of the cost areas when it comes to the introduction
of Security Management.
6.6.1 Points of attention
The following issues are essential to the successful implementation of Security
Management:
 Commitment: security measures are rarely accepted immediately, resistance is
more common than acceptance. Users resent losing certain privileges due to
security measures, even if these facilities are not essential to their work. This is
because the privileges give them a certain status. A special effort will therefore
have to be made to motivate users, and to ensure that management complies
with the security measures. In the field of Security Management in particular,
management must set an example (‘walk the talk’ and ‘lead by example’). If there
are no security incidents, then management may be tempted to reduce the
Security Management budget.
 Attitude: information systems are not insecure due to technical weaknesses, but
due to the failure to use the technology. This is generally related to attitude and
human behaviour. This means that security procedures must be integrated with
routine operations.
 Awareness: awareness, or rather communication, is a key concept. There
sometimes appears to be a conflict of interest between communication and
security – communication paves the road, while security creates obstacles. This
means that implementing security measures requires the use of all
communication methods to ensure that users adopt the required behaviour.
 Verification: it should be possible to check and verify security. This concerns
both the measures introduced, and the reasons for taking these measures. It
should be possible to verify that the correct decisions have been taken in certain
circumstances. For example, it should also be possible to verify the authority of
the decision-makers.
 Change Management: frequently the verification of continued compliance with
the basic level of security wanes over time when assessing Changes.
 Ambition: when an organisation wants to do everything at once, mistakes are
often made. When introducing Security Management, the implementation of
technical measures is much less important than organisational measures.
Changing an organisation requires a gradual approach and will take a long time.
 Lack of detection systems: new systems, such as the Internet, were not
designed for security and intruder detection. This is because developing a secure
system takes more time than developing a non-secure system, and conflicts with
the business requirements of low development costs and a short time-to-market.
Copyright: The Art of Service Pty Ltd, 2003
56
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
6.6.2 Costs
Securing the IT infrastructure demands personnel, and therefore money, to take,
maintain and verify measures. However, failing to secure the IT infrastructure also costs
money (cost of lost production; cost of replacement; damage to data, software, or
hardware; loss of reputation; fines or compensation relating to failure to fulfil contractual
obligations). As always, a balance will have to be struck.
Copyright: The Art of Service Pty Ltd, 2003
57
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
EXTRA READING
Central Command Releases Its Annual Computer Security Survey Results for 2002
Virus protection concerns continue to increase among P2P users; Cyber-warfare likely according to
respondents
MEDINA, Ohio, September 24, 2002 - Central Command, Inc., a leading provider of PC anti-virus software and
computer security services announced today the findings of its annual security survey. The survey, reflecting
up-to-date industry trends, was e-mailed to 943,026 PC users worldwide and explored individual's computer
security settings and behaviours with known computer security vulnerabilities. With a 7% response rate, the
survey provides valuable insight on the constant battle with computer viruses.
Given the horrific events of September 11, 2001, multiple questions were given seeking user opinion on the
world's war on terror in regards to online security. The survey surprisingly showed that nearly three-fourths of
the respondents felt that some form of cyber-warfare is likely to occur in the near future. In a related question,
67% strongly feel that their respective country is not yet prepared to combat against such a major threat. The
top response rate came out of North America.
The results also displayed a significant increase in virus awareness. For the first time, responses showed that
users are beginning to understand the importance of protecting themselves from computer viruses and other
forms of malicious software (malware).
When asked about the handling of email attachments from an unknown source, the results showed that 58% of
the respondents would delete the attachment immediately and 41% expressed they practiced extreme caution
when viewing any attachment regardless of the sender. "These numbers mark a great improvement from a
year ago. We have relentlessly preached about the risks associated with email attachments and we're finally
seeing that message sticking in users minds. Unfortunately, the lesson doesn't end with email-based worms
as other types of applications are now being targeted," said Steven Sundermeier, product manager at Central
Command, Inc. On a similar note, 29% claim to have all the latest security patches installed, up 15% from a
year ago.
As file-sharing applications like KaZaA, iMesh, Napster continue to increase in popularity so does the number of
malicious programs (ie. trojans, worms) written to exploit these networks. Of the 65% of surveyed users who
regularly use these types of applications, over 39% responded that they were unaware of any dangers
associated with file sharing and the security holes they can open. An increase in P2P instant messaging
software as the preferred form of online communication raised concern about the future of virus writing trends
in these channels.
The number one reported virus, according to the survey, was Worm/Klez.E,G. Nearly one-forth of home and
office PC users responding claimed Klez infected their system over the last year. One in every ten responses
claimed to have had a W32/Nimda infection. "This statistic closely mirrors the number of virus occurrences
confirmed through our Emergency Virus Response Team. Based on the percentage of all tracked viruses, our
top five tracked viruses for the summer of 2002 included Worm/Klez.E,G (52.1%), W32/Elkern.C (13.8%),
W32/Yaha.E (9.6%), Worm/W32.Sircam (5.7%), and W32/Nimda (2.4%)."
Central Command noted that over the past year infection reports, factoring out the top five infectors, have
dropped 3.2% over the past year.
The full results of the survey are published on Central Command's website at:
http://www.centralcommand.com/safesurvey2002.html
Vexira Antivirus starts at $29.95, and a free 30-day trial version may be downloaded by clicking here or
obtained by contacting Central Command at +1-330 723-2062.
About Central Command: A leader in the anti-virus industry, Central Command, Inc., a privately held company,
serves home PC users and industrial, financial, government, education and service firms with virus protection
software, services, and information. The company services customers in over 91 countries and is
headquartered in Medina, Ohio. Visit Central Command online at (www.centralcommand.com) or call 1-330723-2062 for more information.
Central Command, EVRT, Vexira, and Emergency Virus Response Team are trademarks of Central Command,
Inc. All other trademarks, trade names, and products referenced herein are property of their respective owners.
Copyright: The Art of Service Pty Ltd, 2003
58
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
7
IT Service Management Tools
Every IT organisation uses tools to support its ability to deliver services and perform
processes. The type of tool you need, is dependent on what you want to get out of it.
For small organisations, the tool can be an Excel Spreadsheet. For larger organisations,
there are a great number of commercial tools to select from.
Try to design your processes before you start looking for a tool. This gives you the
opportunity to really do a thorough Functional and technical specification before talking
to the vendors.
A lot of research can be done using the Internet. Many (tool) vendors have a list of
appropriate tools listed with the specifications.
7.1.1 Type of tools
There are many tools on the market. The following list gives an example of some of the
tools that organisations use:
Service Desk Tools / Support Tools
o Heat
o Infra
o Peregrine Service Centre
o Remedy
System Management tools
o HP Openview
o Qualiparc
o CA Unicentre
7.1.2 The Cost of a Tool
When you have decided on a tool, you really need to have a close look at the cost. Most
of the expenses are in getting the tool to work for you, the way you want it to.
The following are some examples of the implementation cost of any tool:








Initial Purchase Price
Additional Licenses
Maintenance contract
Warranty
Training of staff in using the tool
Implementation expenses (consultancy hours)
Fine-tuning the tool to your needs (consultancy and engineering hours)
Updating the internal processes to fit the tool (consultancy and internal staff
hours)
Copyright: The Art of Service Pty Ltd, 2003
59
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
Version 5.0
EXTRA READING
Field notes: Choosing a tool that fits.
Varian Semiconductor Equipment Associates Inc. has plants in more than 40 locations in the U.S., Europe and
the Far East, but the Gloucester, Mass.-based manufacturer had no way to monitor connections between
facilities, says Troy Preble, manager of networks and technology.
"Limited visibility meant managing the network whenever users called," says Preble.
The company investigated several options, including outsourcing and using management framework products
from IBM's Tivoli and HP before deciding on the WebNM network management suite from Somix Technologies
Inc. in Sanford, Maine.
Installing the suite took three days, including two spent on training. Immediately, Varian discovered one T1 line
constantly operating at full capacity and an overprovisioned connection to Japan, which was running at less
than 60% of capacity. Varian added a second T1 and cut back on the international line, drastically cutting costs
and improving service.
In addition to monitoring WAN connections, Varian also uses WebNM to monitor server uptime, performance
statistics, hard-drive and CPU utilization, as well as monitoring all switches and routers.
Preble acknowledges that WebNM doesn't have the full range of features available in a package from one of the
big network management framework vendors but says the package met all of Varian's needs at a lower cost.
"For what we wanted to do, WebNM cost one-tenth what we would have spent on Tivoli or OpenView," he says.
Source: Computerworld
Copyright: The Art of Service Pty Ltd, 2003
60
Version 5.0
GPO 2673
Brisbane, QLD 4001
Australia
Phone: 1300 13 44 99
This page left blank.
61
Download