Demystifying ITIL
Greg Charles, Ph.D., Area Principal Consultant, CA
June 2006, Pacific Northwest Digital Government Summit

Today's Objective
- To provide a basic understanding (theory and concepts) of ITIL's Service Management Framework (Service Support and Service Delivery components)

© 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

Ever-Increasing Complexity

Approaches Currently In Use
- Business As Usual: "Firefighting"
- Legislation: "Forced"
- Best Practice Focused

The Legislation Minefield

Privacy & Security
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- US Patriot Act / Homeland Security (Critical Infrastructure)
- Personal Health Information Protection Act (PHIPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- SEC Rules 17a-3 & 17a-4 re: Securities Transaction Retention
- Gramm-Leach-Bliley Act (GLBA): privacy of financial information
- Children's Online Privacy Protection Act
- Clinger-Cohen Act (US Gov.)
- Federal Information Security Management Act (FISMA)
- Freedom of Information & Protection of Privacy (FOIPOP), BC Gov
- FDA Regulated IT Systems
- Freedom Of Information Act
- Americans with Disabilities Act, Sec. 508 (website accessibility)
- European Privacy Directive (Safe Harbor Framework)

Finance
- Sarbanes-Oxley (US)
- FFIEC US Banking Standards
- Basel II (Basel Committee on Banking Supervision)
- Turnbull Report (UK)
- Canadian Bill 198 (MI 52-109 & 52-111)

Washington State Laws relating to IT
- Policy 403-R1, 400-P1, 401-S1, 402-G1; Executive Order 00-03; RCW 9A.52.110, .120, .130; RCW 9A.48.070, .080, .090; RCW 9A.105.041 and many more

Other International IT Models
- Corporate Governance for ICT, DR 04198 (Australia)
- Intragob Quality Effort (Mexico)
- Medical Information System Development (Medis-DC) (Japan)
- Authority for IT in the Public Administration (AIPA) (Italy)
- Principles of accurate data processing supported accounting systems (GDPdu & GoBS) (Germany)

Best Practices

Quality & Control Models
• ISO 900x
• COBIT
• TQM
• EFQM
• Six Sigma
• COSO
• Deming
• etc.

Process Frameworks
• IT Infrastructure Library
• Application Service Library
• Gartner CSD
• IBM Processes
• EDS Digital Workflow
• Microsoft MOF
• Telecom Ops Map
• etc.

• What is not defined cannot be controlled
• What is not controlled cannot be measured
• What is not measured cannot be improved

Improvement cycle: Define -> Measure -> Improve -> Control and Stabilize

What Is ITIL?
- ITIL (Information Technology Infrastructure Library) is a seven-book series that guides business users through the planning, delivery and management of quality IT services

The ITIL Books
The seven books sit between The Business on one side and The Technology on the other:
- Planning To Implement Service Management
- Service Support (Service Management)
- Service Delivery (Service Management)
- The Business Perspective
- ICT Infrastructure Management
- Security Management
- Application Management

ITIL Simplified
Business, Customers & Users are served by two process groups:

Service Support
- Service Desk
- Incident Management
- Problem Management
- Change Management
- Release Management
- Configuration Management

Service Delivery
- Service Level Management
- Availability Management
- Capacity Management
- Financial Management
- Service Continuity

ITIL Service Support Model
Inputs from the Business, Customers or Users: difficulties, queries, enquiries. Outputs back to them: communications, updates, work-arounds. Monitoring tools also raise incidents. Each process and its key outputs:
- Service Desk: customer survey reports
- Incident Management: incidents; customer survey reports, service reports, incident statistics, audit reports
- Problem Management: problems, known errors; problem statistics, problem reports, problem reviews, diagnostic aids, audit reports
- Change Management: changes; change schedule, CAB minutes, change statistics, change reviews, audit reports
- Release Management: releases; release schedule, release statistics, release reviews, secure library, testing standards, audit reports
- Configuration Management: CIs, relationships, the CMDB; CMDB reports, CMDB statistics, policy standards, audit reports

Service Desk
- To provide a strategic central point of contact for customers and an operational single point of contact for managing incidents to resolution
- In addition, the Service Desk handles Service Requests
Incident Management
- To restore normal service operation as quickly as possible and minimize the adverse impact on business operations

Problem Management
- To minimize the adverse impact on the business of incidents and problems that are caused by errors in the IT infrastructure, and to prevent recurrence of incidents related to these errors

Change Management
- To ensure that standardized methods and procedures are used for efficient and prompt handling of all changes, in order to minimize the impact of change-related incidents and improve day-to-day operations

Release Management
• Release Management takes a holistic view of a change to an IT service and should ensure that all aspects of a Release, both technical and non-technical, are considered together

Configuration Management
- To identify, record and report on all IT components that are under the control and scope of Configuration Management

ITIL Service Support
ITIL Service Delivery Model
Inputs from the Business, Customers and Users: queries, enquiries, requirements, targets, achievements. Outputs back to them: communications, updates, reports. Management tools feed in alerts and exceptions; Change Management feeds in changes. Each process and its key outputs:
- Service Level Management: SLAs, SLRs, OLAs, service reports, service catalogue, SIP, exception reports, audit reports
- Availability Management: availability plan, AMDB, design criteria, targets/thresholds, reports, audit reports
- Capacity Management: capacity plan, CDB (capacity database), targets/thresholds, capacity reports, schedules, audit reports
- Financial Management for IT Services: financial plan, types and models, costs and charges, reports, budgets and forecasts, audit reports
- IT Service Continuity Management: IT continuity plans, BIA (business impact analysis) and risk analysis, requirements definition, control centers, DR contracts, reports, audit reports

Service Level Management
- To maintain and improve IT service quality through a constant cycle of agreeing, monitoring and reporting to meet the customers' business objectives

Availability Management
- To optimize the capability of the IT infrastructure, services and supporting organization to deliver a cost-effective and sustained level of availability, enabling the business to meet its objectives

Capacity Management
- To ensure that all current and future capacity and performance aspects of the business requirements are provided cost-effectively
Financial Management
- To provide cost-effective stewardship of the IT assets and resources used in providing IT services

IT Service Continuity Management
- To ensure that the required IT technical and service facilities can be recovered within required and agreed timescales
- IT Service Continuity Planning is a systematic approach to creating a plan and/or procedures to prevent, cope with and recover from the loss of critical services for extended periods

Service Delivery

What Is ITIL All About?
- Aligning IT services with business requirements
- A set of best practices, not a methodology
- Providing guidance, not a step-by-step how-to manual; the implementation of ITIL processes will vary from organization to organization
- Providing optimal service provision at a justifiable cost
- A non-proprietary, vendor-neutral, technology-agnostic set of best practices

IT Governance Model
The slide relates three layers:
- Audit models: Sarbanes-Oxley, US Securities & Exchange Commission, COSO, COBIT
- Quality systems & management frameworks: ISO, Six Sigma, ISO 20000, BS 15000, ITIL, ASL, CMMi, PMI, ISO 17799, TSO
- IT disciplines covered: IS Strategy, IT Planning, Project Management, IT Security, Application Development (SDLC), Service Management, IT Operations

COBIT (Control Objectives for IT)
- COBIT is an open-standard control framework for IT governance with a focus on IT standards and audit
- Based on over 40 international standards and supported by a network of 150 IT governance chapters operating in over 100 countries
- COBIT describes standards, controls and maturity guidelines for four domains and 34 control processes

The COBIT Cube (Business Requirements)
- 4 Domains
- 34 Processes
- 318 Control Objectives

COBIT Domains
- Plan & Organize (PO process domain)
- Acquire & Implement (AI process domain)
- Deliver & Support (DS process domain)
- Monitor (M process domain)
COBIT Processes by Domain

Plan & Organize
- Define Strategic IT Plan
- Define Information Architecture
- Determine Technological Direction
- Define IT Organization & Relationships
- Manage IT Investment
- Communicate Aims & Direction
- Manage Human Resources
- Ensure Compliance With External Standards
- Assess Risks
- Manage Projects
- Manage Quality

Acquire & Implement
- Identify Automated Solutions
- Acquire & Maintain Application Software
- Acquire & Maintain Technology Infrastructure
- Develop & Maintain IT Procedures
- Install & Accredit Systems
- Manage Change

Deliver & Support
- Define & Manage Service Levels
- Manage Third-Party Services
- Manage Performance & Capacity
- Ensure Continuous Service
- Ensure System Security
- Identify & Allocate Costs
- Educate & Train Users
- Assist & Advise IT Customers
- Manage Configuration
- Manage Problems & Incidents
- Manage Data
- Manage Facilities
- Manage Operations

Monitor
- Monitor The Process
- Assess Internal Control Adequacy
- Obtain Independent Assurance
- Provide Independent Audit

COSO Components

Control Environment
• Sets the "tone at the top"
• Foundation for all other components of control
• Integrity, ethical values, competence, authority, responsibility

Risk Assessment
• Identify and analyze relevant risks to achieving the entity's objectives

Control Activities
• Policies that ensure management directives are carried out
• Approvals and authorizations, verifications, evaluations, safeguarding of assets, security and segregation of duties

Information and Communication
• Relevant information identified, captured and communicated in a timely manner
• Access to internally and externally generated information
• Information flow allows for management action

Monitoring
• Assess control system performance over time
• Ongoing and separate evaluations
• Management and supervisory activities

COSO, COBIT & SOX Components

Putting COSO, COBIT and ITIL together
- COSO defines the high-level policies of a well-governed organization
- COBIT defines the control structures for evaluating whether the IT organization conforms to COSO policies
- ITIL defines the best practices that will satisfy the COBIT controls

How to Make ITIL a Reality? Key Success Factors

Theory (ITIL / COBIT / COSO)
- Guidelines for best practices
- Provides the theory but not the process
- Education is an important component

Process
- Convert theory to process that is applicable to the unique needs of the organization
- Training & education
- Tool configuration

Technology (CA and others)
- Provides the technology that enables and automates the process
- Repeatability, compliance and notifications
- Implementing the processes is impossible without technology

Making IT Easier: Maturity Model
- 1-Active: ability to respond to problems and faults
- 2-Efficient: ability to automate responses, streamline processes, consolidate resources
- 3-Responsive: ability to manage service levels and provide the services that are important to the business
- 4-Business-Driven: ability to share your IT resources throughout the supply chain and dynamically reallocate resources based upon changing business needs
Each transition between levels carries its own ROI and quantitative metrics.
The slide repeats one security flowchart at each maturity level (Level 1 through Level 4), with more of the steps automated at each level. Recoverable steps:
- Discover assets; New asset? -> agent-based scanning initiated; define standard builds; ensure backup of critical assets
- Define policy in the network scanner; scheduled network scan group; detect vulnerabilities; document post-scan results; generate report
- Attack & penetration performed (penetration test)
- Assess business impact; assign priority; integrated security event prioritization
- Patch needed? -> Patch available? -> Patch tested? -> Request for Change (Level 4 adds automated software delivery); otherwise manual process to remove vulnerabilities, or patches sent to the Vulnerability Management Group
- Config. change needed? -> Initiate change; order and complete Business Impact Analysis; system configuration changed and rebooted; restore image if needed
- Verification rescan; re-test; notification to user population; Fixed? -> audit asset and update CMDB; if not, document problems with the incident ticket
- Security to incident resolution: IDS security incident (acceptable use violation, denial of service, information theft, probe, social engineering, unauthorized use, resource modification) -> Vulnerability identified? -> Computer Incident Response Team investigation in progress; new incidents feed back into the same cycle
Customer maturity isolates the appropriate transition point, blueprint & ROI.

Next Steps: Focus on Customer Needs
EITM
• Complete
• Integrated
• Open
Business Flows
• Proven Best Practices
• High Quality
Delivered through People, Process, Technology and Partners: comprehensive, enabling, evolutionary, efficient.

Solutions
- Typical survey section features: proven-practice "statements" with respondent scoring

Comparison Charts
- 3 sets of scores: industry comparison, role comparison and overall comparison, plotted against your score
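The vulnerability flow repeated on the maturity slides above (detect vulnerabilities, assess business impact, assign priority, patch needed/available/tested, Request for Change or manual removal, verification rescan, update CMDB) is the part of the deck a security engineer would actually automate. The following is an added example, not code from the CA deck or from a CA product: the CVSS severity bands, the priority weighting, the route names and the sample findings are assumptions constructed for illustration.

```python
"""Risk-based vulnerability triage and remediation routing.

Added example, not code from the CA deck: it models the decision points in the
flow repeated on the maturity slides (detect vulnerabilities -> assess business
impact -> assign priority -> patch needed/available/tested? -> Request for Change
or manual removal -> verification rescan -> update CMDB). Severity bands,
priority weighting, route names and sample findings are constructed assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Set


class Impact(IntEnum):
    """Business impact of the affected asset, set during Business Impact Analysis."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def severity_band(cvss: float) -> int:
    """Map a CVSS base score (0.0-10.0) to a technical severity band 1..4."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError("CVSS base score must be within 0.0..10.0")
    if cvss >= 9.0:
        return 4
    if cvss >= 7.0:
        return 3
    if cvss >= 4.0:
        return 2
    return 1


def assign_priority(cvss: float, impact: Impact, internet_exposed: bool) -> int:
    """Return remediation priority P1 (most urgent) .. P4.

    The same flaw on a public web server holding customer data and on an
    isolated lab box must not get the same priority, so the BIA impact is
    added to the technical band and Internet exposure bumps the result one
    step (assumed weighting, tune to local policy).
    """
    score = severity_band(cvss) + int(impact)  # 2 .. 7
    if internet_exposed:
        score += 1
    if score >= 7:
        return 1
    if score >= 5:
        return 2
    if score >= 4:
        return 3
    return 4


@dataclass
class Patch:
    vendor_id: str
    tested: bool  # passed the Vulnerability Management Group's test build


@dataclass
class Finding:
    asset: str
    vuln_id: str
    cvss: float
    impact: Impact
    internet_exposed: bool
    fix_type: str  # "patch" or "config", from the scanner's remediation advice
    patch: Optional[Patch] = None
    priority: int = 0
    route: str = ""
    status: str = "open"


def route_finding(f: Finding) -> Finding:
    """Assign priority and choose the remediation path shown in the flow."""
    f.priority = assign_priority(f.cvss, f.impact, f.internet_exposed)
    if f.fix_type == "config":
        f.route = "config-change-rfc"   # Config. change needed? -> Initiate Change (RFC + BIA)
    elif f.patch is None:
        f.route = "manual-remediation"  # Patch available? NO -> manual process to remove vulnerability
    elif not f.patch.tested:
        f.route = "vm-group-test"       # Patch tested? NO -> patches sent to Vulnerability Management Group
    else:
        f.route = "patch-rfc"           # Patch tested? YES -> Request for Change, software delivery
    return f


def verify(f: Finding, rescan_ids: Set[str]) -> Finding:
    """Verification rescan: close only if the flaw no longer shows, else reopen."""
    if f.vuln_id in rescan_ids:
        f.status = "reopened"  # Fixed? NO -> document problems with incident ticket
    else:
        f.status = "closed"    # Fixed? YES -> audit asset, update CMDB
    return f


def triage(findings: List[Finding], rescan_ids: Set[str]) -> List[Finding]:
    """Route every finding, apply the rescan result, most urgent first."""
    routed = [verify(route_finding(f), rescan_ids) for f in findings]
    return sorted(routed, key=lambda x: x.priority)


# Constructed sample input (not real scan data); vuln ids are placeholders.
SAMPLE_FINDINGS = [
    Finding("web01", "vuln-001", 9.8, Impact.HIGH, True, "patch", Patch("kb-001", tested=True)),
    Finding("lab07", "vuln-001", 9.8, Impact.LOW, False, "patch", Patch("kb-001", tested=True)),
    Finding("erp02", "vuln-002", 7.5, Impact.HIGH, False, "patch", Patch("kb-002", tested=False)),
    Finding("fs03", "vuln-003", 5.0, Impact.MEDIUM, False, "config"),
    Finding("hr04", "vuln-004", 4.3, Impact.MEDIUM, True, "patch"),
]
SAMPLE_RESCAN = {"vuln-002"}  # constructed: rescan still reports this one

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS, SAMPLE_RESCAN):
        print(f"P{f.priority} {f.asset:6} {f.vuln_id} -> {f.route:18} {f.status}")
```

Two points the flowchart makes only implicitly show up in the sample run: the identical score on web01 and lab07 yields P1 and P2 because the business impact from the BIA, not the scanner, drives priority; and the ticket is closed only when the verification rescan no longer reports the flaw, so erp02 is reopened and routed back rather than marked done on the strength of a change record.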
Tools to Aid Success
- Solution Sheets
- Maturity Model (1-Active, 2-Efficient, 3-Responsive, 4-Business-Driven, with the ROI of each transition)
- Transitional Maturity ROI Tool
- Process Model
- Blueprints
- Profilers

Implementing IT Service Management: the slide plots importance against capability for Application Management, Infrastructure Management, Service Support and Service Delivery, and tabulates capabilities by maturity level. The cells are recoverable but their assignment to a level is not:

Technical Capabilities
- Identify & classify assets; anti-virus scanning; manual load of OS patches; configuration management; process tracking of vulnerability activities; periodic vulnerability assessments; agent-based vulnerability management; automated software distribution patch process; integrated VM and helpdesk; CERT & incident resolution; process tracking of threat & forensics events; audit collectors; integrated security event prioritization; integrated forensics investigation; IT governance management; compliance management & reporting; business impact correlation & reporting; BCP/DR management; ITIL-compliant IT operations process

Organizational Characteristics
- Security awareness training (IT, HR, Dev); certified security staff; certified security & IT ops staff; CISSP training

Services and Solutions
- Vulnerability assessment; eTrust VM service; attack and penetration testing / assessment; CERT training; CISSP training; ITIL training; forensic investigation training
- ISO 17799 program development; security standards development; security policies & procedures; security roadmap & strategy development; incident response program development; security business portal development; compliance architecture development; compliance-oriented architecture; business correlation rule development; policy and process monitoring
- Anti-spyware and malware solutions
- Technology design, implementation and integration services (AV, VM; backup/recovery, service desk; audit, SCC, forensics, SCM, IDS, PestPatrol; compliance-oriented architecture)
Process Model: Identity and Access Management (the slide's swimlane flowchart; recoverable content only)
- Governance (CISO, Security Manager): define ID and password standards; define role management standards; define policies & standards for ID provisioning and reporting; define corporate identity directory, entitlement management & security web services; define federated trust standards; define IAM policies, processes, workflows & owners; periodic policy review; business impact analysis; security road map assessment
- New hire (HR, IT Operations Manager, Facilities): identity verified & entered in HR -> ID allocated automatically -> identity and access automatically provisioned to LAN, email, corporate directory, authentication technology, security web services, security infrastructure, business apps and external federated services -> user building access provisioned automatically -> new hire has access to business applications automatically; an incident is opened if required by policy and closed when provisioning completes
- Change in application access (Business Manager, Application Manager): delegated request for a change in application access (e.g. for a new project) -> workflow approval -> user access changed -> user accesses the new app resource -> incident closed
- Employee terminated/retired (HR, Incident Manager, Facilities): employee removed from HR system -> incident opened -> automated processes deprovision the user from systems/apps and from facilities access -> employee access removed -> incident closed
- Customer/partner (Customer Relationship Manager, Customer/Partner User): customer entered in the customer/partner relationship system, customer/partner employee registers via self-serve, or an SPML request arrives from the customer/partner (SAO/SAS) -> delegated user creation -> authorized customer/partner employees have access; a change in the business relationship (e.g. buys a new product/service) re-profiles access; when a customer/partner user no longer needs access a delegated request removes it; a forgotten password is handled by self-serve reset, after which the new password is used
- Periodic security audit (Security Manager, Incident Manager): obtain authoritative list of all users/roles automatically -> automated synchronization process compares the authoritative user & role list with LAN & application user accounts -> Excess entitlements/accounts? [Y] incident opened, workflow to request remediation, user entitlement exceptions report generated automatically; [N] review current reports, audit reports completed
- New application (Development Manager): develop/acquire app -> validate app with ID/password standards, directory services, role standards, the provisioning system and SPML -> produce operations manual for the app -> CMDB change impacting app deployment, ownership, access -> access to the new app resource

Further organizational characteristics from the same slide: dedicated security staff; staff trained in threat detection; end-user technology training in anti-spam prevention; basic security policy; developed standard OS configuration; backup/recovery.

Meeting Customer Needs: Best Practices
- Best practices: Six Sigma, etc.
- Industry and CA best practices are applied to all of our solutions to maximize standardization and quality

Thank You
Questions?
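The periodic security audit in the IAM process model above (obtain the authoritative list of users and roles, compare it with LAN and application accounts, open an incident for excess entitlements or accounts) is the detective control that catches what the event-driven provisioning and deprovisioning paths miss. The following is an added example, not code from the CA deck or a CA product: the role standard, the HR records, the account inventory, the finding kinds and the incident actions are constructed assumptions.

```python
"""Periodic entitlement reconciliation against the authoritative HR record.

Added example, not code from the CA deck: it implements the audit loop in the
IAM process model (obtain authoritative list of all users/roles automatically ->
automated synchronization compares it with LAN & application accounts -> excess
entitlements/accounts? -> incident opened and remediation requested). The role
standard, HR records and account inventory are constructed sample data; the
finding kinds and incident actions are assumed names, not a CA product's.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    role: str
    active: bool  # False once HR has terminated/retired the person


# Role standard (the Security Manager's "Define Role Mgt Stds"): entitlements
# each role may hold. Anything granted beyond this is an excess entitlement.
ROLE_STANDARD: Dict[str, Set[str]] = {
    "developer": {"lan", "email", "git", "ci"},
    "finance": {"lan", "email", "erp"},
    "contractor": {"lan"},
}


@dataclass(frozen=True)
class Finding:
    user_id: str
    kind: str    # orphan | terminated | excess | missing
    detail: str


def reconcile(hr: List[HrRecord], accounts: Dict[str, Set[str]]) -> List[Finding]:
    """Compare the authoritative user/role list with observed account entitlements.

    `accounts` maps user_id -> set of entitlements actually present on the LAN
    and in applications, as collected by the synchronization process.
    """
    findings: List[Finding] = []
    by_id = {r.user_id: r for r in hr}

    for uid in sorted(accounts):
        granted = accounts[uid]
        rec = by_id.get(uid)
        if rec is None:
            # Account with no HR identity behind it: orphan, possibly a backdoor.
            findings.append(Finding(uid, "orphan", f"no HR record; holds {sorted(granted)}"))
        elif not rec.active:
            # Event-driven deprovisioning missed this leaver.
            findings.append(Finding(uid, "terminated", f"left but still holds {sorted(granted)}"))
        else:
            excess = granted - ROLE_STANDARD.get(rec.role, set())
            if excess:
                findings.append(Finding(uid, "excess",
                                        f"role {rec.role} does not permit {sorted(excess)}"))

    # Active people with no accounts at all: a provisioning gap rather than an
    # exposure, but the same exceptions report should surface it.
    for rec in hr:
        if rec.active and rec.user_id not in accounts:
            findings.append(Finding(rec.user_id, "missing", "active in HR but no accounts"))
    return findings


def open_incidents(findings: List[Finding]) -> List[dict]:
    """Map each finding to the incident/workflow action in the process model."""
    action = {
        "orphan": "disable-account-and-investigate",
        "terminated": "deprovision",      # automated deprovision from systems/apps and facilities
        "excess": "request-remediation",  # workflow to request remediation from the owner
        "missing": "provision",
    }
    return [{"user": f.user_id, "kind": f.kind, "action": action[f.kind], "detail": f.detail}
            for f in findings]


# Constructed sample data.
SAMPLE_HR = [
    HrRecord("alice", "developer", True),
    HrRecord("bob", "finance", True),
    HrRecord("carol", "contractor", False),  # terminated last week
    HrRecord("dave", "developer", True),     # hired, not yet provisioned
]
SAMPLE_ACCOUNTS = {
    "alice": {"lan", "email", "git", "ci"},
    "bob": {"lan", "email", "erp", "git"},   # git is outside the finance role
    "carol": {"lan", "email"},               # should have been deprovisioned
    "eve": {"lan"},                          # no HR record at all
}

if __name__ == "__main__":
    for inc in open_incidents(reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS)):
        print(inc)
```

The HR feed is treated as the only authority: the reconciliation never trusts an account's existence as evidence that it should exist, which is what turns the "excess entitlements/accounts?" decision into something the Incident Manager can act on rather than a list for a human to eyeball. Deprovisioning on termination should still be driven by the HR event itself; this job only proves, on a schedule, that the event-driven path worked.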