Essentials of ITIL Service Management

Demystifying ITIL
Greg Charles, Ph.D.
Area Principal Consultant, CA
June 2006
Pacific Northwest Digital Government Summit
Today’s Objective
- To provide a basic understanding (theory and concepts) of ITIL’s Service Management Framework (Service Support and Service Delivery components)
© 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies.
Ever-Increasing Complexity
Approaches Currently In Use
- Business As Usual - “Firefighting”
- Legislation - “Forced”
- Best Practice Focused
The Legislation Minefield
- Privacy & Security
  - Personal Information Protection Electronic Document Act (PIPEDA)
  - US Patriot Act \ Homeland Security (Critical Infrastructure)
  - Personal Health Information Protection Act (PHIPA)
  - Health Insurance Portability and Accountability Act (HIPAA)
  - Gramm-Leach Bliley Act (GLBA) privacy of financial information
  - Children’s Online Privacy Protection Act
  - Federal Information Security Mgmt. Act (FISMA)
  - Freedom of Information & Protection of Privacy (FOIPOP) BC Gov
  - FDA Regulated IT Systems
  - Freedom Of Information Act
  - Americans with Disabilities Act, Sec. 508 (website accessibility)
  - European Privacy Directive (Safe Harbor Framework)
- Finance
  - Sarbanes Oxley (US)
  - FFIEC US Banking Standards
  - Basel II (World Bank)
  - Turnbull Report (UK)
  - Canadian Bill 198 (MI 52-109 & 52-111)
  - SEC Rules 17a-3 & 17a-4 re: Securities Transaction Retention
- Washington State Laws relating to IT
  - Policy 403-R1, 400-P1, 401-S1, 402-G1; Executive Order 00-03; RCW 9A.52.110,120,130; RCW 9A.48.070, 080, 090; RCW 9A.105.041 and many more
- Other International IT Models
  - Corporate Governance for ICT DR 04198 (Australia)
  - Clinger-Cohen Act (US Gov.)
  - Intragob Quality Effort (Mexico)
  - Medical Information System Development (Medis-DC) (Japan)
  - Authority for IT in the Public Administration (AIPA) (Italy)
  - Principles of accurate data processing supported accounting systems (GDPdu & GoBS) (Germany)
Best Practices
Quality & Control Models
• ISO 900x
• COBIT
• TQM
• EFQM
• Six Sigma
• COSO
• Deming
• etc.
Process Frameworks
• IT Infrastructure Library
• Application Service Library
• Gartner CSD
• IBM Processes
• EDS Digital Workflow
• Microsoft MOF
• Telecom Ops Map
• etc.
• What is not defined cannot be controlled
• What is not controlled cannot be measured
• What is not measured cannot be improved
Improvement cycle: Define -> Measure -> Improve -> Control And Stabilize
What Is ITIL?
- ITIL (Information Technology Infrastructure Library) is a seven-book series that guides business users through the planning, delivery and management of quality IT services
The ITIL Books
(Diagram: the ITIL books arranged between The Business and The Technology; labels recovered below)
- Planning To Implement Service Management
- Service Management: Service Support and Service Delivery
- The Business Perspective
- ICT Infrastructure Management
- Security Management
- Application Management
ITIL Simplified
(Diagram: Business, Customers & Users at the top, with the Service Support processes on one side and the Service Delivery processes on the other)
- Service Support: Service Desk, Incident Management, Problem Management, Change Management, Release Management, Configuration Management
- Service Delivery: Service Level Management, Availability Management, Capacity Management, Financial Management, Service Continuity
ITIL Service Support Model
(Diagram: the Service Support processes, their outputs and the flows between them; labels recovered below)
- The Business, Customers or Users raise Difficulties, Queries and Enquiries and receive Communications, Updates and Work-arounds; Monitoring Tools also raise Incidents
- Service Desk: Customer Survey reports; Incidents pass from the Service Desk to Incident Management
- Incident Management: Service reports, Incident statistics, Audit reports
- Problem Management: Problem statistics, Problem reports, Problem reviews, Diagnostic aids, Audit reports; raises Problems and Known Errors
- Change Management: Change schedule, CAB minutes, Change statistics, Change reviews, Audit reports; Changes pass to Release Management
- Release Management: Release schedule, Release statistics, Release reviews, Secure library, Testing standards, Audit reports; Releases pass to Configuration Management
- Configuration Management: CMDB reports, CMDB statistics, Policy standards, Audit reports
- CMDB: holds Incidents, Problems, Known Errors, Changes, Releases, CIs and Relationships
Service Desk
- To provide a strategic central point of contact for customers and an operational single point of contact for managing incidents to resolution
- In addition, the Service Desk handles Service Requests
Incident Management
- To restore normal service operation as quickly as possible and minimize the adverse impact on business operations
Problem Management
- To minimize the adverse impact of incidents and problems on the business that are caused by errors in the IT Infrastructure and to prevent recurrence of incidents related to these errors
Change Management
- To ensure that standardized methods and procedures are used for efficient and prompt handling of all changes to minimize the impact of change-related incidents and improve day-to-day operations
Release Management
• Release Management takes a holistic view of a change to an IT service and should ensure that all aspects of a Release, both technical and non-technical, are considered together
Configuration Management
- To identify, record and report on all IT components that are under the control and scope of Configuration Management
ITIL Service Support
ITIL Service Delivery Model
(Diagram: the Service Delivery processes and their outputs; labels recovered below)
- Business, Customers and Users raise Queries and Enquiries and receive Communications, Updates and Reports; Requirements, Targets and Achievements are exchanged between Service Level Management and the other processes; Management Tools supply Alerts and Exceptions; Changes feed in from Service Support
- Service Level Management: SLAs, SLRs, OLAs; Service reports; Service catalogue; SIP; Exception reports; Audit reports
- Availability Management: Availability plan, AMDB, Design criteria, Targets/Thresholds, Reports, Audit reports
- Capacity Management: Capacity plan, CDV, Targets/thresholds, Capacity reports, Schedules, Audit reports
- Financial Management For IT Services: Financial plan, Types and models, Costs and charges, Reports, Budgets and forecasts, Audit reports
- IT Service Continuity Management: IT continuity plans, BIS and risk analysis, Requirements def’n, Control centers, DR contracts, Reports, Audit reports
Service Level Management
- To maintain and improve IT service quality through a constant cycle of agreeing, monitoring and reporting to meet the customers’ business objectives
Availability Management
- To optimize the capability of the IT infrastructure, services and supporting organization to deliver a cost-effective and sustained level of availability enabling the business to meet their objectives
Capacity Management
- To ensure that all the current and future capacity and performance aspects of the business requirements are provided cost-effectively
Financial Management
- To provide cost-effective stewardship of the IT assets and resources used in providing IT services
IT Service Continuity Management
- To ensure that the required IT technical and services facilities can be recovered within required and agreed timescales
- IT Service Continuity Planning is a systematic approach to create a plan and/or procedures to prevent, cope with and recover from the loss of critical services for extended periods
Service Delivery
What Is ITIL All About?
- Aligning IT services with business requirements
- A set of best practices, not a methodology
- Providing guidance, not a step-by-step, how-to manual; the implementation of ITIL processes will vary from organization to organization
- Providing optimal service provision at a justifiable cost
- A non-proprietary, vendor-neutral, technology-agnostic set of best practices.
IT Governance Model
(Diagram: governance sources grouped by area; labels recovered below)
- Audit Models: Sarbanes-Oxley, COSO, US Securities & Exchange Commission, CobIT
- Quality Systems & Mgmt. Frameworks: ISO, Six Sigma, TSO
- IT Planning / IS Strategy
- Project Mgmt.: PMI
- IT Security: ISO 17799
- App. Dev. (SDLC): CMMi
- Service Mgmt.: ITIL, ISO 20000, BS 15000, ASL
- IT OPERATIONS
CobIT (Control Objectives for IT)
- CobIT is an open standard control framework for IT Governance with a focus on IT Standards and Audit
- Based on over 40 International standards and is supported by a network of 150 IT Governance Chapters operating in over 100 countries
- CobIT describes standards, controls and maturity guidelines for four domains and 34 control processes
The CobiT Cube
(Diagram: Business Requirements on one face of the cube; 4 Domains, 34 Processes, 318 Control Objectives)
CobiT Domains
(Diagram: the four domains as a cycle)
- Plan & Organize (PO Process Domain)
- Acquire & Implement (AI Process Domain)
- Deliver & Support (DS Process Domain)
- Monitor (M Process Domain)
(Diagram: the 34 CobiT processes arranged by domain; labels recovered below)
- Plan & Organize: Define Strategic IT Plan; Define Information Architecture; Determine Technological Direction; Define IT Organization & Relationships; Manage IT Investment; Communicate Aims & Direction; Manage Human Resource; Ensure Compliance With External Standards; Assess Risks; Manage Projects; Manage Quality
- Acquire & Implement: Identify Automated Solutions; Acquire & Maintain Application Software; Acquire & Maintain Technology Infrastructure; Develop & Maintain IT Procedures; Install & Accredit Systems; Manage Change
- Deliver & Support: Define & Manage Service Levels; Manage Third-Party Services; Manage Performance & Capacity; Ensure Continuous Service; Ensure System Security; Identify & Allocate Costs; Educate & Train Users; Assist & Advise IT Customers; Manage Configuration; Manage Problems & Incidents; Manage Data; Manage Facilities; Manage Operations
- Monitor: Monitor The Process; Assess Internal Control Adequacy; Obtain Independent Assurance; Provide Independent Audit
COSO Components
(Diagram: the five COSO components)
Control Environment
• Sets “tone at the top”
• Foundation for all other components of control
• Integrity, ethical values, competence, authority, responsibility
Risk Assessment
• Identify and analyze relevant risks to achieving the entity’s objectives
Control Activities
• Policies that ensure management directives are carried out
• Approval and authorizations, verifications, evaluations, safeguarding assets, security and segregation of duties
Information and Communication
• Relevant information identified, captured and communicated timely
• Access to internal and externally generated information
• Information flow allows for management action
Monitoring
• Assess control system performance over time
• Ongoing and separate evaluations
• Management and supervisory activities
COSO, CobiT & SOX Components
Putting COSO, CobiT, and ITIL together
- COSO defines the high-level policies of a well-governed organization
- CobiT defines the control structures for evaluating whether the IT organization conforms to COSO policies.
- ITIL defines the best practices that will satisfy the CobiT controls.
How to Make ITIL a Reality? Key Success Factors
Theory – ITIL/CobIT/COSO
• Guidelines for Best Practices
• Provides the theory but not the process
• Education is an important component
Process
• Convert theory to process that is applicable to the unique needs of the organization
• Training & Education
• Tool configuration
Technology – CA and others
• Provide the technology that enables and automates the process
• Repeatability, compliance and notifications
• Implement processes impossible without technology
Making IT Easier
(Diagram: the four-level maturity model, with ROI at each transition)
- 1-Active: Ability to respond to problems and faults
- 2-Efficient: Ability to automate responses, streamline processes, consolidate resources
- 3-Responsive: Ability to manage service levels and provide the services that are important to the business
- 4-Business-Driven: Ability to share your IT resources throughout the supply chain and dynamically reallocate resources based upon changing business needs
(Diagram: the “Security To Incident Resolution” vulnerability management workflow, drawn once per maturity level (Level 1 through Level 4) with Quantitative Metrics; the recovered process steps and decision points are listed below)
- Asset discovery: New Asset? -> Discover Assets; Define Standard Builds; Ensure Backup of Critical Assets; Update CMDB; Audit Asset
- Scanning: Define Policy In Network Scanner; Network Scan Group (scheduled); Agent Based Scanning Initiated; Network Scan / Penetration Test; Attack & Penetration Performed; Detect Vulnerabilities; Document Post Scan Results; Generate Report
- Triage: Assess Business Impact; Assign Priority; Integrated Security Event Prioritization; Vulnerability Identified?; Patch Needed?; Patch Available?; Patch Tested?
- Remediation: Patches sent to Vulnerability Management Group; Software Delivery; Manual Process To Remove Vulnerabilities; Config. Change Needed? -> Request for Change -> Initiate Change -> Order and complete Business Impact Analysis -> Systems configuration changed and rebooted; Restore Image; Verification Rescan; Re-Test; Fixed? (if not, Document problems with incident ticket); Notification to User Population
- Incident handling: IDS -> Security Incident -> New Incidents -> Computer Incident Response Team Investigation In Progress; incident categories: Acceptable Use Violation, Denial Of Service, Information Theft, Probe, Social Engineering, Unauthorized Use, Resource Modification
Customer maturity isolates appropriate transition point, blueprint & ROI
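The decision points of the “Security To Incident Resolution” workflow (Assess Business Impact, Assign Priority, Patch Needed?, Patch Available?, Patch Tested?, Config. Change Needed?, Verification Rescan, Fixed?) can be written down as a small remediation planner. The block below is an added example written for this page, not CA's product logic or anything the slide contains; the priority rule, the fallback to manual removal when a patch is missing or untested, and the sample findings are all assumptions constructed for illustration.

```python
"""Remediation planner modelled on the "Security To Incident Resolution"
workflow. Example code written for this page, not CA's; the priority rule
and the untested-patch branch are assumptions."""
from dataclasses import dataclass
from enum import Enum


class Step(str, Enum):
    """Process steps named on the slide's flowchart."""
    BACKUP = "Ensure Backup of Critical Assets"
    PATCH_TO_VM_GROUP = "Patches sent to Vulnerability Management Group"
    SOFTWARE_DELIVERY = "Software Delivery"
    MANUAL_REMOVAL = "Manual Process To Remove Vulnerabilities"
    RFC = "Request for Change"
    BIA = "Order and complete Business Impact Analysis"
    CONFIG_CHANGE = "Systems configuration changed and rebooted"
    RESCAN = "Verification Rescan"
    NOTIFY = "Notification to User Population"
    UPDATE_CMDB = "Update CMDB"
    DOCUMENT_TICKET = "Document problems with incident ticket"
    RESTORE_IMAGE = "Restore Image"


@dataclass
class Finding:
    asset: str
    vuln_id: str               # placeholder identifier, not a real advisory
    asset_critical: bool       # result of "Assess Business Impact"
    exploit_public: bool       # assumed extra input to "Assign Priority"
    patch_needed: bool
    patch_available: bool = False
    patch_tested: bool = False
    config_change_needed: bool = False


def assign_priority(f: Finding) -> int:
    """1 = highest. Assumed rule: business impact combined with exploit availability."""
    if f.asset_critical and f.exploit_public:
        return 1
    if f.asset_critical or f.exploit_public:
        return 2
    return 3


def plan_remediation(f: Finding) -> list[Step]:
    """Walk the decision diamonds and return the ordered steps up to the rescan."""
    steps = []
    if f.asset_critical:
        steps.append(Step.BACKUP)           # back up critical assets before any change
    if f.config_change_needed:              # Config. Change Needed? -> RFC -> BIA -> change
        steps += [Step.RFC, Step.BIA, Step.CONFIG_CHANGE]
    if f.patch_needed:
        if f.patch_available and f.patch_tested:   # Patch Available? and Patch Tested? both YES
            steps += [Step.PATCH_TO_VM_GROUP, Step.SOFTWARE_DELIVERY]
        else:                                      # assumption: no/untested patch -> manual removal
            steps.append(Step.MANUAL_REMOVAL)
    steps.append(Step.RESCAN)               # every path ends in a Verification Rescan
    return steps


def close_loop(f: Finding, rescan_clean: bool) -> list[Step]:
    """'Fixed?' after the rescan: notify and update the CMDB, or document the
    problem on the ticket and roll back a failed configuration change."""
    if rescan_clean:
        return [Step.NOTIFY, Step.UPDATE_CMDB]
    steps = [Step.DOCUMENT_TICKET]
    if f.config_change_needed:
        steps.append(Step.RESTORE_IMAGE)
    return steps


# Constructed sample findings, as a scanner might feed them into the workflow.
SAMPLE_FINDINGS = [
    Finding("web-01", "VULN-PLACEHOLDER-1", asset_critical=True, exploit_public=True,
            patch_needed=True, patch_available=True, patch_tested=True),
    Finding("kiosk-07", "VULN-PLACEHOLDER-2", asset_critical=False, exploit_public=False,
            patch_needed=True, patch_available=False),
    Finding("db-02", "VULN-PLACEHOLDER-3", asset_critical=True, exploit_public=False,
            patch_needed=False, config_change_needed=True),
]


def work_queue(findings=SAMPLE_FINDINGS):
    """Findings ordered by priority, each with its planned steps."""
    ordered = sorted(findings, key=lambda f: (assign_priority(f), f.asset))
    return [(assign_priority(f), f.asset, plan_remediation(f)) for f in ordered]


if __name__ == "__main__":
    for prio, asset, steps in work_queue():
        print(f"P{prio} {asset}: " + " -> ".join(s.value for s in steps))
```

The planner keeps the slide's ordering constraints explicit: a backup precedes any change on a critical asset, a configuration change always goes through a Request for Change and a Business Impact Analysis, and nothing is reported as fixed until a Verification Rescan says so.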
Next Steps - Focus on Customer Needs
EITM
• Complete
• Integrated
• Open
(Diagram: the “Security To Incident Resolution” workflow from the previous slide, repeated)
Business Flows
• Proven Best Practices
• High Quality
• People
• Process
• Technology
• Partners
• Comprehensive
• Enabling
• Evolutionary
• Efficient
Solutions
Typical Survey Section features…
• Respondent Scoring
• Proven Practice “Statements”
Comparison Charts
3 Sets of Scores: Industry Comparison, Role Comparison, Overall Comparison, against Your Score
Tools to Aid Success
(Diagram: each tool is illustrated by an embedded figure; the labels recovered from those figures are listed below)
• Solution Sheets
• Maturity Model (the four-level model from “Making IT Easier”: 1-Active, 2-Efficient, 3-Responsive, 4-Business-Driven, with ROI at each transition)
• Transitional Maturity
• ROI Tool
• Process Model
• Blueprints
• Profilers
• Services and Solutions

Process Model figure: identity and access management flow, drawn as swim lanes by role (CISO, Security Manager, IT Operations Manager, Application Manager, Development Manager, Business Manager, Incident Manager, Customer Relationship Manager, HR, Facilities, Employee, Customer / Partner; SAO/SAS and SPML as interfaces)
- Policy: Define IAM Policies, Processes, Workflows & Owners; Define ID and Password Stds; Define Role Mgt Stds; Define Policies & Stds for ID Provisioning, and Reporting; Define Corporate Identity Directory, Entitlement Mgt, & Security Web Services; Define Federated Trust Stds; Periodic Policy Review; Basic Security Policy
- New Hire: Identity verified & Entered in HR; Provide List of Employees from HR System; ID Allocated Automatically; Identity and Access Automatically Provisioned to LAN, Email, Corporate Directory, Authentication Technology, Security Web Services, Security Infrastructure, Business Apps, External Federated Services; User Building Access Provisioned Automatically; New Hire Has Access to Business Applications Automatically
- Access change: Request Change in Application Access for New Project; Delegated Request Change in Application Access; Workflow Approval; Approve Access; Incident Opened (if required by policy); User Access Changed; User Access Reviewed / Set-up; Access New App Resource; Incident Closed; Workflow for Security Review of Application; CMDB Change Impacting App deployment, Ownership, Access etc
- Password: Customer/Partner Forgets Password; Self-serve Reset Password; Self-serve Set New Password; Password Reset; Use New Password; Incident Opened / Incident Closed
- Customer/Partner: New Customer (or Partner); Request From Customer/Partner; Customer Entered in Customer/Partner Relationship System; Customer Defined; Delegated User Creation; Obtain LAN/App ID & Passwords; Customer/Partner Employee Enters Data Via Self-Serve Register; Customer/Partner Changes Business Relationship e.g. Buys New Product/Service; Authorized Customer / Partner Employees have Access; Customer/Partner User No Longer Needs Access; Delegated Request removal of Access; Customer access removed
- Termination: Employee Terminated/Retired; Employee removed from HR System; Automated Process to Deprovision User from Systems/Apps; Automated Process to Deprovision User from Facilities Access; Employee access removed; User Deprovisioned; Incident Opened / Incident Closed
- Applications: New App; Develop/Acquire App; Validate App Using Directory Services; Validate App With Role Stds; Validate App with Provisioning System; Validate with SPML; Validate App with ID / Passwd Stds; Produce Operations Manual for App; Manage Application Security; Integration with Production Directory & Security Web Svcs
- Audit: Periodic Security Audit Scheduled; Obtain Authoritative List of All Users/Roles Automatically; Automated Synchronization Process Compares Authoritative User & Role List with LAN & App User accounts; Excess Entitlements / Accounts? [Y] Incident Opened -> User Deprovisioned -> Incident Closed; [N] Review current reports; User Entitlements Exceptions Report Generated Automatically; Workflow to Request Remediation; Audit Reports Completed

Services and Solutions figure: Implementing IT Svc Mgmt, plotted as Importance against Capability across the maturity levels (Active, Efficient, Responsive, Business-Driven) and the areas Service Support, Service Delivery, Application Mgmt and Infrastructure Mgmt; recovered labels by category
- Technical Capabilities: Identify & Classify Assets; Anti-Virus Scanning; Manual Load OS Patches; Developed Standard OS Configuration; Backup/Recovery; Basic Security Policy; Configuration Management Process; Tracking of Vulnerability Activities; Integrated VM And Helpdesk; Patch Process; Periodic Vulnerability Assessments; Agent-based Vulnerability Management; Automated Software Distribution; Business Impact Analysis; CERT & Incident Resolution Process; Tracking of Threat & Forensics Events; Integrated Forensics Investigation; Audit Collectors; Integrated Security Event Prioritization; Agent-based Configuration Management; ITIL Compliant IT Operations Process; BCP/DR Management; IT Governance Management; Compliance Management & Reporting; Business Impact Correlation & Reporting; Compliance Oriented Architecture
- Organizational Characteristics: Dedicated Security Staff; Certified Security Staff; Certified Security & IT Ops Staff; CISSP Training; Security Awareness Training; Security Awareness Training (IT, HR, Dev); Staff trained in Threat Detection; End User technology training in Anti-Spam prevention
- Services: Vulnerability Assessment; Security Policies & Procedures; Attack & Penetration Assessment; Security Road Map Assessment; Security Roadmap & Strategy Development; ITIL Training; Incident Response Program Development; CERT Training; ISO17799 Program Development; Security Standards Development; Attack and Penetration Testing; Forensic Investigation Training; Business Correlation Rule Development; Anti-Spyware Malware Solutions; eTrust VM Service; Security Business Portal Development; Policy and Process Monitoring; Compliance Architecture Development; Technology Design, Implementation, and Integration Services (AV, VM, etc.); Technology, Design, Implementation & Integration Services (VM, Backup/Recovery, Service Desk, etc.); Technology, Design, Implementation & Integration Services (Audit, SCC, Forensics, SCM, IDS, Pest Patrol); Technology, Design, Implementation & Integration Services (Compliance Oriented Architecture)
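The audit lane of the Process Model (obtain the authoritative user and role list, compare it with LAN and application accounts, raise an incident for excess entitlements or accounts) is the control that catches orphaned and over-privileged access. The block below is an added example written for this page, not CA's code or anything the figure contains; the role-to-entitlement policy, the segregation-of-duties pair, and the HR and account records are constructed for illustration.

```python
"""Entitlement reconciliation modelled on the audit lane of the Process Model
figure. Example code written for this page, not CA's; all policy and data
below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HRRecord:
    user_id: str
    status: str                 # "active" or "terminated"
    roles: frozenset


@dataclass(frozen=True)
class Account:
    system: str                 # e.g. "LAN" or "Finance-App"
    user_id: str
    entitlements: frozenset


# Assumed policy: which entitlements each role legitimately grants on each system.
ROLE_ENTITLEMENTS = {
    ("LAN", "employee"): {"login"},
    ("LAN", "admin"): {"login", "domain-admin"},
    ("Finance-App", "accountant"): {"view-ledger", "post-journal"},
    ("Finance-App", "auditor"): {"view-ledger"},
}

# Assumed segregation-of-duties rule: nobody both posts and audits the ledger.
CONFLICTING_ROLES = [frozenset({"accountant", "auditor"})]


def allowed_entitlements(system, roles):
    """Union of what the user's roles permit on the given system."""
    allowed = set()
    for role in roles:
        allowed |= ROLE_ENTITLEMENTS.get((system, role), set())
    return allowed


def reconcile(hr_records, accounts):
    """Compare the authoritative HR list with live accounts.

    Returns exception tuples (kind, system, user_id, detail), where kind is
    'orphan' (no HR record), 'terminated' (HR says gone, account remains),
    'excess' (entitlements beyond the roles) or 'sod' (conflicting roles)."""
    hr = {r.user_id: r for r in hr_records}
    exceptions = []
    for acct in sorted(accounts, key=lambda a: (a.system, a.user_id)):
        rec = hr.get(acct.user_id)
        if rec is None:
            exceptions.append(("orphan", acct.system, acct.user_id, sorted(acct.entitlements)))
        elif rec.status != "active":
            exceptions.append(("terminated", acct.system, acct.user_id, sorted(acct.entitlements)))
        else:
            excess = acct.entitlements - allowed_entitlements(acct.system, rec.roles)
            if excess:
                exceptions.append(("excess", acct.system, acct.user_id, sorted(excess)))
    for rec in sorted(hr_records, key=lambda r: r.user_id):   # SoD is checked once per person
        for pair in CONFLICTING_ROLES:
            if rec.status == "active" and pair <= rec.roles:
                exceptions.append(("sod", "*", rec.user_id, sorted(pair)))
    return exceptions


def remediation_for(exception):
    """Map each exception kind onto the figure's follow-up path."""
    if exception[0] in ("orphan", "terminated"):
        return "Incident Opened -> User Deprovisioned -> Incident Closed"
    return "Incident Opened -> Workflow to Request Remediation -> Incident Closed"


# Constructed sample data: the HR feed and the accounts found on two systems.
HR = [
    HRRecord("alice", "active", frozenset({"employee", "accountant"})),
    HRRecord("bob", "terminated", frozenset({"employee"})),
    HRRecord("carol", "active", frozenset({"employee"})),
    HRRecord("erin", "active", frozenset({"employee", "accountant", "auditor"})),
]
ACCOUNTS = [
    Account("LAN", "alice", frozenset({"login"})),
    Account("LAN", "bob", frozenset({"login"})),             # left behind after termination
    Account("LAN", "carol", frozenset({"login", "domain-admin"})),  # admin right without the role
    Account("LAN", "erin", frozenset({"login"})),
    Account("Finance-App", "alice", frozenset({"view-ledger", "post-journal"})),
    Account("Finance-App", "dave", frozenset({"view-ledger"})),  # no HR record at all
]


def exceptions_report(hr_records=HR, accounts=ACCOUNTS):
    """The 'User Entitlements Exceptions Report' with the remediation path per row."""
    return [(e, remediation_for(e)) for e in reconcile(hr_records, accounts)]


if __name__ == "__main__":
    for exc, path in exceptions_report():
        print(exc, "->", path)
```

Running the reconciliation on a schedule, as the figure's “Periodic Security Audit Scheduled” step does, turns the HR system into the single source of truth: an account that HR cannot vouch for is an exception by construction, which is what makes terminated-user and orphaned-account cleanup auditable.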
Meeting Customer Needs – Best Practices
Best Practices: Six Sigma, etc.
Industry and CA best practices are applied to all of our solutions to maximize standardization and quality
Thank You
Questions?