Commonwealth of Massachusetts
Statewide Strategic IT Consolidation (ITC) Initiative
Helpdesk and Desktop and LAN Strategy
Deloitte Consulting LLP
September 3, 2009
DRAFT – FOR DISCUSSION PURPOSES ONLY

Agenda
1. Executive Summary
   1.1 Current IT Management Technologies
   1.2 ITIL Process Maturity Baseline
   1.3 Staffing Model Standards
2. Technology
   2.1 Section Overview
   2.2 Inventory of Current Secretariat Tools
   2.3 Industry Leading Tools and Standards
   2.4 Transition Framework
3. Processes
   3.1 Section Overview
   3.2 ITIL Process Flows
   3.3 Initial ITIL Readiness Assessment Framework
4. Staffing
   4.1 Section Overview
   4.2 Change Impact Assessment Framework
   4.3 Staffing Models from Industry
5. Service Agreement
   5.1 Service Agreement Overview
   5.2 Service Agreement Content
   5.3 Service Agreement Maturity Model
6. Integration with ITD Processes
   6.1 Process Integration points with Agencies, Secretariats, and ITD
7. Appendix

Components of ITIL: Service Desk
1.0 Executive Summary

1.1 Current IT Management Technologies
Below is a consolidated version of the Secretariat technologies that have been provided as part of the Secretariat plans and the infrastructure inventory template.

EOHED
  Helpdesk Tool: Custom Tool (HelpStar); SharePoint; Ultimus
  Desktop and LAN Tool: N/A
EOHHS
  Helpdesk Tool: CA Service Desk; Legacy: Lotus Notes, Remedy, Liberum, SugarCRM
  Desktop and LAN Tool: N/A
EOPSS
  Helpdesk Tool: ACD; Remedy AR Systems; Custom Helpdesk Application
  Desktop and LAN Tool: N/A
EOEEA
  Helpdesk Tool: Roundup; Microsoft Access Database; Open Source solution
  Desktop and LAN Tool: N/A
ANF
  Helpdesk Tool: CA Service Desk (E2E); BMC Service Desk Express; Numara Track-It; MS Outlook
  Desktop and LAN Tool: CA Service Desk: E2E
EOLWD
  Helpdesk Tool: FrontRange HEAT; GWI C.Support
  Desktop and LAN Tool: Systems Center; Retrofit (Vendor)
EOE
  Helpdesk Tool: Custom Solution (IT Requestor); Remedy; Numara Track-It; Lotus/Domino
  Desktop and LAN Tool: N/A
EOT
  Helpdesk Tool: N/A
  Desktop and LAN Tool: N/A

1.2 ITIL Process Maturity Baseline
Below is the self-assessment from each Secretariat that was collected as part of the infrastructure data collection.

Processes (columns): Incident Mgmt.; Request Fulfill.; Change Mgmt.; Asset and Config. Mgmt.; Problem Mgmt.
Secretariats (rows): ANF (PERAC); EOHHS; EOHED; EOLWD; EOEEA; EOPSS; EOT; EOE
Ratings as extracted (the row and column of each value is not recoverable): 2 2 2 3 2 3 4 1 3 3

Maturity Stage Definitions
1 - Chaotic: Processes are ad-hoc, chaotic, or actually few processes are defined
2 - Reactive: Basic processes are established and there is a level of discipline to stick to these processes
3 - Stable: All processes are defined, documented, standardized and integrated into each other
4 - Proactive: Processes are measured by collecting detailed data on the processes and their quality
5 - Value Driven: Continuous process improvement is adopted and in place by quantitative feedback and from piloting new ideas and technologies

1.3 Staffing Model Standards
Below is a consolidated version of the industry leading staffing ratios for helpdesk, desktop/LAN, and website that will be used to develop Secretariat staffing models.

Helpdesk Assumptions: Computer Economics, Users per FTE
Desktop/LAN Assumptions (Static and Dynamic): Computer Economics, Desktops per FTE
Website Assumptions: Computer Economics, % of IT Staff

                                Helpdesk         Desktop/LAN         Website
                                Users per FTE    Desktops per FTE    % of IT Staff
Small Organization (Helpdesk: rev < $350 Million; Desktop/LAN: < 750 desktops; Website: rev < $350 Million)
  25th Percentile               154              184                 0.0%
  Median                        220              300                 2.5%
  75th Percentile               338              514                 5.4%
Medium Organization (Helpdesk: $350 < rev. < $; Desktop/LAN: 750-2500 desktops; Website: $350 < rev. < $1billion)
  25th Percentile               188              203                 0.0%
  Median                        357              300                 1.3%
  75th Percentile               750              503                 3.4%
Large Organizations (Helpdesk: rev. > $1 billion; Desktop/LAN: > 2500 desktops; Website: rev. > $1 billion)
  25th Percentile               236              250                 0.0%
  Median                        521              450                 2.1%
  75th Percentile               800              1625                3.9%
Government Industry Average     375              237                 4.3%

Source: Computer Economics

2.0 Technology

2.1 Section Overview
The Technology section will cover three major areas (outlined below) to help prepare each Secretariat for consolidation.

Inventory of Current Commonwealth Tools
• Overview of the template tools available to Secretariats to inventory their current helpdesk and desktop and LAN management tools

Industry Leading Tools and Standards
• The section provides an overview of the tools and standards for the software categories listed below. For each topic, the software analysis and considerations (vendor strengths and cautions) are located in the appendix.
  • Helpdesk Tools and Standards - Service Desk and Interactive Voice Response
  • Desktop and LAN Tools and Standards - PC Lifecycle Configuration Management, PC Image Inventory, and Endpoint Protection Management

Transition Framework
• Overview of the prioritization tools available to Secretariats to identify potential helpdesk and desktop and LAN management software tools

2.2 Inventory of Current Secretariat Tools

Helpdesk Software Inventory (template)
  Column groups: General Information; Financial Assessment; Management Capabilities; Functionality
  Columns: Ref. #; Agency Name; Application Name (full name and vendor); Version; Initial Capital Cost; Maintenance Cost; Maintenance Expiration; ITIL Compliant; Incident; Request; Change; Asset and Configuration; Problem; Knowledge; Interactive Voice Response; VOIP Compatible; Remote Control; Other; Interfaces
  Sample row: DPH; ABC Service Desk; XYZ Corp.; Version 3.1; $200,000.00; $150,000.00; 10/15/2009; Y/N entries in the remaining columns

Desktop and LAN Software Inventory (template)
  Column groups: General Information; Financial Assessment; Functionality
  Columns: Ref. #; Owner Name and Agency; Application Name (full name and vendor); Version; Capital Cost; Maintenance Cost; Maintenance Expiration; ITIL Compatible; Patch; Port-Network; Software Distribution; Remote Control; Security; Discovery; PC Image; Asset Management Soft.; Interfaces; Other
  Sample row: John Doe, DPH; ABC Service Desk; Version 3.1; $200,000.00; $150,000.00; 10/15/2009; Y/N entries in the remaining columns

Overview
The software inventories capture general application information (name, version, etc), financial information (capital and maintenance costs), and management capabilities and functionality (ITIL processes and service functionality).

Purpose
The templates are intended for the Secretariats to capture their current state for software. The information will be valuable for understanding the maturity of the agencies and the selection of Secretariat-wide applications.

Additional Information
The templates have been distributed to the SCIOs and are accessible on the wiki (https://wiki.state.ma.us/confluence/display/itconsolidation/Secretariat+Consolidation).

2.2 Inventory of Current Technologies (Based on Responses as of 8/28)
Below is a consolidated version of the Secretariat technologies that have been provided as part of the infrastructure template.

Ref. #  Secretariat  Application Name (full name and vendor)
1       EOHED        Custom Tool (HelpStar), SharePoint, and Ultimus
2       EOHHS        CA Service Desk (Legacy: Lotus Notes applications, Remedy, Liberum, and SugarCRM)
3       EOPSS        ACD, Remedy AR Systems, Custom helpdesk application
4       EOEEA        Roundup, Microsoft Access Database, Open Source solution
5       ANF          CA Service Desk (E2E), BMC Service Desk Express, Numara Track-It, and MS Outlook
6       EOLWD        FrontRange HEAT and GWI C.Support
7       EOE          Custom Solution (IT Requestor), Remedy, Numara Track-It, and Lotus/Domino
8       EOT          N/A

Remaining template columns: Version; Initial Capital Cost; Maintenance Cost; Maintenance Expiration; Incident; Request; Change; Asset and Configuration; Problem; Knowledge; ITIL Compliant; Interactive Voice Response; VOIP Compatible; Remote Control; Other; Interfaces
Other recorded values: Version "Ultimus v9"; five "Y" entries (column positions not recoverable)

2.3 Industry Leading Tools and Standards: Service Desk Software

Scope
The IT service desk portion of a suite tends to include incident, problem and self-service modules. Many small businesses also include the change module.

Industry Analysis

Key Considerations
• Ease of Deployment
  • Degree of customization: Significant customization can stifle enhancements, curb flexibility, and increase cost
  • Workflow alignment: Reliance on best-practice workflows and templates improves ROI
• Module Integration
  • Within a single vendor, the extent to which service modules are pre-configured and integrated
• Pricing
  • Scalability: Service modules can be purchased individually to expand functionality with the growth of the service desk (See Note)
• Software as a Service (SaaS)
  • Attractive for constrained capital budgets, limited staff to administer the tool, and an evolving service desk strategy

Note: Businesses focused on only incident management should consider: BMC Software's Service Desk Express, FrontRange Solutions' HEAT, Hornbill's Supportworks, ManageEngine's ServiceDesk Plus, Numara Software's FootPrints, Altiris' Helpdesk Solution, for excellent incident management.

Source: Gartner (October 2008)

2.3 Industry Leading Tools and Standards: Interactive Voice Response (IVR)

Scope
Voice response platforms are systems that provide voice access to information and applications, and they can perform complex call routing based on information provided by the caller.

Industry Analysis

Key Considerations
• Business Case
  • IVR solutions enable customers to perform tasks via the telephone that would otherwise require a call center agent, which can deliver significant return on investment.
• Core Technology Considerations
  • Speech recognition: Improved user interface
  • Voice Extensible Markup Language (VoiceXML): Connectivity to a range of applications
  • VoIP Support
  • Session Initiation Protocol (SIP)
  • Call Control XML (CCXML)

Source: Gartner (January 2008)

2.3 Industry Leading Tools and Standards: PC Lifecycle Configuration Management

Industry Analysis

Scope
Core functions consist of software distribution, inventory, patch management, and OS deployment.

Key Considerations
• Tool Purpose
  • The primary purpose of the tool is to reduce the cost of performing tasks, which would otherwise be conducted manually
  • The tool also helps organizations improve the security state of endpoints and provide a higher quality of service to end users
• Key Functionality
  • Deploy PC OSs, settings, and applications
  • Collect and manage hardware and software inventories
  • Monitor the use of software applications
  • Configure and deploy software, patches, and other system updates to PCs
  • Remotely control PCs for troubleshooting
• Compliance
  • Compliance concerns have elevated the importance of functions such as software usage for license compliance and security configuration management.
• Implementation Success Factors
  • Process maturity
  • Level of standardization across the PC systems

Note: Some PC lifecycle configuration management tools also include endpoint protection functionality.

Source: Gartner (December 2008)

2.3 Industry Leading Tools and Standards: PC Image Inventory

PC Image Inventory (template, rows 1-20)
  Columns: Ref. #; Agency; Owner; Size in MB; Users; Operating System; Business; Custom / Package Application; Technical Application; Security (Antivirus, Encryption); HR ERP; Other; Other Standard Applications; Other Non-Standard Applications; with Version columns
  Sample row values as extracted: DPH; John Doe; 400 MB; 700; Microsoft XP Professional; Microsoft Office; v1.4 XYZ Health; v6.3 AutoCAD; v5.0 Norton; v3 GuardianEdge; v4 Oracle Financials; v2.0
  Other Standard Applications (sample): WinZip, v2.0; Application B, v8.3; etc.
  Other Non-Standard Applications (sample): Adobe Photoshop, v6.0; Application B, v2.8

Overview
The PC image inventory template is designed to help the Secretariat identify commonalities between PC images across all agencies.

Purpose
The template is intended to minimize the number of images that the Secretariat will have to maintain.

Additional Instructions
Common areas for consolidation:
• Maintain the same version of software packages across all PC images
• Identify significantly similar PC images across agencies and consolidate into a single image
• Consolidate to one software package for generic software (such as compression software).

Additional Information
The templates have been distributed to the SCIOs and are accessible on the wiki (https://wiki.state.ma.us/confluence/display/itconsolidation/Secretariat+Consolidation).

Source: Gartner (December 2008)

2.3 Industry Leading Tools and Standards: Endpoint Protection Management (EPP)

Scope
Basic EPP suites include antivirus, anti-spyware, HIPS and a personal firewall. Advanced EPP suites will include network access control (NAC) and data protection technologies, such as DLP and full-disk encryption.

Industry Analysis

Key Considerations
• Overlap with PC Configuration Management Tools
  • EPP suites replicate some PC configuration life cycle management tasks, such as security configuration management, asset discovery, patching and software management.
• General Selection Considerations
  • The management and reporting capability of EPP suites is a substantial differentiator, especially in large enterprises.
  • A modular architecture that enables selective configuration based on security requirements and device location is also critical.
  • Organizations should evaluate EPP firewalls and plan to phase out stand-alone personal firewall solutions.
• Core Technology Considerations
  • Host intrusion prevention system (HIPS) and personal firewalls are increasingly critical to improve overall security. The convergence of these functions into a common management framework should increase the adoption of HIPS and desktop personal firewalls.
  • HIPS solutions must enable selection and configuration/tuning to balance the security level, transparency to end users and administration overhead.

Source: Gartner (December 2007)

2.4 Transition Framework

Helpdesk Software Prioritization Framework and Desktop and LAN Software Prioritization Framework (templates, rows 1-10; both use the layout below)

Prioritization Criteria (defined by Secretariat; examples below)
  #1 Cost: <$1,000, <$5,000, <$10,000
  #2 Functionality: <3 Processes, <5 Processes, <7 Processes
  #3 Ease of Implementation
  #4 Maintainability
  #5 Other

Prioritization Weights (defined by Secretariat; examples below)
  #1 50%
  #2 15%
  #3 20%
  #4 10%
  #5 5%
  Total 100%

Scoring Guidance: the higher the score, the better the fit with the criteria
  0 = Does not meet criteria at all
  1 = Could meet criteria with some key changes
  2 = Partially meets criteria (at least 50%)
  3 = Meets majority or all terms of criteria

Columns: Ref. #; Application Name (full name; and vendor); Owner Name and Org. (Staff Name and Agency); Score and Weight for each of Criteria #1 to #5; Prioritization Calculation; Other Comments

Sample row
  Ref. #: 1
  Application Name: Application A
  Owner Name and Org.: John Doe; EOHHS
  Criteria #1: Score 2, Weight 50%
  Criteria #2: Score 3, Weight 15%
  Criteria #3: Score 0, Weight 20%
  Criteria #4: Score 1, Weight 10%
  Criteria #5: Score 2, Weight 5%
  Prioritization Calculation: 1.65
  Other Comments: Comment C

Overview
The prioritization template is designed to help the Secretariat determine which existing helpdesk and desktop and LAN management software packages may be well suited for use by the entire Secretariat.

Purpose
The templates are intended to provide direction for the Secretariats in selecting software packages. They can be populated with the current agency tools as well as the industry leading tools that are presented in the previous section.

Additional Information
The templates have been distributed to the SCIOs and are accessible on the wiki (https://wiki.state.ma.us/confluence/display/itconsolidation/Secretariat+Consolidation). The business criteria and weighting will be determined by the Secretariats; sample criteria have been provided as a reference.

2.4 Immediate Next Steps
The checklist below can be used to select the appropriate helpdesk and desktop and LAN management technology based on each Secretariat's business and technical requirements.

#  Activity (Owner; Due Date and Status are blank in the template)
1  Complete the helpdesk management software inventory (Helpdesk Team)
2  Complete the desktop and LAN management software inventory (Desktop and LAN Team)
3  Develop the prioritization helpdesk framework (Helpdesk Team)
4  Develop the prioritization helpdesk framework (Desktop and LAN Team)
5  Incorporate industry leading tools and standards in the frameworks (Helpdesk/Desktop and LAN Team)
6  Select the appropriate management software based on the results of the prioritization (Helpdesk/Desktop and LAN Team)

3.0 Processes

3.1 Section Overview
The Processes section will cover three major areas to help prepare each Secretariat for consolidation.

ITIL Overview
• Basic ITIL overview
• Process descriptions for: Service Desk, Incident Mgmt., Request Fulfilment, Change Mgmt., Asset and Configuration Mgmt., Problem Mgmt.
• Descriptions include: the purpose and overview, key concepts, key roles, process flows, and benefits.

Initial ITIL Readiness Assessment
• Consolidated view of what processes are currently in place at each of the Secretariats.

Transition Framework
• A framework for developing the Secretariat’s helpdesk and desktop and LAN processes in line with the ITIL processes. A maturity model is included to facilitate an initial gap analysis.

3.2 ITIL Process Flows: Overview
ITIL (the IT Infrastructure Library) is a set of books and documents that are used to aid the implementation of IT Service Management. It provides a comprehensive framework of processes and best practice advice for IT Service Management.

ITIL is…
  What does that mean?
A set of industry “Best Practices” (e.g., need for discipline around changes; need to link capacity planning and budgeting)
  Identify and reuse what has worked best in the past and currently at other organizations
A framework, not a methodology
  Provides a body of concepts and resources to draw from, not specific required steps
Adoptable and adaptable
  Select applicable parts of the framework and adapt them to fit local needs
Not a standard
  ISO/IEC 20000 is a standard aligned with ITIL
Scalable to the organization’s size and need
  Can be adapted to fit an organization’s specific size and situation
Platform independent
  Flexible to all development and service efforts; not tied to any particular tool

The following slides will discuss the key information regarding the primary ITIL processes related to the helpdesk.

3.2 ITIL Process Flows: ITIL Process/Procedure Development Levels
At the end of the development process, all Secretariats should be at Level D. This document provides the information required to achieve Level B development.

ITIL Level A: Process Vision
• Common definition and language for discussing the process
• Clear responsibility for process ownership and implementation
• Alignment on what the process should do and how it should be measured
• Explicit linkage back to the business through business drivers providing a business-oriented value-proposition

Maturity
ITIL Level B: Policies and Process Steps
ITIL Level C: Sub-process Steps
ITIL Level D: Procedures
• Understanding of inter-relationships between this process and others through the identification of key inputs and outputs, enabling improved program management and process design activities
• Understanding of key steps required to execute the process and ability to discuss not only ‘what’ the process is, but also ‘how’ it is executed.
• Clear identification of technologies supporting this process and plans for these technologies
• Refined detail explaining how each of the Level-B steps is executed (sub-process steps)
• Understanding of the key decisions involved in the process
• Clear mapping of process steps to roles providing a clear understanding of the expectations of who will be involved in executing the process
• Develop all output templates, interface procedures, activities procedures, activity decision criteria
• May eventually be used for operation manuals that outline detailed, step-by-step procedures for performing related tasks

3.2 Service Desk: Overview
The Service Desk (or Help Desk) is a Function, not a Process. Its role is crucial and central to the whole concept of Service Management.

What is a “Service Desk?”
The point of contact between the customer/user and the IT service, responsible for service requests as well as incident control.

What is the PURPOSE of the Service Desk?
• Provides a single point of contact for customers
• Facilitates the restoration of normal operational service with minimal business impact on the customer within agreed service levels and business priorities
• Manages each user contact/interaction with the IT Service provider throughout its lifecycle

What are the OBJECTIVES of the Service Desk?
• To promote customer satisfaction
• To restore normal service as quickly as possible when there is a fault
• To attain service level targets for user contact responsiveness and quality
• To articulate and route requests to the service provider accurately and appropriately
• To ensure accurate and timely communication of status
• To act as a strategic function to identify and lower the cost of ownership for supporting the computing and support infrastructure
• To reduce costs by the efficient use of resource and technology

3.2 Service Desk: Key Concepts

Concept: Definition
Contact: A telephone call, email, fax, entry in a user self-service system, or other means of reporting faults or requesting services
Customer: Someone who buys goods or Services. The Customer of an IT Service Provider is the person or group that defines and agrees the Service Level Targets. The term Customers is also sometimes informally used to mean Users, for example ‘this is a Customer-focused Organization’
IT Infrastructure: All of the hardware, software, networks, facilities, etc. that are required to develop, Test, deliver, Monitor, Control or support IT Services. The term IT Infrastructure includes all of the Information Technology but not the associated people, Processes and documentation
ITSM Toolset: The system for recording customer contacts, service assets and other configurable items, Changes, Problems, etc. Also includes tools used by staff to diagnose or resolve incidents, discover assets, and monitor systems
Record: The “ticket” or “case” created in the ITSM system that records the information regarding the Incident or Service Request.
(Note – the same term is used for any record in the ITSM tools, including those for Assets, Changes, Problems, etc.)
Service Level: A measured and reported achievement against one or more Service Level Targets. The term Service Level is sometimes used informally to mean Service Level Target
Service Provider: An Organization supplying Services to one or more Internal Customers or External Customers

3.2 Service Desk: Structure

3.2 Service Desk: Key Information
The details of the service desk structure can be developed by each Secretariat using the following template. Based on the Key Information and Implications and Key Decisions, the structure of the service desk will change to accommodate the needs of the Secretariat.

3.2 Service Desk: Roles

Roles: Definition
Service Desk Manager: Manage overall desk activities, act as an escalation point for analysts, and take overall responsibility for Incident and Service Request handling on the Service Desk
Service Desk Supervisor: In larger organizations, in addition to a Manager there will be one or more Supervisors, often serving as the leader on shifts in 7x24 operations. Supervisors also act as an escalation point for analysts, and interface with the rest of IT Operations on day-to-day business. In small organizations the senior Service Desk Analyst may take this role
Service Desk Analysts: The primary Service Desk Analyst role is that of providing first-level support through taking calls and handling the resulting incidents or requests for service
Super Users: Business users who act as liaison points with IT, to facilitate communication between IT and the business at an operational level.
These sometimes provide staff training in their area, or support for minor incidents or simple requests

3.2 Service Desk: Benefits
The value of an effective Service Desk should not be underrated – a good Service Desk can often compensate for deficiencies elsewhere in the IT organization; but a poor Service Desk (or the lack of a Service Desk) can give a poor impression of an otherwise very effective IT organization!

Specific Benefits include:
• Improved customer understanding and satisfaction with IT Services
  • With what the Services are, and how to obtain them
  • With status on Incidents and Requests
• Lower costs to the business through faster resolution of incidents and fulfillment of requests
• Improved ability to attain service level targets through the management of the flow of work
• Reduced costs by the efficient use of resources and technology – simpler work can be done by Service Desk Analysts rather than by the senior technical staff

3.2 Incident Management: Overview

What is an “Incident?”
• An incident is an unplanned interruption of a Service, or a reduction in the agreed-to quality of an IT Service.

What is the PURPOSE of Incident Management?
• The Incident Management process strives to restore normal service operation as quickly as possible and minimize the impact on business operations.

What are the OBJECTIVES of Incident Management?
• Restore services as quickly as possible following a deviation from agreed upon service levels
• Log, track, capture and process all incidents in the IT environment according to existing SLAs and defined interfaces with other processes and based on defined fault-specifications

3.2 Incident Management: Key Concepts

Concept: Definition
Classification: Grouping similar types of incidents into categories.
Configuration Item: Any Component that needs to be managed in order to deliver an IT Service. CIs typically include IT Services, hardware, software, buildings, people, and formal documentation such as Process documentation and SLAs
Escalation: Incidents that cannot be resolved by available resources are escalated either to those with greater skills (functional escalation) or to those at higher levels of management (hierarchical escalation).
Incident Models: Predefined workflows for specific types of incidents.
Major Incidents: Incidents of such a high urgency and impact that they are treated with special procedures.
Prioritization: The impact and urgency of an incident. Impact is the effect the incident has on the business and urgency indicates how quickly the incident will have that effect.
Recovery: Returning a configuration item to its working state after resolution.
Repair: Replacing or fixing a configuration item.
Resolution: Actions taken to repair the Cause of an Incident, or to implement a Workaround.

3.2 Incident Management: Process Diagram

3.2 Incident Management: Key Information

Incident Record: Sample Incident Record Fields
- Unique reference number
- Incident categorization
- Incident urgency
- Incident impact
- Incident prioritization
- Date/time recorded
- Name/ID of the person and/or group recording the incident
- Method of notification (telephone, automatic, e-mail, etc.)
- Name/department/phone/location of user
- Call-back method (telephone, mail, etc.)
- Incident status (active, waiting, etc.)
- Related Incidents
- Support group/person to which the incident is allocated
- Related problem/Known Error
- Activities undertaken to resolve the incident
- Resolution date and time
- Closure category
- Closure date and time

Multi-level Categorization: Sample Development Process and Categories
1. Develop top-level categories (including an ‘other’ category). Set up the relevant logging tools to use these categories for a trial period.
2. After a trial period, perform an analysis of the incidents logged during the trial period and identify gaps.
3. Perform a breakdown analysis of the incidents within each higher-level category to develop the lower-level categories.
4. Review and repeat periodically
Sample categories: Software; Application; Administration; Time & Attendance

Incident Prioritization: Sample Prioritization Coding System
Clear guidance should be provided for all support staff to enable them to determine the correct urgency and impact levels, so the correct priority is assigned. Such guidance should be produced during service level negotiations.

                    Urgency
                    High    Medium    Low
Impact   High       1       2         3
         Medium     2       3         4
         Low        3       4         5

Priority Code    Description    Target Res. Time
1                Critical       1 hour
2                High           8 hours
3                Medium         24 hours
4                Low            48 hours
5                Planning       Planned

Investigation and Diagnosis: Sample Processes
- Establishing exactly what has gone wrong or is being sought by the user
- Understanding the chronological order of events
- Confirming the full impact of the incident, including the number and range of users affected
- Identifying any events that could have triggered the incident (e.g. a recent change, some user action?)
- Knowledge searches looking for previous occurrences by searching previous Incident/Problem Records and/or Known Error Databases or manufacturers’/suppliers’ Error Logs or Knowledge Databases.

Resolution and Recovery: Sample Resolution Processes
- Asking the user to undertake directed activities on their own desktop or remote equipment
- The Service Desk implementing the resolution either centrally (say, rebooting a server) or remotely using software to take control of the user’s desktop to diagnose and implement a resolution
- Specialist support groups being asked to implement specific recovery actions (e.g. Network Support reconfiguring a router)
- A third-party supplier or maintainer being asked to resolve the fault.

Incident Closure: Sample Closure Processes
- Closure categorization. Check and confirm that the initial incident categorization was correct and update as necessary.
- User satisfaction survey. Carry out a user satisfaction call-back or e-mail survey for an agreed percentage of incidents.
- Incident documentation. Chase any outstanding details and ensure that the Incident Record is fully documented.
- Ongoing or recurring problem? Determine whether it is likely that the incident could recur and decide whether any preventive action is necessary (if so, open a Problem Record).
- Formal closure. Formally close the Incident Record.

3.2 Incident Management: Roles

Roles: Definition
Incident Manager: Responsible for the Incident Management process and incident management staff
First Tier: The Service Desk:
  • Provides initial handling of user contact.
  • Responsible for identifying, logging, categorizing, prioritizing and providing initial diagnosis of an incident.
  • Will resolve the incident if it can, or will dispatch to the appropriate Support Group
Second Tier: Provides more technical expertise, and is usually given more time, for diagnosing and resolving incidents
Third Tier: Possesses highly specialized technical skills for the most in-depth support of incident resolution.
These can be internal technical groups or 3rd party suppliers/maintainers DRAFT FOR DISCUSSION PURPOSES ONLY - 31 - 3.2 Incident Management: Tier Definitions Roles Definition • Users have a single number to call or web interface to request support • Call receipt First Tier (Helpdesk/Initial problem determination) • Ticket creation • Initial triage • Basic server and application page-outs • Basic application administration (password resets) • Application support • Interface support (ticketing services, ebonding, database) • Server & application monitoring • Operating system monitoring • Problem determination and implementing fixes including SQL data cleansing based on Business Second Tier (Detailed analysis of reported problem and trouble isolation) Support Team request • Configuration management • Application administration including Database Administration • Change coordination and implementation • Hardware coordination through standard change control process • Change coordination • Deployment coordination with operations & external customers • Application tuning so as to maintain DMOQs listed below • Initiation of vendor Service Requests (SRs) as required for continued management of platform Third Tier • Application and infrastructure development organizations or vendors DRAFT FOR DISCUSSION PURPOSES ONLY - 32 - 3.2 Incident Management: Priority Framework Impact High Medium Low (Broad impact to the Commonwealth, with one or more services, whole agencies, or major locations not functioning.) (Impact to a portion of an agency or office, with one or more services either not functioning or functioning at a degraded level, so the agency’s mission is impacted.) (Impact is to an individual or workgroup, or the service impacted is not significant.) 
Priority 1 (Example: Email is down) Priority 2 (Example: Network outage for an office) Priority 3 (Example: Network outage for a small workgroup) Priority 2 (Example: Poor email performance for multiple offices ) Priority 3 (Example: Poor email performance for a single office) Priority 4 (Example: Single user desktop failure) Priority 3 (Example: After hours network outage) Priority 4 (Example: After hours poor network performance for a single office) Priority 5 (Example: Service request) High (Immediate action is required to restore service or prevent the failure of a service. No workaround exists.) Medium Urgency (The service has not yet failed, though the potential is there for it to do so. Or a workaround is in effect, but it only provides degraded service.) Low (A workaround exists, or the service is not essential and the customer can wait for remediation of the incident.) DRAFT FOR DISCUSSION PURPOSES ONLY - 33 - 3.2 Incident Management: Commonwealth Priority Definitions Priority Target Resolution Time* 1 – Enterprise 1 hour Description • This loss of technology impacts multiple products or services, thereby compromising service delivery. There also may be an impact to external customers. • This incident impacts a single product or service which is affecting or compromising 2 – Critical 8 hours 3 – High 24 hours 4 – Medium 48 hours • Single User affected 5 - Low Planned • Service Request service delivery. • This incident impacts some users (NOT ALL) within an agency, building location, or floor. * ITILv3 Recommendation DRAFT FOR DISCUSSION PURPOSES ONLY - 34 - 3.2 Incident Management: Benefits Incident Management is highly visible to the business when it is needed. 
How well it is performed has a major impact on Customer Satisfaction with their IT support.

Benefits from the process include:
• The ability to detect and resolve Incidents quickly, which results in lower downtime to the business
• The ability to align IT activity to real-time business priorities
• The ability to identify potential improvements to services
• The Service Desk can, during its handling of Incidents, identify additional service or training requirements

3.2 Request Fulfillment: Overview

What is a “Request?”
• A Request is any type of demand that is placed upon the IT Department by the users. Many of these are actually small changes: low risk, frequently occurring, or low cost, whose fulfillment can be standardized.
• E.g., a request to change a password

What is the PURPOSE of Request Fulfillment?
• The Request Fulfillment process seeks to manage the Lifecycle of all Service Requests to provide the prompt, complete, and cost effective provision of the Request.

What are the OBJECTIVES of Request Fulfillment?
• To provide a channel for users to request and receive standard services for which a pre-defined approval and qualification process exists
• To provide information to users and customers about the availability of services and the procedure for obtaining them
• To source and deliver the components of requested standard services
• To assist with general information, complaints or comments

3.2 Request Fulfillment: Key Concepts

Concept | Definition
Fulfillment | Performing activities to meet a need or requirement, such as providing a new IT Service, or meeting a Service Request.
Service | A means of delivering value to customers by providing outcomes to customers while insulating them from the ownership of specific Costs and Risks.
Service Catalog | A database or structured Document, published to Customers, with information about all IT Services available for request. The Service Catalog includes information about deliverables, prices, contact points, ordering and request Processes.
Service Level | A measured and reported achievement against one or more Service Level Targets. The term Service Level is sometimes used informally to mean Service Level Target.
Supplier | A Third Party responsible for supplying goods or Services that are required to deliver IT services.
Support Group | A group of people with technical skills. Support Groups provide the technical support needed by all of the ITSM processes. Examples include Desktop Support, Security, support for a specific application, etc.

3.2 Request Fulfillment: Process Diagram

3.2 Request Fulfillment: Key Information

Request Record: Sample Request Record Fields
- What service is being requested
- Who requested and authorized the service
- Which process will be used to fulfill the request
- To whom it was assigned and what action was taken
- The date and time when the request was logged as well as the date and time of all actions taken
- Closure details.

3.2 Request Fulfillment: Roles

Roles | Definition
Support Group Manager | The planning and oversight of their group’s fulfillment activities, starting with how the work is to be done, and then tracking through to completion, ensuring that service levels are met.
Request Approver | Request Approvers are people with the authority to approve or reject a request for a given Service.
Request Fulfillment Analysts | Tier 1, 2, or 3 staff that perform the tasks required to provide the service. The functional areas of the analysts could include finance and procurement, for those requests requiring purchases.
Third Tier | Possesses highly specialized technical skills for the most in-depth support of incident resolution. These can be internal technical groups or 3rd party suppliers/maintainers.

3.2 Request Fulfillment: Benefits

The primary benefit of Request Fulfillment is to provide quick and effective access to standard services which business staff can use to improve their productivity or the quality of business services and products.

Specific benefits include:
• Reducing the bureaucracy involved in requesting and receiving access to existing or new services, thus also reducing the cost of providing these services.
• Through centralizing fulfillment, Request Fulfillment also increases the level of control over these services. This facilitates aggregating demand for suppliers and can result in reduced costs through centralized negotiation.
• Repeatable workflows for fulfilling requests can result in faster performance, fewer errors, and a lower cost to provision.

3.2 Change Management: Overview

What is a “Change?”
• ITIL defines a Change as the addition, modification or removal of anything that could have an effect on IT services, usually stated as a change to a configurable item or CI.

What is the PURPOSE of Change Management?
• Respond to changing customer and IT requirements, providing a structured avenue for implementing Change while minimizing risk, reducing incidents, and avoiding disruption and re-work

What are the OBJECTIVES of Change Management?
• Record changes and then evaluate, authorize, test, implement, document, and review results in a controlled manner
• Manage and minimize the risk of disruption to the business from the implementation of Changes

3.2 Change Management: Key Concepts

Concept | Definition
Change Assessment | An evaluation of the change request from various points of view.
Change Authorization | Approval of a change request. The approval levels for the change may be different based on the type of change being considered.
Change Priority | The order in which change requests are evaluated and considered for authorization.
Change Process Model | Predefined workflows for various categories or types of changes.
Change Record | A record of a change throughout its lifecycle.
Forward Schedule of Changes | A schedule that contains details of all the changes approved for implementation and their proposed dates.
Remediation | The plan to be followed if a change is not successful.
Request for Change (RFC) | A record of a proposed change.
Risk Categorization | An evaluation of the overall risk of a proposed change to IT or business services.
Standard Changes | A pre-authorized change that has a well understood implementation plan and is typically very low risk.

3.2 Change Management: Process Diagram

3.2 Change Management: Key Information

RFC: Sample Request for Change (RFC) Fields
- Unique reference number
- Trigger (e.g. business need, purchase order, etc.)
- Description
- Identity of items to be changed
- Reason for change (business case)
- Effect of not implementing the change (business, technical, financial)
- Configuration items and baseline versions to be changed
- Primary contact information of person proposing change
- Date and time of proposed change
- Change category (minor, major, etc.)
- Predicted timeframe, resources, costs and quality of service
- Change priority
- Risk assessment and risk management plan
- Back-out or remediation plan
- Impact assessment and evaluation – resources, capacity, cost, benefits
- Governance impact (continuity management)
- Change decision body
- Decision and recommendations accompanying the decision
- Authorization signature
- Authorization date and time
- Target baseline or release to incorporate change into
- Scheduled implementation time
- Location/reference to release/implementation plan
- Details of change implementer
- Change implementation details
- Actual implementation date and time
- Review dates
- Review results
- Closure

Standard Change: Sample Standard Change Considerations
A standard change is a change to a service or infrastructure that is preauthorized by Change Management with an established procedure.
Elements of a standard change:
- There is a defined trigger to initiate the RFC
- The tasks are well known, documented and proven
- Authority is effectively given in advance
- Budgetary approval will typically be preordained or within the control of the change requester
- The risk is usually low and always well understood.

Assess & Evaluate: Sample Considerations
Seven Rs of change management:
- Who raised the change?
- What is the reason for the change?
- What is the return required from the change?
- What are the risks involved in the change?
- What resources are required to deliver the change?
- Who is responsible for the build, test and implementation of the change?
- What is the relationship between this change and other changes?
Additional Considerations:
- Impact on business operation
- Effect on infrastructure services that share the infrastructure
- Impact on customer service
- Effect of no change
- Impact on resources
- Impact on future plans
- Impact on current schedule

Change Authorization: Sample Change Authorization Model
Escalation Path | Change Authority | Potential Impact
Level 1 | Business Executive Board | High cost/risk change
Level 2 | IT Management Board | Multiple services or orgs impacted
Level 3 | Change Advisory Board | Single service or org impacted
Level 4 | Local Authorization | Standard change

Change Advisory Board Membership: Membership Considerations
- Composition based on the changes being considered
- Should include business and technical representation
- Should involve suppliers when that would be useful
- Should reflect both users’ and customers’ views
- Is likely to include the problem manager and service level manager and customer relations staff.

Review and Close: Sample Closure Processes
- The change has had the desired effect and met its objectives
- Users, customers and other stakeholders are content with the results, or have identified any shortcomings
- There are no unexpected or undesirable side-effects to functionality, service levels, warranties
- The resources used to implement the change were as planned
- The release and deployment plan worked correctly
- The change was implemented on time and to cost
- If needed, the remediation plan functioned correctly

3.2 Change Management: Roles

Roles | Definition
Change Requestors | Those submitting a request for an addition, modification, or removal of an item under configuration and change control.
Change Authority | Authorizes changes to be implemented based on impact assessments from various stakeholders. This is a function, and can be located in the CAB or in an individual.
Change Manager | Oversees the Change Management process. Receives, logs and allocates a priority, in collaboration with the initiator, to all RFCs; rejects any RFCs that are totally impractical. Chairs the CAB, and monitors the implementation of Changes.
Change Advisory Board (CAB) | A body that exists to support the authorization of changes and to assist Change Management in the assessment and prioritization of changes. As and when a CAB is convened, members should be chosen who are capable of ensuring that all changes within the scope of the CAB are adequately assessed from both a business and a technical viewpoint.

3.2 Change Management: Benefits

Reliability and business continuity are essential for the success and survival of any organization. Service and infrastructure changes can have a negative impact on the business through service disruption. Change Management controls the risk and reality of disruption, through requiring all changes to be thoroughly analyzed, planned, tested, authorized, communicated, and implemented with appropriate back-out steps planned.

Key benefits are:
• Implementing changes that meet the customers’ agreed service requirements while optimizing costs
• Reducing failed changes and therefore service disruption, defects and re-work
• Delivering change promptly to meet business timescales
• Aiding productivity of staff through minimizing disruptions due to high levels of unplanned or ‘emergency’ change and hence maximizing service availability

3.2 Service Asset and Configuration Management: Overview

What is an “Asset?”
• The hardware and software that IT uses to provide service to end users, in support of business functions and applications

What is a “Configuration?”
• The set of “items” (CIs) and their relationships that comprises IT services and is the object of most IT tasks

What is the PURPOSE of Asset and Configuration Management?
• Identify, control, record, report, audit and verify service assets and configuration items, including versions, baselines, constituent components, their attributes, and relationships
• Ensure the integrity of the assets and configurations required to control the services and IT infrastructure by establishing and maintaining an accurate and complete Configuration Management System

What are the OBJECTIVES of Asset and Configuration Management?
• Support efficient and effective Service Management processes by providing accurate configuration information to enable people to make decisions at the right time, with accurate information: to plan and authorize change and releases, resolve incidents and problems faster, etc.
• Provide management with the information required to optimize IT resources

3.2 Service Asset and Configuration Management: Key Concepts

Concept | Definition
Configuration Management Database (CMDB) | A database used to store Configuration Records throughout their Lifecycle. The Configuration Management System maintains one or more CMDBs, and each CMDB stores Attributes of CIs, and Relationships with other CIs.
Configuration Management System (CMS) | A set of tools and databases that are used to manage an IT Service Provider’s Configuration data. The CMS also includes information about Incidents, Problems, Known Errors, Changes and Releases; and may contain data about employees, Suppliers, locations, Business Units, Customers and Users. The CMS includes tools for collecting, storing, managing, updating, and presenting data about all Configuration Items and their Relationships.
Configuration Item | Any Component that needs to be managed in order to deliver an IT Service. CIs typically include IT Services, hardware, software, buildings, people, and formal documentation such as Process documentation and SLAs.
Definitive Media Library | One or more locations in which the definitive and approved versions of all software Configuration Items are securely stored. The DML may also contain associated CIs such as licenses and documentation. The DML is a single logical storage area even if there are multiple locations. All software in the DML is under the control of Change and Release Management and is recorded in the Configuration Management System.
Relationship | A link between two Configuration Items that identifies a dependency or connection between them. For example, Applications may be linked to the Servers they run on, and IT Services have many links to all the CIs that contribute to them.

3.2 Service Asset and Configuration Management: Process Diagram

3.2 Service Asset and Configuration Management: Key Information

Configuration Identification: Sample Configuration Identification Procedures
- Define and document criteria for selecting configuration items and the components that compose them
- Select the configuration items and the components that compose them based on documented criteria
- Assign unique identifiers to configuration items
- Specify the relevant attributes of each configuration item
- Specify when each configuration item is placed under Configuration Management
- Identify the owner responsible for each configuration item.

The items placed under Configuration Management will typically include service bundles, service packages, service components, release packages and products that are delivered to the customer, designated internal work products, acquired services, products, tools, systems and other items that are used in creating and describing the configurations required to design, transition and operate the service.

A baseline configuration should be developed. An example of a baseline is an approved description of a service that includes internally consistent versions of requirements, requirement traceability matrices, design, specific service components and user documentation.

Asset Record: Asset Record Considerations
Choosing the right Configuration Item (CI) level is a matter of achieving a balance between information availability, the right level of control, and the resources and effort needed to support it. CI information is valuable only if it facilitates the management of change, the control of incidents and problems, or the control of assets that can be independently moved, copied or changed.

Sample Asset Record Attributes
- Unique identifier
- CI type
- Name/description
- Version (e.g. file, build, baseline, release)
- Location
- Supply date
- License details, e.g. expiry date
- Owner/custodian
- Status
- Supplier/source
- Related document masters
- Related software masters
- Historical data, e.g. audit trail
- Relationship type
- Applicable SLA.

Configuration Control: Configuration Control Considerations
- License control, to ensure that the correct number of people are using licenses and that there is no unlicensed use and no wastage
- Change Management
- Version control of service asset, software and hardware versions, images/builds and releases
- Access control, e.g. to facilities, storage areas and CMS
- Build control, including the use of build specification from the CMS to perform a build
- Promotion, migration of electronic data and information
- Taking a configuration baseline of assets or CIs before performing a release (into system, acceptance test and production) in a manner that can be used for subsequent checking against actual deployment
- Deployment control including distribution
- Installation

Note: Asset Disposal: Asset Disposal Considerations
Security Disposal
- PII and HIPAA
- Sensitive information
- Legislative mandates
- Legal requirements
Environmental Disposal
- Precious metal recovery
- Hazardous substance disposal
- Legal requirements
- External repurposing

3.2 Service Asset and Configuration Management: Roles

Roles | Definition
Asset manager | Responsible for the management of the activities that record asset information throughout its lifecycle. Also plans and conducts audits of accuracy and completeness of asset records, and plans corrective actions with the responsible parties, to ensure the integrity of the data.
Configuration manager | Responsible for the standards and procedures for identifying configuration items and their relationships, as well as for the Configuration Management System. (Similar to Asset Manager, but broader in scope.)
Asset / Configuration Analyst | Responsible for reviewing asset and/or configuration data, conducting audits, preparing reports, and implementing large data transfers or corrections.
Configuration administrator/librarian | The custodian and guardian of all master copies of software, assets and documentation CIs registered with Asset and Configuration Management.
CMS/tools administrator | Ensures the integrity and operational performance of the Configuration Management systems.

3.2 Service Asset and Configuration Management: Benefits

Having complete and accurate information about IT assets and services enables effective management of those resources.

Benefits include:
• Faster and less costly resolution of Incidents and Problems, through having configuration information available to support analysis and planning
• Less costly forecasting and planning of Changes and Releases
• Full enterprise-wide lifecycle management of IT assets, from specification of need, through procurement and installation, through disposal
• Support for Supplier management, with regard to leases and warranties, as well as software licenses
• Appropriate protection of organizational information upon asset disposal
• Better adherence to standards, legal and regulatory obligations (fewer non-conformances)

3.2 Problem Management: Overview

What is a “Problem?”
• The unknown cause of one or more incidents

What is the PURPOSE of Problem Management?
• Reduce the number and impact of Incidents
• Identify the Root Cause of Incidents or faults in the IT environment
• Prevent incidents from re-occurring
• Record information that will improve the way in which IT deals with problems

What are the OBJECTIVES of Problem Management?
• Find the root causes of errors
• Develop solutions to resolve known errors
• Plan and request changes to implement the solutions
• Prevent future incidents and problems

3.2 Problem Management: Key Concepts

Concept | Definition
Known Error | A problem for which the root cause has been determined and a workaround or resolution has been determined.
Known Error Database (KEDB) | A tool that maintains information about known errors and their workarounds.
Proactive Problem Management | Maintaining information about events, incidents, problems and the state of the production environment to determine potential problems before they are reported and resolve them.
Problem Model | A predefined workflow for handling a specific category of problem.
Reactive Problem Management | Activities required to diagnose the root cause of problems that have already been discovered by incident management.

3.2 Problem Management: Process Diagram

3.2 Problem Management: Key Information

Problem Resolution: Sample Problem Resolution
- Develop fault elimination action plan
- Track progress of problem resolution against plan
- Document progress against plan
- Close problem once plan is complete

Problem Prioritization: Sample Prioritization Coding System
Priority and severity should be included in the Problem Prioritization process. Problems are prioritized using the same methodology as incidents. Severity can be determined using the following criteria:
- Can the system be recovered, or does it need to be replaced?
- How much will it cost?
- How many people, with what skills, will be needed to fix the problem?
- How long will it take to fix the problem?
- How extensive is the problem?

Impact | Urgency High | Urgency Medium | Urgency Low
High | 1 | 2 | 3
Medium | 2 | 3 | 4
Low | 3 | 4 | 5

Investigation and Diagnosis: Sample Approaches
- Chronological Analysis: Briefly document all events in chronological order to provide a timeline of events, to help identify which events may have been triggered by others, or to discount any claims that are not supported by the sequence of events.
- Kepner and Tregoe: Charles Kepner and Benjamin Tregoe developed a useful way of problem analysis which can be used formally to investigate deeply rooted problems. They defined the following stages:
  ● defining the problem
  ● describing the problem in terms of identity, location, time and size
  ● establishing possible causes
  ● testing the most probable cause
  ● verifying the true cause.
- Ishikawa Diagrams: A method of documenting causes and effects. The main goal is represented by the trunk of the diagram, and primary factors are represented as branches. Secondary factors are then added as stems, and so on. Creating the diagram stimulates discussion and often leads to increased understanding of a complex problem.
- Pareto Analysis: This is a technique for separating important potential causes from more trivial issues. The following steps should be taken:
  1 Form a table listing the causes and their frequency as a percentage.
  2 Arrange the rows in the decreasing order of importance of the causes.
  3 Add a cumulative percentage column to the table.
  4 Create a bar chart with the causes, in order of their percentage of total.
  5 Superimpose a line chart of the cumulative percentages.
  6 Draw line at 80% on the y-axis parallel to the x-axis. All data elements below where the line intersects with the curve are important causes.

Problem Record: Sample Problem Record Fields
Cross-reference the related incident logs to capture details such as:
- User details
- Service details
- Equipment details
- Date/time initially logged
- Priority and categorization details
- Incident description
- Details of all diagnostic or attempted recovery actions taken.

Problem Detection: Sample Detection Procedures
- Suspicion or detection of an unknown cause of one or more incidents by the Service Desk
- Analysis of an incident by a technical support group which reveals that an underlying problem exists, or is likely to exist.
- A notification from a supplier or contractor that a problem exists.
- Analysis of the trend of incidents as part of proactive Problem Management.

3.2 Problem Management: Roles

Roles | Definition
Problem Manager | The single point of coordination and owner for the Problem Management process. Creates or reviews Problem records, assigns problem investigation and resolution tasks, closes Problem records, and manages the Known Error database.
Problem Analyst | A technical staff member assigned to investigate or resolve a problem, developing solutions or work-arounds for the Problem, and updating the Known Error database.
Problem-Solving Group | A team that takes responsibility for performing the analysis of the Problems in a technical area, such as Wintel server or desktop.

3.2 Problem Management: Benefits

Problem Management is directed toward the stabilization and improvement of service availability and quality.

Benefits include:
• Reduction in the number of Incidents due to more effective and efficient incident handling
• Increase in user productivity and service quality
• Improved reputation of IT Organization due to decrease in the repetition of incidents.
• Increase in productivity of Support staff
• Ability to proactively identify beneficial system enhancements, amendments and business opportunities
• Improved resolution rates at the Service Desk

3.3 ITIL Readiness Assessment Framework - High Level Approach
IT Governance & Strategy: The development of ITIL V3 Service Strategy components. The construction of necessary governance structures to support ITIL processes
IT Process: Define process objectives, gap analysis and target objective for each ITIL process. Blueprint the ITIL processes and develop the roadmap and metrics
Technology: Determine the functional requirements for the Service Tool. Select appropriate Tool, determine the Service Architecture and implement
People, Change, & Learning: The development of roles and metrics to support new processes and activities to discover the needs for change and training
Cycle shown in the figure: Vision, Current Position, Desired Position, Design, Implement, Check and Drive Improvement

3.3 High Level Approach – IT Governance
Phases (shown on each High Level Approach slide): Project Initiation, Visioning, Current Position, Desired Position, Design, Implement, Check & Improve
Workstreams (shown on each High Level Approach slide): IT Governance, IT Process, Technology, People, Change & Learning
IT Governance activities: Current Role of Secretariat Service Desk; Future Role of Secretariat Service Desk; Governance Development; Service Governance Development; IT Framework Alignment; IT Service Strategy Plan; Process - Role Alignment

3.3 High Level Approach – IT Process
IT Process activities: IT Service Assessments; Gap Analysis and Roadmap; Define Process Objectives; Cycle through all ITIL Processes; Process Blueprinting; Process Implementation; Post Implementation Assessment; Process Integration; Tool Requirements; Development of Process Metrics

3.3 High Level Approach - Technology
Technology activities: Develop Functional Specification; Develop Service Architecture; Develop RFP; Tool Installation and Configuration; Tool Selection

3.3 High Level Approach - People, Change and Learning
People, Change & Learning activities: Leadership Alignment; Capability Assessment; Organization Role Impact; Organizational Design; Implement Organizational Structure; Develop Performance Metrics; Implement Performance Metrics; Change Impact Assessment

3.3 Current Position - High-Level ITIL Process Maturity Model
Stage 1 Chaotic
• Ad hoc
• Undocumented
• Unpredictable
• Multiple Help Desks
• Minimal IT Operations
• User Call Notification
Stage 2 Reactive
• Fire Fights
• Inventory
• Desktop Software Distribution
• Initiate Problem Management Processes
• Alert and Event Management
• Measure Component Availability
Stage 3 Stable
• Analyze Trends
• Set Thresholds
• Eliminate Problems
• Measure Application Availability
• Automate
• Mature Problem, Configuration, Change, Asset, and Performance Management Processes
Stage 4 Proactive
• IT as a Service Provider
• Define Services, Classes, Pricing
• Understand Costs
• Guarantee SLAs
• Measure and Report Service Availability
• Integrate Processes
• Capacity management
Stage 5 Value Driven
• IT as a Strategic Business Partner
• IT and Business Metric Linkage
• IT/Business Collaboration and Improves Business Process
• Real-Time Infrastructure
• Business Planning
Figure labels: Process Standardization; Business Alignment; Strategic Integration; Tool Leverage; Operational Process Engineering; Service Delivery Process Engineering; Service and Account Management; Manage IT as a Business

3.3 ITIL Readiness Assessment Framework
Below is the self-assessment from each Secretariat that was collected as part of the infrastructure data collection.
Incident Mgmt. Request Fulfill. Change Mgmt. Asset and Config. Mgmt. Problem Mgmt.
2 2 2 3 2 3 4 1 3 3
ANF (PERAC) EOHHS EOHED EOLWD EOEEA EOPSS EOT EOE
Maturity Stage Definitions
1 - Chaotic: Processes are ad-hoc, chaotic, or actually few processes are defined
2 - Reactive: Basic processes are established and there is a level of discipline to stick to these processes
3 - Stable: All processes are defined, documented, standardized and integrated into each other
4 - Proactive: Processes are measured by collecting detailed data on the processes and their quality
5 - Value Driven: Continuous process improvement is adopted and in place by quantitative feedback and from piloting new ideas and technologies

3.3 ITIL Implementation Common Risks and Potential Mitigations
Overall
Common Risks
• Lack of business commitment and funding/resources for process excellence
• Agency staff fail to buy-in to the need for global processes and standards
Mitigation Approach
• Focus on processes that will provide measurable/quantifiable benefits
• Implement a strong governance model backed up by a cultural change program
Process Engineering
Common Risks
• Existing best practices not considered during ITIL implementation
• Inconsistent assessment across agencies and fragmented adoption of new process
Mitigation Approach
• Integrate proven practices and tailor to the structure of the organization
• Core and regional joint teams; local assessments with standard approaches
Technology Integration
Common Risks
• Discrepancies in software tools used across businesses, regions, “stacks”
• Service management processes are not sufficiently automated
• Perception that tools solve a problem
Mitigation Approach
• Include technology analysis in the assessment phase
• Use integrated software tools where possible
• Make sure technology follows process
Communications and People
Common Risks
• Operational apathy against ITIL
• Lack of sponsorship from management
• Inability to organizationally realign staff
• Inability of strategic partners to adapt
Mitigation Approach
• Implement communications plan alongside technology/process deployment
• Appoint process owners within a larger governance framework
Project Execution
Common Risks
• Unstructured implementation approach due to poor project management and lack of critical IT staff
• Excessive process documentation
Mitigation Approach
• Professional project setup (sponsorship, project manager, team, etc.)
• Pragmatic knowledge management/documentation approaches

3.3 Immediate Next Steps
The checklist below can be used to begin the alignment of the helpdesk with the ITIL framework.
# | Activity | Owner | Due Date | Status
1 | Finalize the service desk structure using the template provided | Helpdesk Team | |
2 | Complete current state assessment of all ITIL processes | Helpdesk Team | |
3 | Map ITIL-based best practice processes against current status (gap analysis) | Helpdesk Team | |
4 | Define business priorities for the service desk | Secretariat Business Stakeholders | |
5 | Derive and define key process improvement initiatives | Helpdesk Team | |

Components of ITIL: Service Desk
4.0 Helpdesk Staffing

4.1 Section Overview
The Staffing section will cover two areas to help prepare each Secretariat for consolidation
Change Impact Assessment Framework
• An overview of the IT staff assessment that captures their functional duties
Helpdesk Staffing Model
• An overview of the staffing model template and industry leading practices for staffing ratios

4.2 Change Impact Assessment Framework
Overview
The Change Impact Assessment Framework is intended to capture a complete inventory of all IT staff working in the Commonwealth (including contractors) along with their specific functional duties.
Purpose
The Change Impact Assessment Framework is intended to capture the inventory of IT talent currently working within the Commonwealth. The information will be valuable for developing staffing models for each of the IT services and in helping the Commonwealth to better understand their inventory of skills.
Additional Information
Pre-populated Change Impact Assessment Tool templates have been distributed to the SCIOs on Friday, August 28.

4.3 Helpdesk Staffing Models from Industry
Helpdesk Staffing Model Development
Helpdesk Org. Model
• The helpdesk org. models are being developed by the Secretariats based on HR, finance, and service-based requirements.
Staffing Ratios
• The staffing ratios are based on industry leading practices. The appropriate staffing ratios will be selected based on the size and the maturity of the helpdesk organization for each Secretariat.
Staffing Model
• The staffing model will identify how many staff will be required for each Secretariat’s helpdesk depending on their consolidation plan and the current maturity of their current helpdesk processes.
Staffing Allocation
• The Secretariats will align the appropriate staff with the helpdesk based on the number of resources that are required in the staffing model.

Help Desk Staffing Ratios – 2009*
PCs per Help Desk Staff Member by Organization
Percentile | Small Org. | Medium Org. | Large Org.
25th Percentile | 154 | 200 | 259
Median | 239 | 292 | 421
75th Percentile | 370 | 625 | 696

Users per Help Desk Staff Member by Organization
Percentile | Small Org. | Medium Org. | Large Org.
25th Percentile | 154 | 188 | 236
Median | 220 | 357 | 521
75th Percentile | 338 | 750 | 800
Helpdesk Staffing Model (Staff Total by quarter)
Secretariat | FY'10 Baseline | FY'10 Q1 | FY'10 Q2 | FY'10 Q3 | FY'10 Q4 | FY'11 Q1 | FY'11 Q2 | FY'11 Q3 | FY'11 Q4 | FY'12 Q1 | FY'12 Q2 | FY'12 Q3 | FY'12 Q4 | FY'13 Q1 | FY'13 Q2 | FY'13 Q3 | FY'13 Q4
ANF | 43 | 43 | 43 | 43 | 43 | 43 | 44 | 44 | 44 | 44 | 44 | 44 | 45 | 45 | 45 | 45 | 45
EOHHS | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16 | 16
EOHED | 8 | 8 | 8 | 9 | 9 | 10 | 11 | 12 | 13 | 13 | 13 | 13 | 13 | 13 | 13 | 13 | 13
EOLWD | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 22 | 22 | 22 | 22 | 22 | 22 | 22
EOEEA | 70 | 70 | 70 | 70 | 71 | 71 | 71 | 71 | 71 | 72 | 72 | 72 | 73 | 73 | 73 | 74 | 74
EOPSS | 90 | 90 | 90 | 90 | 90 | 90 | 90 | 90 | 90 | 90 | 90 | 90 | 90 | 90 | 90 | 90 | 90
EOT | 56 | 56 | 56 | 56 | 56 | 59 | 59 | 59 | 59 | 62 | 62 | 62 | 62 | 65 | 65 | 65 | 65
EOE | 76 | 76 | 76 | 76 | 76 | 76 | 76 | 76 | 76 | 76 | 76 | 76 | 76 | 76 | 76 | 76 | 76
Total Staff | 304 | 304 | 304 | 305 | 306 | 310 | 312 | 313 | 314 | 318 | 318 | 319 | 320 | 324 | 324 | 325 | 326
*Source: Computer Economics (August 2009)

4.3 Immediate Next Steps
The checklist below can be used to develop the appropriate staffing for the helpdesk and desktop and LAN functions.
# | Activity | Owner | Due Date | Status
1 | Finalize Helpdesk Structure | SCIO | |
2 | Draft staffing models based on industry leading practices | SCIO | |
3 | Complete the Change Impact Assessment Framework | HRD/SCIO | |
4 | Allocate staff to the appropriate function | HRD/SCIO | |

Components of ITIL: Service Desk
5.0 Service Agreement

5.1 Section Overview
The Service Agreement section will cover three major areas to help prepare each Secretariat for consolidation
Service Agreement Overview
• Basic service agreement overview
• Process for developing a service agreement
• Benefits of a service agreement
Service Agreement Content Overview
• Overview of the purpose, objective, and examples of each section of the service agreement
Transition Framework
• Service agreement maturity model
• Service agreement management
• Next Steps

5.1 Service Agreement: Overview
Service agreements document the service design and management processes as well as the financial management.
They include all components of the SLA and focus on the definition of services, service levels, and the process for achieving those service levels.
A Service Level Agreement is a formal agreement between the service provider and the customer on the minimum acceptable quality of service
A Service Level is a quantitative measure of the quality of services rendered by a Service Provider; it serves to objectively measure and continuously improve performance
Service agreements help the service desk, its customers, and leadership agree on:
Service Strategy
• What services are important to the organization?
• Are we trying to deliver high or low end levels of service, and in what ways?
Service Levels And Performance
• How much service is appropriate? And in what areas?
• Where is our current performance adequate, and where is it not?
• What is to be measured?
• What will the outcomes (rewards and penalties) of that measurement be?
• Do some of our services need to be increased or scaled back?
Service Resources and Investment
• Where do we need more investment?
• Where are we over-invested?

5.1 Service Agreement: Development Process
Who Prepares the Service Agreement?
• Service agreement negotiation process should include representatives from both IT services and the Business, with participation from service level management
How Should the Service Agreement be Written?
• A collaborative perspective representing both the business and technology needs of the service.
• Several iterations may be required before a balanced service agreement can be finalized.
• Wording in service agreements should be clear, concise and leave no room for ambiguity.
• An adequately detailed service agreement identifies the services to be provided, but leaves the opportunity to add or modify additional services as necessary
• Note: There is no need for the service agreement to be written in legal terminology
How Should the Metrics be Developed?
• Metrics should be developed that measure the efficiency and effectiveness of the services provided.
• If there is any doubt in the target metrics, provisional metrics should be included during a pilot phase that can be monitored and adjusted during a warranty period.
• All metrics should be measurable without significant cost.
Cautions
• The first time a service agreement is developed, the writers often focus on current issues rather than focusing on the long-term requirements. Allow for time to air current grievances before moving on to the rest of the service agreement.

5.1 Potential Benefits from Using Service Agreements
Benefits to the Organization
• Provide a means for both parties to reach understanding and agreement on the quality of services that are required
• Create common expectations that help the IT service provider and its customers interact, avoid conflict, and jointly revise measures as needed
• Simple, quantitative (objective) means of measuring and evaluating the IT service provider’s performance
• Motivate the IT service provider and its customers to change behaviors and to drive efficiencies
• Can help to drive lower costs, improve morale and increase service
Benefits to the Service Provider
• Provide a means for the IT service provider to self-evaluate
• Can often help drive better service (e.g., faster response to, and resolution of, issues; improved accuracy)
• Help the IT service provider management highlight clearly where they are doing a good job for the overall organization (e.g., keeping costs low, maximizing efficiency, etc.)
• Allow the IT service provider to make informed and appropriate business decisions (e.g., capital investments, software acquisitions, training, methodology implementation, staffing, etc.)
Benefits to the Business
• Increase understanding of what services will be provided, and what can be expected
• Provide a strong incentive for IT service providers to meet or exceed service level expectations and continuously improve
• Increase customers’ influence with IT service providers

5.2 Service Agreement Content: Overview
Role of the service agreement document
• Describe the scope of the services provided
• Specify performance metrics and objectives for the delivery of those services
• Specify cost allocation / chargeback methodology, when applicable
• Document the business units and individuals within those units who are responsible for meeting service agreement conditions
• Drive continuous improvement and compliance
Typical service agreement outline
• Section 1: Parties Involved
• Section 2: Statement of Purpose
• Section 3: Scope of Services
• Section 4: Service Details
• Section 5: Service Measurement and Reporting
• Section 6: Payment Process/Budget/Chargeback Methodology
• Section 7: Governance and Issue Resolution
• Section 8: Review Process and Amendments
• Section 9: Approvals and Signatures
• Appendix A: Definitions
In effect, the service agreement codifies the operational working relationship between the user and the service desk. Because such relationships are unique, service agreements will differ significantly. Nevertheless, guidance for service agreements consists of:
• Keep it simple
• Ensure it does not become an overly ‘legalized’ document
• Ensure it is flexible in the initial operational stages

5.2 Service Agreement Content: Parties Involved
Scope
• The key IT and business owners responsible for maintaining service continuity
Purpose
• List all agencies that are party to the service agreement and will be signatories, i.e. the Executive Office and all agencies within that secretariat that will receive IT services
Brief Example/Outline
• The Executive Office of Health and Human Services (EOHHS) is the principal agency for all departments, commissions, offices, boards, divisions, institutions and other entities within the executive office pursuant to Massachusetts General Laws Chapter 6A Section 16.
• The Department of Elder Affairs is a department within EOHHS pursuant to Massachusetts General Laws Chapter 6A Section 16.
• The Department of Public Health is a department within EOHHS pursuant to Massachusetts General Laws Chapter 6A Section 16.

5.2 Service Agreement Content: Statement of Purpose
Scope
• A general statement outlining the purpose or objective of the service agreement
Purpose
• Provide a high-level summary of business objectives addressed by the service agreement
• Clarify the purpose of the service agreement document
• Identify the customers to be served by the IT service provider, as well as any other key stakeholders
Brief Example/Outline
• The purpose of this service agreement is to improve administrative efficiency and service delivery, better support department operations and preserve fiscal resources by centrally managing information technology functions that are common to the separate agencies, departments, offices, divisions and commissions within EOHHS.
Or
• This service agreement documents the details of Service X provided to the Business Unit Z. These details are mutually understood and agreed upon by all the representatives of the owner groups. This agreement is meant to complement existing procedures. Service levels in this agreement have been decided mutually and will be communicated in an agreed upon format monthly. The owner groups can use this service agreement to facilitate their planning processes.
5.2 Service Agreement Content: Scope of Services
Scope
• An overview of the services that will be provided by the service provider and the responsibilities of the business owners
Purpose
• Summarize the services covered by the service agreement and the responsibilities of the IT service provider at a high-level
• Summarize the high-level responsibilities of the user
Brief Example/Outline
• High-level overview of service provider’s responsibilities including:
  − Itemization of in-scope processes and key activities
  − Hours of Operation
  − Call Center
  − Issue Resolution
  − Authorized Signatories
  − Contact List
  − Record Retention
• Itemization of any tasks or information the IT organization needs from the user to deliver in-scope services

5.2 Service Agreement Content: Service Details
Scope
• The scope of services should provide a detailed description of IT services that will be provided by the Secretariat.
Purpose
• Document the scope of the service agreement
• Provide a detailed inventory of the services and support to be provided to customers by the IT service provider
• Define which activities and tasks will be performed by the IT service provider and which will be performed by the user or business for each process
• Document performance dependencies
• Define any areas where successful completion and performance is dependent on the timely action of the customer
Brief Example/Outline
• List of all tasks required to perform each in-scope process with responsibility assigned to the user, the service provider, or business function
• List of activities where successful completion and performance is dependent on the timely action of the user
EXAMPLE
Service Standard | IT Responsibilities | Availability | Business Responsibilities
Portal Service | Includes: Content update availability; Ensures integrity of Info Architecture; Liaise with ITD for Portal availability/performance; Usage statistics furnished on request; Public Feedback referrals | Normal Business Hours as described above. Portal availability 24/7 | Compliance with HHS & ITD standards; Timely notice of malfunctions or defects in the environment; Timely removal of broken links, orphan files, or non-compliant content formats
Agency Liaison Administration | Portal Team availability for: Answering Questions; Presentations to agency SMEs; Creating Feature Stories | Normal Business Hours as described above | Agency appoints a Portal Liaison to work with agency content creators and provide single point of contact for Portal Team
Consulting and Training | Respond to requests for consultations about content creation, information architecture re-design, agency communications strategies | Normal Business Hours as described above | Agency appoints a Portal Liaison to work with agency content creators and provide single point of contact for Portal Team

5.2 Service Agreement Content: Service Measurement and Reporting
Scope
• Document the metrics and measures that will be used for performance management
Purpose
• Identify the standards against which the IT service provider’s performance will be evaluated
• Clearly define the expectations of the customer and the enterprise
• Ensure that service agreements can be monitored to meet both performance standards and customer expectations
Brief Example/Outline
Details of Key Performance Measures including:
• Metric Definition
• Type of Metric (e.g., customer satisfaction, productivity, quality, efficiency, cost, etc.)
• Specific performance targets that the service provider has agreed to meet
• What is to be measured in each function
• Expected performance levels for those metrics
• Minimum service levels for those metrics
• Standards or benchmarks by which to measure performance and customer satisfaction
• Mechanisms for tracking performance and customer satisfaction
• Specific information or support the user must provide in order for the IT function to meet the service level goal
Reporting
• Frequency (e.g. monthly, quarterly) of performance reports on service agreement achievement
• For service agreements to be successful, the criteria for measuring service levels should be: attainable, meaningful, understandable, mutually acceptable, measurable, controllable and affordable.
• The customer’s perspective is the most important; every metric should be selected from that perspective.

5.2 Service Agreement Content: Service Measurement and Reporting: Metric Development
Performance-driven cultures are sustained by metrics
Metric Development Objectives
• Communication
  − Performance inside and outside the IT service provider
  − Feedback to people who can act upon the information
  − Convey information through as few and as simple measures as possible
• Alignment with Goals
  − Aligned with business and technical goals
  − Balance all dimensions of the function; not just costs
  − Provide a basis for rewards and recognition
• Continuous Improvement
  − Foster and encourage improvement
  − Quantify improvement initiative results
Characteristics of Effective Metrics
Validity: Does the measure track true requirements or real productivity?
Comparability: Can the measure be compared across time or in different locations?
Completeness: Are all important sources that yield an output tracked by the measure?
Usefulness: Does the measure guide action?
Compatibility: Is the measure compatible with existing data and information flows?
Cost Effectiveness:
What are the tradeoffs between the cost of measurement and the benefits to be gained?

5.2 Service Agreement Content: Payment Process/Budget/Chargeback Methodology
Scope
• Address budget and funding issues. In cases where the service agreement will also cover services that will be funded through a chargeback mechanism, this section should address the chargeback methodology and payment process.
Purpose
• Summarize all costs and potential fees and credits associated with the services provided
• Document how these costs will be allocated to the user (if applicable)
• Set service provider and user expectations for allocation of costs
Brief Example/Outline
Payment Process:
• Assess accounts through an Intergovernmental Payment Voucher (IV) on a quarterly basis at which time the transfer of funds will be requested from Departments.
• Perform interim reconciliations of actual expenses to the Anticipated Budget not less than twice a year and conduct a final reconciliation by the end of the third quarter, or no later than April 30th.
• Adjust the IE as appropriate if, in the determination of EOHHS, projected costs are more than or less than actual costs for the operation of the Core Administrative Activity charged at the beginning of each quarter or year.
Budget/Chargeback Methodology:
• Establish a consolidated Information Technology Core Administrative budget for EOHHS.
• Ensure that the budget for the consolidated Information Technology Core Administrative is adequate and that funding is sufficient to cover the costs of salary and other employee related costs.
• Include in the budget, the following employee related and administrative charges:
  − Payroll Related Fringe Benefit Costs (D09), Travel, Training, Voice and data related costs, and other contract costs
• Assess a charge against each Department developed in accordance with the provisions of this Section

5.2 Service Agreement Content: Governance and Issue Resolution
Scope
• A summary of roles and responsibilities of the governing body for the service agreement
Purpose
• Assign oversight structure, including determining who is responsible for overseeing relevant processes and making critical decisions (e.g., Governance / User Councils)
• Assign roles and responsibilities
• Specify the issue escalation process for: Dispute resolution regarding services provided; Dispute resolution regarding who is responsible for a given activity
Brief Example/Outline
Governing body responsible for approving and maintaining the service agreement, including:
• Those responsible for representing the customers
• Those responsible for representing the IT service provider
• Those responsible for ensuring that these two parties accomplish their stated objectives
Governing Body Responsibilities
• Periodic reviews of the performance metrics
• Periodic review and update of the service agreement
• Review and decide on outstanding operational issues and special requests
• Review of disputes pertaining to IT service provided
• Review of targeted areas for process improvement (both IT and business)
• Participate in “emergency” meetings as required
Issue Resolution
• Active issue management process and escalation procedures

5.2 Service Agreement Content: Review Process and Amendments
Scope
• Outlines the review process for amending the service agreement and approving new services
Purpose
• Outline a schedule and process for reviewing and amending the service agreement
• New services are those services that the service provider does not normally
process or complete
Brief Example/Outline
Meeting schedule for the governing body (e.g., monthly or quarterly)
Procedure for reviewing services and service levels included in the service agreement, including:
• Frequency with which review and revisions should occur
• Process for requesting a review between scheduled review meetings
Procedure for handling new services
• Process for getting approval for the delivery of a new service

5.2 Service Agreement Content: Terms and Approvals
Scope
• Summary of the agreement duration and validation
Purpose
• Specify the duration of the agreement
• Validate agreement between the IT service provider and the user
Brief Example/Outline
• The effective dates of the agreement
• Signatures from the designated service agreement contacts

5.2 Service Agreement Content: Appendix: Common Definitions
Scope
• Define terms that are referred to frequently throughout the service agreement
EXAMPLE
Term | Definition
Availability | The target levels of service availability required. What is considered an “outage”? The service may be unavailable for a period of time, which may not constitute an “outage”
Reliability | The maximum number of outages that can be tolerated within an agreed period of time. What is the acceptable average time between “outages”? Specify the period of time that will be used to calculate
Serviceability | Ease with which service may be performed and completed on a system
Performance (Severity, Priority, Completion) | Desired/required response times. Details of expected service output on which targets are based.
Data Integrity | Desired backup requirements needed to uphold the data integrity. Government regulations around backup (archives) or recovery.
Recoverability | Time to recover from an outage caused by an unplanned incident. Disaster recovery plan required? After what time period is an outage termed a disaster?
Service Hours | What hours do you require the service to be available? Are there times when you will need an extension of service?
Hours of Support | What are your required support hours (where these are not the same as Service hours)?
Security and Privacy | Details of any special conditions relating to security and privacy

5.2 Service Level Leading Practices
Customer satisfaction - one of the most Critical Service Levels
A consistent and reliable methodology is necessary
− Annual surveys
− Comparable classes of users
− Customers and service providers agree upon the form
Identify the class of users to be surveyed (e.g., management as well as end users)
Require service provider to meet with customer to discuss the results of the surveys and the means for improving customer satisfaction
Enforceable Service Levels
“Targets” used for performance assessments by management – “Targets” are not purely for illustrative purposes
To be effective, Service Levels should be:
• Capable of reliable, objective measurement;
• Conducive to simple economic measurement with minimal administrative difficulty; and
Manageable and reasonable number of Service Levels.
• Business owners must clearly define desired Service Levels and standards based on their business objectives and requirements
• Not every service provider function should be subject to a Service Level – try to limit to those services that are important to customers and will have a significant impact on its business
• Keep in mind that there is an administrative cost to the management, measurement and reporting of Service Levels
• Important relative to customer’s desired business drivers

5.3 Service Agreement Maturity Model
Early Maturity “Start-up”
DEFINE
• Define the business objectives and requirements for each customer group
• Define the need for a new or revised service agreement
• Prioritize which service agreements need to be developed
• Identify performance metrics to be tracked and applied
• Articulate roles and responsibilities
• Develop action and communication plans
MEASURE
• Track metrics for a defined period of time
• Develop standard handling policies and procedures
• Document escalation procedures according to severity level and chain of command
• Define and assess accountability for the reporting, review and amendments processes
Mid Maturity “Transition”
ANALYSE
• Report measurements based on suggested targets, business objectives and customer needs
• Analyze performance measurements
• Set initial baseline for service levels
• Reach agreement between customers, service desk, and management on service levels and terms
• Develop and publish Service Agreements for relevant functions
IMPROVE
• Implement the completed service agreements; track and manage performance
• Identify improvement opportunities
• Perform root cause and other analyses to improve performance
• Identify actions required to improve performance
• Create and maintain ongoing service level performance reports
High Maturity “Steady State”
CONTROL
• Manage and govern service agreements and performance
• Periodically review business relevance of service levels contained in service agreements
• If a service level or service agreement is no longer valid, identify changes needed to better govern the IT Function’s relationship
• Set and revise continuous improvement targets

5.3 Service Agreement Management
Successful service agreement management and continuous performance improvement will depend entirely on the quality of the tools, processes, and reporting implemented.
Critical Success Factors
• Educate all management and team leads on the service agreements and their respective responsibilities
• Vendor operational level agreements should specify service timeframes and levels that are in line with the service agreement specifications
• Do not underestimate the importance of fully understanding the processes and tools and how they integrate. Staff should understand how each workflow step corresponds to the service agreement calculation and reporting
• Identify process and tool champions on each team
• Create reporting that quickly enables teams to see the outcome of their actions.
• Avoid complex reporting and metrics calculations, to be able to provide insightful analysis on the data quickly
• Ensure reports are verifiable, and can be easily presented and explained
• Ensure all call priority definitions are clear and relevant to the business
• Perform root cause analysis when service level is breached, and learn from failures
• Proactively monitor service agreements to see trends and take early action to avoid performance levels being missed

5.3 Immediate Next Steps
The checklist below can be used to develop a service level agreement between the business and IT functions.
# | Activity | Owner | Due Date | Status
1 | Identify all parties (both business and technical) that need to be involved in the service agreement development | SCIO/Helpdesk Team | |
2 | Develop a framework service agreement based on the information provided in the previous slides and the information provided by the IT Finance and Budget subcommittee | SCIO/Helpdesk Team | |
3 | Develop a draft of the service levels for inclusion in the service agreement | Helpdesk Team | |
4 | Validate service levels with business and technical stakeholders | All Parties | |
5 | Develop a draft of metrics for each service level | Helpdesk Team | |
6 | Validate metrics with business and technical stakeholders | All Parties | |
7 | Draft all other components of the service agreement | Helpdesk Team | |
8 | Validate completed service agreement with business and technical stakeholders | All Parties | |

5.0 Integration With ITD Processes

6.0 Process Integration points with Agencies, Secretariats, and ITD

Service Desk
• Coordinate on incidents involving more than one organization
• Leverage shared tools
• Leverage shared knowledge
• Redirect callers to appropriate resources (ITD vs. Secretariat vs. Agency)

Incident Management
• Coordination of communications and notifications
• Coordination of Incident resolution actions

Request Fulfillment
• Calls to one organization for services that are the responsibility of another organization

Change Management
• Coordinate change planning and approval for resources hosted or managed by ITD

Asset and Configuration Management
• Ownership vs.
custodianship (e.g., ITD hosts a server owned by Secretariat)

Problem Management
• Leverage knowledge beneficial to all: share Known Errors
• Share responsibility for Root Cause Analysis and Problem elimination (e.g., application support and server management)

Appendix

2.3 Industry Leading Tools and Standards: Service Desk Vendor Analysis

Company / Strengths
Avocent LANDesk (Touchpaper)
• Strong out-of-the-box functionality
• Ease of implementation
• Robust knowledge management functionality
• Credible best-practice and consulting services specific to ITSM
• Strong brand and presence in the U.K.
Axios Systems
• Annual development cycle with attention to customer functional requests
• Brand recognition, globally
BMC Software
• Broad suite of ITSM modules, including a strong CMDB offering (Remedy)
• Sizeable, strategic third-party partnership
• Migrating customers to new releases
• Strong PPM position and integration road map with ITSM
CA
• Extending incident and problem management capability with support automation (formerly SupportBridge)
• Good presentation and administration of workflow and business rules
EMC (Infra)
• Ease of implementation and configuration
• Financial integrity from EMC acquisition
• Financial backing of equity partner enables aggressive marketing, sales and acquisition growth
FrontRange Solutions
• User interface is easy to configure and administer (ITSM)
• Installed HEAT service desk customer base provides long-term annuity
• Strong and positive global presence and service organization
• Depth of product relationship vision among ITSM, data center and application development tools
HP
• Functional capabilities of application dependency mapping and CMDB
• Workflow and forms easy to customize and administer
iET Solutions
• IT service desk tool easy to implement and get into production
• Valued advanced customer support services
• IBM has a recognizable brand name in Fortune 2000 companies and a large installed base globally
IBM
• Compelling user interface, from an administration and presentation perspective
• Range of channel options from IBM Global Services to resellers
• Pricing model is straightforward and easy to understand
Service-now.com
• Compelling user interface, from an administration and presentation perspective
• SaaS delivery model

Cautions
• Customers say product is difficult to customize and integrate with other vendors' ITSM tools
• Touchpaper is less tested in large enterprises; most success has been with enterprises of less than 10,000 employees
• Recent acquisition creates traditional remote management challenges
• Difficult to work with in regard to pricing, contracts and billing
• User interface and Web client are behind in presentation and administration capability
• Privately owned business, with limited capital resources to support growth and remain competitive
• Ease of customization encourages poorly planned customization activity
• Large base of customers with heavily customized applications is still multiple versions behind because upgrade is deemed expensive and difficult
• Product versioning and maintenance schedule are not well-understood
• Cumbersome and costly if high degree of customization is required
• Limited change management impact, risk and collision capability
• Negative industry perception of CA brand continues with some customers
• Limited IT service desk brand awareness and marketing
• Lack of depth in strategic partnership and resellers
• Inconsistent product road map since EMC acquisition
• Company continues to struggle managing a dual product strategy
• ITSM product suite lacks enterprise functional capabilities in change and CMDB
• Successful large-enterprise ITSM product suite implementations slow to emerge in the market
• Complex and difficult to use integration tools between Service Manager and other HP
Business Technology Optimization (BTO) software applications
• Flawed change and release management product-branding and road map
• Service Manager clients report implementation and migration times may be long
• User interface is lagging behind at the presentation layer
• Lack of automated or wizard-driven version migration tools
• Comparatively small revenue to support growth and remain competitive
• Small number of successful enterprise-scale implementations
• Tivoli Service Request Manager is not currently well-integrated with adjacent Tivoli products
• Still a young company with limited resources; may affect range of services available to clients
• Limited customers with complete suite of ITSM modules in production
• Potential technology glitches within hosting environment

Source: Gartner (October 2008)

2.3 Industry Leading Tools and Standards: Interactive Voice Response Analysis

Company / Strengths
Aspect Software
• Long-standing market presence
• Both a stand-alone IVR or a suite-based approach
• Apply best practices for deployment of IVR, speech solutions, and self-service application development
Avaya
• Long-term vendor of contact center solutions with easy integration
• Consider IR if you have a legacy Avaya IVR infrastructure
Cisco
• Financial strength enables long-term viability
• Ability to create virtual contact centers; good for smaller deployments
• Strong position in networking and IP telephony
Envox Worldwide
• Well-established relationships with value-added resellers, system integrators and developers
• Open-standards-based platform
• Price competitive and flexible on terms
• Capable technical support service that is responsive to product feature requests
• Choice of turnkey solutions or the custom IVR/voice portal solutions
Genesys Telecommunications
• Leader for features and functionality for implementing voice self-service within a multichannel strategy, integrated with live-agent support
• Strong support for multitenancy features to
support internal hosted service deployments
• Strong support for standards, including SIP and VoiceXML
• Software-centric products with an indirect fulfillment model
• Multivendor support for third-party telephony and automatic call distribution
Holly Connects
• Carrier-grade, scalable, distributed, software-only platform
• Industry standards, such as VoiceXML and SIP
• Strong multitenancy and redundant architecture
• Sophisticated reporting, speech-recognition call logging and recording, resource monitoring, and real-time tools for port allocation, service configuration, and service provisioning and decommissioning
• Its engineering support organization is responsive to customer needs
IBM
• Offers a combined Web and voice processing solution
• Strong management and reporting capabilities on a reliable operating system
• Deep technical expertise to solve support issues
• High-reliability scalable platform

Cautions
• Aspect's primary investment focus is on its suite solution
• IVR revenue is declining which will limit future investment.
• Weak on scalability and multitenancy features; poor for multiple departments or business units.
• Variable services staff quality.
• Lacks an enterprise telephony offering
• Avaya IVR solutions are rarely deployed outside of Avaya-based call centers.
• Avaya solutions pricing is higher than that of some vendors.
• Limited experience of complex call center deployments
• Avaya has recently been privatized.
• Product specifications limit vendor choices and increase dependence on Cisco
• Virtual call centre routing requires additional Cisco software
• Separate tools and management reporting increases the complexity
• The skills and competencies to deploy solutions in large enterprises are available only through specialized Cisco partners.
• Limited Scalability
• Limited resources in all functions; quality of project management
• Lacks a large customer base for contact center call routing and telephony solutions
• Expensive compared with those of other vendors
• Indirect fulfillment - relies on third parties for project management and implementation services
• Does not directly offer a hybrid premises/hosted service offering
• The merging of GVP and VGP could distract development efforts from other initiatives
• Limited brand awareness and presence outside its home market of Australia
• Small company with limited resources in North America and Europe
• Lacks a broader call center and communications infrastructure
• Features, reporting and integration are packaged for large-scale applications, such as telecom, rather than for enterprises
• IBM's go-to-market and product strategy limits its opportunities for WVR
• IBM has no telephony or call center product offering, nor an installed base
• WVR runs only on AIX, and is not supported for other operating systems

Source: Gartner (February 2008)

2.3 Industry Leading Tools and Standards: Interactive Voice Response Analysis

Company
Interactive Intelligence
Intervoice
Nortel
Syntellect
Voxeo

Strengths
• Suite solution including IVR functionality.
• Easy and intuitive to use with minimal training, and allows companies to create applications quickly
• Supports time division multiplexing and SIP integrations
• Ideal for small to medium size organizations
• Provides an end-to-end services offering including hosted and managed services options
• Proven record of integration in multivendor environments
• Strong track record and experience in delivering IVR and speech applications
• Open, scalable, switch-independent IVR platform
• Long-term commitment to IVR and self-service solutions
• Professional services are well proven in delivering IVR-based solutions to enterprise call centers
• Clear vision of how its IVR platform will migrate to a UC environment and become its general-purpose Media Server
• Has a switch-independent, standards-based IVR platform
• Proven applications and a strong professional services team
• Voxeo's Prophecy IVR platform is a pure software platform, downloadable free with two ports from its Web site and optimized to make it easy for developers to start developing applications.
• Offers a hybrid premises/hosted model
• Web-centric and adheres strictly to standards such as VoiceXML and SIP.
• Basic speech recognition and text-to-speech engines with the platform reduces costs — especially during development.
• A low-cost, scalable, standards-based platform

Cautions
• Limited in size
• Lack features for large-scale developments and third-party tools and applications are not supported.
• VoiceXML support is a recent enhancement and is not yet well proven
• Specialist IVR vendor, with a limited portfolio of broader contact center and UC offerings
• Occasionally fail to respond to the impact of service outage on customers' businesses.
• Some evidence of rising prices
• Limited third-party partner networks
• Application development, system integration and tools is weaker than that of other leaders
• Platforms depend on some proprietary components
• Platform upgrade proposals tend to carry premium prices
• Some dissatisfaction with Nortel project deployments
• Low market share hinders its ability to invest deteriorating long term viability
• Limited choice of application provider and system integrator
• Lacks multitenancy features that are often required for stand-alone IVR platforms in large enterprise environments
• May be acquired if success continues, could lead to disrupted service.
• Primarily a hosted services business model.
• Limited reporting and tools

Source: Gartner (February 2008)

2.3 Industry Leading Tools and Standards: PC Lifecycle Configuration Analysis

Company / Strengths
• High visibility and a good reputation
Avocent
• Additional investments in endpoint security enhancements (LANDesk)
• Well-integrated suite of products, with particular strengths in usability, software distribution and patching.
• Operational and security management functionality from a single scalable architecture.
• Systems Lifecycle Management offers particular functional strengths in discovery and patch management.
BigFix
• Significant vision in this market, as demonstrated by its early movement in security/operational convergence, support for Mac clients, and PC power management.
• Strong policy management and bandwidth control position to manage an increasingly mobile user population.
BMC Software
• Tight integration and workflows, and associated automation with the BMC service desk tool
• Runs in a highly diverse environment; the support infrastructure can run on Windows, many variations of Unix and Linux, SQL Server, Oracle, etc.
• Diverse platform support for organizations that are looking to support Windows, Unix, Linux, AIX and other platforms with a single set of tools.
• Extensive PC migration capabilities — an area on which most competitors haven't focused.
CA
• CA offers a broad set of adjacent offerings (that is, service desk, asset management, service catalog, etc.) for organizations that are looking to consolidate and standardize on a single service management suite.
FrontRange Solutions (enteo Software)
• Strong partnership with Citrix
• Easy-to-use tool with installation templates, which appeal to SMBs.
• Strong inventory and software usage management offering.
• Policy-based management ("desired state") enables high degrees of successful software and patch deployments.
HP
• Very scalable with sophisticated bandwidth management capabilities.
• Well-positioned to manage increasingly mobile clients.

Cautions
• Primary customers have approximately 1,000 to 5,000 users.
• Reliable discovery and inventory, but customers have reported issues with filtering and replicating inventory
• Missing native capabilities in OS deployment, remote control and application packaging, for which it relies on partners.
• Some functions within software distribution are immature — lacks some standard features to configure and manage
• No differentiation in client or application virtualization.
• Slowing focus on PC life cycle configuration management
• Customers supplement BMC's solutions with third-party tools to conduct OS deployment/data and settings migration, remote control and application packaging
• Focus on PC life cycle configuration management is waning, as evidenced by its falling behind on several major market trends (for example, endpoint security management, virtualization and green IT).
• Eroding partner relationships and customer complaints about the quality of support.
• Stability issues with enteo Version 6
• Lacks an endpoint security strategy
• Playing catch-up in some areas (for example, virtualization).
• Customers tend not to use the full suite — for example, it's common for customers to use third-party tools for OS deployment/data and settings migration, remote control, and patch management.

Source: Gartner (December 2008)

2.3 Industry Leading Tools and Standards: PC Lifecycle Configuration Analysis

Company / Strengths
• Maintained its focus on the core elements of PC life cycle configuration management — for example, software distribution and OS deployment.
Matrix42
• Unique features for controlling and coordinating the release of software and patches to PCs
• The IT configuration architecture enables reliable support for mobile and remote users
• Intuitive user interface and references report that it's easy to use.
• The Compliance Manager product, which ties together usage, financial and physical inventory data, can also bring together disparate data sources in a single view for an asset.
ManageSoft
• Good option for organizations looking for strong configuration management and asset repository capabilities.
• System Center Configuration Manager 2007 is a scalable product, with many customers managing more than 30,000 PCs.
• Microsoft has generated interest in Application Virtualization (App-V) by including it in the Microsoft Desktop Optimization Pack
Microsoft
• There is wide availability of Systems Management Server (SMS)/ConfigMgr '07 technical skills.
• Organizations are more likely to find talent with this experience, rather than with competitive products.
Novell
Symantec (Altiris)
• Customers tend to use the entire suite — for example, OS deployment, remote control and software usage metering — in addition to the base functions.
• One of the few products in this market that deploys applications to users rather than machines.
• Offers functional strengths in inventory (with integration into its asset repository) and OS deployment.
• Complete PC life cycle offering, and Symantec owns key emerging capabilities in endpoint security and virtualization.
• Offers broad adjacent offerings — for example, endpoint security, asset management, service desk and workflow.

Cautions
• Little visibility outside Europe
• The response time for escalated support issues for U.S. customers can be delayed when help is required from Germany.
• It lacks a service desk and an IT asset repository, which SMBs are increasingly requiring
• Lack of investments in core life cycle management capabilities suggest a slowing focus on PC life cycle management.
• Hasn't demonstrated a strategy for application virtualization and streaming.
• Larger management server footprint than competitive tools. Many clients supplement with add-on tools to reduce this requirement and improve performance.
• Customers continue to report that ConfigMgr '07 is difficult to implement and support
• Higher staffing requirements than competitive tools.
• Desired Configuration Management, Internet Facing Client Management and Branch Office Distribution — have complexities or functional limitations that are prohibiting their broad adoption.
• Microsoft has had consistently longer gaps between major product releases (about four years).
• The Novell brand is strongly associated with legacy technology.
• Uptake has been slow, particularly because its early release lacked critical pieces, to support remote locations.
• Customers have reported issues with support — that is, first level and escalated support.
• Complex product to install and manage. Symantec has started to address this issue with Version 7.
• Although endpoint security is a key growth trajectory for Symantec, patch management isn't a strong suit.

Source: Gartner (December 2008)

2.3 Industry Leading Tools and Standards: Endpoint Protection Management Analysis

Company
BigFix
Bit9
CA
Check Point Software Technologies
eEye Digital Security

Strengths
• Integration of the security and operational tools enables more-concise reporting and rapid remediation.
• The AntiThreat offering includes antivirus, personal firewall and anti-spyware engines that are licensed from CA and integrated into the BigFix agent and management console.
• Strong management scalability and for control of off-LAN devices because of its intelligent agent architecture.
• Device control is very complete, including capabilities to disable and enforce policies for removable media, USB devices, CD-ROMs/DVDs, floppy drives, parallel ports, infrared ports, Bluetooth and PC Card devices.
• AntiThreat includes capabilities to conduct NAC assessments and self-quarantines at the endpoint.
• Client-based DLP was recently licensed from a third party and added to the security product portfolio.
• Cost-competitive with other EPP vendors.
• Heavy focus on application control.
• Blocks software execution or devices that are not on a corporate preapproved list from running and maintains the integrity of installed applications by cross-checking multiple file hashes before they execute.
• Bit9 has developed a huge source of information on applications and files with Knowledgebase, its file and application identification system.
• To reduce the overhead of maintaining whitelists, Bit9 ParityCenter, a software-as-a-service (SaaS) offering, provides context on more than 9 million applications and 4 billion individual files to help customers identify and assess the software applications
• Bit9 has focused on limiting the management and usability challenges associated with application control.
• The vendor offers Device and Application Reporting Tool, which is an agentless software and device audit tool.
• Bit9 is appropriate for organizations that have the political clout to enforce an authorized-only software image on PCs or subsets of PCs with a high security requirement.
• Mature malware research labs and broad portfolio of operational and security products.
• CA EPP solutions include the basic components of anti-malware, HIPS and a personal firewall. CA also offers software-based e-mail and HTTP gateway solutions.
• The personal firewall has many advanced features, such as support for one active NIC, VPN detection, and good event logging and device control.
• CA's HIPS capability includes numerous system checks, as well as vulnerability shielding, sandbox execution and behavior anomaly detection. Its learning mode capability eases set up and policy creation. CA also maintains a known application database for broad industry wide whitelisting.
• Reference customers and resellers often noted the low cost as a major benefit of the CA product.
• CA customers and those looking for inexpensive EPP capabilities should consider CA's eTrust solutions.
• ZoneAlarm provides a major source of data for malware research.
• Check Point's firewall capabilities are much improved since 2006 and are very complete.
• Check Point is also a significant provider of VPN clients.
• Integrity includes an 802.1X supplicant and also supports self-enforcement native NAC solutions. An on-demand agent is available for unmanaged machines.
• Existing Zone personal firewall, Pointsec encryption and Check Point VPN users should include Check Point on their shortlists. Others may want to wait for better integration and a more mature management capability.
• More of an HIPS solution than a traditional antivirus product.
• Its primary strength is in multiple styles of proactive HIPS-based protection.
• The included firewall is complete with good advanced features
• Blink does not depend on signature-based mechanisms as the primary mechanism for malware detection, but it does offer integrated signature-based antivirus and sandboxing, which is licensed from Norman.
• The company has strong malware research capabilities.
• Consider eEye Blink if you are an SMB looking for a tactical HIPS solution to supplement signature-based protection and native firewalls on Windows clients and servers.

Cautions
• Smaller company with minimal customer presence outside North America.
• Operations tools, such as software distribution, patch, vulnerability and configuration management, are not included with the AntiThreat solution pack.
• It lacks a proven track record in the anti-malware protection side of the business.
• Anti-malware capabilities are immature and dependent on CA and other partners.
• It lacks HIPS capabilities in the current release (due the first half of 2008).
• It doesn't have encryption capabilities.
• Small vendor with a limited user base that is primarily in North America.
• It does not have a personal firewall, antivirus or HIPS capability beyond application and device control.
• If a malware manages to evade detection, then Bit9 cannot clean it up.
• Bit9 has limited operating system platform support. Current versions only work on Windows.
• It has limited resources to integrate wider EPP capabilities, such as NAC, DLP or encryption.
• Outsource eTrust antivirus product development, engineering, support and threat research to HCL Technologies, while CA will continue to perform sales, marketing and product management tasks.
• It took several years to integrate the PestPatrol anti-spyware capability. The HIPS solution is not yet integrated in the eTrust Management console. Correlation between different components is shallow.
• Rootkit detection is weak. There is no capability to discover an installed rootkit in the corporate version.
• NAC capabilities are limited to participation in Cisco NAC and Microsoft Network Access Protection infrastructure.
• Although Check Point has an excellent reputation in the enterprise network space, it has not yet established this reputation with the desktop security buying center.
• An advanced management capability is lacking.
• Although Check Point has a small research lab, it is primarily dependent on antivirus partners (Kaspersky) for malware research.
• Rootkit detection is limited to spotting traffic patterns.
• Device control is in the Pointsec product, which is still being integrated.
• One of the smallest companies in this market, with only 74 employees
• It has limited application and device control capabilities.
• The vendor doesn't have NAC capabilities.
• eEye lacks the capability to detect installed rootkits, although it has techniques to prevent rootkit installation.
• Platform support is limited to Windows.
• It has expensive list pricing.

Source: Gartner (December 2007)

2.3 Industry Leading Tools and Standards: Endpoint Protection Management Analysis

Company
F-Secure
IBM
Kaspersky Lab
LANDesk
McAfee

Strengths
• Fast response times to malware outbreaks because of automated threat analysis and multiple sources of threat samples.
• The vendor has the largest share of ISP customers, including a SaaS multitenant platform, F-Secure Protection Service for Business, which enables ISPs to offer SMBs a fully managed security solution.
• Customers comment on the outstanding support from F-Secure.
• F-Secure BlackLight provides a good rootkit scanning capability.
• The personal firewall component, Internet Shield in F-Secure Client Security, uses Vista's Windows Filtering Platform.
• It is a good alternative for SMBs, especially those in their direct service area of northern Europe and those looking for SaaS-type services.
• IBM Proventia's main strength is in a variety of styles of HIPS protection
• The personal firewall is full-featured and mature
• Proventia offers an optional integrated antivirus signature engine from BitDefender
• IBM/ISS has the broadest platform coverage of any HIPS vendor.
• IBM's X-Force R&D labs have a strong reputation.
• IBM's reputation and channel presence in large enterprises enable it to attract capable partners, such as BigFix and Sophos. We fully anticipate that several partners will become acquisition candidates in the near term.
• IBM has announced strategic plans for a significant program to move into the data security market around the three pillars of data protection, system protection and an extensible management framework.
• Kaspersky Lab is a smaller, but technically astute, organization with a strong reputation for fast signature response and high malware detection rates.
• Its primary client base has been in Europe, but it is rapidly expanding into North America and emerging markets, such as China.
• The Kaspersky client has a relatively small disk and memory footprint for a comprehensive suite platform.
• Starting with v.6.0, Kaspersky introduced advanced HIPS
• The vendor has a strong OEM business with e-mail and Web gateway vendors.
• SMBs that prefer to focus on signature-based defenses and HIPS should evaluate Kaspersky. Larger organizations should consider Kaspersky as a strong antivirus engine when offered in other vendors' e-mail and Web gateways.
• The security suite includes several operations management capabilities
• Some advanced firewall capabilities
• Malware detection is provided by partners Lavasoft and Kaspersky. The management of other antivirus engines is provided by McAfee, Sophos, Trend Micro and Symantec.
• One of LANDesk's main advantages is the ease with which it can find, assess and update any aspect of a PC, even when it is off a LAN.
• LANDesk offers NAC (802.1X, DHCP, Cisco NAC and IPsec) to automate security assessments and remediation.
• McAfee is a consistent leader in the antivirus market, with a high desktop penetration rate and a solid international threat research capability.
• McAfee has demonstrated excellent vision, leading the market with the acquisition of DLP capabilities (Onigma) and full-disk encryption (Safeboot) to protect enterprise data. The vendor also offers a managed service (SaaS) for SMBs.
• It is slowly acquiring some operations life cycle tools
• McAfee's spyware detection rates are very good for a traditional antivirus vendor.
• EPO has historically been the standard for centralized administration consoles

Cautions
• Less advanced enterprise management features (distributed management console, role based administration and automated network scanning for agentless machines), which makes the use of this product in large environments challenging.
• The HIPS solution is missing some basic capabilities, such as buffer overflow, vulnerability shielding or application whitelisting.
• F-Secure only offers a Web-based, on-demand scanner. It does not have an enterprise version suitable for scanning unmanaged machines.
• The personal firewall is basic and lacks features such as device control and expansive logs, and it has limited attack prevention to shield it from being disabled.
• Advanced data protection, such as DLP and encryption, are not on F-Secure's road map. The vendor exited the encryption market.
• NAC is limited to agent self-enforcement for signature file freshness.
• Market presence is mostly in Europe, the Middle East and Africa, with limited presence in North America and Asia/Pacific.
• F-Secure needs to enhance its quality control and alpha testing on new product version releases.
• IBM's expansion plans for PC and data security are in the early stages and may change significantly.
• High administration, careful tuning and exception handling are essential to the successful deployment of Proventia desktop.
• Some HIPS techniques may have an impact on endpoint CPU, and memory use is relatively high.
• There is slow support for Windows Vista for 64-bit Windows.
• IBM's signature-based anti-malware capabilities are dependent on a smaller vendor, BitDefender
• Minimal NAC support exists, and IBM doesn't have any encryption or DLP plans yet.
• Small company relative to the market leaders, and its minor global enterprise market share is mostly in SMBs.
• Its current solution lacks some visionary capabilities, including self-contained NAC, firewall controls for VPN enforcement, prevention of Wi-Fi bridging and device management, DLP, encryption and network gateways.
• Rapid growth and global expansion will be difficult to manage and could have a negative impact on product quality.
• The biggest drawback to LANDesk EPP is that the initial investment in infrastructure needs to be shared with operations administrators and their budgets.
• The extensive management interface can be overwhelming at first; however, after training, it becomes intuitive.
• LANDesk does not resell a firewall but can manage Windows XP and Vista firewalls.
• It lacks a proven track record in the protection side of the business.
• Visionary extended products, such as DLP and encryption, are lacking.
• Users report that it can be difficult to navigate and use. Integration of new products into the console is often very slow. Also, we continue to get reports that EPO status reports are not always accurate.
• Longtime EPO users report some frustration navigating the new Web version.
• HIPS policy setting can be administration-intensive.
• The McAfee agent can have an impact on PC startup and streaming media.
• NAC capability is limited to self-enforced NAC or McAfee NAC 2.5 integrated with IntruShield Network IPS, and is lacking granular policy capability.
• McAfee's Total Protection for Enterprise products suite has a high list price and includes gateway products (Web and e-mail) that enterprises should source separately. McAfee can be aggressive in negotiating renewals.

Source: Gartner (December 2007)

2.3 Industry Leading Tools and Standards: Endpoint Protection Management Analysis

Company: Microsoft, Panda Security, Sophos, Symantec, Trend Micro, Webroot Software

Strengths
• Strength in ease of use and manageability
• The FCS management console provides excellent drill-down reporting of the security status of managed clients.
• It has solid operating system knowledge and integration, which minimize the risk of operating system conflicts and destabilization.
• Pricing is attractive, especially for enterprises that purchase Microsoft's Enterprise Client Access License.
• Microsoft NAC support is embedded.
• Consider Microsoft's FCS if you are an SMB looking for basic protection for Windows desktops and servers.
• Panda Security has a mature malware lab and was early to embrace the EPP concept.
• Broad array of HIPS techniques that enable it to catch malware prior to execution without relying on threat signatures.
• The vendor also has some interesting plans for software identification in the cloud, which could improve malware signature speed and accuracy.
• Panda has good platform support for handheld platforms.
• SMBs that are looking for a more customer intimate alternative to the incumbent giants in the antivirus market should consider the EPP suite from Panda.
• The acquisition of Endforce provided excellent integrated NAC capability
• The management is significantly improved with its simple to manage and support SmartView filter that shows.
• Reporting is also greatly expanded to include PC configuration and software status indicators.
• The management console is able to monitor, assess and remediate some competitive EPP clients.
• The Sophos EPP suite offers a good balance of malware, personal firewall and HIPS defenses that are deterministic and easy to deploy and manage.
• Long-suffering Symantec Antivirus (SAV) 9 and 10 users will appreciate less-intrusive scheduled malware scanning with SEP 11.0, a task that formerly had a significant impact on system performance.
• Improved directory integration and reporting.
• Symantec On-Demand Agent is a solid (but optional) offering for scanning unmanaged machines with a light downloaded agent.
• Consider Symantec for a more complete protection platform that supports the selection of multiple styles of protection from an extensible agent framework and managed from a single console.
• Excellent international malware research capabilities.
• It gets high marks from its clients for service and support.
• Trend Micro OfficeScan provides basic HIPS functionality
• NAC capability is good
• Trend Micro recently developed a plug-in architecture that enables more rapid integration of new technologies acquired by Trend Micro or offered by smaller innovative companies that do not have the management capability for enterprises.
• Trend Micro's NeatSuite packaging/pricing is attractive. In some regions, Trend Micro resellers provide free protection software for employees' home PCs.
• Enterprises looking for a reliable and conservative alternative to other leaders would do well to include Trend Micro on their shortlists.
• Webroot Software's primary strength is its spyware and adware threat detection and filtering capabilities. The Phileas URL search engine is distinguished in the industry as an excellent site-oriented spyware detection system.
• Its malware engine uses 17 real-time shields that identify and block malware from loading.
• The vendor has leveraged its spyware niche into a profitable business with no debt, but larger incumbents are catching up in spyware detection rates.
• Webroot will continue to fill the niche need of buyers who primarily seek to augment spyware defense until it can provide HIPS and personal firewall functionality.

Cautions
• FCS only offers Microsoft Windows client and platform support.
• Potential for a conflict of interest.
• Microsoft is continuously challenged to choose between embedding security into Windows, which benefits all customers, or providing competitive security products.
• FCS does not manage all Windows built-in security capabilities, such as the firewall
• The FCS Security Management Console is not yet integrated into the other Forefront security products
• Initial Microsoft malware lab weakness in early evaluations of OneCare
• FCS is optimized for Active Directory Group Policy for configuring agents and Windows Server Update Services for distributing signatures.
• Microsoft is missing visionary features, such as DLP, and encryption is only available in Windows Vista.
• Overall, Panda is still a small regional vendor and needs to break out of its niche market in Spain. Its international growth plans may stretch corporate resources.
• It lacks several visionary capabilities regarding its firewall, such as external media controls, VPN enforcement and the prevention of Wi-Fi bridging.
• Future road maps for DLP and encryption are lacking.
• The NAC platform is incomplete, although frequent compliance re-checks are a plus.
• Some customers reported poor Office 2007 compatibility.
• Sophos lacks several visionary capabilities, including agentless scanning, advanced firewall controls (to prevent Wi-Fi bridging), device control, DLP and encryption, although road map commitments for data encryption with basic media port controls are in place.
• The EPP management console is not yet integrated with advanced NAC and e-mail and Web gateway products.
• Ad hoc and scheduled reporting could be improved.
• Overlap with Symantec Critical System Protection and Symantec Compliance Manager, which uses a separate management and reporting console, needs to be rationalized.
• The SEP management console is completely new and slightly immature.
• Buffer overflow technology from Sygate was not integrated. Most EPP competitors offer buffer overflow protection.
• Client dissatisfaction with Symantec support continues to be an issue,
• Add-ons to the SEP 11.0 foundation can become expensive.
• Slow response to changing market conditions
• OfficeScan's lack of advanced HIPS and personal firewall features had a significant impact on its vision score.
• The company has no operations life cycle tool components, such as vulnerability scanning patch or security configuration management, nor does it have any integration with partners for this type of capability.
• OfficeScan Client is relatively heavy, and scheduled scans can affect PC performance.
• The product portfolio has only limited agentless scanning capabilities.
• Native NAC capability is appliance-based, making it expensive and complex for large organizations.
• Control Manager does not yet have the richness of reporting like some competitive solutions, and central management can be difficult.
• Webroot is a relatively small company in this market, and it has experienced some management turnover. It will be difficult for it to compete in the broader EPP market with such small engineering and support capabilities.
• The relative breadth of Webroot's EPP features is limited compared with the market average.
• The Webroot enterprise client base is primarily U.S.-based SMBs (fewer than 500 seats).
• Despite a relatively lightweight client, scheduled scans can have a noticeable performance impact on PCs.
• Webroot lacks several visionary capabilities, including on-demand protection, NAC, device controls and DLP capabilities.

Source: Gartner (December 2007)

3.3 Current Position - Detailed ITIL Process Maturity Model (1 of 2)

Maturity Stages

Service Desk
Stage 1 (Chaotic): No formal Service Desk or Service Desk roles are defined. Nobody has overall responsibility for receiving and owning Incidents. There is no supporting technology for logging calls.
Stage 2 (Reactive): A Service Desk role exists and there are people who conduct some activities for the Service Desk. The Service Desk is frequently by-passed. Service Desk processes are not well defined and documented, allowing calls to be handled differently. No Service Levels for the Service Desk are in place.
Stage 3 (Stable): The Service Desk is recognized as the point of contact for all users/customers. Communications are distributed via the Service Desk - such as informing users of planned service outages. Basic service levels are in place to control the Service Desk, and regular customer satisfaction surveys are conducted. A single asset and user repository is used.
Stage 4 (Proactive): The Service Desk has the correct balance of technical resource to ensure efficient and effective handling of issues. The Service Desk has sophisticated call handling technologies such as knowledge bases, CMDB, IVR, ACD, Self Help portal etc. The Service Desk operates to tightly controlled service levels.
Stage 5 (Value Driven): Processes are in place to continually assess the effectiveness of the Service Desk and deliver ongoing improvements to performance. The Service Desk is driven by the business needs and demand, providing comprehensive MI to allow IT to assist the business in decision making.

Incident Management
Stage 1 (Chaotic): Incidents are not identified, tracked and resolved in a structured and consistent manner. No process exists, and there is no supporting technology and logging system.
Stage 2 (Reactive): A basic Incident Management process exists and has been documented. The process can be, and is regularly, by-passed with issues being resolved in a 'hero-based' approach. A basic system is used to record most incidents, but this is not enforced for all incidents.
Stage 3 (Stable): A well structured and enforced Incident Management process is in place, with periodic reviews and updates made to the process to ensure effectiveness. All incidents are logged, classified and tracked in a common system. Incident Management is well integrated with Problem Management and Event Management providing MI for Trend Analysis and delivering proactive resolutions. Basic SLAs are in place to monitor Incident resolution.
Stage 4 (Proactive): Comprehensive SLAs and supporting OLAs exist and all Incidents are proactively tracked and escalated to ensure SLA agreements are met. Intelligent Incident resolution tools are in place such as comprehensive Knowledge Base, CBR, Self-help. Incident Management is appropriately structured to best meet the requirements of the business.
Stage 5 (Value Driven): Incident Management is closely integrated with all key ITIL processes (such as Problem, Change, Configuration, Event, Financial Management etc). Cost to resolve Incidents is monitored and assessed with proactive action to continually reduce both the cost to IT and cost to the Business to resolve incidents.

Request Fulfillment
Stage 1 (Chaotic): A Request Fulfillment process does not exist, and no alternative process is in place to manage requests. Requests are therefore dealt with in an ad-hoc/informal manner where there is no defined approach, or agreed service targets.
Stage 2 (Reactive): Request Fulfillment occurs either through a basic Request Fulfillment process, or via an alternative process such as Incident Management. Requests may be regarded as low impact Incidents and processed against the Incident service level targets.
Stage 3 (Stable): A formal Request Fulfillment process is defined, implemented, communicated and enforced. Requests are differentiated from Incidents and RFCs. Request Models are defined to ensure frequently required services are handled consistently and within agreed service levels. Efficient financial approvals are in place to approve requests in a quick, controlled manner. Users are clearly informed of the request services available and the means by which they can request them.
Stage 4 (Proactive): Request Fulfillment provides standardized services which result in minimized bureaucracy with high-quality service. Services are commoditized and well managed, ensuring complete control over licensing, media and IT infrastructure. Users are able to access information and services easily, and satisfaction results and metrics indicate wide-spread usage of the Request Fulfillment process. Technology is used to assist in providing Request Fulfillment services such as self help portals.
Stage 5 (Value Driven): Request Fulfillment allows the Business to gain quick and effective access to standard services, thereby greatly improving the Business efficiency and productivity.

3.3 Current Position - Detailed ITIL Process Maturity Model (2 of 2)

Maturity Stages

Change Management
Stage 1 (Chaotic): The Change Management process and roles do not exist. Changes are not reviewed and approved. Changes to the IT environment can occur without intervention.
Stage 2 (Reactive): A standard process exists and is documented for issuing RFCs. The process is not always adhered to and can be by-passed. A Change Manager is responsible for the process and convenes a regular CAB for assessing and approving changes.
Stage 3 (Stable): Change Management defines Standard, Normal and Emergency procedures for changes. Standard changes are clearly identified - such as in a Service Catalogue. Change Management is fully enforced and provides a consistent and trusted approval mechanism for change. Changes are assessed for IT and Business impact and are fully vetted for completeness of planning/testing/roll back etc. A forward schedule of change is produced and updated.
Stage 4 (Proactive): Changes are assessed and prioritized against Business needs and impact on related SLAs. Change Management is closely integrated with Configuration Management, assessing changes against interdependencies of CIs. Changes are assessed and grouped into change releases in order to minimize disruption to services. Changes are assessed post implementation by Change Management.
Stage 5 (Value Driven): The Change Process complies with relevant regulations and control structures (such as SOX, COBIT etc). Change Management is tightly integrated with other ITIL processes (e.g. Incident, Problem, Configuration, Capacity, Availability and Release Management). The change process is regularly monitored and improved upon as part of the Continual Service Improvement cycle, ensuring thorough vetting of changes whilst minimizing bureaucratic process administration.

Service Asset & Config Mgmt
Stage 1 (Chaotic): No process or repository for Asset and Configuration Items exists. Relationships between IT infrastructure and services are not clearly understood.
Stage 2 (Reactive): A formal Service Asset and Config process does not exist. Some Asset data is collected, and some service relationships are understood, but these are not consistently stored in a repository; they are spread around in databases and spreadsheets or held within individuals' minds. SACM is more akin to IT Asset Management purely for compliance requirements.
Stage 3 (Stable): Formal procedures and processes exist for identifying, categorizing and recording Asset and Configuration information in a CMS and Integrated CMDB. Standard naming conventions are used and CIs are uniquely tagged with an identifier. Technology is used to support SACM - such as automated CI discovery and status tracking. Relationships between CIs are well understood, recorded and updated by procedures to ensure 'house-keeping' of the SACM data.
Stage 4 (Proactive): There are links and interfaces between the CMS and other Service Management systems. SACM information is routinely used to assess and reduce impact from Changes, Incidents and Problems. Comprehensive procedures exist to track and efficiently manage software and hardware deployment and license usage. Suppliers are required to comply with the SACM processes and standards.
Stage 5 (Value Driven): SACM is used to effectively manage all software, hardware and contracts held within IT. This includes managing hardware warranty, monitoring software usage and harvesting unused licenses, and assisting projects to determine refresh requirements for deployed hardware etc.

Problem Management
Stage 1 (Chaotic): Core Problem Management activities do not exist such as problem determination, problem analysis, problem resolution. Resolution of problems is entirely reactive based.
Stage 2 (Reactive): Core Problem Management process exists and is documented. Problem Management occurs on an ad hoc basis with no dedicated Problem Management team. The bulk of Problem Resolution is recurring Incident-based as opposed to proactive Problem Management.
Stage 3 (Stable): A dedicated Problem Management team exists who are responsible for proactive problem determination and resolution. Problems are classified for category, urgency, priority and impact and assigned for investigation. Problem Management conducts both resolution of recurring Incidents and also proactive Problem Management. Problem Management is well integrated with the development cycle.
Stage 4 (Proactive): Problem Management effectiveness is tracked and monitored with clearly defined targets for problem resolution and incident avoidance. Problem Management is closely integrated with other ITIL processes such as Incident, Change, Config, Availability and Continuity Management. Problem Management proactively works with development and suppliers to understand known issues and resolutions.
Stage 5 (Value Driven): Problem Management is fully proactive, working with suppliers to understand development roadmaps. Problem Management is closely involved with Architecture and Design group to ensure designs address current risks and deficiencies in IT. Problem Management is closely integrated with the Business to understand and prioritize problem areas in-line with Business requirements.