Commonwealth of Massachusetts
Statewide Strategic IT Consolidation (ITC) Initiative
Helpdesk and Desktop and LAN Strategy
Deloitte Consulting LLP
September 3, 2009
DRAFT – FOR DISCUSSION PURPOSES ONLY
Agenda
1.
2.
3.
4.
5.
6.
7.
Executive Summary…………………………………………………………………………..……………… 2
1.1 Current IT Management Technologies………….………………………………….…………………. 3
1.2 ITIL Process Maturity Baseline ………………………………………………….……………………. 4
1.3 Staffing Model Standards ………………………….………………………………………………….. 5
Technology……………………………………………….…………………………….……………………… 6
2.1 Section Overview…………………………………………………………….………………………….. 7
2.2 Inventory of Current Secretariat Tools…………………….…………………………………….…….. 8
2.3 Industry Leading Tools and Standards………………………………..………..……………………. 10
2.4 Transition Framework……………………………………………………………………………………15
Processes……………………………………………………………………………..……………………….. 17
3.1 Section Overview……………………………………………………..……………………………….. 18
3.2 ITIL Process Flows………………………………..………………..…………………………………. 19
3.3 Initial ITIL Readiness Assessment Framework…………….………………………………………. 60
Staffing……………………………………………………….……..…………………………………………. 69
4.1 Section Overview…………………………………………………………………………………………70
4.2 Change Impact Assessment Framework……..…………...…………………………………………. 71
4.3 Staffing Models from Industry...…………..…………………………………..……………………….. 72
Service Agreement…………………………….……………..……………………………………………… 74
5.1 Service Agreement Overview ..………….………………………………………………….………… 75
5.2 Service Agreement Content ……..…………………………………………………………………… 79
5.3 Service Agreement Maturity Model ………………………………………………….………...…… 92
Integration with ITD Processes……………………………………………………………………………... 95
6.1 Process Integration points with Agencies, Secretariats, and ITD………………………..………. 96
Appendix……………………………………………………………………………………………………… 97
DRAFT FOR DISCUSSION PURPOSES ONLY
-1-
Components of ITIL: Service Desk
1.0 Executive Summary
DRAFT FOR DISCUSSION PURPOSES ONLY
-2-
1.1 Current IT Management Technologies
Below is a consolidated version of the Secretariat technologies that have been provided
as part of the Secretariat plans and the infrastructure inventory template.
Secretariat
EOHED
Helpdesk Tool
•
•
•
•
•
EOHHS
EOPSS
EOEEA
ANF
•
•
•
•
•
•
•
•
•
•
Custom Tool (HelpStar)
SharePoint
Ultimus
CA Service Desk
Legacy:
• Lotus Notes
• Remedy
• Liberum
• SugarCRM
ACD
Remedy AR Systems
Custom Helpdesk Application
Roundup
Microsoft Access Database
Open Source solution
CA Service Desk (E2E)
BMC Service Desk Express
Numara Track-It
MS Outlook
Desktop and LAN Tool
• N/A
• N/A
• N/A
• N/A
• CA Service Desk: E2E
• FrontRange HEAT
• GWI C.Support
• Systems Center
• Retrofit (Vendor)
EOE
•
•
•
•
• N/A
EOT
• N/A
EOLWD
Custom Solution (IT Requestor )
Remedy
Numara Track-It
Lotus/Domino
DRAFT FOR DISCUSSION PURPOSES ONLY
• N/A
-3-
1.2 ITIL Process Maturity Baseline
Below is the self-assessment from each Secretariat that was collected as part of the
infrastructure data collection.
Incident Mgmt.
Request Fulfill.
Change Mgmt.
Asset and
Config. Mgmt.
Problem Mgmt.
2
2
2
3
2
3
4
1
3
3
ANF (PERAC)
EOHHS
EOHED
EOLWD
EOEEA
EOPSS
EOT
EOE
Maturity Stage Definitions
1 - Chaotic
Processes are ad-hoc, chaotic, or actually few processes are defined
2 - Reactive
Basic processes are established and there is a level of discipline to stick to these processes
3 - Stable
All processes are defined, documented, standardized and integrated into each other
4 - Proactive
Processes are measured by collecting detailed data on the processes and their quality
5 - Value Driven
Continuous process improvement is adopted and in place by quantitative feedback and
from piloting new ideas and technologies
DRAFT FOR DISCUSSION PURPOSES ONLY
-4-
1.3 Staffing Model Standards
Below is a consolidated version of the industry leading staffing ratios for helpdesk,
desktop/LAN, and website that will be used to develop Secretariat staffing models.
Helpdesk Assumptions
Website Assumptions
Desktop/LAN Assumptions
(Static and Dynamic)
Computer Economics: Users per FTE
Computer Economics: Desktops per FTE
Computer Economics: % of IT Staff
Small Organization (rev < $350 Million)
Small Organization (< 750 desktops)
Small Organization (rev < $350 Million)
25th Percentile
154
25th Percentile
184
25th Percentile
0.0%
Median
220
Median
300
Median
2.5%
75th Percentile
338
75th Percentile
514
75th Percentile
5.4%
Medium Organization ($350 < rev. < $
Medium Organization (750-2500 desktops)
Medium Organization ($350 < rev. < $1billion)
25th Percentile
188
25th Percentile
203
25th Percentile
0.0%
Median
357
Median
300
Median
1.3%
75th Percentile
750
75th Percentile
503
75th Percentile
3.4%
Large Organizations (rev. > $1 billion)
Large Organizations (> 2500 desktops)
Large Organizations (rev. > $1 billion)
25th Percentile
236
25th Percentile
250
25th Percentile
0.0%
Median
521
Median
450
Median
2.1%
75th Percentile
800
75th Percentile
1625
75th Percentile
3.9%
Government Industry Average
375
Government Industry Average
237
Government Industry Average
4.3%
DRAFT FOR DISCUSSION PURPOSES ONLY
Source: Computer Economics
-5-
Components of ITIL: Service Desk
2.0 Technology
DRAFT FOR DISCUSSION PURPOSES ONLY
-6-
2.1 Section Overview
The Technology section will cover three major areas (outlined below) to help prepare each
Secretariat for consolidation
Inventory of Current Commonwealth Tools
• Overview of the template tools available to Secretariats to inventory their current helpdesk
and desktop and LAN management tools
Industry Leading Tools and Standards
• The section provides an overview of the tools and standards for the software categories
listed below. For each topic, the software analysis and considerations (vendor strengths
and cautions are located in the appendix).
• Helpdesk Tools and Standards - Service Desk and Interactive Voice Response
• Desktop and LAN Tools and Standards - PC Lifecycle Configuration Management, PC
Image Inventory, and Endpoint Protection Management
Transition Framework
• Overview of the prioritization tools available to Secretariats to identify potential helpdesk
and desktop and LAN management software tools
DRAFT FOR DISCUSSION PURPOSES ONLY
-7-
2.2 Inventory of Current Secretariat Tools
N
Y
**
2
1
3
5
3
6
4
7
9
11
John Doe, DPH
ABC Service Desk
Version 3.1
$200,000.00
$150,000.00
10/15/2009
N
N
Y
N
N
Y
Y
Asset Management Soft.
Other
2
4
10
Y
Interfaces
Asset Management Soft.
1
8
Maintenance
Expiration
Remote
Control
N
Maintenance
Cost
ITIL
Compatible
Y
Capital Cost
Software
Distribution
Y
Version
Port-Network
N
Application Nam e
(full name and vendor)
Patch
N
Ref. Ow ner Nam e and
#
Agency
Financial Assessment
Security
Y
Interfaces
General Information
Discovery
N
Other
PC Image
Y
VOIP
Compatible
10/15/2009
Remote
Control
$150,000.00
Interactive
Voice
Response
$200,000.00
Maintenance
Expiration
Problem
Version 3.1
Maintenance
Cost
Knowledge
ABC Service Desk; XYZ Corp.
Initial Capital
Cost
Functionality
Functionality
ITIL Compliant
DPH
Version
Change
**
Application Nam e
(full name and vendor)
Asset and
Configuration
Agency
Nam e
Incident
Ref.
#
Financial Assessment
Request
Management Capabilities
General Information
5
Helpdesk Software Inventory
12
6
7
8
Desktop and LAN Software Inventory
9
13
14
10
15
11
16
12
17
18
13
19
14
20
15
Overview
The software inventories capture general application information (name, version, etc),
financial information (capital and maintenance costs), and management capabilities and
functionality (ITIL processes and service functionality).
Purpose
The templates are intended for the Secretariats to capture their current state for software.
The information will be valuable for understanding the maturity of the agencies and the
selection of Secretariat-wide applications.
Additional
Information
The templates have been distributed to the SCIOs and are accessible on the wiki
(https://wiki.state.ma.us/confluence/display/itconsolidation/Secretariat+Consolidation).
DRAFT FOR DISCUSSION PURPOSES ONLY
-8-
2.2 Inventory of Current Technologies (Based on Responses as of 8/28)
Below is a consolidated version of the Secretariat technologies that have been provided as
part of the infrastructure template.
Management
Capabilities
EOHHS
3
EOPSS
4
EOEEA
5
ANF
6
EOLWD
7
EOE
8
EOT
Ultimus v9
Y
Y
VOIP Compatible
Y
Interactive Voice
Response
Y
ITIL Compliant
Y
Knowledge
Maintenance Maintenance
Cost
Expiration
Problem
2
Custom Tool (HelpStar),
SharePoint, and Ultimus
CA Service Desk, (Legacy: Lotus
Notes applications, Remedy,
Liberum, and SugarCRM)
ACD, Remedy AR Systems,
Custom helpdesk application
Roundup, Microsoft Access
Database, Open Source solution
CA Service Desk (E2E), BMC
Service Desk Express, Numara
Track-It, and MS Outlook
FrontRange HEAT and GWI
C.Support
Custom Solution (IT Requestor ),
Remedy, Numara Track-It, and
Lotus/Domino
Initial Capital
Cost
Asset and
Configuration
EOHED
Version
Change
1
Application Name
(full name and vendor)
Request
Ref.
Secretariat
#
Financial Assessment
Incident
General Information
Functionality
Remote Control
Overview
Other
Interfaces
N/A
DRAFT FOR DISCUSSION PURPOSES ONLY
-9-
2.3 Industry Leading Tools and Standards: Service Desk Software
Scope
The IT service desk portion of a suite tends to include
incident, problem and self-service modules. Many small
business also include the change module.
Industry Analysis
Key Considerations
•Ease of Deployment
•Degree of customization: Significant customization can stifle
enhancements, curb flexibility, and increase cost
•Workflow alignment: Reliance on best-practice workflows and
templates improves ROI
•Module Integration
•Within a single vendor, the extent to which service modules are
pre-configured and integrated
•Pricing
•Scalability: Service modules can be purchased individually to
expand functionality with the growth of the service desk (See
Note)
• Software as a Service (SaaS)
•Attractive for constrained capital budgets, limited staff to
administer the tool, and an evolving service desk strategy
DRAFT FOR DISCUSSION PURPOSES ONLY
Note: Business focused on only incident
management should consider: BMC Software's
Service Desk Express, FrontRange Solutions'
HEAT, Hornbill's Supportworks, ManageEngine's
ServiceDesk Plus, Numara Software's FootPrints,
Altiris' Helpdesk Solution, for excellent incident
management.
Source: Gartner (October 2008)
- 10 -
2.3 Industry Leading Tools and Standards: Interactive Voice Response (IVR)
Scope
Voice response platforms are systems that provide voice
access to information and applications, and they can
perform complex call routing based on information
provided by the caller.
Industry Analysis
Key Considerations
•Business Case
•IVR solutions enable customers to perform tasks via the
telephone that would otherwise require a call center agent, which
can deliver significant return on investment.
•Core Technology Considerations
•Speech recognition: Improved user interface
•Voice Extensible Markup Language (VoiceXML): Connectivity to a
range of applications
•VoIP Support
•Session Initiation Protocol (SIP)
•Call Control XML (CCXML)
DRAFT FOR DISCUSSION PURPOSES ONLY
Source: Gartner (January 2008)
- 11 -
2.3 Industry Leading Tools and Standards: PC Lifecycle Configuration Management
Industry Analysis
Scope
Core functions consist of software distribution, inventory,
patch management, and OS deployment.
Key Considerations
•Tool Purpose
•The primary purpose of the tool is to reduce the cost of
performing tasks, which would otherwise be conducted manually
•The tool also helps organizations improve the security state of
endpoints and provide a higher quality of service to end users
•Key Functionality
• Deploy PC OSs, settings, and applications
• Collect and manage hardware and software inventories
• Monitor the use of software applications
• Configure and deploy software, patches, and other system
updates to PCs
• Remotely control PCs for troubleshooting
•Compliance
• Compliance concerns have elevated the importance of functions
such as software usage for license compliance and security
configuration management.
Note: Some PC lifecycle configuration
management tools also include endpoint protection
functionality.
•Implementation Success Factors
• Process maturity
• Level of standardization across the PC systems
DRAFT FOR DISCUSSION PURPOSES ONLY
Source: Gartner (December 2008)
- 12 -
2.3 Industry Leading Tools and Standards: Note: PC Image Inventory
DPH
John Doe
400 MB
700
Microsoft
XP
Professional
Custom /
Package
Application
v1.4
XYZ Health
Technical
Application
v6.3
AutoCAD
Security
Antivirus
v5.0
Norton
Encryption
v3
GardianEdge
HR
ERP
v4
Oracle
Financials
Other
Version
**
Business
Microsoft
Office
Version
Operating
System
Version
Users
Version
Size in MB
Version
Ow ner
Version
OS
Agency
Version
General Information
Ref.
#
Other Standard Applications
Other Non-Standard Applications
v2.0
WinZip, v2.0; Application B, v8.3; etc.
Adobe Photoshop, v6.0; Application B, v2.8
1
2
3
4
5
6
7
8
9
10
PC Image Inventory
11
12
13
14
15
16
17
18
19
20
Overview
The PC image inventory template is designed to help the Secretariat identify commonalities
between PC images across all agencies.
Purpose
The template is intended to minimize the number of images that the Secretariat will have to
maintain.
Additional
Instructions
Common areas for consolidation:
• Maintain the same version of software packages across all PC images
• Identify significantly similar PC images across agencies and consolidate into a single
image
• Consolidate to one software package for generic software (such as compression software).
Additional
Information
The template have been distributed to the SCIOs and are accessible on the wiki
(https://wiki.state.ma.us/confluence/display/itconsolidation/Secretariat+Consolidation).
DRAFT FOR DISCUSSION PURPOSES ONLY
Source: Gartner (December 2008)
- 13 -
2.3 Industry Leading Tools and Standards: Endpoint Protection Management (EPP)
Scope
Basic EPP suites include antivirus, anti-spyware, HIPS
and a personal firewall. Advanced EPP suites will include
network access control (NAC) and data protection
technologies, such as DLP and full-disk encryption.
Industry Analysis
Key Considerations
•Overlap with PC Configuration Management Tools
•EPP suites to replicate some PC configuration life cycle
management tasks, such as security configuration management,
asset discovery, patching and software management.
•General Selection Considerations
•The management and reporting capability of EPP suites is a
substantial differentiator, especially in large enterprises.
•A modular architecture that enables selective configuration based
on security requirements and device location is also critical.
•Organizations should evaluate EPP firewalls and plan to phase
out stand-alone personal firewall solutions.
•Core Technology Considerations
•Host intrusion prevention system (HIPS) and personal firewalls
are increasingly critical to improve overall security. The
convergence of these functions into a common management
framework should increase the adoption of HIPS and desktop
personal firewalls.
•HIPS solutions must enable selection and configuration/tuning to
balance the security level, transparency to end users and
administration overhead.
DRAFT FOR DISCUSSION PURPOSES ONLY
Source: Gartner (December 2007)
- 14 -
2.4 Transition Framework
Prioritization Criteria: (Defined by Secretariat [examples below])
#1
#2
#3
#4
#5
Prioritization Weights: (Defined by Secretariat [examples below])
Cost: <$1,000, <$5,000, <$10,000
Functionality: <3 Processes, <5 Processes, <7 Processes
Ease of Implementation
Maintainability
Other
#1
#2
#3
#4
#5
Total
Prioritization Criteria: (Defined by Secretariat [examples below])
50%
15%
20%
10%
5%
100%
#1
#2
#3
#4
#5
Scoring Guidance: the higher the score, the better the fit with the criteria
●
●
●
●
Ref.
#
**
1
Application Name
●
●
●
●
Score
Weight
Score
Weight
Score
Weight
Score
Weight
Score
Weight
Prioritization
Calculation
2
50%
50%
3
15%
15%
0
20%
20%
1
10%
10%
2
5%
5%
1.65
0
Criteria #1
Owner Name and Org.
(Staff Name and Agency)
John Doe; EOHHS
Criteria #2
Criteria #3
Criteria #4
Criteria #5
2
50%
15%
20%
10%
5%
0
3
50%
15%
20%
10%
5%
4
5
6
7
8
9
10
#1
#2
#3
#4
#5
Total
50%
15%
20%
10%
5%
100%
Scoring Guidance: the higher the score, the better the fit with the criteria
0 = Does not meet criteria at all
1 = Could meet criteria w ith some key changes
2 = Partially meets criteria (at least 50%)
3 = Meets majority or all terms of criteria
(full name; and vendor)
Application A
Prioritization Weights: (Defined by Secretariat [examples below])
Cost: <$1,000, <$5,000, <$10,000
Functionality: <3 Processes, <5 Processes, <7 Processes
Ease of Implementation
Maintainability
Other
Other Comments
Comment C
Ref.
#
**
1
0 = Does not meet criteria at all
1 = Could meet criteria w ith some key changes
2 = Partially meets criteria (at least 50%)
3 = Meets majority or all terms of criteria
Application Name
(full name; and vendor)
Application A
Owner Name and Org.
(Staff Name and Agency)
John Doe; EOHHS
Score
Weight
Score
Weight
Score
Weight
Score
Weight
Score
Weight
Prioritization
Calculation
2
50%
50%
3
15%
15%
0
20%
20%
1
10%
10%
2
5%
5%
1.65
0
Criteria #1
Criteria #2
Criteria #3
Criteria #4
Criteria #5
2
50%
15%
20%
10%
5%
0
0
3
50%
15%
20%
10%
5%
0
50%
15%
20%
10%
5%
0
4
50%
15%
20%
10%
5%
0
50%
15%
20%
10%
5%
0
5
50%
15%
20%
10%
5%
0
50%
15%
20%
10%
5%
0
6
50%
15%
20%
10%
5%
0
50%
15%
20%
10%
5%
0
7
50%
15%
20%
10%
5%
0
50%
15%
20%
10%
5%
0
8
50%
15%
20%
10%
5%
0
50%
15%
20%
10%
5%
0
9
50%
15%
20%
10%
5%
0
50%
15%
20%
10%
5%
0
10
50%
15%
20%
10%
5%
0
Helpdesk Software
Prioritization Framework
Other Comments
Comment C
Desktop and LAN Software
Prioritization Framework
Overview
The prioritization template is designed to help the Secretariat determine which existing
helpdesk and desktop and LAN management software packages may be well suited for use
by the entire Secretariat.
Purpose
The templates are intended to provide direction for the Secretariats in selecting software
packages. They can be populated with the current agency tools as well as the industry
leading tools that are presented in the previous section.
Additional
Information
The templates have been distributed to the SCIOs and are accessible on the wiki
(https://wiki.state.ma.us/confluence/display/itconsolidation/Secretariat+Consolidation). The
business criteria and weighting will be determined by the Secretariats; sample criteria have
been provided as a reference.
DRAFT FOR DISCUSSION PURPOSES ONLY
- 15 -
2.4 Immediate Next Steps
The checklist below to can be used to select the appropriate helpdesk and desktop and LAN
management technology based on each Secretariats business and technical requirements
#
Activity
Owner
Due Date
Status
Helpdesk Team

Desktop and LAN
Team

Develop the prioritization helpdesk framework
Helpdesk Team

4
Develop the prioritization helpdesk framework
Desktop and LAN
Team

5
Incorporate industry leading tools and standards in the frameworks
Helpdesk/
Desktop and LAN
Team

6
Select the appropriate management software based on the results of the prioritization
Helpdesk/
Desktop and LAN
Team

1
Complete the helpdesk management software inventory
2
Complete the desktop and LAN management software inventory
3
DRAFT FOR DISCUSSION PURPOSES ONLY
- 16 -
Components of ITIL: Service Desk
3.0 Processes
DRAFT FOR DISCUSSION PURPOSES ONLY
- 17 -
3.1 Section Overview
The Processes section will cover three major areas to help prepare each Secretariat for
consolidation
ITIL Overview
• Basic ITIL overview
• Process descriptions for: Service Desk, Incident Mgmt., Request Fulfilment, Change Mgmt.,
Asset and Configuration Mgmt., Problem Mgmt.
• Descriptions include: the purpose and overview, key concepts, key roles, process flows, and
benefits.
Initial ITIL Readiness Assessment
•
Consolidated view of what processes are currently in place at each of the Secretariats.
Transition Framework
• A framework for developing the Secretariat’s helpdesk and desktop and LAN processes in
line with the ITIL processes. A maturity model is included to facilitate an initial gap analysis.
DRAFT FOR DISCUSSION PURPOSES ONLY
- 18 -
3.2 ITIL Process Flows: Overview
ITIL (the IT Infrastructure Library) is a set of books and documents that are used to aid the
implementation of IT Service Management. It provides a comprehensive framework of
processes and best practice advice for IT Service Management.
ITIL is…
What does that mean?
A set of industry “Best Practices”
(e.g., need for discipline around changes; need to link
capacity planning and budgeting)
Identify and reuse what has worked best in the past and
currently at other organizations
A framework, not a methodology
Provides a body of concepts and resources to draw from,
not specific required steps
Adoptable and adaptable
Select applicable parts of the framework and adapt them
to fit local needs
Not a standard
ISO/IEC 20000 is a standard aligned
with ITIL
Scalable to the organization’s
size and need
Can be adapted to fit an organization’s specific size and
situation
Platform independent
Flexible to all development and service efforts; not tied to
any particular tool
The following slides will discuss the key information regarding the primary ITIL processes
related to the helpdesk.
DRAFT FOR DISCUSSION PURPOSES ONLY
- 19 -
3.2 ITIL Process Flows: ITIL Process/Procedure Development Levels
At the end of the development process, all Secretariats should be at Level D. This document provides the
information required to achieve Level B development.
ITIL Level A
Process
Vision
• Common definition and language for discussing the process
• Clear responsibility for process ownership and implementation
• Alignment on what the process should do and how it should be measured
• Explicit linkage back to the business through business drivers providing a businessoriented value-proposition
Maturity
ITIL Level B
Policies and
Process
Steps
ITIL Level C
Sub-process
Steps
ITIL Level D
Procedures
• Understanding of inter-relationships between this process and others through the
identification of key inputs and outputs, enabling improved program management and
process design activities
• Understanding of key steps required to execute the process and ability to discuss not only
‘what’ the process is, but also ‘how’ it is executed.
• Clear identification of technologies supporting this process and plans for these technologies
• Refined detail explaining how each of the Level-B steps is executed (sub-process steps)
• Understanding of the key decisions involved in the process
• Clear mapping of process steps to roles providing a clear understanding of the
expectations of who will be involved in executing the process
• Develop all output templates, interface procedures, activities procedures, activity decision
criteria
• May eventually be used for operation manuals that outlines detailed, step-by-step
procedure for performing related tasks
DRAFT FOR DISCUSSION PURPOSES ONLY
- 20 -
3.2 Service Desk: Overview
The Service Desk (or Help Desk) is a Function, not a Process. Its role is crucial and central to the
whole concept of Service Management.
What is a “Service
Desk?”
What is the
PURPOSE of the
Service Desk?
What are the
OBJECTIVES of the
Service Desk?
DRAFT FOR DISCUSSION PURPOSES ONLY
The point of contact between the customer/user and the IT service, responsible for
service requests as well as incident control.
• Provides a single point of contact for customers
• Facilitates the restoration of normal operational service with minimal business impact
on the customer within agreed service levels and business priorities
• Manages each user contact/interaction with the IT Service provider throughout its
lifecycle
•
•
•
•
•
•
To promote customer satisfaction
To restore normal service as quickly as possible when there is a fault
To attain service level targets for user contact responsiveness and quality
To articulate and route requests to the service provider accurately and appropriately
To ensure accurate and timely communication of status
To act as a strategic function to identify and lower the cost of ownership for
supporting the computing and support infrastructure
• To reduce costs by the efficient use of resource and technology
- 21 -
3.2 Service Desk: Key Concepts
Concept
Contact
Customer
IT Infrastructure
ITSM Toolset
Definition
A telephone call, email, fax, entry in a user self-service system, or other means of
reporting faults or requesting services
Someone who buys goods or Services. The Customer of an IT Service Provider is the person
or group that defines and agrees the Service Level Targets. The term Customers is also
sometimes informally used to mean Users, for example ‘this is a Customer-focused
Organization’
All of the hardware, software, networks, facilities, etc. that are required to develop, Test,
deliver, Monitor, Control or support IT Services. The term IT Infrastructure includes all of the
Information Technology but not the associated people, Processes and documentation
The system for recording customer contacts, service assets and other
configurable items, Changes, Problems, etc. Also includes tools used by staff to
diagnose or resolve incidents, discover assets, and monitor systems
Record
The “ticket” or “case” created in the ITSM system that records the information regarding the
Incident or Service Request. (Note – the same term is used for any record in the ITSM tools,
including those for Assets, Changes, Problems, etc.)
Service Level
A measured and reported achievement against one or more Service Level Targets. The term
Service Level is sometimes used informally to mean Service Level Target
Service Provider
An Organization supplying Services to one or more Internal Customers or External Customers
DRAFT FOR DISCUSSION PURPOSES ONLY
- 22 -
3.2 Service Desk: Structure
DRAFT FOR DISCUSSION PURPOSES ONLY
- 23 -
3.2 Service Desk: Key Information
The details of the service desk structure can be developed by each Secretariat using the following
template. Based on the Key Information and Implications and Key Decisions, the structure of the service
desk will change to accommodate the needs of the Secretariat.
DRAFT FOR DISCUSSION PURPOSES ONLY
- 24 -
3.2 Service Desk: Roles
Roles
Definition
Service Desk
Manager
Manage overall desk activities, act as an escalation point for analysts, and take overall
responsibility for Incident and Service Request handling on the Service Desk
Service Desk
Supervisor
In larger organizations, in addition to a Manager there will be one or more Supervisors, often
serving as the leader on shifts in 7x24 operations. Supervisors also act as an escalation point
for analysts, and interface with the rest of IT Operations on day-to-day business. In small
organizations the senior Service Desk Analyst may take this role
Service Desk
Analysts
The primary Service Desk Analyst role is that of providing first-level support through taking
calls and handling the resulting incidents or requests for service
Super Users
Business users who act as liaison points with IT, to facilitate communication between IT and
the business at an operational level. These sometimes provide staff training in their area, or
support for minor incidents or simple requests
DRAFT FOR DISCUSSION PURPOSES ONLY
- 25 -
3.2 Service Desk: Benefits
The value of an effective Service Desk should not be underrated – a good Service Desk can often
compensate for deficiencies elsewhere in the IT organization; but a poor Service Desk (or the lack of a
Service Desk) can give a poor impression of an otherwise very effective IT organization!
Specific Benefits include:
• Improved customer understanding and satisfaction with IT Services
• With what the Services are, and how to obtain them
• With status on Incidents and Requests
• Lower costs to the business through faster resolution of incidents and fulfillment of requests
• Improved ability to attain service level targets through the management of the flow of work
• Reduced costs by the efficient use of resources and technology – simpler work can be done by Service Desk Analysts
rather than by the senior technical staff
DRAFT FOR DISCUSSION PURPOSES ONLY
- 26 -
3.2 Incident Management: Overview
What is an
“Incident?”
• An incident is an unplanned interruption of a Service, or a reduction in the agreed-to
quality of an IT Service.
What is the
PURPOSE of
Incident
Management?
• The Incident Management process strives to restore normal service operation as
quickly as possible and minimize the impact on business operations.
What are the
OBJECTIVES of
Incident
Management?
• Restore services as quickly as possible following a deviation from agreed upon
service levels
• Log, track, capture and process all incidents in the IT environment according to
existing SLA’s and defined interfaces with other processes and based on defined
fault-specifications
DRAFT FOR DISCUSSION PURPOSES ONLY
- 27 -
3.2 Incident Management: Key Concepts
Concept
Classification
Configuration Item
Escalation
Definition
Grouping similar types of incidents into categories.
Any Component that needs to be managed in order to deliver an IT Service. CIs typically
include IT Services, hardware, software, buildings, people, and formal documentation such as
Process documentation and SLAs
Incidents that cannot be resolved by available resources are escalated either to those with
greater skills (functional escalation) or to those at higher levels of management (hierarchical
escalation).
Incident Models
Predefined workflows for specific types of incidents.
Major Incidents
Incidents of such a high urgency and impact that they are treated with special procedures.
Prioritization
Recovery
Repair
Resolution
The impact and urgency of an incident. Impact is the effect the incident has on the business
and urgency indicates how quickly the incident will have that effect.
Returning a configuration item to its working state after resolution.
Replacing or fixing a configuration item.
Actions taken to repair the Cause of an Incident, or to implement a Workaround.
DRAFT FOR DISCUSSION PURPOSES ONLY
- 28 -
3.2 Incident Management: Process Diagram
DRAFT FOR DISCUSSION PURPOSES ONLY
- 29 -
3.2 Incident Management: Key Information
Multi-level
Categoriza
tion
Incident
Prioritization
Investigation and
Diagnosis
Resolution
and
Recovery
Sample Incident Record
Fields
Sample Development
Process and Categories
Sample Prioritization
Coding System
Sample Processes
Sample Resolution
Processes
Sample Closure Processes
- Unique reference number
- Incident categorization
- Incident urgency
- Incident impact
- Incident prioritization
- Date/time recorded
- Name/ID of the person and/or group
recoding the incident
- Method of notification (telephone,
automatic, e-mail, etc.)
- Name/department/phone/location of
user
- Call-back method (telephone, mail,
etc.)
- Incident status (active, waiting, etc.)
- Related Incidents
- Support group/person to which the
incident is allocated
- Related problem/Known Error
- Activities undertaken to resolve the
incident
- Resolution date and time
- Closure category
- Closure date and time
1. Develop top-level categories
(including an ‘other’) category. Set up
the relevant logging tools to use these
categories for a trial period.
2. After a trial period, perform an
analysis of the incidents logged during
the trial period and identify gaps.
3. Perform a breakdown analysis of
the incidents within each higher-level
category to develop the lower-level
categories.
4. Review and repeat periodically
Clear guidance should be provided for
all support staff to enable them to
determine the correct urgency and
impact levels, so the correct priority is
assigned. Such guidance should be
produced during service level
negotiations.
- Establishing exactly what has gone
wrong or being sought by the user
- Understanding the chronological
order of events
- Confirming the full impact of the
incident, including the number and
range of users affected
- Identifying any events that could
have triggered the incident (e.g. a
recent change, some user action?)
- Knowledge searches looking for
previous occurrences by searching
previous Incident/Problem Records
and/or Known Error Databases or
manufacturers’/suppliers’ Error Logs or
Knowledge Databases.
- Asking the user to undertake directed
activities on their own desk top or
remote equipment
- The Service Desk implementing the
resolution either centrally (say,
rebooting a server) or remotely using
software to take control of the user’s
desktop to
diagnose and implement a resolution
- Specialist support groups being
asked to implement specific recovery
actions (e.g. Network Support
reconfiguring a router)
- A third-party supplier or maintainer
being asked to resolve the fault.
- Closure categorization. Check and
confirm that the initial incident
categorization was correct and update
as necessary.
- User satisfaction survey. Carry out
a user satisfaction call-back or e-mail
survey for an agreed percentage of
incidents.
- Incident documentation. Chase any
outstanding details and ensure that the
Incident Record is fully documented.
- Ongoing or recurring problem?
Determine whether it is likely that the
incident could recur and decide
whether any preventive action is
necessary (if so, open a Problem
Record).
- Formal closure. Formally close the
Incident Record.
Software
Application
Administration
DRAFT FOR DISCUSSION PURPOSES ONLY
Time &
Attendance
Urgency
Incident
Record
High
Medium
Low
High
1
2
3
Priority Description
Code
1
Critical
2
High
3
Medium
4
Low
5
Planning
Impact
Medium
2
3
4
Low
3
4
5
Target
Res. Time
1 hour
8 hours
24 hours
48 hours
Planned
Incident
Closure
- 30 -
3.2 Incident Management: Roles
Roles
Incident Manager
First Tier
Definition
Responsible for the Incident Management process and incident management staff
The Service Desk:
• Provides initial handling of user contact.
• Responsible for identifying, logging, categorizing, prioritizing and providing initial diagnosis
of an incident.
• Will resolve the incident if it can, or will dispatch to the appropriate Support Group
Second Tier
Provides more technical expertise, and is usually given more time, for diagnosing and
resolving incidents
Third Tier
Possesses highly specialized technical skills for the most in-depth support of incident
resolution. These can be internal technical groups or 3rd party suppliers/maintainers
DRAFT FOR DISCUSSION PURPOSES ONLY
- 31 -
3.2 Incident Management: Tier Definitions
Roles
Definition
• Users have a single number to call or web interface to request support
• Call receipt
First Tier
(Helpdesk/Initial
problem determination)
• Ticket creation
• Initial triage
• Basic server and application page-outs
• Basic application administration (password resets)
• Application support
• Interface support (ticketing services, ebonding, database)
• Server & application monitoring
• Operating system monitoring
• Problem determination and implementing fixes including SQL data cleansing based on Business
Second Tier
(Detailed analysis of
reported problem and
trouble isolation)
Support Team request
• Configuration management
• Application administration including Database Administration
• Change coordination and implementation
• Hardware coordination through standard change control process
• Change coordination
• Deployment coordination with operations & external customers
• Application tuning so as to maintain DMOQs listed below
• Initiation of vendor Service Requests (SRs) as required for continued management of platform
Third Tier
• Application and infrastructure development organizations or vendors
DRAFT FOR DISCUSSION PURPOSES ONLY
- 32 -
3.2 Incident Management: Priority Framework
Impact
High
Medium
Low
(Broad impact to the
Commonwealth, with one or
more services, whole agencies,
or major locations not
functioning.)
(Impact to a portion of an agency
or office, with one or more
services either not functioning or
functioning at a degraded level,
so the agency’s mission is
impacted.)
(Impact is to an individual or
workgroup, or the service
impacted is not significant.)
Priority 1
(Example: Email is down)
Priority 2
(Example: Network outage for an
office)
Priority 3
(Example: Network outage for a
small workgroup)
Priority 2
(Example: Poor email performance
for multiple offices )
Priority 3
(Example: Poor email performance
for a single office)
Priority 4
(Example: Single user desktop
failure)
Priority 3
(Example: After hours network
outage)
Priority 4
(Example: After hours poor network
performance for a single office)
Priority 5
(Example: Service request)
High
(Immediate action is
required to restore
service or prevent the
failure of a service. No
workaround exists.)
Medium
Urgency
(The service has not yet
failed, though the
potential is there for it to
do so. Or a workaround
is in effect, but it only
provides degraded
service.)
Low
(A workaround exists, or
the service is not
essential and the
customer can wait for
remediation of the
incident.)
DRAFT FOR DISCUSSION PURPOSES ONLY
- 33 -
3.2 Incident Management: Commonwealth Priority Definitions
Priority
Target Resolution
Time*
1 – Enterprise
1 hour
Description
• This loss of technology impacts multiple products or services, thereby compromising
service delivery. There also may be an impact to external customers.
• This incident impacts a single product or service which is affecting or compromising
2 – Critical
8 hours
3 – High
24 hours
4 – Medium
48 hours
• Single User affected
5 - Low
Planned
• Service Request
service delivery.
• This incident impacts some users (NOT ALL) within an agency, building location, or
floor.
* ITILv3 Recommendation
DRAFT FOR DISCUSSION PURPOSES ONLY
- 34 -
3.2 Incident Management: Benefits
Incident Management is highly visible to the business when it is needed. How well it is performed has a
major impact on Customer Satisfaction with their IT support
Benefits from the process included:
• The ability to detect and resolve Incidents quickly, which results in lower downtime to the business
• The ability to align IT activity to real-time business priorities
• The ability to identify potential improvements to services
• The Service Desk can, during its handling of Incidents, identify additional service or training requirements
DRAFT FOR DISCUSSION PURPOSES ONLY
- 35 -
3.2 Request Fulfillment: Overview
What is a
“Request?”
What is the
PURPOSE of
Request
Fulfillment?
What are the
OBJECTIVES of
Request
Fulfillment?
DRAFT FOR DISCUSSION PURPOSES ONLY
• A Request is any type of demand that is placed upon the IT Department by the users.
Many of these are actually small changes: low risk, frequently occurring, or low cost,
whose fulfillment can be standardized.
• E.G., a request to change a password
• The Request Fulfillment process seeks to manage the Lifecycle of all Service
Requests to provide the prompt, complete, and cost effective provision of the
Request.
• To provide a channel for users to request and receive standard services for which a
pre-defined approval and qualification process exists
• To provide information to users and customers about the availability of services and
the procedure for obtaining them
• To source and deliver the components of requested standard services
• To assist with general information, complaints or comments
- 36 -
3.2 Request Fulfillment: Key Concepts
Concept
Fulfillment
Service
Service Catalog
Service Level
Supplier
Support Group
Definition
Performing activities to meet a need or requirement, such as providing a new IT
Service, or meeting a Service Request
A means of delivering value to customers by providing outcomes to customers while insulating
them from the ownership of specific Costs and Risks
A database or structured Document, published to Customers, with information
about all IT Services available for request. The Service catalog includes
information about deliverables, prices, contact points, ordering and request
Processes
A measured and reported achievement against one or more Service Level Targets. The term
Service Level is sometimes used informally to mean Service Level Target
A Third Party responsible for supplying goods or Services that are required to deliver IT
services
A group of people with technical skills. Support Groups provide the technical support needed
by all of the ITSM processes. Examples include Desktop Support, Security, support for a
specific application, etc.
DRAFT FOR DISCUSSION PURPOSES ONLY
- 37 -
3.2 Request Fulfillment: Process Diagram
DRAFT FOR DISCUSSION PURPOSES ONLY
- 38 -
3.2 Request Fulfillment: Key Information
Request
Record
Sample Request Record
Fields
- What service is being requested
- Who requested and authorized the
service
- Which process will be used to fulfill
the request
- To whom it was assigned to and
what action was taken
- The date and time when the request
was logged as well as the date and
time of all actions taken
- Closure details.
DRAFT FOR DISCUSSION PURPOSES ONLY
- 39 -
3.2 Request Fulfillment: Roles
Roles
Definition
Support Group
Manager
The planning and oversight of their group’s fulfillment activities, starting with how the work is to
be done, and then tracking through to completion, ensuring that service levels are met.
Request Approver
Request Fulfillment
Analysts
Third Tier
Request Approvers are people with the authority to approve or reject a request for a given
Service.
Tier 1, 2, or 3 staff that perform the tasks required to provide the service. The functional areas
of the analysts could include finance and procurement, for those requests requiring purchases.
Possesses highly specialized technical skills for the most in-depth support of incident
resolution. These can be internal technical groups or 3rd party suppliers/maintainers.
DRAFT FOR DISCUSSION PURPOSES ONLY
- 40 -
3.2 Request Fulfillment: Benefits
The primary benefit of Request Fulfillment is to provide quick and effective access to standard services
which business staff can use to improve their productivity or the quality of business services and products.
Specific benefits include:
• Reducing the bureaucracy involved in requesting and receiving access to existing or new services, thus also
reducing the cost of providing these services.
• Through centralizing fulfillment, Request Fulfillment also increases the level of control over these services. This
facilitates aggregating demand for suppliers and can result in reduced costs through centralized negotiation.
• Repeatable workflows for fulfilling requests can result in faster performance, fewer errors, and a lower cost to
provision.
DRAFT FOR DISCUSSION PURPOSES ONLY
- 41 -
3.2 Change Management: Overview
What is a
“Change?”
• ITIL defines a Change as the addition, modification or removal of anything that could
have an effect on IT services, usually stated as a change to a configurable item or CI.
What is the
PURPOSE of
Change
Management?
• Respond to changing customer and IT requirements, providing a structured avenue
for implementing Change while minimizing risk, reducing incidents, and avoiding
disruption and re-work
What are the
OBJECTIVES of
Change
Management?
• Record changes and then evaluate, authorize, test, implement, document, and
review results in a controlled manner
• Manage and minimize the risk of disruption to the business from the implementation
of Changes
DRAFT FOR DISCUSSION PURPOSES ONLY
- 42 -
3.2 Change Management: Key Concepts
Concept
Definition
Change Assessment
An evaluation of the change request from various points of view
Change Authorization
Approval of a change request. The approval levels for the change may be different
based on the type of change being considered.
Change Priority
The order in which change requests are evaluated and considered for authorization.
Change Process Model
Change Record
Forward Schedule of
Changes
Remediation
Request for Change (RFC)
Predefined workflows for various categories or types of changes.
A record of a change throughout its lifecycle.
A schedule that contains details of all the changes approved for implementation and their
proposed dates
The plan to be followed if a change is not successful.
A record of a proposed change.
Risk Categorization
An evaluation of the overall risk of a proposed change to IT or business services.
Standard Changes
A pre-authorized change that has a well understood implementation plan and is typically
very low risk.
DRAFT FOR DISCUSSION PURPOSES ONLY
- 43 -
3.2 Change Management: Process Diagram
DRAFT FOR DISCUSSION PURPOSES ONLY
- 44 -
3.2 Change Management: Key Information
Review
and Close
Sample Closure Processes
- The change has had the desired
effect and met its objectives
- Users, customers and other
stakeholders are content with the
results, or have identified any
shortcomings
- There are no unexpected or
undesirable side-effects to
functionality, service levels,
warranties
- The resources used to implement the
change were as planned
- The release and deployment plan
worked correctly
- The change was implemented on
time and to cost
- If needed, the remediation plan
functioned correctly
RFC
Standard
Change
Asses &
Evaluate
Sample Request for Change (RFC) Fields
Sample Standard Change
Considerations
Sample Considerations
- Unique reference number
- Trigger (e.g. business need,
purchase order, etc.)
- Description
- Identity of items to be changed
- Reason for change (business case)
- Effect of not implementing the
change (business, technical, financial)
- Configuration items and baseline
versions to be changes
- Primary contact information of person
proposing change
- Date and time of proposed change
- Change category (minor, major, etc.)
- Predicted timeframe, resources,
costs and quality of service
- Change priority
- Risk assessment and risk
management plan
- Back-out or remediation plan
- Impact assessment and evaluation –
resources, capacity, cost, benefits
- Governance impact (continuity
management)
- Change decision body
- Decision and recommendations
accompanying the decision
- Authorization signature
- Authorization date and time
- Target baseline or release to
incorporate change into
- Scheduled implementation time
- Location/reference to release/
implementation plan
- Details of change implementer
- Change implementation details
- Actual implementation date and time
- Review dates
- Review results
- Closure
DRAFT FOR DISCUSSION PURPOSES ONLY
A standard change is a change to a
service or infrastructure that is preauthorized by Change Management
with an established procedure.
Elements of a standard change:
- There is a defined trigger to initiate
the RFC
- The tasks are well known,
documented and proven
- Authority is effectively given in
advance
- Budgetary approval will typically be
preordained or within the control of the
change requester
- The risk is usually low and always
well understood.
Seven Rs of change management:
- Who raised the change?
- What is the reason for the change?
- What is the return required from the
change?
- What are the risks involved in the
change?
- What resources are required to
deliver the change?
- Who is responsible for the build, test
and implementation of the change?
- What is the relationship between this
change and other changes?
Additional Considerations:
- Impact on business operation
- Effect on infrastructure services that
share the infrastructure
- Impact on customer service
- Effect of no change
- Impact on resources
- Impact on future plans
- Impact on current schedule
Change
Authorization
Sample Change Authorization Model
Escalation
Path
Change
Authority
Potential
Impact
Level 1
Business
Executive
Board
High cost/risk
change
Level 2
IT Management
Board
Multiple
services or orgs
impacted
Level 3
Change
Advisory Board
Single service
or org impacted
Level 4
Local
Authorization
Standard
change
Change Advisory Board
Membership
Membership Considerations
- Composition based on the changes
being considered
- Should include business and
technical representation
- Should involve suppliers when that
would be useful
- Should reflect both users’ and
customers’ views
- Is likely to include the problem
manager and service level manager
and customer relations staff.
- 45 -
3.2 Change Management: Roles
Roles
Definition
Change Requestors
Those submitting a request for an addition, modification, or removal of a item under
configuration and change control.
Change Authority
Authorizes changes to be implemented based on impact assessments from various
stakeholders. This is a function, and can be located in the CAB or in an individual.
Change Manager
Oversees the Change Management process. Receives, logs and allocates a priority, in
collaboration with the initiator, to all RFCs; rejects any RFCs that are totally impractical.
Chairs the CAB, and monitors the implementation of Changes.
Change Advisory
Board (CAB)
A body that exists to support the authorization of changes and to assist Change Management
in the assessment and prioritization of changes. As and when a CAB is convened, members
should be chosen who are capable of ensuring that all changes within the scope of the CAB
are adequately assessed from both a business and a technical viewpoint.
DRAFT FOR DISCUSSION PURPOSES ONLY
- 46 -
3.2 Change Management: Benefits
Reliability and business continuity are essential for the success and survival of any organization.
Service and infrastructure changes can have a negative impact on the business through service
disruption.
Change Management controls the risk and reality of disruption, through requiring all changes to be
thoroughly analyzed, planned, tested, authorized, communicated, and implemented with appropriate
back-out steps planned.
Key benefits are:
• Implementing changes that meet the customers’ agreed service requirements while optimizing costs
• Reducing failed changes and therefore service disruption, defects and re-work
• Delivering change promptly to meet business timescales
• Aiding productivity of staff through minimizing disruptions due to high levels of unplanned or ‘emergency’
change and hence maximizing service availability
DRAFT FOR DISCUSSION PURPOSES ONLY
- 47 -
3.2 Service Asset and Configuration Management: Overview
What is an
“Asset?”
• The hardware and software that IT uses to provide service to end users, in support of
business functions and applications
What is a
“Configuration?”
• The set of “items” (CIs) and their relationships that comprises IT services and is the
object of most IT tasks
What is the
PURPOSE of Asset
and Configuration
Management?
• Identify, control, record, report, audit and verify service assets and configuration
items, including versions, baselines, constituent components, their attributes, and
relationships
• Ensure the integrity of the assets and configurations required to control the services
and IT infrastructure by establishing and maintaining an accurate and complete
Configuration Management System
What are the
OBJECTIVES of
Asset and
Configuration
Management?
DRAFT FOR DISCUSSION PURPOSES ONLY
• Support efficient and effective Service Management processes by providing accurate
configuration information to enable people to make decisions at the right time, with
accurate information: to plan and authorize change and releases, resolve incidents
and problems faster, etc.
• Provide management with the information required to optimize IT resources
- 48 -
3.2 Service Asset and Configuration Management: Key Concepts
Concept
Definition
Configuration
Management
Database (CMDB)
A database used to store Configuration Records throughout their Lifecycle. The Configuration
Management System maintains one or more CMDBs, and each CMDB stores Attributes of
CIs, and Relationships with other CIs.
Configuration
Management System
(CMS)
A set of tools and databases that are used to manage an IT Service Provider’s Configuration
data. The CMS also includes information about Incidents, Problems, Known Errors, Changes
and Releases; and may contain data about employees, Suppliers, locations, Business Units,
Customers and Users. The CMS includes tools for collecting, storing, managing, updating, and
presenting data about all Configuration Items and their Relationships.
Configuration Item
Any Component that needs to be managed in order to deliver an IT Service. CIs typically
include IT Services, hardware, software, buildings, people, and formal documentation such as
Process documentation and SLAs.
Definitive Media
Library
One or more locations in which the definitive and approved versions of all software
Configuration Items are securely stored. The DML may also contain associated CIs such as
licenses and documentation. The DML is a single logical storage area even if there are
multiple locations. All software in the DML is under the control of Change and Release
Management and is recorded in the Configuration Management System.
Relationship
A link between two Configuration Items that identifies a dependency or connection between
them. For example Applications may be linked to the Servers they run on, IT Services have
many links to all the CIs that contribute to them.
DRAFT FOR DISCUSSION PURPOSES ONLY
- 49 -
3.2 Service Asset and Configuration Management: Process Diagram
DRAFT FOR DISCUSSION PURPOSES ONLY
- 50 -
3.2 Service Asset and Configuration Management: Key Information
Configuration
Identification
Asset
Record
Sample Configuration
Identification Procedures
Asset Record
Considerations
- Define and document criteria for
selecting configuration items and the
components that compose them
- Select the configuration items and
the components that compose them
based on documented criteria
- Assign unique identifiers to
configuration items
- Specify the relevant attributes of
each configuration item
- Specify when each configuration item
is placed under Configuration
Management
- Identify the owner responsible for
each configuration item.
The items placed under Configuration
Management will typically include
service bundles, service packages,
service components, release
packages and products that are
delivered to the customer, designated
internal work products, acquired
services, products, tools, systems and
other items that are used in creating
and describing the configurations
required to design, transition and
operate the service.
A baseline configuration should be
developed. An example of a baseline
is an approved description of a service
that includes internally consistent
versions of requirements, requirement
traceability matrices, design, specific
service components and user
documentation.
Choosing the right Configuration Item
(CI) level is a matter of achieving a
balance between information
availability, the right level of control,
and the resources and effort needed to
support it. CI information is valuable
only if it facilitates the management of
change, the control of incidents and
problems, or the control of assets that
can be independently moved, copied
or changed.
DRAFT FOR DISCUSSION PURPOSES ONLY
Sample Asset Record
Attributes
- Unique identifier
- CI type
- Name/description
- Version (e.g. file, build, baseline,
release)
- Location
- Supply date
- License details, e.g. expiry date
- Owner/custodian
- Status
- Supplier/source
- Related document masters
- Related software masters
- Historical data, e.g. audit trail
- Relationship type
- Applicable SLA.
Configuration
Control
Note:
Asset
Disposal
Configuration Control
Considerations
Asset Disposal
Considerations
- License control, to ensure that the
correct number of people are using
licenses and that there is no
unlicensed use and no wastage
- Change Management
- Version control of service asset,
software and hardware versions,
images/builds and releases
- Access control, e.g. to facilities,
storage areas and CMS
- Build control, including the use of
build specification from the CMS to
perform a build
- Promotion, migration of electronic
data and information
- Taking a configuration baseline of
assets or CIs before performing a
release (into system, acceptance test
and production) in a manner that can
be used for subsequent checking
against actual deployment
- Deployment control including
distribution
- Installation
Security Disposal
- PII and HIPAA
- Sensitive information
- Legislative mandates
- Legal requirements
Environmental Disposal
- Precious metal recovery
- Hazardous substance disposal
- Legal requirements
- External repurposing
- 51 -
3.2 Service Asset and Configuration Management: Roles
Roles
Definition
Asset manager
Responsible for the management of the activities that record asset information throughout its
lifecycle. Also plans and conducts audits of accuracy and completeness of asset records,
and plans corrective actions with the responsible parties, to ensure the integrity of the data
Configuration
manager
Responsible for the standards and procedures for identifying configuration items and their
relationships, as well as for the Configuration Management System. (Similar to Asset
Manager, but broader in scope)
Asset /
Configuration Analyst
Responsible for reviewing asset and/or configuration data, conducting audits, preparing
reports, and implementing large data transfers or corrections
Configuration
administrator/librarian
The custodian and guardian of all master copies of software, assets and documentation CIs
registered with Asset and Configuration Management
CMS/tools
administrator
Ensures the integrity and operational performance of the Configuration Management systems
DRAFT FOR DISCUSSION PURPOSES ONLY
- 52 -
3.2 Service Asset and Configuration Management: Benefits
Having complete and accurate information about IT assets and services enables effective
management of those resources
Benefits include:
• Faster and less costly resolution of Incidents and Problems, through having configuration information
available to support analysis and planning
• Less costly forecasting and planning of Changes and Releases
• Full enterprise-wide lifecycle management of IT assets, from specification of need, through procurement and
installation, through disposal
• Support for Supplier management, with regard to leases and warrantees, as well as software licenses
• Appropriate protection of organizational information upon asset disposal
• Better adherence to standards, legal and regulatory obligations (less non-conformances)
DRAFT FOR DISCUSSION PURPOSES ONLY
- 53 -
3.2 Problem Management: Overview
What is a
“Problem?”
• The unknown cause of one or more incidents
What is the
PURPOSE of
Problem
Management?
•
•
•
•
Reduce the number and impact of Incidents
Identify the Root Cause of Incidents or faults in the IT environment
Prevent incidents from re-occurring
Record information that will improve the way in which IT deals with problems
What are the
OBJECTIVES of
Problem
Management?
•
•
•
•
Find the root causes of errors
Develop solutions to resolve known errors
Plan and request changes to implement the solutions
Prevent future incidents and problems
DRAFT FOR DISCUSSION PURPOSES ONLY
- 54 -
3.2 Problem Management: Key Concepts
Concept
Known Error
Definition
A problem for which the root cause has been determined and a workaround or resolution has
been determined.
Known Error
Database (KEDB)
A tool that maintains information about known errors and their workarounds.
Proactive Problem
Management
Maintaining information about events, incidents, problems and the state of the production
environment to determine potential problems before they are reported and resolve them.
Problem Model
Reactive Problem
Management
A predefined workflow for handling a specific category of problem.
Activities required to diagnose the root cause of problems that have already been discovered
by incident management.
DRAFT FOR DISCUSSION PURPOSES ONLY
- 55 -
3.2 Problem Management: Process Diagram
DRAFT FOR DISCUSSION PURPOSES ONLY
- 56 -
3.2 Problem Management: Key Information
Problem
Resolution
Sample Problem
Resolution
- Develop fault elimination action plan
- Track progress of problem resolution
against plan
- Document progress against plan
- Close problem once plan is complete
Investigation and
Diagnosis
Problem
Detection
Problem
Record
Problem
Prioritization
Sample Detection
Procedures
Sample Problem Record
Fields
Sample Prioritization
Coding System
Sample Approaches
Priority and severity should be
included in the Problem Prioritization
process. Problems are prioritized
using the same methodology as
incidents. Severity can be determined
using the following criteria:
- Can the system be recovered, or
does it need to be replaced?
- How much will it cost?
- How many people, with what skills,
will be needed to fix the problem?
- How long will it take to fix the
problem?
- How extensive is the problem?
- Chronological Analysis: Briefly document all events in chronological order – to provide a timeline of
events to help identify which events may have been triggered by others or to discount any claims that
are not supported by the sequence of events.
- Kepner and Tregoe: Charles Kepner and Benjamin Tregoe developed a useful way of problem
analysis which can be used formally to investigate deeply rooted problems. They defined the following
stages:
● defining the problem
● describing the problem in terms of identity, location, time and size
● establishing possible causes
● testing the most probable cause
● verifying the true cause.
- Ishikawa Diagrams: A method of documenting causes and effects. The main goal is represented by
the trunk of the diagram, and primary factors are represented as branches. Secondary factors are then
added as stems, and so on. Creating the diagram stimulates discussion and often leads to increased
understanding of a complex problem.
- Pareto Analysis: This is a technique for separating important potential causes from more trivial
issues. The following steps should be taken:
1 Form a table listing the causes and their frequency as a percentage.
2 Arrange the rows in the decreasing order of importance of the causes
3 Add a cumulative percentage column to the table.
4 Create a bar chart with the causes, in order of their percentage of total. Superimpose a line
chart of the cumulative percentages.
6 Draw line at 80% on the y-axis parallel to the x-axis. All data elements below where the line
intersects with the curve are important causes
Cross-reference the related incident
logs to capture details such as:
- User details
- Service details
- Equipment details
- Date/time initially logged
- Priority and categorization details
- Incident description
- Details of all diagnostic or attempted
recovery actions taken.
Urgency
- Suspicion or detection of an unknown
cause of one or more incidents by the
Service Desk
- Analysis of an incident by a technical
support group which reveals that an
underlying problem exists, or is likely
to exist.
- A notification from a supplier or
contractor that a problem exists.
- Analysis the trend of incidents as
part of proactive Problem
Management.
DRAFT FOR DISCUSSION PURPOSES ONLY
High
Medium
Low
High
1
2
3
Impact
Medium
2
3
4
Low
3
4
5
- 57 -
3.2 Problem Management: Roles
Roles
Definition
Problem Manager
The single point of coordination and owner for the Problem Management process. Creates or
reviews Problem records, assigns problem investigation and resolution tasks, closes Problem
records, and manages the Known Error database.
Problem Analyst
A technical staff member assigned to investigate or resolve a problem, developing solutions or
work-arounds for the Problem, and updating the Known Error database.
Problem-Solving
Group
A team that takes responsibility for performing the analysis of the Problems in a technical area,
such as Wintel server or desktop.
DRAFT FOR DISCUSSION PURPOSES ONLY
- 58 -
3.2 Problem Management: Benefits
Problem Management is directed toward the stabilization and improvement of service availability and
quality
Benefits include:
• Reduction in the number of Incidents due to more effective and efficient incident handling
• Increase in user productivity and service quality
• Improved reputation of IT Organization due to decrease in the repetition of incidents.
• Increase in productivity of Support staff
• Ability to proactively identify beneficial system enhancements, amendments and business opportunities
• Improved resolution rates at the Service Desk
DRAFT FOR DISCUSSION PURPOSES ONLY
- 59 -
3.3 ITIL Readiness Assessment Framework - High Level Approach
IT Governance & Strategy
The development of ITIL V3 Service Strategy components. The
construction of necessary governance structures to support ITIL
processes
Check and Drive
Improvement
Vision
IT Process
Define process objectives gap analysis and target objective for
each ITIL process. Blueprint the ITIL processes and develop
the roadmap and metrics
Implement
Current
Position
Technology
Determine the functional requirements for the Service Tool.
Select appropriate Tool, determine the Service Architecture and
implement
Design
Desired
People, Change, & Learning
Position
The development of roles and metrics to support new processes and
activities to discover the needs for change and training
DRAFT FOR DISCUSSION PURPOSES ONLY
- 60 -
3.3 High Level Approach – IT Governance
Project
Initiation
Visioning
Current
Position
Desired
Position
Design
Implement
Current Role
of Secretariat
Service Desk
Future Role
of Secretariat
Service Desk
Governance
Development
Service Governance
Development
Check &
Improve
IT Governance
IT Framework
Alignment
IT Service
Strategy Plan
Process - Role
Alignment
IT Process
Technology
People, Change & Learning
DRAFT FOR DISCUSSION PURPOSES ONLY
- 61 -
3.3 High Level Approach – IT Process
Project
Initiation
Visioning
Current
Position
Desired
Position
IT Service
Assessments
Gap Analysis
and Roadmap
Design
Implement
Check &
Improve
IT Governance
IT Process
Define Process
Objectives
Cycle
through all
ITIL Processes
Process
Blueprinting
Process
Implementation
Post
Implementation
Assessment
Process Integration
Tool
Requirements
Development of
Process Metrics
Technology
People, Change & Learning
DRAFT FOR DISCUSSION PURPOSES ONLY
- 62 -
3.3 High Level Approach - Technology
Project
Initiation
Visioning
Current
Position
Desired
Position
Design
Implement
Check &
Improve
IT Governance
IT Process
Technology
Develop Functional
Specification
Develop Service
Architecture
Develop RFP
Tool Installation
and Configuration
Tool Selection
People, Change & Learning
DRAFT FOR DISCUSSION PURPOSES ONLY
- 63 -
3.3 High Level Approach - People, Change and Learning
Project
Initiation
Visioning
Current
Position
Desired
Position
Design
Implement
Check &
Improve
IT Governance
IT Process
Technology
People, Change & Learning
Leadership
Alignment
Capability
Assessment
Organization
Role Impact
Organizational
Design
Implement
Organizational
Structure
Develop
Performance
Metrics
Implement
Performance
Metrics
Change Impact
Assessment
DRAFT FOR DISCUSSION PURPOSES ONLY
- 64 -
3.3 Current Position - High-Level ITIL Process Maturity Model
Process Standardization
Business Alignment
Strategic
Integration
Stage 5
Stage 4
Stage 3
Stage 2
Reactive
Stage 1
Chaotic
• Ad hoc
• Undocumented
• Unpredictable
• Multiple Help Desks
• Minimal IT Operations
• User Call Notification
• Fire Fights
• Inventory
• Desktop Software
Distribution
• Initiate Problem
Management Processes
• Alert and Event
Management
•Measure Component
Availability
Stable
• Analyze Trends
• Set Thresholds
• Eliminate Problems
• Measure Application
Availability
• Automate
• Mature Problem
Configuration, Change,
Asset, and Performance
Management Processes
Proactive
• IT as a Service Provider
• Define Services,
Classes, Pricing
• Understand Costs
• Guarantee SLAs
• Measure and Report
Service Availability
• Integrate Processes
• Capacity management
Value Driven
• IT as a Strategic
Business Partner
• IT and Business Metric
Linkage
• IT/Business
Collaboration and
Improves Business
Process
• Real-Time Infrastructure
• Business Planning
Manage IT as a Business
Service and Account
Management
Service Delivery Process
Engineering
Operational Process
Engineering
Tool Leverage
DRAFT FOR DISCUSSION PURPOSES ONLY
- 65 -
3.3 ITIL Readiness Assessment Framework
Below is the self-assessment from each Secretariat that was collected as part of the
infrastructure data collection.
Incident Mgmt.
Request Fulfill.
Change Mgmt.
Asset and
Config. Mgmt.
Problem Mgmt.
2
2
2
3
2
3
4
1
3
3
ANF (PERAC)
EOHHS
EOHED
EOLWD
EOEEA
EOPSS
EOT
EOE
Maturity Stage Definitions
1 - Chaotic
Processes are ad-hoc, chaotic, or actually few processes are defined
2 - Reactive
Basic processes are established and there is a level of discipline to stick to these processes
3 - Stable
All processes are defined, documented, standardized and integrated into each other
4 - Proactive
Processes are measured by collecting detailed data on the processes and their quality
5 - Value Driven
Continuous process improvement is adopted and in place by quantitative feedback and
from piloting new ideas and technologies
DRAFT FOR DISCUSSION PURPOSES ONLY
- 66 -
3.3 ITIL Implementation Common Risks and Potential Mitigations
Common Risks
•
Overall
Lack of business commitment and
funding/resources for process excellence
Agency staff fail to buy-in to the need for global
processes and standards
•
Existing best practices not considered during ITIL
implementation
Inconsistent assessment across agencies and
fragmented adoption of new process
•
•
•
Discrepancies in software tools used across
businesses, regions, “stacks”
Service management processes are not sufficiently
automated
Perception that tools solves a problem
•
•
•
•
Operational apathy against ITIL
Lack of sponsorship from management
Inability to organizationally realign staff
Inability of strategic partners to adapt
•
•
Unstructured implementation approach due to poor
project management and lack of critical IT staff
Excessive process documentation
•
•
Process
Engineering
•
•
Technology
Integration
Communications and
People
Project
Execution
Mitigation Approach
•
•
DRAFT FOR DISCUSSION PURPOSES ONLY
•
•
•
•
•
•
•
Focus on processes that will provide
measurable/quantifiable benefits
Implement a strong governance model backed up
by a cultural change program
Integrate proven practices and tailor to the
structure of the organization
Core and regional joint teams; local assessments
with standard approaches
Include technology analysis in the assessment
phase
Use integrated software tools where possible
Make sure technology follows process
Implement communications plan alongside
technology/process deployment
Appoint process owners within a larger governance
framework
Professional project setup (sponsorship, project
manager, team, etc.)
Pragmatic knowledge management/
documentation approaches
- 67 -
3.3 Immediate Next Steps
The checklist below to can be used to begin the alignment of the helpdesk with the ITIL
framework.
#
Activity
Owner
Due Date
Status
1
Finalize the service desk structure using the template provided
Helpdesk Team

2
Complete current state assessment of all ITIL processes
Helpdesk Team

3
Map ITIL-based best practice processes against current status (gap analysis)
Helpdesk Team

4
Define business priorities for the service desk
Secretariat
Business
Stakeholders

5
Derive and define key process improvement initiatives
Helpdesk Team

DRAFT FOR DISCUSSION PURPOSES ONLY
- 68 -
Components of ITIL: Service Desk
4.0 Helpdesk Staffing
DRAFT FOR DISCUSSION PURPOSES ONLY
- 69 -
4.1 Section Overview
The Staffing section will cover two areas to help prepare each Secretariat for consolidation
Change Impact Assessment Framework
• An overview of the IT staff assessment that captures their functional duties
Helpdesk Staffing Model
•
An overview of the staffing model template and industry leading practices for staffing ratios
DRAFT FOR DISCUSSION PURPOSES ONLY
- 70 -
4.2 Change Impact Assessment Framework
Overview
The Change Impact Assessment Framework is intended to capture a complete inventory of
all IT staff working in the Commonwealth (including contractors) along with their specific
functional duties.
Purpose
The Change Impact Assessment Framework is intended to capture the inventory of IT talent
currently working within the Commonwealth. The information will be valuable for developing
staffing models for each of the IT services and in helping the Commonwealth to better
understand their inventory of skills.
Additional
Information
Pre-populated Change Impact Assessment Tool templates have been distributed to the
SCIOs on Friday, August 28.
DRAFT FOR DISCUSSION PURPOSES ONLY
- 71 -
4.3 Helpdesk Staffing Models from Industry
Helpdesk Org. Model
Helpdesk Staffing Model Development
Helpdesk Org. Model
• The helpdesk org. models are being developed by the
Secretariats based on HR, finance, and service-based
requirements.
Staffing Ratios
• The staffing ratios are based on industry leading
practices. The appropriate staffing ratios will be
selected based on the size and the maturity of the
helpdesk organization for each Secretariat.
Help Desk Staffing Ratios – 2009*
PCs per Help Desk Staff Member by Organization
Percentile
Small Org.
Medium Org.
Large Org
25th Percentile
154
200
259
Median
239
292
421
75th Percentile
370
625
696
Staffing Model
• The staffing model will identify how many staff will be
required for each Secretariat’s helpdesk depending on
their consolidation plan and the current maturity of
their current helpdesk processes.
Users per Help Desk Staff Member by Organization
Percentile
Small Org.
Medium Org.
Large Org.
25th Percentile
154
188
236
Median
220
357
521
75th Percentile
338
750
800
Staffing Allocation
• The Secretariats will align the appropriate staff with the
helpdesk based on the number of resources that are
required in the staffing model.
FY'10 Staff Total
Secretariat
ANF
EOHHS
EOHED
EOLWD
EOEEA
EOPSS
EOT
EOE
Total Staff
DRAFT FOR DISCUSSION PURPOSES ONLY
FY'10
Baseline
43
16
8
21
70
90
56
76
304
Q1
Q2
Q3
FY'11 Staff Total
Q4
Q1
Q2
Q3
FY'12 Staff Total
Q4
Q1
Q2
Q3
FY'13 Staff Total
Q4
Q1
Q2
Q3
Q4
43
43
43
43
43
44
44
44
44
44
44
45
45
45
45
45
16
16
16
16
16
16
16
16
16
16
16
16
16
16
16
16
8
8
9
9
10
11
12
13
13
13
13
13
13
13
13
13
21
21
21
21
21
21
21
21
21
22
22
22
22
22
22
22
70
70
70
71
71
71
71
71
72
72
72
73
73
73
74
74
90
90
90
90
90
90
90
90
90
90
90
90
90
90
90
90
56
56
56
56
59
59
59
59
62
62
62
62
65
65
65
76
76
76
76
76
76
76
76
76
76
76
76
76
76
76
Helpdesk Staffing Model
304
304
305
306
310
312
313
314
318
318
319
320
324
324
*Source: Computer Economics (August 2009)
325
65
76
326
- 72 -
4.3 Immediate Next Steps
The checklist below to can be used to develop the appropriate staffing for the helpdesk and
desktop and LAN functions.
#
Activity
Owner
Due Date
Status
1
Finalize Helpdesk Structure
SCIO

2
Draft staffing models based in industry leading practices
SCIO

3
Complete the Change Impact Assessment Framework
HRD/SCIO

4
Allocate staff to the appropriate function
HRD/SCIO

DRAFT FOR DISCUSSION PURPOSES ONLY
- 73 -
Components of ITIL: Service Desk
5.0 Service Agreement
DRAFT FOR DISCUSSION PURPOSES ONLY
- 74 -
5.1 Section Overview
The Service Agreement section will cover three major areas to help prepare each
Secretariat for consolidation
Service Agreement Overview
• Basic service agreement overview
• Process for developing a service agreement
• Benefits of a service agreement
Service Agreement Content Overview
• Overview of the purpose, objective, and examples of each section of the service agreement
Transition Framework
• Service agreement maturity model
• Service agreement management
• Next Steps
DRAFT FOR DISCUSSION PURPOSES ONLY
- 75 -
5.1 Service Agreement: Overview
Service agreements document the service design and management processes as well as the
financial management. It includes all components of the SLA and it focuses on the definition of
services, service levels, and the process for achieving those service levels.
A Service Level Agreement is a formal agreement between the service provider and the customer on
the minimum acceptable quality of service
A Service Level is quantitative measure of the quality of services rendered by a Service Provider; it
serves to objectively measure and continuously improve performance
Service agreements help the service desk, its customers, and leadership agree on:
Service Strategy
• What services are important to the organization?
• Are we trying to deliver high or low end levels of service, and in what ways?
Service Levels And
Performance
• How much service is appropriate? And in what areas?
• Where is our current performance adequate, and where is it not?
• What is to be measured?
• What the outcomes (rewards and penalties) of that measurement will be?
• Do some of our services need to be increased or scaled back?
Service Resources
and Investment
• Where do we need more investment?
• Where are we over-invested?
DRAFT FOR DISCUSSION PURPOSES ONLY
- 76 -
5.1 Service Agreement: Development Process
Who Prepares the
Service
Agreement?
• Service agreement negotiation process should include representatives from both IT
services and the Business, with participation from service level management
How Should the
Service Agreement
be Written?
• A collaborative perspective representing both the business and technology needs of
the service.
• Several iterations may be required before a balanced service agreement can be
finalized.
• Wording in service agreements should be clear, concise and leave no room for
ambiguity.
• An adequately detailed service agreement identifies the services to be provided, but
leaves the opportunity to add or modify additional services as necessary
• Note: There is no need for the service agreement to be written in legal terminology
How Should the
Metrics be
Developed?
Cautions
DRAFT FOR DISCUSSION PURPOSES ONLY
• Metrics should be developed that measure the efficiency and effectiveness of the
services provided.
• If there is any doubt in the target metrics, provisional metrics should be included
during a pilot phase that can be monitored and adjusted during a warranty period.
• All metrics should be measurable without significant cost.
• The first time an service agreement is developed, the writers often focus on current
issues rather than focusing on the long-term requirements. Allow for time to air
current grievances before moving on to the rest of the service agreement.
- 77 -
5.1 Potential Benefits from Using Service Agreements
Benefits to the Organization
• Provide a means for both parties to reach understanding and agreement on the quality of services that are required
• Create common expectations that helps the IT service provider and its customers interact, avoid conflict, and jointly
revise measures as needed
• Simple, quantitative (objective) means of measuring and evaluating the IT service provider’s performance
• Motivate the IT service provider and its customers to change behaviors and to drive efficiencies
• Can help to drive lower costs, improve morale and increase service
Benefits to the Service Provider
Benefits to the Business
• Provide a means for the IT service provider to selfevaluate
• Can often help drive better service (e.g., faster
response to, and resolution of, issues; improved
accuracy)
• Help the IT service provider management highlight
clearly where they are doing a good job for the overall
organization (e.g., keeping costs low, maximizing
efficiency, etc.)
• Allow the IT service provider to make informed and
appropriate business decisions (e.g., capital
investments, software acquisitions, training,
methodology implementation,
staffing, etc.)
DRAFT FOR DISCUSSION PURPOSES ONLY
• Increase understanding of what services will be
provided, and what can be expected
• Provide a strong incentive for IT service providers to
meet or exceed service level expectations and
continuously improve
• Increase customers’ influence with
IT service providers
- 78 -
5.2 Service Agreement Content: Overview
Role of the service agreement document
•
•
•
•
•
Describe the scope of the services provided
Specify performance metrics and objectives for the
delivery of those services
Specify cost allocation / chargeback methodology,
when applicable
Document the business units and individuals within
those units who are responsible for meeting service
agreement conditions
Drive continuous improvement and compliance
Typical service agreement outline
•
•
•
•
•
•
•
•
•
•
Section 1: Parties Involved
Section 2: Statement of Purpose
Section 3: Scope of Services
Section 4: Service Details
Section 5: Service Measurement and Reporting
Section 6: Payment Process/Budget/Chargeback
Methodology
Section 7: Governance and Issue Resolution
Section 8: Review Process and Amendments
Section 9: Approvals and Signatures
Appendix A: Definitions
In effect, the service agreement codifies the operational working relationship between the user and the service desk.
Because such relationships are unique, service agreements will differ significantly.
Nevertheless, guidance for service agreement consist of:
• Keep it simple
• Ensure it does not become a overly ‘legalized’ document
• Ensure it is flexible in the initial operational stages
DRAFT FOR DISCUSSION PURPOSES ONLY
- 79 -
5.2 Service Agreement Content: Parties Involved
Scope
Purpose
Brief
Example/Outline
DRAFT FOR DISCUSSION PURPOSES ONLY
• The key IT and business owners responsible for maintaining service continuity
• List all agencies that are party to the service agreement and will be signatories, i.e.
the Executive Office and all agencies within that secretariat that will receive IT
services
• The Executive Office of Health and Human Services (EOHHS) is the principal agency
for all departments, commissions, offices, boards, divisions, institutions and other
entities within the executive office pursuant to Massachusetts General Laws Chapter
6A Section 16.
• The Department of Elder Affairs is a department within EOHHS pursuant to
Massachusetts General Laws Chapter 6A Section 16.
• The Department of Public Health is a department within EOHHS pursuant to
Massachusetts General Laws Chapter 6A Section 16.
- 80 -
5.2 Service Agreement Content: Statement of Purpose
Scope
Purpose
• A general statement outlining the purpose or objective of the service agreement
• Provide a high-level summary of business objectives addressed by the service
agreement
• Clarify the purpose of the service agreement document
• Identify the customers to be served by the IT service provider, as well as any other
key stakeholders
• The purpose of this service agreement is to improve administrative efficiency and
service delivery, better support department operations and preserve fiscal resources
by centrally managing information technology functions that are common to the
separate agencies, departments, offices, divisions and commissions within EOHHS.
Brief
Example/Outline
DRAFT FOR DISCUSSION PURPOSES ONLY
Or
• This service agreement documents the details of Service X provided to the Business
Unit Z. These details are mutually understood and agreed upon by all the
representatives of the owner groups. This agreement is meant to compliment
existing procedures. Service levels in this agreement have been decided mutually
and will be communicated in an agreed upon format monthly. The owner groups can
use this service agreement to facilitate their planning processes.
- 81 -
5.2 Service Agreement Content: Scope of Services
Scope
Purpose
Brief
Example/Outline
DRAFT FOR DISCUSSION PURPOSES ONLY
• An overview of the services that will be provided by the service provider and the
responsibilities of the business owners
• Summarize the services covered by the service agreement and the responsibilities of
the IT service provider at a high-level
• Summarize the high-level responsibilities of the user
• High-level overview of service provider‘s responsibilities including:
• Itemization of in-scope processes and key activities
• Hours of Operation
• Call Center
• Issue Resolution
• Authorized Signatories
• Contact List
• Record Retention
• Itemization of any tasks or information the IT organization needs from the user to
deliver in-scope services
- 82 -
5.2 Service Agreement Content: Service Details
Scope
• The scope of services should provide a detailed description of IT services that will be
provided by the Secretariat.
Purpose
• Document the scope of the service agreement
• Provide a detailed inventory of the services and support to be provided to
customers by the IT service provider
• Define which activities and tasks will be performed by the IT service provider
and which will be performed by the user or business for each process
• Document performance dependencies
• Define any areas where successful completion and performance is dependent
on the timely action of the customer
• List of all tasks required to perform each in-scope process with responsibility
assigned to the user, the service provider, or business function
• List of activities where successful completion and performance is dependant on the
timely action of the user
Brief
Example/Outline
Service
Standard Portal
Service
IT Responsibilities
Includes:

Content update availability

Ensures integrity of Info Architecture

Liaise with ITD for Portal availability/performance

Usage statistics furnished on request

Public Feedback referrals
Availability
Normal Business Hours as
described above.
Portal availability 24/7
Agency Liaison Administration
Portal Team availability for:

Answering Questions

Presentations to agency SMEs

Creating Feature Stories
Respond to requests for consultations about content creation,
information architecture re-design, agency communications
strategies
Normal Business Hours as
described above
Consulting and Training
DRAFT FOR DISCUSSION PURPOSES ONLY
EXAMPLE
Normal Business Hours as
described above
Business Responsibilities
Compliance with HHS & ITD
standards.;
Timely notice of malfunctions or
defects in the environment.
Timely removal of broken links,
orphan files, or non-compliant content
formats
Agency appoints a Portal Liaison to
work with agency content creators
and provide single point of contact for
Portal Team
Agency appoints a Portal Liaison to
work with agency content creators
and provide single point of contact for
Portal Team
- 83 -
5.2 Service Agreement Content: Service Measurement and Reporting
Scope
Purpose
Brief
Example/Outline
• Document the metrics and measures that will be used for performance management
• Identify the standards against which the IT service provider’s performance will be
evaluated
• Clearly define the expectations of the customer and the enterprise
• Ensure that service agreements can be monitored to meet both performance
standards and that customer expectations
Details of Key Performance Measures including:
• Metric Definition
• Type of Metric (e.g., customer satisfaction, productivity, quality, efficiency, cost, etc.)
• Specific performance targets that the service provider has agreed to meet
• What is to be measured in each function
• Expected performance levels for those metrics
• Minimum service levels for those metrics
• Standards or benchmarks by which to measure performance and customer
satisfaction
• Mechanisms for tracking performance and customer satisfaction
• Specific information or support the user must provide in order to for the IT function to
meet the service level goal
Reporting
• Frequency (e.g. monthly, quarterly) of performance reports on service agreement
achievement
• For service agreements to be successful, the criteria for measuring service levels should be: attainable, meaningful,
understandable, mutually acceptable, measurable, controllable and affordable.
• The customers perspective is the most important, every metric should be selected from that perspective.
DRAFT FOR DISCUSSION PURPOSES ONLY
- 84 -
5.2 Service Agreement Content: Service Measurement and Reporting: Metric Development
Performance-driven cultures are sustained by metrics
Metric Development Objectives
• Communication
• Performance inside and outside the IT service provider
• Feedback to people who can act upon the information
• Convey information through as few and as simple measures as possible
• Alignment with Goals
• Aligned with business and technical goals
• Balance all dimensions of the function; not just costs
• Provide a basis for rewards and recognition
• Continuous Improvement
• Foster and encourage improvement
• Quantify improvement initiative results
Characteristics of Effective Metrics
Validity
Does the measure track true requirements or real productivity?
Comparability
Can the measure be compared across time or in different locations?
Completeness
Are all important sources that yield an output tracked by the measure?
Usefulness
Compatibility
Cost Effectiveness
Does the measure guide action?
Is the measure compatible with existing data and information flows?
What are the tradeoffs between the cost of measurement and the benefits to be gained?
DRAFT FOR DISCUSSION PURPOSES ONLY
- 85 -
5.2 Service Agreement Content: Payment Process/Budget/Chargeback Methodology
Scope
Purpose
• Address budget and funding issues. In cases where the service agreement will also
cover services that will be funded through a chargeback mechanism, this section
should address the chargeback methodology and payment process.
• Summarize all costs and potential fees and credits associated with the services
provided
• Document how these costs will be allocated to the user (if applicable)
• Set service provider and user expectations for allocation of costs
Payment Process:
• Assess accounts through an Intergovernmental Payment Voucher (IV) on a quarterly
basis at which time the transfer of funds will be requested from Departments.
• Perform interim reconciliations of actual expenses to the Anticipated Budget not less
than twice a year and conduct a final reconciliation by the end of the third quarter, or
no later than April 30th.
• Adjust the IE as appropriate if, in the determination of EOHHS, projected costs are
more than or less than actual costs for the operation of the Core Administrative
Activity charged at the beginning of each quarter or year.
Brief
Example/Outline
DRAFT FOR DISCUSSION PURPOSES ONLY
Budget/Chargeback Methodology:
• Establish a consolidated Information Technology Core Administrative budget for
EOHHS.
• Ensure that the budget for the consolidated Information Technology Core
Administrative is adequate and that funding is sufficient to cover the costs of salary
and other employee related costs.
• Include in the budget, the following employee related and administrative charges:
• Payroll Related Fringe Benefit Costs (D09), Travel, Training, Voice and data related
costs, and other contract costs
• Assess a charge against each Department developed in accordance with the
provisions of this Section
- 86 -
5.2 Service Agreement Content: Governance and Issue Resolution
Scope
Purpose
• A summary of roles and responsibilities of the governing body for the service
agreement
• Assign oversight structure, including determining who is responsible for overseeing
relevant processes and making critical decisions (e.g., Governance / User Councils)
• Assign roles and responsibilities
• Specify the issue escalation process for: Dispute resolution regarding services
provided; Dispute resolution regarding who is responsible for a given activity
Governing body responsible for approving and maintaining the service
agreement, including:
• Those responsible for representing the customers
• Those responsible for representing the IT service provider
• Those responsible for ensuring that these two parties accomplish their stated
objectives
Brief
Example/Outline
Governing Body Responsibilities
• Periodic reviews of the performance metrics
• Periodic review and update of the service agreement
• Review and decide on outstanding operational issues and special requests
• Review of disputes pertaining to IT service provided
• Review of targeted areas for process improvement (both IT and business)
• Participate in “emergency” meetings as required
Issue Resolution
• Active issue management process and escalation procedures
DRAFT FOR DISCUSSION PURPOSES ONLY
- 87 -
5.2 Service Agreement Content: Review Process and Amendments
Scope
• Outlines the review process for amending the service agreement and approving new
services
Purpose
• Outline a schedule and process for reviewing and amending the service agreement
• New services are those services that the service provider does not normally process
or complete
Meeting schedule for the governing body (e.g., monthly or quarterly)
Brief
Example/Outline
Procedure for reviewing services and service levels included in the service
agreement, including:
• Frequency with which review and revisions should occur
• Process for requesting a review between scheduled review meetings
Procedure for handling new services
• Process for getting approval for the delivery of a new service
DRAFT FOR DISCUSSION PURPOSES ONLY
- 88 -
5.2 Service Agreement Content: Terms and Approvals
Scope
Purpose
Brief
Example/Outline
DRAFT FOR DISCUSSION PURPOSES ONLY
• Summary of the agreement duration and validation
• Specify the duration of the agreement
• Validate agreement between the IT service provider and the user
• The effective dates of the agreement
• Signatures from the designated service agreement contacts
- 89 -
5.2 Service Agreement Content: Appendix: Common Definitions
• Define terms that are referred to frequently throughout the service agreement
Scope
Term
Definition
Availability
The target levels of service availability required. What is considered an
“outage”? The service may be unavailable for a period of time, which
may not constitute an “outage”
Reliability
The maximum number of outages that can be tolerated within an agreed
period of time. What is the acceptable average time between “outages”?
Specify the period of time that will be used to calculate
Serviceability
Ease in which service may be performed and completed on a system
EXAMPLE
Performance (Severity,
Priority, Completion)
Desired/required response times. Details of expected service output on
which targets are based.
Data Integrity
Desired backup requirements needed to withhold the data integrity.
Government regulations around backup (archives) or recovery.
Recoverability
Time to recover from an outage cause by an unplanned incident.
Disaster recovery plan required? After what time period is an outage
termed a disaster?
Service Hours
What hours do you require the service to be available? Are there times
when you will need an extension of service?
Hours of Support
What are your required support hours (where these are not the same as
Service hours)?
Security and Privacy
Details of any special conditions relating to security and privacy
DRAFT FOR DISCUSSION PURPOSES ONLY
- 90 -
5.2 Service Level Leading Practices
Customer satisfaction - one of
the most Critical Service Levels
A consistent and reliable
methodology is necessary
− Annual surveys
Enforceable Service Levels
“Targets” used for performance
assessments by management –
“Targets” are not purely for
illustrative purposes
− Comparable classes of users
− Customers and service providers
agree upon the form
Identify the class of users to be
surveyed (e.g., management as
well as end users)
Require service provider to meet
with customer to discuss the results
of the surveys and the means for
improving customer satisfaction
DRAFT FOR DISCUSSION PURPOSES ONLY
To be effective, Service Levels
should be:
• Capable of reliable, objective
measurement;
• Conducive to simple economic
measurement with minimal
administrative difficulty; and
Manageable and reasonable
number of Service Levels.
• Business owners must clearly
define desired Service Levels
and standards based on their
business objectives and
requirements
• Not every service provider
function should be subject to a
Service Level – try to limit to
those services that are important
to customers and will have a
significant impact on its business
• Keep in mind that there is an
administrative cost to the
management, measurement and
reporting of Service Levels
• Important relative to customer’s
desired business drivers
- 91 -
5.3 Service Agreement Maturity Model
Early Maturity
“Start-up”
DEFINE
• Define the business
objectives and
requirements for
each customer
group
• Define the need for
a new or revised
service agreement
• Priorities which
service agreements
need to be
developed
• Identify performance
metrics to be
tracked and applied
• Articulate roles and
responsibilities
• Develop action and
communication
plans
MEASURE
• Track metrics for a
defined period of
time
• Develop standard
handling policies
and procedures
• Document
escalation
procedures
according to severity
level and chain of
command
• Define and assess
accountability for the
reporting, review
and amendments
processes
DRAFT FOR DISCUSSION PURPOSES ONLY
Mid Maturity
“Transition”
ANALYSE
• Report
measurements
based on suggested
targets, business
objectives and
customer needs
• Analyze
performance
measurements
• Set initial baseline
for service levels
• Reach agreement
between customers,
service desk, and
management on
service levels and
terms
• Develop and publish
Service Agreements
for relevant
functions
IMPROVE
• Implement the
completed service
agreements; track
and manage
performance
• Identify
improvement
opportunities
• Perform root cause
and other analyses
to improve
performance
• Identify actions
required to improve
performance
• Create and maintain
ongoing service
level performance
reports
High Maturity
“Steady State”
CONTROL
• Manage and govern
service agreements
and performance
• Periodically review
business relevance
of service levels
contained in service
agreement s
• If a service level or
service agreement
is no longer valid,
identify changes
needed to better
govern the IT
Function’s
relationship
• Set and revise
continuous
improvement targets
- 92 -
5.3 Service Agreement Management
Successful service agreement management and continuous performance improvement will depend
entirely on the quality of the tools, processes, and reporting implemented.
Critical Success Factors
• Educate all management and team leads on the service agreements and their respective responsibilities
• Vendor operational level agreements should specify service timeframes and levels that are in line with the service
agreement specifications
• Do not underestimate the importance of fully understanding the processes and tools and how they integrate. Staff
should understand how each workflow step corresponds to the service agreement calculation and reporting
• Identify process and tool champions on each team
• Create reporting that quickly enables teams to see the outcome of their actions.
• Avoid complex reporting and metrics calculations, to be able to provide insightful analysis on the data quickly
• Ensure reports are verifiable, and can be easily presented and explained
• Ensure all call priority definitions are clear and relevant to the business
• Perform root cause analysis when service level is breached, and learn from failures
• Proactively monitor service agreements to see trends and take early action to avoid performance levels being missed
DRAFT FOR DISCUSSION PURPOSES ONLY
- 93 -
5.3 Immediate Next Steps
The checklist below to can be used to develop service level agreement between the business
and IT functions.
#
Activity
Owner
1
Identify all parties (both business and technical) that need to be involved in the service
agreement development
SCIO/ Helpdesk
Team

2
Develop a framework service agreement based on the information provided in the
previous slides and the information provided by the IT Finance and Budget
subcommittee
SCIO/ Helpdesk
Team

3
Develop a draft of the service levels for inclusion in the service agreement
Helpdesk Team

4
Validate service levels with business and technical stakeholders
All Parties

5
Develop a draft of metrics for each service level
Helpdesk Team

6
Validate metrics with business and technical stakeholders
All Parties

7
Draft all other components of the service agreement
Helpdesk Team

8
Validate completed service agreement with business and technical stakeholders
All Parties

DRAFT FOR DISCUSSION PURPOSES ONLY
Due Date
Status
- 94 -
Components of ITIL: Service Desk
5.0 Integration With ITD Processes
DRAFT FOR DISCUSSION PURPOSES ONLY
- 95 -
6.0 Process Integration points with Agencies, Secretariats, and ITD
Service Desk
•
•
•
•
Incident
Management
• Coordination of communications and notifications
• Coordination of Incident resolution actions
Request Fulfillment
Coordinate on incidents involving more than one organization
Leverage shared tools
Leverage shared knowledge
Redirect callers to appropriate resources (ITD vs. Secretariat vs. Agency)
• Calls to one organization for services that are the responsibility of another
organization
Change
Management
• Coordinate change planning and approval for resources hosted or managed by ITD
Asset and
Configuration
Management
• Ownership vs. custodianship (e.g., ITD hosts a server owned by Secretariat)
Problem
Management
• Leverage knowledge beneficial to all: share Known Errors
• Share responsibility for Root Cause Analysis and Problem elimination (e.g.,
application support and server management)
DRAFT FOR DISCUSSION PURPOSES ONLY
- 96 -
Components of ITIL: Service Desk
Appendix
DRAFT FOR DISCUSSION PURPOSES ONLY
- 97 -
2.3 Industry Leading Tools and Standards: Service Desk Vendor Analysis
Company
Avocent
LANDesk
(Touchpaper)
Strengths
• Strong out-of-the-box functionality
• Ease of implementation
• Robust knowledge management functionality
• Credible best-practice and consulting services specific to ITSM
• Strong brand and presence in the U.K.
Axios Systems
• Annual development cycle with attention to customer functional requests
• Brand recognition, globally
BMC Software • Broad suite of ITSM modules, including a strong CMDB offering
(Remedy)
• Sizeable, strategic third-party partnership
• Migrating customers to new releases
• Strong PPM position and integration road map with ITSM
CA
• Extending incident and problem management capability with support automation
(formerly SupportBridge)
• Good presentation and administration of workflow and business rules
EMC (Infra) • Ease of implementation and configuration
• Financial integrity from EMC acquisition
• Financial backing of equity partner enables aggressive marketing, sales and acquisition
FrontRange
growth
Solutions
• User interface is easy to configure and administer
(ITSM)
• Installed HEAT service desk customer base provides long-term annuity
• Strong and positive global presence and service organization
• Depth of product relationship vision among ITSM, data center and application
HP
development tools
• Functional capabilities of application dependency mapping and CMDB
• Workflow and forms easy to customize and administer
iET Solutions • IT service desk tool easy to implement and get into production
• Valued advanced customer support services
• IBM has a recognizable brand name in Fortune 2000 companies and a large installed
base globally
IBM
• Compelling user interface, from an administration and presentation perspective
• Range of channel options from IBM Global Services to resellers
• Pricing model is straightforward and easy to understand
Service• Compelling user interface, from an administration and presentation perspective
now.com
• SaaS delivery model
DRAFT FOR DISCUSSION PURPOSES ONLY
Cautions
• Customers say product is difficult to customize and integrate with other vendors' ITSM
tools
• Touchpaper is less tested in large enterprises; most success has been with enterprises
of less than 10,000 employees
• Recent acquisition creates traditional remote management challenges
• Difficult to work with in regard to pricing, contracts and billing
• User interface and Web client are behind in presentation and administration capability
• Privately owned business, with limited capital resources to support growth and remain
competitive
• Ease of customization encourages poorly planned customization activity
• Large base of customers with heavily customized applications is still multiple versions behind
because upgrade is deemed expensive and difficult
• Product versioning and maintenance schedule are not well-understood
• Cumbersome and costly if high degree of customization is required
• Limited change management impact, risk and collision capability
• Negative industry perception of CA brand continues with some customers
• Limited IT service desk brand awareness and marketing
• Lack of depth in strategic partnership and resellers
• Inconsistent product road map since EMC acquisition
• Company continues to struggle managing a dual product strategy
• ITSM product suite lacks enterprise functional capabilities in change and CMDB
• Successful large-enterprise ITSM product suite implementations slow to emerge in the
market
• Complex and difficult to use integration tools between Service Manager and other HP Business
Technology Optimization (BTO) software applications
• Flawed change and release management product-branding and road map
• Service Manager clients report implementation and migration times may be long
• User interface is lagging behind at the presentation layer
• Lack of automated or wizard-driven version migration tools
• Comparatively small revenue to support growth and remain competitive
• Small number of successful enterprise-scale implementations
• Tivoli Service Request Manager is not currently well-integrated with adjacent Tivoli
products
• Still a young company with limited resources; may affect range of services available to clients
• Limited customers with complete suite of ITSM modules in production
• Potential technology glitches within hosting environment
Source: Gartner (October 2008)
- 98 -
2.3 Industry Leading Tools and Standards: Interactive Voice Response Analysis
Company
Strengths
Aspect Software • Long-standing market presence
• Both a stand-alone IVR or a suite-based approach
• Apply best practices for deployment of IVR, speech solutions, and self-service
application development
Avaya
• Long-term vendor of contact center solutions with easy integration
• Consider IR if you have a legacy Avaya IVR infrastructure
Cisco
• Financial strength enables long-term viability
• Ability to create virtual contact centers; good for smaller deployments
• Strong position in networking and IP telephony
Envox Worldwide • Well-established relationships with value-added resellers, system integrators and
developers
• Open-standards-based platform
• Price competitive and flexible on terms
• Capable technical support service that is responsive to product feature requests
• Choice of turnkey solutions or the custom IVR/voice portal solutions
Genesys
• Leader for features and functionality for implementing voice self-service within a
Telecommunicatio multichannel strategy, integrated with live-agent support
ns
• Strong support for multitenancy features to support internal hosted service
deployments
• Strong support for standards, including SIP and VoiceXML
• Software-centric products with an indirect fulfillment model
• Multivendor support for third-party telephony and automatic call distribution
Holly Connects • Carrier-grade, scalable, distributed, software-only platform
• Industry standards, such as VoiceXML and SIP
• Strong multitenancy and redundant architecture
• Sophisticated reporting, speech-recognition call logging and recording, resource
monitoring, and real-time tools for port allocation, service configuration, and service
provisioning and decommissioning
• Its engineering support organization is responsive to customer needs
IBM
• Offers a combined Web and voice processing solution
• Strong management and reporting capabilities on a reliable operating system
• Deep technical expertise to solve support issues
• High-reliability scalable platform
DRAFT FOR DISCUSSION PURPOSES ONLY
Cautions
• Aspect's primary investment focus is on its suite solution
• IVR revenue is declining which will limit future investment.
• Weak on scalability and multitenancy features; poor for multiple departments or
business units.
• Variable services staff quality.
• Lacks an enterprise telephony offering
• Avaya IVR solutions are rarely deployed outside of Avaya-based call centers.
• Avaya solutions pricing is higher than that of some vendors.
• Limited experience of complex call center deployments
• Avaya has recently been privatized.
• Product specifications limit vendor choices and increase dependence on Cisco
• Virtual call centre routing requires additional Cisco software
• Separate tools and management reporting increases the complexity
• The skills and competencies to deploy solutions in large enterprises are available
only through specialized Cisco partners.
• Limited Scalability
• Limited resources in all functions; quality of project management
• Lacks a large customer base for contact center call routing and telephony
solutions
• Expensive compared with those of other vendors
• Indirect fulfillment - relies on third parties for project management and
implementation services
• Does not directly offer a hybrid premises/hosted service offering
• The merging of GVP and VGP could distract development efforts from other
initiatives
• Limited brand awareness and presence outside its home market of Australia
• Small company with limited resources in North America and Europe
• Lacks a broader call center and communications infrastructure
• Features, reporting and integration are packaged for large-scale applications,
such as telecom, rather than for enterprises
• IBM's go-to-market and product strategy limits its opportunities for WVR
• IBM has no telephony or call center product offering, nor an installed base
• WVR runs only on AIX, and is not supported for other operating systems
Source: Gartner (February 2008)
- 99 -
2.3 Industry Leading Tools and Standards: Interactive Voice Response Analysis
Company
Interactive
Intelligence
Intervoice
Nortel
Syntellect
Voxeo
Strengths
• Suite solution including IVR functionality.
• Easy and intuitive to use with minimal training, and allows companies to create applications
quickly
• Supports time division multiplexing and SIP integrations
• Ideal for small to medium size organizations
• Provides an end-to-end services offering including hosted and managed services options
• Proven record of integration in multivendor environments
• Strong track record and experience in delivering IVR and speech applications
• Open, scalable, switch-independent IVR platform
Cautions
• Limited in size
• Lack features for large-scale developments and third-party tools and
applications are not supported.
• VoiceXML support is a recent enhancement and is not yet well proven
• Specialist IVR vendor, with a limited portfolio of broader contact center and UC
offerings
• Occasionally fail to respond to the impact of service outage on customers'
businesses.
• Some evidence of rising prices
• Limited third-party partner networks
• Long-term commitment to IVR and self-service solutions
• Application development, system integration and tools is weaker than that of
• Professional services are well proven in delivering IVR-based solutions to enterprise call
other leaders
centers
• Platforms depend on some proprietary components
• Clear vision of how its IVR platform will migrate to a UC environment and become its general- • Platform upgrade proposals tend to carry premium prices
purpose Media Server
• Some dissatisfaction with Nortel project deployments
• Has a switch-independent, standards-based IVR platform
• Low market share hinders its ability to invest deteriorating long term viability
• Proven applications and a strong professional services team
• Limited choice of application provider and system integrator
• Lacks multitenancy features that are often required for stand-alone IVR
platforms in large enterprise environments
• Voxeo's Prophecy IVR platform is a pure software platform, downloadable free with two ports • May be acquired if success continues, could lead to disrupted service.
from its Web site and optimized to make it easy for developers to start developing applications. • Primarily a hosted services business model.
• Offers a hybrid premises/hosted model
• Limited reporting and tools
• Web-centric and adheres strictly to standards such as VoiceXML and SIP.
• Basic speech recognition and text-to-speech engines with the platform reduces costs —
especially during development.
• A low-cost, scalable, standards-based platform
DRAFT FOR DISCUSSION PURPOSES ONLY
Source: Gartner (February 2008)
- 100 -
2.3 Industry Leading Tools and Standards: PC Lifecycle Configuration Analysis
Company
Strengths
• High visibility and a good reputation
Avocent
• Additional investments in endpoint security enhancements
(LANDesk) • Well-integrated suite of products, with particular strengths in usability, software
distribution and patching.
• Operational and security management functionality from a single scalable
architecture.
• Systems Lifecycle Management offers particular functional strengths in discovery
BigFix
and patch management.
• Significant vision in this market, as demonstrated by its early movement in
security/operational convergence, support for Mac clients, and PC power
management.
• Strong policy management and bandwidth control position to manage an
increasingly mobile user population.
BMC
• Tight integration and workflows, and associated automation with the BMC service
desk tool
Software
• Runs in a highly diverse environment; the support infrastructure can run on
Windows, many variations of Unix and Linux, SQL Server, Oracle, etc.
• Diverse platform support for organizations that are looking to support Windows,
Unix, Linux, AIX and other platforms with a single set of tools.
• Extensive PC migration capabilities — an area on which most competitors haven't
CA
focused.
• CA offers a broad set of adjacent offerings (that is, service desk, asset
management, service catalog, etc.) for organizations that are looking to consolidate
and standardize on a single service management suite.
FrontRange • Strong partnership with Citrix
Solutions • Easy-to-use tool with installation templates, which appeal to SMBs.
• Strong inventory and software usage management offering.
(enteo
Software)
• Policy-based management ("desired state“) enables high degrees of successful
software and patch deployments.
HP
• Very scalable with sophisticated bandwidth management capabilities.
• Well-positioned to manage increasingly mobile clients.
DRAFT FOR DISCUSSION PURPOSES ONLY
Cautions
• Primary customers have approximately 1,000 to 5,000 users.
• Reliable discovery and inventory, but customers have reported issues with filtering and
replicating inventory
• Missing native capabilities in OS deployment, remote control and application packaging, for
which it relies on partners.
• Some functions within software distribution are immature — lacks some standard features to
configure and manage
• No differentiation in client or application virtualization.
• Slowing focus on PC life cycle configuration management
• Customers supplement BMC's solutions with third-party tools to conduct OS
deployment/data and settings migration, remote control and application packaging
• Focus on PC life cycle configuration management is waning, as evidenced by its falling
behind on several major market trends (for example, endpoint security management,
virtualization and green IT),
• Eroding partner relationships and customer complaints about the quality of support.
.
• Stability issues with enteo Version 6
• Lacks an endpoint security strategy
• Playing catch-up in some areas (for example, virtualization).
• Customers tend not to use the full suite — for example, it's common for customers to use
third-party tools for OS deployment/data and settings migration, remote control, and patch
management.
Source: Gartner (December 2008)
- 101 -
2.3 Industry Leading Tools and Standards: PC Lifecycle Configuration Analysis
Company
Strengths
• Maintained its focus on the core elements of PC life cycle configuration
management — for example, software distribution and OS deployment.
Matrix42
• Unique features for controlling and coordinating the release of software and
patches to PCs
• The IT configuration architecture enables reliable support for mobile and remote
users;
• Intuitive user interface and references report that it's easy to use.
• The Compliance Manager product, which ties together usage, financial and
ManageSoft
physical inventory data, can also bring together disparate data sources in a single
view for an asset.
• Good option for organizations looking for strong configuration management and
asset repository capabilities.
• System Center Configuration Manager 2007 scalable product, with many
customers managing more than 30,000 PCs.
• Microsoft has generated interest in Application Virtualization (App-V) by including it
in the Microsoft Desktop Optimization Pack
Microsoft • There is wide availability of Systems Management Server (SMS)/ConfigMgr '07
technical skills.
• Organizations are more likely to find talent with this experience, rather than with
competitive products.
Novell
Symantec
(Altiris)
• Customers tend to use the entire suite — for example, OS deployment, remote
control and software usage metering — in addition to the base functions.
• One of the few products in this market that deploys applications to users rather
than machines.
• Offers functional strengths in inventory (with integration into its asset repository)
and OS deployment.
• Complete PC life cycle offering, and Symantec owns key emerging capabilities in
endpoint security and virtualization.
• Offers broad adjacent offerings — for example, endpoint security, asset
management, service desk and workflow.
DRAFT FOR DISCUSSION PURPOSES ONLY
Cautions
• Little visibility outside Europe
• The response time for escalated support issues for U.S. customers can be delayed when
help is required from Germany.
• It lacks a service desk and an IT asset repository, which SMBs are increasingly requiring
• Lack of investments in core life cycle management capabilities suggest a slowing focus on
PC life cycle management.
• Hasn't demonstrated a strategy for application virtualization and streaming.
• Larger management server footprint than competitive tools. Many clients supplement with
add-on tools to reduce this requirement and improve performance.
• Customers continue to report that ConfigMgr '07 is difficult to implement and support
• Higher staffing requirements than competitive tools.
• Desired Configuration Management, Internet Facing Client Management and Branch Office
Distribution — have complexities or functional limitations that are prohibiting their broad
adoption.
• Microsoft has had consistently longer gaps between major product releases (about four
years).
• The Novell brand is strongly associated with legacy technology.
• Uptake has been slow, particularly because its early release lacked critical pieces, to
support remote locations.
• Customers have reported issues with support — that is, first level and escalated support.
• Complex product to install and manage. Symantec has started to address this issue with
Version 7.
• Although endpoint security is a key growth trajectory for Symantec, patch management isn't
a strong suit.
Source: Gartner (December 2008)
- 102 -
2.3 Industry Leading Tools and Standards: Endpoint Protection Management Analysis
Company
BigFix
Bit9
CA
Check Point
Software
Technologies
eEye Digital
Security
Strengths
• Integration of the security and operational tools enables more-concise reporting and rapid remediation.
• The AntiThreat offering includes antivirus, personal firewall and anti-spyware engines that are licensed
from CA and integrated into the BigFix agent and management console.
• Strong management scalability and for control of off-LAN devices because of its intelligent agent
architecture.
• Device control is very complete, including capabilities to disable and enforce policies for
removable media, USB devices, CD-ROMs/DVDs, floppy drives, parallel ports, infra red ports, Bluetooth
and PC Card devices.
• AntiThreat includes capabilities to conduct NAC assessments and self-quarantines at the endpoint.
• Client-based DLP was recently licensed from a third party and added to the security product portfolio.
• Cost-competitive with other EPP vendors.
• Heavy focus on application control.
• Blocks software execution or devices that are not on a corporate preapproved list from running and
maintains the integrity of installed applications by cross-checking multiple file hashes before they execute.
• Bit9 has developed a huge source of information on applications and files with Knowledgebase, its file and
application identification system.
• To reduce the overhead of maintaining whitelists, Bit9 ParityCenter, is a software-as-a-service (SaaS)
offering provides context on more than 9 million applications and 4 billion individual files to help customers
identify and assess the software applications
• Bit9 has focused on limiting the management and usability challenges associated with application control.
• The vendor offers Device and Application Reporting Tool, which is an agentless software and device audit
tool.
• Bit9 is appropriate for organizations that have the political clout to enforce an authorized-only software
image on PCs or subsets of PCs with a high security requirement.
• Mature malware research labs and broad portfolio of operational and security products.
• CA EPP solutions include the basic components of anti-malware, HIPS and a personal firewall. CA also
offers software-based e-mail and HTTP gateway solutions.
• The personal firewall has many advanced features, such as support for one active NIC,
VPN detection, and good event logging and device control.
• CA's HIPS capability includes numerous system checks, as well as vulnerability shielding, sandbox
execution and behavior anomaly detection. Its learning mode capability eases set up and policy creation.
CA also maintains a known application database for broad industry wide whitelisting.
• Reference customers and resellers often noted the low cost as a major benefit of the CA
product.
• CA customers and those looking for inexpensive EPP capabilities should consider CA's
eTrust solutions.
• ZoneAlarm provides a major source of data for malware research.
• Check Point's firewall capabilities are much improved since 2006 and are very complete.
• Check Point is also a significant provider of VPN clients.
• Integrity includes an 802.1X supplicant and also supports self-enforcement native NAC
solutions. An on-demand agent is available for unmanaged machines.
• Existing Zone personal firewall, Pointsec encryption and Check Point VPN users should
include Check Point on their shortlists. Others may want to wait for better integration and
a more mature management capability.
• More of an HIPS solution than a traditional antivirus product.
• Its primary strength is in multiple styles of proactive HIPS-based protection.
• The included firewall is complete with good advanced features
• Blink does not depend on signature-based mechanisms as the primary mechanism for malware detection,
but it does offer integrated signature-based antivirus and sandboxing, which is licensed from Norman.
• The company has strong malware research capabilities.
• Consider eEye Blink if you are an SMB looking for a tactical HIPS solution to supplement signature-based
protection and native firewalls on Windows clients and servers.
DRAFT FOR DISCUSSION PURPOSES ONLY
Cautions
• Smaller company with minimal customer presence outside North America.
• Operations tools, such as software distribution, patch, vulnerability and configuration
management, are not included with the AntiThreat solution pack.
• It lacks a proven track record in the anti-malware protection side of the business.
• Anti-malware capabilities are immature and dependent on CA and other partners.
• It lacks HIPS capabilities in the current release (due the first half of 2008).
• It doesn't have encryption capabilities.
• mall vendor with a limited user base that is primarily in North America.
• It does not have a personal firewall, antivirus or HIPS capability beyond application and
device control.
• If a malware manages to evade detection, then Bit9 cannot clean it up.
• Bit9 has limited operating system platform support. Current versions only work on
Windows.
• It has limited resources to integrate wider EPP capabilities, such as NAC, DLP or
encryption.
• Outsource eTrust antivirus product development, engineering, support and threat research to HCL Technologies, while
CA will continue to perform sales, marketing and product management tasks.
• It took several years to integrate the PestPatrol anti-spyware capability. The HIPS solution is not yet integrated in the
eTrust Management console. Correlation between different components is shallow.
• Rootkit detection is weak. There is no capability to discover an installed rootkit in the corporate version.
• NAC capabilities are limited to participation in Cisco NAC and Microsoft Network Access Protection infrastructure.
• Although Check Point has an excellent reputation in the enterprise network space, it has not yet established this
reputation with the desktop security buying center.
• An advanced management capability is lacking.
• Although Check Point has a small research lab, it is primarily dependent on antivirus partners (Kaspersky) for malware
research.
• Rootkit detection is limited to spotting traffic patterns.
• Device control is in the Pointsec product, which is still being integrated.
• One of the smallest companies in this market, with only 74 employees
• It has limited application and device control capabilities.
• The vendor doesn't have NAC capabilities.
• eEye lacks the capability to detect installed rootkits, although it has techniques to prevent rootkit installation.
• Platform support is limited to Windows.
• It has expensive list pricing.
Source: Gartner (December 2007)
- 103 -
2.3 Industry Leading Tools and Standards: Endpoint Protection Management Analysis
Company
F-Secure
IBM
Kaspersky Lab
LANDesk
McAfee
Strengths
• Fast response times to malware outbreaks because of automated threat analysis and multiple sources of
threat samples.
• The vendor has the largest share of ISP customers, including a SaaS multitenant platform, F-Secure
Protection Service for Business, which enables ISPs to offer SMBs a fully managed security solution.
• Customers comment on the outstanding support from F-Secure.
• F-Secure backlight provides a good rootkit scanning capability.
• The personal firewall component, Internet Shield in F-Secure Client Security, uses Vista's Windows
Filtering Platform.
• It is a good alternative for SMBs, especially those in their direct service area of northern Europe and those
looking for SaaS-type services.
• IBM Proventia's main strength is in a variety of styles of HIPS protection
• The personal firewall is full-featured and mature
• Proventia offers an optional integrated antivirus signature engine from BitDefender
• IBM/ISS has the broadest platform coverage of any HIPS vendor.
• IBM's X-Force R&D labs have a strong reputation.
• IBM's reputation and channel presence in large enterprises enable it to attract capable partners, such as
BigFix and Sophos. We fully anticipate that several partners will become acquisition candidates in the near
term.
• IBM has announced strategic plans for a significant program to move into the data security market around
the three pillars of data protection, system protection and an extensible management framework.
• Kaspersky Lab is a smaller, but technically astute, organization with a strong reputation for fast signature
response and high-malware detection rates.
• Its primary client base has been in Europe, but it is rapidly expanding into North America and emerging
markets, such as China.
• The Kaspersky client has a relatively small disk and memory footprint for a comprehensive suite platform.
• Starting with v.6.0, Kaspersky introduced advanced HIPS
• The vendor has a strong OEM business with e-mail and Web gateway vendors.
• SMBs that prefer to focus on signature-based defenses and HIPS should evaluate Kaspersky. Larger
organizations should consider Kaspersky as a strong antivirus engine when offered in other vendors' e-mail
and Web gateways.
• The security suite includes several operations management capabilities
• Some advanced firewall capabilities
• Malware detection is provided by partners Lavasoft and Kaspersky. The management of other antivirus
engines is provided by McAfee, Sophos, Trend Micro and Symantec.
• One of LANDesk's main advantages is the ease of which it can find, assess and update any aspect of a
PC, even when it is off a LAN.
• LANDesk offers NAC (802.1X, DHCP, Cisco NAC and IPsec) to automate security assessments and
remediation.
• McAfee is a consistent leader in the antivirus market, with a high desktop penetration rate and a solid
international threat research capability.
• McAfee has demonstrated excellent vision, leading the market with the acquisition of DLP capabilities
(Onigma) and full-disk encryption (Safeboot) to protect enterprise data.
The vendor also offers a managed service (SaaS) for SMBs.
• It is slowly acquiring some operations life cycle tools
• McAfee's spyware detection rates are very good for a traditional antivirus vendor.
• EPO has historically been the standard for centralized administration consoles
DRAFT FOR DISCUSSION PURPOSES ONLY
Cautions
• Less advanced enterprise management features (distributed management console, role based administration and
automated network scanning for agentless machines), which makes the use of this product in large environments
challenging.
• The HIPS solution is missing some basic capabilities, such as buffer overflow, vulnerability shielding or application
whitelisting.
• F-Secure only offers a Web-based, on-demand scanner. It does not have an enterprise version suitable for scanning
unmanaged machines.
• The personal firewall is basic and lacks features such as device control and expansive logs, and it has limited attack
prevention to shield it from being disabled.
• Advanced data protection, such as DLP and encryption, are not on F-Secure's road map. The vendor exited the
encryption market.
• NAC is limited to agent self-enforcement for signature file freshness.
• Market presence is mostly in Europe, the Middle East and Africa, with limited presence in North America and
Asia/Pacific.
• F-Secure needs to enhance its quality control and alpha testing on new product version releases.
• IBM's expansion plans for PC and data security are in the early stages and may change significantly.
• High administration, careful tuning and exception handling are essential to the successful deployment of Provintia
desktop.
• Some HIPS techniques may have an impact on endpoint CPU, and memory use is relatively high.
• There is slow support for Windows Vista for 64-bit Windows.
• IBM's signature-based anti-malware capabilities are dependent on a smaller vendor, BitDefender
• Minimal NAC support exists, and IBM doesn't have any encryption or DLP plans yet.
• Small company relative to the market leaders, and its minor global enterprise market share is mostly in SMBs.
• Its current solution lacks some visionary capabilities, including self-contained NAC, firewall controls for VPN
enforcement, prevention of Wi-Fi bridging and device management, DLP, encryption and network gateways.
• Rapid growth and global expansion will be difficult to manage and could have a negative impact on product quality.
• The biggest drawback to LANDesk EPP is that the initial investment in infrastructure needs to be shared with
operations administrators and their budgets.
• The extensive management interface can be overwhelming at first; however, after training, it becomes intuitive.
• LANDesk does not resell a firewall but can manage Windows XP and Vista firewalls.
• It lacks a proven track record in the protection side of the business.
• Visionary extended products, such as DLP and encryption, are lacking.
• Users report that it can be difficult to navigate and use. Integration of new products into the console is often very slow.
Also, we continue to get reports that EPO status reports are not always accurate.
• Longtime EPO users report some frustration navigating the new Web version.
• HIPS policy setting can be administration-intensive.
• The McAfee agent can have an impact on PC startup and streaming media.
• NAC capability is limited to self-enforced NAC or McAfee NAC 2.5 integrated with IntruShield Network IPS, and is
lacking granular policy capability.
• McAfee's Total Protection for Enterprise products suite has a high list price and includes gateway products (Web and
e-mail) that enterprises should source separately. McAfeecan be aggressive in negotiating renewals.
Source: Gartner (December 2007)
- 104 -
2.3 Industry Leading Tools and Standards: Endpoint Protection Management Analysis
Company
Microsoft
Panda Security
Sophos
Symantec
Trend Micro
Webroot
Software
Strengths
• Strength in ease of use and manageability
• The FCS management console provides excellent drill-down reporting of the security status of managed
clients.
• It has solid operating system knowledge and integration, which minimize the risk of operating system
conflicts and destabilization.
• Pricing is attractive, especially for enterprises that purchase Microsoft's Enterprise Client Access License.
• Microsoft NAC support is embedded.
• Consider Microsoft's FCS if you are an SMB looking for basic protection for Windows desktops and
servers.
• Panda Security has a mature malware lab and was early to embrace the EPP concept.
• Broad array of HIPS techniques that enable it to catch malware prior to execution without relying on threat
signatures.
• The vendor also has some interesting plans for software identification in the cloud, which could improve
malware signature speed and accuracy.
• Panda has good platform support for handheld platforms.
• SMBs that are looking for a more customer intimate alternative to the incumbent giants in the antivirus
market should consider the EPP suite from Panda.
• The acquisition of Endforce provided excellent integrated NAC capability
• The management is significantly improved with its simple to manage and support SmartView filter that
shows.
• Reporting is also greatly expanded to include PC configuration and software status indicators.
• The management console is able to monitor, assess and remediate some competitive EPP clients.
• The Sophos EPP suite offers a good balance of malware, personal firewall and HIPS
defenses that are deterministic and easy to deploy and manage.
• Long-suffering Symantec Antivirus (SAV) 9 and 10 users will appreciate less-intrusive scheduled malware
scanning with SEP 11.0, a task that formerly had a significant impact on system performance.
• Improved directory integration and reporting.
• Symantec On-Demand Agent is a solid (but optional) offering for scanning unmanaged machines with a
light downloaded agent.
• Consider Symantec for more complete protection platform that supports the selection of multiple styles of
protection from an extensible agent framework and managed from a single console.
• Excellent international malware research capabilities.
• It gets high marks from its clients for service and support.
• Trend Micro OfficeScan provides basic HIPS functionality
• NAC capability is good
• Trend Micro recently developed a plug-in architecture that enables more rapid integration of new
technologies acquired by Trend Micro or offered by smaller innovative companies that do not have the
management capability for enterprises.
• Trend Micro's NeatSuite packaging/pricing is attractive. In some regions, Trend Micro resellers provide
free protection software for employees' home PCs.
• Enterprises looking for a reliable and conservative alternative to other leaders would do well to include
Trend Micro on their shortlists.
• Webroot Software's primary strength is its spyware and adware threat detection and filtering capabilities.
The Phileas URL search engine is distinguished in the industry as an excellent site-oriented spyware
detection system.
• Its malware engine uses 17 real-time shields that identify and block malware from loading.
• The vendor has leveraged its spyware niche into a profitable business with no debt, but larger incumbents
are catching up in spyware detection rates.
• Webroot will continue to fill the niche need of buyers who primarily seek to augment spyware defense until
it can provide HIPS and personal firewall functionality.
DRAFT FOR DISCUSSION PURPOSES ONLY
Cautions
• FCS only offers Microsoft Windows client and platform support.
• Potential for a conflict of interest.
• Microsoft is continuously challenged to choose between embedding security into Windows, which benefits all
customers, or providing competitive security products.
• FCS does not manage all Windows built-in security capabilities, such as the firewall
• The FCS Security Management Console is not yet integrated into the other Forefront security products
• Initial Microsoft malware lab weakness in early evaluations of OneCare
• FCS is optimized for Active Directory Group Policy for configuring agents and Windows Server Update Services for
distributing signatures.
• Microsoft is missing visionary features, such as DLP, and encryption is only available in Windows Vista.
• Overall, Panda is still a small regional vendor and needs to break out of its niche market in Spain. Its international
growth plans may stretch corporate resources.
• It lacks several visionary capabilities regarding its firewall, such as external media controls, VPN enforcement and the
prevention of Wi-Fi bridging.
• Future road maps for DLP and encryption are lacking.
• The NAC platform is incomplete, although frequent compliance re-checks are a plus.
• Some customers reported poor Office 2007 compatibility.
• Sophos lacks several visionary capabilities, including agentless scanning, advanced firewall controls (to prevent Wi-Fi
bridging), device control, DLP and encryption, although road map commitments for data encryption with basic media
port controls are in place.
• The EPP management console is not yet integrated with advanced NAC and e-mail and Web gateway products.
• Ad hoc and scheduled reporting could be improved.
• Overlap with Symantec Critical System Protection and Symantec Compliance Manager, which uses a separate
management and reporting console, needs to be rationalized.
• The SEP management console is completely new and slightly immature.
• Buffer overflow technology from Sygate was not integrated. Most EPP competitors offer buffer overflow protection.
• Client dissatisfaction with Symantec support continues to be an issue,
• Add-ons to the SEP 11.0 foundation can become expensive.
• Slow response to changing market conditions
• OfficeScan's lack of advanced HIPS and personal firewall features had a significant impact on its vision score.
• The company has no operations life cycle tool components, such as vulnerability scanning patch or security
configuration management, nor does it have any integration with partners for this type of capability.
• OfficeScan Client is relatively heavy, and scheduled scans can affect PC performance.
• The product portfolio has only limited agentless scanning capabilities.
• Native NAC capability is appliance-based, making it expensive and complex for large organizations.
• Control Manager does not yet have the richness of reporting like some competitive solutions, and central management
can be difficult.
• Webroot is a relatively small company in this market, and it has experienced some management turnover. It will be
difficult for it to compete in the broader EPP market with such small engineering and support capabilities.
• The relative breadth of Webroot's EPP features is limited compared with the market average.
• The Webroot enterprise client base is primarily U.S.-based SMBs (fewer than 500 seats).
• Despite a relatively lightweight client, scheduled scans can have a noticeable performance impact on PCs.
• Webroot lacks several visionary capabilities, including on-demand protection, NAC, device controls and DLP
capabilities.
Source: Gartner (December 2007)
- 105 -
3.3 Current Position - Detailed ITIL Process Maturity Model (1 of 2)
Maturity Stages
Stage 1
(Chaotic)
Service Desk
No formal Service Desk or Service
Desk roles are defined. Nobody has
overall responsibility for receiving and
owning Incidents. There is no
supporting technology for logging calls.
Stage 2
(Reactive)
Stage 3
(Stable)
Stage 4
(Proactive)
A Service Desk role exists and there
The Service Desk is recognized as the The Service Desk has the correct
Processes are in place to continually
are people who conduct some activities point of contact for all users/customers. balance of technical resource to ensure assess the effectiveness of the Service
for the Service Desk. The Service Desk Communications are distributed via the efficient and effective handling of
Desk and deliver ongoing
is frequently by-passed. Service Desk Service Desk - such as informing users issues.
improvements to performance.
processes are not well defined and
of planned service outages.
The Service Desk has sophisticated
The Service Desk is driven by the
documented, allowing calls to be
Basic service levels are in place to
call handling technologies such as
business needs and demand, providing
handled differently. No Service Levels control the Service Desk, and regular knowledge bases, CMDB, IVR, ACD, comprehensive MI to allow IT to assist
for the Service Desk are in place.
customer satisfaction surveys are
Self Help portal etc.
the business in decision making.
conducted.
The Service Desk operates to tightly
A single asset and user repository is
controlled service levels.
used.
Incident
Management
Incidents are not identified, tracked and A basic Incident Management process A well structured and enforced Incident
resolved in a structured and consistent exists has been documented.
Management process is in place, with
manner. No process exists, and there The process can be, and is regularly
periodic reviews and updates made to
is no supporting technology and loggingby-passed with issues being resolved inthe process to ensure effectiveness.
system.
a 'hero-based' approach.
All incidents are logged, classified and
A basic system is used to record most tracked in a common system.
incidents, but this is not enforced for all Incident Management is well integrated
incidents.
with Problem Management and Event
Management providing MI for Trend
Analysis and delivering proactive
resolutions.
Basic SLAs are in place to monitor
Incident resolution.
Comprehensive SLAs and supporting
OLAs exist and all Incidents are
proactively tracked and escalated to
ensure SLA agreements are met.
Intelligent Incident resolution tools are
in place such as comprehensive
Knowledge Base, CBR, Self-help
Incident Management is appropriately
structured to best meet the
requirements of the business.
Request Fulfillment
A Request Fulfillment process does not Request Fulfillment occurs either
A formal Request Fulfillment process is Request Fulfillment provides
exist, and no alternative process is in through a basic Request Fulfillment
defined, implemented, communicated standardized services which result in
place to manage requests. Requests process, or via an alternative process and enforced.
minimized bureaucracy with highare therefore dealt with in an adsuch as Incident Management.
Requests are differentiated from
quality service.
hoc/informal manner where there is no Requests may be regarded as low
Incidents and RFCs
Services are commoditized and well
defined approach, or agreed service
impact Incidents and processed against Request Models are defined to ensure managed, ensuring complete control
targets.
the Incident service level targets
frequently required services are
over licensing, media and IT
handled consistently and within agreed infrastructure.
service levels.
Users are able to access information
Efficient financial approvals are in place and services easily, and satisfaction
to approve requests in a quick,
results and metrics indicate widecontrolled manner.
spread usage of the Request
Users are clearly informed of the
Fulfillment process.
request services available and the
Technology is used to assist in
means by which they can request
providing Request Fulfillment services
them.
such as self help portals.
DRAFT FOR DISCUSSION PURPOSES ONLY
Stage 5
(Value Driven)
Incident Management is closely
integrated with all key ITIL processes
(such as Problem, Change,
Configuration, Event, Financial
Management etc)
Cost to resolve Incidents is monitored
and assessed with proactive action to
continually reduce both the cost to IT
and cost to the Business to resolve
incidents
Request Fulfillment allows the Business
to gain quick and effective access to
standard services, thereby greatly
improving the Business efficiency and
productivity.
-
- 106 -
3.3 Current Position - Detailed ITIL Process Maturity Model (2 of 2)
Maturity Stages
Stage 1
(Chaotic)
Stage 2
(Reactive)
Change Management
The Change Management process and A standard process exists and is
roles do not exist. Changes are not
documented for issuing RFCs. The
reviewed and approved. Changes to
process is not always adhered to and
the IT environment can occur without can be by-passed. A Change Manager
intervention.
is responsible for the process and
convenes a regular CAB for assessing
and approving changes.
Stage 3
(Stable)
Stage 4
(Proactive)
Stage 5
(Value Driven)
Service Asset &
Config Mgmt
Problem
Management
Change Management defines Standard Changes are assessed and prioritized
Normal and Emergency procedures for against Business needs and impact on
changes
related SLAs .
Standard changes are clearly identified Change Management is closely
- such as in a Service Catalogue
integrated with Configuration
Change Management is fully enforced Management, assessing changes
and provides a consistent and trusted against interdependencies of CIs.
approval mechanism for change.
Changes are assessed and grouped
Changes are assessed for IT and
into change releases in order to
Business impact and are fully vetted for minimize disruption to services
completeness of planning/testing/roll
Changes are assessed post
back etc.
implementation by Change
A forward schedule of change is
Management.
produced and updated
The Change Process complies with
relevant regulations and control
structures (such as SOX, COBIT etc).
Change Management is tightly
integrated with other ITIL processes
(e.g. Incident, Problem, Configuration,
Capacity, Availability and Release
Management)
The change process is regularly
monitored and improved upon as part
of the Continual Service Improvement
cycle, ensuring thorough vetting of
changes whilst minimizing bureaucratic
process administration.
No process or repository for Asset and
Configuration Items exist.
Relationships between IT infrastructure
and services is not clearly understood.
A formal Service Asset and Config
Formal procedures and processes exist There are links and interfaces between
process does not exist. Some Asset
for identifying, categorizing and
the CMS and other Service
data is collected, and some service
recording Asset and Configuration
Management systems. SACM
relationships are understood, but these information in a CMS and Integrated
information is routinely used to assess
are not consistently stored in a
CMDB.
and reduce impact from Changes,
repository, they are spread around in Standard naming conventions are used Incidents and Problems.
databases and spreadsheets or held and CIs are uniquely tagged with an
Comprehensive procedures exist to
within individuals minds. SACM is more identifier.
track and efficiently manage software
akin to IT Asset Management purely for Technology is used to support SACM - and hardware deployment and license
compliance requirements.
such as automated CI discovery and usage.
status tracking.
Suppliers are required to comply with
Relationships between CIs are well
the SACM processes and standards.
understood, recorded and updated by
procedures to ensure 'house-keeping'
of the SACM data.
SACM is used to effectively manage all
software, hardware and contracts held
within IT. This includes managing
hardware warranty, monitoring software
usage and harvesting unused licenses,
and assisting projects to determine
refresh requirements for deployed
hardware etc.
Core Problem Management activities
do not exist such as problem
determination, problem analysis,
problem resolution? Resolution of
problems is entirely reactive based.
Core Problem Management process
exists and is documented. Problem
Management occurs on an ad-hoc
basics with no dedicated Problem
Management team.
Problem Management is fully proactive,
working with suppliers to understand
development roadmaps. Problem
Management is closely involved with
Architecture and Design group to
ensure designs address current risks
and deficiencies in IT.
Problem Management is closely
integrated with the Business to
understand and prioritize problem
areas in-line with Business
requirements.
DRAFT FOR DISCUSSION PURPOSES ONLY
A dedicated Problem Management
Problem Management effectiveness is
team exists who are responsible for
tracked and monitored with clearly
proactive problem determination and defined targets for problem resolution
resolution. Problems are classified for and incident avoidance.
category, urgency, priority and impact Problem Management is closely
and assigned for investigation.
integrated with other ITIL processes
The bulk of Problem Resolution is
Problem Management conducts both such as Incident, Change, Config,
recurring Incident-based as opposed to resolution of recurring Incidents and
Availability and Continuity
proactive Problem Management.
also proactive Problem Management. Management.
Problem Management is well integrated Problem Management proactively
with the development cycle.
works with development and suppliers
to understand known issues and
resolutions.
- 107 -