ITIL and Security Management Overview

David McPhee

What is ITIL?For the purpose of this chapter, the focus is how information security management works within the Information Technology Infrastructure Library (ITIL).

The Information Technology Infrastructure Library (ITIL) is a framework of best practices. The concepts within ITIL support information technology services delivery organizations with the planning of consistent, documented, and repeatable or customized processes that improve service delivery to the business. The ITIL framework consists of the following IT processes: Service Support (Service Desk, Incident Management, Problem Management, Change Management, Configuration Management, and Release Management) and Services Delivery (Service Level Management, Capacity Management, Availability Management, Financial Management and IT Service Continuity Management).

History of ITIL

The ITIL concept emerged in the 1980s, when the British government determined that the level of IT service quality provided to them was not sufficient. The Central Computer and Telecommunications Agency (CCTA), now called the Office of Government Commerce (OGC), was tasked with developing a framework for efficient and financially responsible use of IT resources within the British government and the private sector.

Figure 1. ITIL Overview.

The earliest version of ITIL was actually originally called GITIM, Government Information Technology Infrastructure Management. Obviously this was very different to the current ITIL, but conceptually very similar, focusing around service support and delivery.

Large companies and government agencies in Europe adopted the framework very quickly in the early 1990s. ITIL was spreading far and, and was used in both government and non-government organizations. As it grew in popularity, both in the UK and across the world, IT itself changed and evolved, and so did ITIL.

What Is Security Management?

Security management details the process of planning and managing a defined level of security for information and IT services, including all aspects associated with reaction to security Incidents. It also includes the assessment and management of risks and vulnerabilities, and the implementation of cost justifiable countermeasures.

Security management is the process of managing a defined level of security on information and IT services. Included is managing the reaction to security incidents. The importance of information security has increased dramatically because of the move of open internal networks to customers and business partners; the move towards electronic commerce, the increasing use of public networks like Internet and Intranets. The wide spread use of information and information processing as well as the increasing dependency of process results on information requires structural and organized protection of information.

Descriptions

Service Support Overview
Service support describes the processes associated with the day-to day support and maintenance activities associated with the provision of IT services: Service Desk, Incident Management, Problem Management, Change Management, Configuration Management, and Release Management.

• Service Desk: This function is the single point of contact between the end users and IT Service Management.
• Incident Management: Best practices for resolving incidents (any event that causes an interruption to, or a reduction in, the quality of an IT service) and quickly restoring IT services.
• Problem Management: Best practices for identifying the underlying causes of IT incidents in order to prevent future recurrences. These practices seek to proactively prevent incidents and problems.
• Change Management: Best practices for standardizing and authorizing the controlled implementation of IT changes. These practices ensure that changes are implemented with minimum adverse impact on IT services, and that they are traceable.
• Configuration Management: Best practices for controlling production configurations; for example, standardization, status monitoring, and asset identification. By identifying, controlling, maintaining and verifying the items that make up an organization’s IT infrastructure, these practices ensure that there is a logical model of the infrastructure.
• Release Management: Best practices for the release of hardware and software. These practices ensure that only tested and correct versions of authorized software and hardware is provided to IT customers.

Service Support Details

Service Desk
The objective of the service desk is to be a single point of contact for customers who need assistance with incidents, problems, questions, and to provide an interface for other activities related to IT and ITIL services.

Figure 2. Service desk diagram.

Benefits of Implementing a Service Desk

• Increased first call resolution
• Skill based support
• Rapidly restore service
• Improved incident response time
• Quick service restoration
• Improved tracking of service quality
• Improved recognition of trends and incidents
• Improved employee satisfaction

Processes Utilized by the Service Desk

• Workflow and procedures diagrams
• Roles and responsibilities
• Training evaluation sheets and skill set assessments
• Implemented metrics and continuous improvement procedures

Incident Management
The objective of Incident management is minimize the disruption to the business by restoring service operations to agreed levels as quickly as possible and to ensure the availability of IT services is maximized, and could also protect the integrity and confidentiality of information by identifying the root cause of a problem.

Benefits of an Incident Management Process

• Incident detection and recording
• Classification and initial support
• Investigation and diagnosis
• Resolution and recovery
• Incident closure
• Incident ownership, monitoring, tracking and communication
• Repeatable Process

With a formal incident management practice, IT quality will improve through ensuring ticket quality, standardizing ticket ownership, and providing a clear understanding of ticket types while decreasing the number of un-reported or misreported incidents.

Figure 3. Incident management ticket owner workflow diagram.

Problem Management
The object of problem management is to resolve the root cause of incidents to minimize the adverse impact of incidents and problems on the business and secondly to prevent recurrence of incidents related to these errors. A `problem’ is an unknown underlying cause of one or more incidents, and a `known error’ is a problem that is successfully diagnosed and for which a work-around has been identified. The outcome of known error is a request for change (RFC).

Figure 4. Problem management diagram overview.

A problem is a condition often identified as a result of multiple Incidents that exhibit common symptoms. Problems can also be identified from a single significant incident, indicative of a single error, for which the cause is unknown, but for which the impact is significant.

A known error is a condition identified by successful diagnosis of the root cause of a problem, and the subsequent development of a work-around.

An RFC is a proposal to IT infrastructure for a change to the environment.

Incident Management and Problem Management: What’s the Difference?
Incidents and service requests are formally managed through a staged process to conclusion. This process is referred to as the “incident management lifecycle.” The objective of the incident management lifecycle is to restore the service as quickly as possible to meet service level agreements (SLAs). The process is primarily aimed at the user level.

Problem management deals with resolving the underlying cause of one or more incidents. The focus of problem management is to resolve the root cause of errors and to find permanent solutions. Although every effort will be made to resolve the problem as quickly as possible this process is focused on the resolution of the problem rather than the speed of the resolution. This process deals at the enterprise level.

Change Management
Change management ensures that all areas follow a standardized process when implementing change into a production environment. Change is defined as any adjustment, enhancement, or maintenance to a production business application, system software, system hardware, communications network, or operational facility.

Benefits of Change Management

• Planning change
• Impact analysis
• Change approval
• Managing and implementing change
• Increase formalization and compliance
• Post change review
• Better alignment of IT infrastructure to business requirements
• Efficient and prompt handling of all changes
• Fewer changes to be backed out
• Greater ability to handle a large volume of change
• Increased user productivity

Configuration Management
Configuration management is the implemtation of a configuration management database (CMDB) that contains details of the organization’s elements that are used in the provision and management of its IT services. The main activities of configuration management are:

• Planning: Planning and defining the scope, objectives, policy and process of the CMDB.
• Identification: Selecting and identifying the configuration structures and items within the scope of your IT infrastructure.
• Configuration control: Ensuring that only authorized and identifiable configuration items are accepted and recorded in the CMDB throughout its lifecycle.
• Status accounting: Keeping track of the status of components throughout the entire lifecycle of configuration items.
• Verification and audit: Auditing after the implementation of configuration management to verify that the correct information is recorded in the CMDB, followed by scheduled audits to ensure the CMDB is kept up-to-date.

Configuration Management and Information Security
Without the definition of all configuration items that are used to provide an organizations’s IT services, it can be very difficult to identify which items are used for which services. This could result in critical configuration items being stolen, moved or misplaced, affecting the availability pf tje services dependent on them. It could also result in unauthorized items being used in the provision of IT services.

Benefits of Configuration Management

• Reduced cost to implement, manage, and support the infrastructure
• Decreased incident and problem resolution times
• Improved management of software licensing and compliance
• Consistent, automated processes for infrastructure mapping
• Increased ability to identify and comply with architecture and standards requirements
• Incident troubleshooting
• Usage trending
• Change evaluation
• Financial chargeback and asset lifecycle management
• Service Level Agreement (SLA) and software license negotiations

Release Management
Release Management is used for platform-independent and automated distribution of software and hardware, including license controls across the entire IT infrastructure. Proper Software and Hardware Control ensure the availability of licensed, tested, and version certified software and hardware, which will function correctly and respectively with the available hardware. Quality control during the development and implementation of new hardware and software is also the responsibility of Release Management. This guarantees that all software can be conceptually optimized to meet the demands of the business processes.

Benefits of Release Management

• Ability to plan resource requirements in advance
• Provides a structured approach, leading to an efficient and effective process
• Changes are bundled together in a release, minimizing the impact on the user
• Helps to verify correct usability and functionality before release by testing
• Control the distribution and installation of changes to IT systems
• Design and implement procedures for the distribution and installation of changes to IT systems
• Effectively communicate and manage expectations of the customer during the planning and rollout of new releases

The focus of release management is the protection of the live environment and its services through the use of formal procedures and checks.

Release Categories
A release consists of the new or changed software or hardware required to implement approved change.

• Major software releases and hardware upgrades, normally containing large areas of new functionality, some of which may make intervening fixes to problems redundant. A major upgrade or release usually supersedes all preceding minor upgrades, releases and emergency fixes
• Minor software releases and hardware upgrades, normally containing small enhancements and fixes, some of which may have already been issued as emergency fixes. A minor upgrade or release usually supersedes all preceding emergency fixes.
• Emergency software and hardware fixes, normally containing the corrections to a small number of known problems

Figure 5. Release management overview.

Releases can be divided based on the release unit into:

• Delta Release is a release of only that part of the software which has been changed. For example, security patches to plug bugs in a software.
• Full Release means that the entire software program will be release again. For example, an entire version of an application.
• Packaged Release is a combination of many changes: for example, an operating system image containing the applications as well.

Service Delivery Overview

Services delivery is the discipline that ensures IT infrastructure is provided at the right time in the right volume at the right price, and ensuring that IT is used in the most efficient manner. This involves analysis and decisions to balance capacity at a production or service point with demand from customers, it also covers the processes required for the planning and delivery of quality IT services and looks at the longer term processes associated with improving the quality of IT services delivered.

• Service Level Management: Service level management (SLM) is responsible for negotiating and agreeing to service requirements and expected service characteristics with the customer
• Capacity Management: Capacity management is responsible for ensuring that IT processing and storage capacity provision match the evolving demands of the business in a cost effective and timely manner
• Availability Management: Availability management is responsible for optimizing availability
• Financial Management: The object of financial management for IT services is to provide cost effective stewardship of the IT assets and the financial resources used in providing IT services.
• IT Service Continuity Management: Service continuity is responsible for ensuring that the available IT Service Continuity options are understood and the most appropriate solution is chosen in support of the business requirements

Service Level Management
The object of service level management (SLM) is to maintain and gradually improve business aligned IT service quality, through a constant cycle of agreeing, monitoring, reporting and reviewing IT service achievements and through instigating actions to eradicate unacceptable levels of service.

SLM is responsible for ensuring that the service targets are documented and agreed in SLAs and monitors and reviews the actual service levels achieved against their SLA targets. SLM should also be trying to proactively improve all service levels within the imposed cost constraints. SLM is the process that manages and improves agreed level of service between two parties, the provider and the receiver of a service.

SLM is responsible for negotiating and agreeing to service requirements and expected service characteristics with the Customer, measuring and reporting of Service Levels actually being achieved against target, resources required, cost of service provision. SLM is also responsible for continuously improving service levels in line with business processes, with a SIP, co-coordinating other Service Management and support functions, including third party suppliers, reviewing SLAs to meet changed business needs or resolving major service issues and producing, reviewing and maintaining the Service Catalogue.

Benefits of Implementing Service Level Management

• Implementing the service level management process enables both the customer and the IT services provider to have a clear understanding of the expected level of delivered services and their associated costs for the organization, by documenting these goals into formal agreements.
• Service level management can be used as a basis for charging for services, and can demonstrate to customers the value they are receiving from the Service Desk.
• It also assists the service desk with managing external supplier relationships, and introduces the possibility of negotiating improved services or reduced costs.

Capacity Management
Capacity management is responsible for ensuring that IT processing and storage capacity provisioning match the evolving demands of the business in a cost effective and timely manner. The process includes monitoring the performance and the throughput of the IT services and supporting IT components, tuning activities to make efficient use of resources, understanding the current demands for IT resources and deriving forecasts for future requirements, influencing the demand for resource in conjunction with other Service Management processes, and producing a capacity plan predicting the IT resources needed to achieve agreed service levels.

Capacity management has three main areas of responsibility. First of these is BCM, which is responsible for ensuring that the future business requirements for IT services are considered, planned and implemented in a timely fashion. These future requirements will come from business plans outlining new services, improvements and growth in existing services, development plans, etc. This requires knowledge of existing service levels and SLAs, future service levels and SLRs, the Business and Capacity plans, modeling techniques (Analytical, Simulation, Trending and Base lining), and application sizing methods.

The second main area of responsibility is SCM, which focuses on managing the performance of the IT services provided to the Customers, and is responsible for monitoring and measuring services, as detailed in SLAs and collecting recording, analyzing and reporting on data. This requires knowledge of service levels and SLAs, systems, networks, service throughput and performance, monitoring, measurement, analysis, tuning and demand management.

The third and final main area of responsibility is RCM, which focuses on management of the components of the IT infrastructure and ensuring that all finite resources within the IT infrastructure are monitored and measured, and collected data is recorded, analyzed and reported. This requires knowledge of the current technology and its utilization, future or alternative technologies, and the resilience of systems and services.

Capacity Management Processes:

• Performance monitoring
• Workload monitoring
• Application sizing
• Resource forecasting
• Demand forecasting
• Modeling

From these processes come the results of capacity management, these being the capacity plan itself, forecasts, tuning data and Service Level Management guidelines.

Availability Management
Availability management is concerned with design, implementation, measurement and management of IT services to ensure the stated business requirements for availability are consistently met. Availability management requires an understanding of the reasons why IT service failures occur and the time taken to resume this service. Incident management and problem management provide a key input to ensure the appropriate corrective actionss are being implemented.

• Availability Management is the ability of an IT component to perform at an agreed level over a period of time.
• Reliability is the ability of an IT component to perform at an agreed level at described conditions.
• Maintainability is the ability of an IT Component to remain in, or be restored to an operational state.
• Serviceability is the ability for an external supplier to maintain the availability of a component or function under a third party contract
• Resilience is a measure of freedom from operational failure and a method of keeping services reliable. One popular method of resilience is redundancy.
• Security refers to the confidentiality, integrity, and availability of the data associated with a service.

Availability Management
Security is an essential part of availability management, this being the primary focus of ensuring IT infrastructure continues to be available for the provision of IT services.

Some of the elements mentioned earlier are the products of performing risk analysis to identify how reliable elements are and how many problems have been caused as a result of system failure.

The risk analysis also recommends controls to improve availability of IT infrastructure such as development standards, testing, physical security and the right skills in the right place at the right time.

Financial Management
Financial management for IT services is an integral part of service management. It provides the essential management information to ensure that services are run efficiently, economically and cost effectively. An effective financial management system will assist in the management and reduction of overall long term costs, and identify the actual cost of services. This provisioning provides accurate and vital financial information to assist in decision making, identify the value of IT services, enable the calculation of TCO and ROI.

The practice of financial management enables the service manager to identify the amount being spent on security counter measures in the provision of the IT services. The amount being spent on these counter measures needs to be balanced with the risks and the potential losses that the service could incur as identified during a business impact assessment (BIA) and risk assessment. Management of these costs will ultimately reflect on the cost of providing the IT services, and potentially what is charged in the recovery of those costs.

Service Continuity Management
Management is to support the overall business continuity management process by ensuring that the required IT technical and services facilities can be recovered within required and agreed business time-scales.

IT service continuity management is concerned with managing an organization’s ability to continue to provide a pre-determined and agreed level of IT services to support the minimum business requirements, following an interruption to the business. This includes ensuring business survival by reducing the impact of a disaster or major failure, reducing the vulnerability and risk to the business by effective risk analysis and risk management, preventing the loss of customer and user confidence, and producing IT recovery plans that are integrated with and fully support the organization’s overall business continuity plan.

IT service continuity is responsible for ensuring that the available IT service continuity options are understood and the most appropriate solution is chosen in support of the business requirements. It is also responsible for identifying roles and responsibilities and making sure these are endorsed and communicated from a senior level to ensure respect and commitment for the process. Finally, IT service continuity is responsible for guaranteeing that the IT recovery plans and the business continuity plans are aligned, and are regularly reviewed, revised and tested.

The Security Management Process

Security management provides a framework to capture the occurrence of security-related incidents and limit the impact of security breaches. The activities within the security management process must be revised continuously, in order to stay up-to-date and effective. security management is a continuous process and it can be compared to Deming’s Quality Circle (Plan, Do, Check and Act).

Figure 6. Security image diagram.

The inputs are the requirements which are formed by the clients. The requirements are translated into security services, security quality that needs to be provided in the security section of the service level agreements. As you can see in the picture there are arrows going both ways; from the client to the SLA; from the SLA to the client and from the SLA to the plan sub-process; from the plan sub-process to the SLA. This means that both the client and the plan sub-process have inputs in the SLA and the SLA is an input for both the client and the process. The provider then develops the security plans for his organization. These security plans contain the security policies and the Operational level agreements. The security plans (Plan) are then implemented (Do) and the implementation is then evaluated (Check). After the evaluation the both the plans and the implementation of the plan are maintained (Act).

Control
The first activity in the security management process is the “control” sub-process. The control sub-process organizes and manages the security management process itself. The control sub-process defines the processes, the allocation of responsibility the policy statements and the management framework.

The security management framework defines the sub-processes for the development of security plans, the implementation of the security plans, the evaluation and how the results of the evaluations are translated into action plans.

Plan
The plan sub-process contains activities that in cooperation with the service level management lead to the information security section in the SLA. The plan sub-process contains activities that are related to the underpinning contracts which are specific for information security.

In the plan sub-process, the goals formulated in the SLA are specified in the form of operational level agreements (OLA). These OLAs can be defined as security plans for a specific internal organization entity of the service provider.

Besides the input of the SLA, the plan sub-process also works with the policy statements of the service provider itself. As said earlier these policy statements are defined in the control sub-process.

The operational level agreements for information security are setup and implemented based on the ITIL process. This means that there has to be cooperation with other ITIL processes. For example, if the security management wishes to change the IT infrastructure in order to achieve maximum security, these changes will only be done through the change management process. The security management will deliver the input (request for change) for this change. The change manager is responsible for the change management process itself.

Implementation
The implementation sub-process makes sure that all measures, as specified in the plans, are properly implemented. During the implementation sub-process no (new) measures are defined or changed. The definition or change of measures will take place in the plan sub-process in cooperation with the change management process.

Evaluation
The evaluation of the implementation and the plans is very important. The evaluation is necessary to measure the success of the implementation and the security plans. The evaluation is also very important for the clients and possibly third parties. The results of the evaluation sub-process are used to maintain the agreed measures and the implementation itself. Evaluation results can lead to new requirements and so lead to a request for change. The request for change is then defined and it is then sent to the change management process.

Maintenance
It is necessary for the security to be maintained. Because of changes in the IT infrastructure and changes in the organization itself, security risks are bound to change over time. The maintenance of the security concerns both the maintenance of the security section of the service level agreements and the more detailed security plans.

The maintenance is based on the results of the evaluation sub-process and insight in the changing risks. These activities will only produce proposals. The proposals serve as inputs for the plan sub-process and will go through the whole cycle or the proposals can be taken in the maintenance of the service level agreements. In both cases the proposals could lead to activities in the action plan. The actual changes will be carried by the change management process.

The maintenance sub-process starts with the maintenance of the service level agreements and the maintenance of the operational level agreements. After these activities take place in no particular order and there is a request for a change, the request for change activity will take place and after the request for change activity is concluded the reporting activity starts. If there is no request for a change then the reporting activity will start directly after the first two activities.

---

About the Author
From Information Security Management Handbook, Sixth Edition, Volume 2, edited by Harold F. Tipton and Micki Krause. New York: Auerbach Publications, 2008.

 

Many times people who are just getting started with ITIL (or broader speaking ITSM) stumble over what the differences are between a Process Owner and Process Manager and, to a lesser extent, a Process Engineer.

These are different roles, with different skill sets and expectations but there are some overlaps. Often, especially in smaller organizations, these roles are all served by a single person. Even in that case, it is important to know the different objectives of each role so we can ensure we are in the right frame of mind when working to either promote, create, edit, or report on a process.

Process Owner

In general then the Process Owner is the ultimate authority on what the process should help the company accomplish, ensures the process supports company policies, represents and promotes the process to the business, IT leadership and other process owners, continuously verifies the process is still fit for purpose and use and finally, manages any and all exceptions that may occur.

Overall Accountability and Responsibility:

• Overall design
• Ensuring the process delivers business value
• Ensures compliance with any and all related Policies
• Process role definitions
• Identification of Critical Success Factors and Key Performance Indicators
• Process advocacy and ensuring proper training is conducted
• Process integration with other processes
• Continual Process Improvement efforts
• Managing process exceptions

As you can see the Process Owner is really the process champion. Typically the person filling this role is in a higher level in Leadership to help ensure the process gets the protection and attention it deserves.

The Process Owner will be the main driving force for the process creation, any value the process produces, to include acceptance and compliance within the organization and also any improvements. It is therefore crucial that the Process Owner really understands the organization and its goals as well as its own culture. This is not about reading a book and trying to implement a book version of a process but really understanding how to create a process that will deliver the most value for this particular organization.

General Skills and Knowledge needed:

• Company and IT Department goals and objectives
• IT Department organizational structure and culture
• Ability to create a collaborative environment and deliver a consensus agreement with key IT personnel
• Authority to manage exceptions as required.
• ITIL Foundation is recommended
• ITIL Service Design and Continual Service Improvement could be helpful

Level of Authority in the Organization

• Director
• Senior Manager

Process Manager

The Process Manager is more operational than the Process Owner. You may have multiple Process Managers but you will only ever have a single Process Owner.

You can have a Process Manager for different regions or different groups within your IT Department. Think of IT Service Continuity with a ITSC Process Manager for each of your different Data Centers or Change Management having a different Change Process Manager for Applications versus Infrastructure. The Process Owner will define the roles as appropriate for the organizational structure and culture (see above). The Process Manager is there to manage the day to day execution of the process. The Process Manager should also serve as the first line for any process escalation, they should be very familiar with the ins and outs of the process and will be able to determine the appropriate path or if he/she needs to involve the ultimate authority – the Process Owner.

Overall Accountability and Responsibility:

• Ensuring the process is executed appropriately at each described step
• Ensuring the appropriate inputs/outputs are being produced
• Guiding process practitioners (those moving through the process) appropriately
• Producing and monitoring process KPI reports

The Process Manager is key to the day to day operations of the process. Without a good and helpful Process Manager it won’t matter how well a process was designed and promoted by the Process Owner, the process will flounder in the rough seas of IT day to day execution.

General Skills and Knowledge needed:

• In depth knowledge of the process workflow and process CSF/KPI’s
• Ability and authority to accept/reject all inputs/outputs related to the process
• Ability to successful explain and guide people through the process and handle any low level process issues
• ITIL Foundation is recommended
• ITIL Intermediate in an area that covers their particular process could be helpful

Level of Authority in the Organization

• Mid Level Manager
• First Line Manager
• Supervisor

Process Engineer

The Process Engineer is likely to have a lot of Business Analysis and Technical Writer skills and knowledge. This person needs to be able to take the Process Owner’s vision and intent of the process and actually create the process document that will be functionally usable by Process Managers and Process Practitioners. Another useful role of the Process Engineer is help ensure that each process in the enterprise is written in a common manner to ensure consistency in approach and method.

Overall Accountability and Responsibility:

• Understanding the Process Owner’s vision and intent
• Documenting the process in a usable and readable manner
  • Organized
  • Simple
  • Unambiguous
  • Ensuring flow charts match text
  • Ensuring processes are documented in a common manner across the enterprise

General Skills and Knowledge needed:

• Ability to capture process requirements and translate them into a process document
• Ability to write well
• Ability to create effective work flow diagrams
• ITIL Foundation could be helpful

Level of Authority in the Organization

• Individual Contributor

As you can see a Process Engineer can be quite helpful in ensuring that the vision of the Process Owner is translated into a functional process document.

Conclusion

It is possible that a single person can do all three roles effectively but more likely the person will be more effective at one of these roles and less so at the others. If your organization is such that it is not possible that the three can be filled separately with people possessing the appropriate skills it is still advisable that a separate Process Engineer is utilized across the enterprise. A Process Engineer can work on several processes at once and will always be helpful for any process improvement efforts. A Process Owner can also function as a Process Manager without much issue given an appropriate scope and demand.

Source : http://www.theitsmreview.com/2013/03/process/

Any application or computer program that enables you to run one or more IT Service Management processes is considered to be an ITSM tool. As with any application or program, there are a great number of both commercial and free tools for ITSM. In a small IT organization, parts of IT Service Management can be done by using office tools, such as spreadsheets, databases and word processing applications. However, managing larger amounts of data over time, with flexibility and consistency, requires specialized tools for the task at hand, regardless of organization size. Here is a list of the most common open source (free) ITSM tools:

Free ITSM software

Help Desk and Ticketing

• RT: Request tracker – RT is an “issue tracking system which thousands of organizations use for bug tracking, help desk ticketing, customer service, workflow processes, change management, network operations, and even more…”
• SpiceWorks – Spiceworks’ free app will allow you to easily manage your daily projects and user requests – all from one spot. And if you’re a help desk pro, you’ll still be amazed at how painless Spiceworks is to get up and running.
• Triage – The web-based application will provide interfaces for handling tickets with notes and solutions, full-text search indexing, and allowing for plug-ins which can generate tickets from external sources (i.e. Asterisk, OpenNMS, Nagios, IMAP, POP3, etc.).
• FreeHelpDesk – FreeHelpDesk is a feature-rich help desk system designed from the ground up to meet the demands of help desk staff and their users. It is a web-based system that can accept new calls from your users directly into the system. Calls can be tracked and searched to enable faster response times.
• OSTicket – Easily manage, organize, and streamline your customer service and drastically improve your customer’s experience – all with one simple, easy-to-use (and free) system.
• OTRS Help Desk – OTRS Help Desk software provides the tools needed to deliver superior service to your customers. Build stronger, longer-lasting relationships and gain a solid competitive edge with the proven functionality of OTRS.

If you need more information about Help Desk, Service Desk and Call Center distinction, follow this great blog post: Service Desk: Single point of contact.

Inventory and Change Management DataBase (CMDB)

• i-doIT – Open Source IT Documentation and CMDB.
• OCS Inventory NG – Open Computers and Software Inventory Next Generation is a technical management solution of IT assets. It uses small client software that has to be installed on every machine, and a server that aggregates information about those machines. It can be used for software deployment as well.

Learn more on ITIL V3 Change Management – at the heart of Service Management.

Service Monitoring

• Nagios – Achieve instant awareness of IT infrastructure problems, so downtime doesn’t adversely affect your business. Nagios offers complete monitoring and alerting for servers, switches, applications, and services.
• Icinga – is an enterprise-grade open source monitoring system which keeps watch over networks and any conceivable network resource, notifies the user of errors and recoveries and generates performance data for reporting. Scalable and extensible, Icinga can monitor large, complex environments across dispersed locations. Icinga is a branch of Nagios and is backward compatible.
• Zabbix – is the open source availability and performance monitoring solution. Zabbix offers advanced monitoring, alerting, and visualization features today which are missing in other monitoring systems – even some of the best commercial ones.
• GroundWork – monitors your entire datacenter and collects all its information in one place, helping to make better sense of your IT environment performance and availability data.

Service Management

• OTRS:ITSM – is a scalable, high-performance, enterprise-grade IT Service Management (ITSM) software that couples the best practices of the IT Infrastructure Library (ITIL v3). The OTRS IT Service Management software is a powerful set of tools for managing complex IT administration processes, reducing business risk and ensuring high service quality.
• iTop – written in a simple, popular programming language (PHP) that can be customized in an instant, iTop was developed to let you choose the modules you are interested in. If you just want a CMDB, you just get a CMDB. If you need to deal with all ITIL processes, you can get all ITIL modules covered by iTop. Adding a module is a question of minutes.
• Project Open (]Project Open[) – is a modular open source project and service management tool with a focus on finance and knowledge management. “]po[ ITSM” is a special configuration of ]po[ designed to address the specific needs of IT departments and IT service providers, according to ITIL V3 best practices.

Learn more on IT Service Management in general.

Note: Product descriptions have been given by their respective developers, and are to be used for informational purposes only. As they are all free to download and use, take your time to try them before implementing.

Free does not always equal zero cost

There are many free ITSM tools available for you to download, install, and use, but you don’t get any support or help implementing the tool itself or its processes. Open source ITSM tools generally have nice communities built around the tools, so there might be some help available if you get stuck, but don’t expect instant answers or solutions.

Companies that offer free ITSM tools generate their revenue by offering a) hosting and cloud services for the tool, b) consulting and help with implementation, c) support once the tool has been implemented, d) and sometimes additional features have to be purchased separately. It’s important to remember: these are all the things that will be up to you; find a resource to run the software (server), have the know-how to install & configure, use, teach others to use it, and support the software itself if needed.

Where to start

If there aren’t any kinds of ITSM tools implemented in your organization, then the best way to start would be tools for processes that revolve around IT Operations, and are most visible to end users. These include Incident and Service Management (Help Desk / Service Desk), Configuration Management, Change Management, and some sort of Service Monitoring tools.

Make a list of products that may interest you, and some criteria which will help you decide: installation requirements (OS, resources, web based, etc.), modules available (incident management, configuration management, change management, etc.), are modules aligned with best practices such as ITIL (Read more on: How to implement ITIL and information about other ITSM Standards and Frameworks), is there support available (community based or commercial), additional features such as self-service portal and/or e-mail integration, and how confident you feel about being able to implement it.

Author: Neven Zitek

Source: http://advisera.com/20000academy/knowledgebase/free-tools-for-itsm/