ITIL and Security Management

ITIL and Security Management Overview

David McPhee

What is ITIL?

For the purpose of this chapter, the focus is how information security management works within the Information Technology Infrastructure Library (ITIL).

The Information Technology Infrastructure Library (ITIL) is a framework of best practices. The concepts within ITIL support information technology services delivery organizations with the planning of consistent, documented, and repeatable or customized processes that improve service delivery to the business. The ITIL framework consists of the following IT processes: Service Support (Service Desk, Incident Management, Problem Management, Change Management, Configuration Management, and Release Management) and Services Delivery (Service Level Management, Capacity Management, Availability Management, Financial Management and IT Service Continuity Management).

History of ITIL

The ITIL concept emerged in the 1980s, when the British government determined that the level of IT service quality provided to them was not sufficient. The Central Computer and Telecommunications Agency (CCTA), now called the Office of Government Commerce (OGC), was tasked with developing a framework for efficient and financially responsible use of IT resources within the British government and the private sector.

Figure 1. ITIL Overview.

The earliest version of ITIL was originally called GITIM, Government Information Technology Infrastructure Management. This was very different from the current ITIL, but conceptually very similar, focusing on service support and delivery.

Large companies and government agencies in Europe adopted the framework very quickly in the early 1990s. ITIL was spreading far and wide, and was used in both government and non-government organizations. As it grew in popularity, both in the UK and across the world, IT itself changed and evolved, and so did ITIL.

What Is Security Management?

Security management details the process of planning and managing a defined level of security for information and IT services, including all aspects associated with reaction to security incidents. It also includes the assessment and management of risks and vulnerabilities, and the implementation of cost-justifiable countermeasures.

Security management is the process of managing a defined level of security on information and IT services. Included is managing the reaction to security incidents. The importance of information security has increased dramatically because of the move to open internal networks to customers and business partners, the move toward electronic commerce, and the increasing use of public networks such as the Internet and intranets. The widespread use of information and information processing, as well as the increasing dependency of process results on information, requires structured and organized protection of information.

Descriptions

Service Support Overview
Service support describes the processes associated with the day-to-day support and maintenance activities associated with the provision of IT services: Service Desk, Incident Management, Problem Management, Change Management, Configuration Management, and Release Management.

  • Service Desk: This function is the single point of contact between the end users and IT Service Management.
  • Incident Management: Best practices for resolving incidents (any event that causes an interruption to, or a reduction in, the quality of an IT service) and quickly restoring IT services.
  • Problem Management: Best practices for identifying the underlying causes of IT incidents in order to prevent future recurrences. These practices seek to proactively prevent incidents and problems.
  • Change Management: Best practices for standardizing and authorizing the controlled implementation of IT changes. These practices ensure that changes are implemented with minimum adverse impact on IT services, and that they are traceable.
  • Configuration Management: Best practices for controlling production configurations; for example, standardization, status monitoring, and asset identification. By identifying, controlling, maintaining and verifying the items that make up an organization’s IT infrastructure, these practices ensure that there is a logical model of the infrastructure.
  • Release Management: Best practices for the release of hardware and software. These practices ensure that only tested and correct versions of authorized software and hardware are provided to IT customers.

Service Support Details

Service Desk
The objective of the service desk is to be a single point of contact for customers who need assistance with incidents, problems, and questions, and to provide an interface for other activities related to IT and ITIL services.

Figure 2. Service desk diagram.

Benefits of Implementing a Service Desk

  • Increased first call resolution
  • Skill based support
  • Rapidly restore service
  • Improved incident response time
  • Quick service restoration
  • Improved tracking of service quality
  • Improved recognition of trends and incidents
  • Improved employee satisfaction

Processes Utilized by the Service Desk

  • Workflow and procedures diagrams
  • Roles and responsibilities
  • Training evaluation sheets and skill set assessments
  • Implemented metrics and continuous improvement procedures

Incident Management
The objective of incident management is to minimize the disruption to the business by restoring service operations to agreed levels as quickly as possible and to ensure that the availability of IT services is maximized. It could also protect the integrity and confidentiality of information by identifying the root cause of a problem.

Benefits of an Incident Management Process

  • Incident detection and recording
  • Classification and initial support
  • Investigation and diagnosis
  • Resolution and recovery
  • Incident closure
  • Incident ownership, monitoring, tracking and communication
  • Repeatable Process

With a formal incident management practice, IT quality will improve through ensuring ticket quality, standardizing ticket ownership, and providing a clear understanding of ticket types while decreasing the number of unreported or misreported incidents.

Figure 3. Incident management ticket owner workflow diagram.

Problem Management
The object of problem management is to resolve the root cause of incidents, first to minimize the adverse impact of incidents and problems on the business and second to prevent recurrence of incidents related to these errors. A ‘problem’ is an unknown underlying cause of one or more incidents, and a ‘known error’ is a problem that is successfully diagnosed and for which a work-around has been identified. The outcome of a known error is a request for change (RFC).

Figure 4. Problem management diagram overview.

A problem is a condition often identified as a result of multiple incidents that exhibit common symptoms. Problems can also be identified from a single significant incident, indicative of a single error, for which the cause is unknown, but for which the impact is significant.

A known error is a condition identified by successful diagnosis of the root cause of a problem, and the subsequent development of a work-around.

An RFC is a proposal to IT infrastructure for a change to the environment.

Incident Management and Problem Management: What’s the Difference?
Incidents and service requests are formally managed through a staged process to conclusion. This process is referred to as the “incident management lifecycle.” The objective of the incident management lifecycle is to restore the service as quickly as possible to meet service level agreements (SLAs). The process is primarily aimed at the user level.

Problem management deals with resolving the underlying cause of one or more incidents. The focus of problem management is to resolve the root cause of errors and to find permanent solutions. Although every effort will be made to resolve the problem as quickly as possible, this process is focused on the resolution of the problem rather than the speed of the resolution. This process operates at the enterprise level.

Change Management
Change management ensures that all areas follow a standardized process when implementing change into a production environment. Change is defined as any adjustment, enhancement, or maintenance to a production business application, system software, system hardware, communications network, or operational facility.

Benefits of Change Management

  • Planning change
  • Impact analysis
  • Change approval
  • Managing and implementing change
  • Increase formalization and compliance
  • Post change review
  • Better alignment of IT infrastructure to business requirements
  • Efficient and prompt handling of all changes
  • Fewer changes to be backed out
  • Greater ability to handle a large volume of change
  • Increased user productivity

Configuration Management
Configuration management is the implementation of a configuration management database (CMDB) that contains details of the organization’s elements that are used in the provision and management of its IT services. The main activities of configuration management are:

  • Planning: Planning and defining the scope, objectives, policy and process of the CMDB.
  • Identification: Selecting and identifying the configuration structures and items within the scope of your IT infrastructure.
  • Configuration control: Ensuring that only authorized and identifiable configuration items are accepted and recorded in the CMDB throughout its lifecycle.
  • Status accounting: Keeping track of the status of components throughout the entire lifecycle of configuration items.
  • Verification and audit: Auditing after the implementation of configuration management to verify that the correct information is recorded in the CMDB, followed by scheduled audits to ensure the CMDB is kept up-to-date.

Configuration Management and Information Security
Without the definition of all configuration items that are used to provide an organization’s IT services, it can be very difficult to identify which items are used for which services. This could result in critical configuration items being stolen, moved or misplaced, affecting the availability of the services dependent on them. It could also result in unauthorized items being used in the provision of IT services.
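
The verification and audit activity above can be automated as a reconciliation between the CMDB and what is actually observed on the network. The following Python sketch is an added example, not part of the original chapter; the record fields (ci_id, serial, status, services and the audited attributes) and all sample records are constructed assumptions, not the schema of any real CMDB product.

```python
"""CMDB verification and audit: reconcile observed assets against recorded CIs.

Field names and sample records are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Attributes compared between the CMDB record and the observation (assumed schema).
AUDITED_ATTRS = ("owner", "location", "os_version")


@dataclass
class AuditReport:
    unauthorized: list = field(default_factory=list)      # observed, no CMDB record
    missing: list = field(default_factory=list)           # recorded as live, not observed
    retired_but_live: list = field(default_factory=list)  # recorded as retired, still observed
    drift: dict = field(default_factory=dict)             # ci_id -> {attr: (recorded, observed)}
    services_at_risk: dict = field(default_factory=dict)  # service -> affected ci_ids


def audit_cmdb(cmdb, discovered):
    """Compare CMDB records with discovery results, joined on serial number."""
    recorded = {ci["serial"]: ci for ci in cmdb}
    observed = {d["serial"]: d for d in discovered}
    report = AuditReport()
    at_risk = {}

    def flag_services(ci):
        # Record which services depend on a CI that failed the audit.
        for svc in ci.get("services", []):
            at_risk.setdefault(svc, set()).add(ci["ci_id"])

    # Items in use that configuration control never accepted into the CMDB.
    report.unauthorized = sorted(s for s in observed if s not in recorded)

    for serial, ci in sorted(recorded.items()):
        obs = observed.get(serial)
        if ci["status"] == "retired":
            if obs is not None:
                report.retired_but_live.append(ci["ci_id"])
            continue
        if obs is None:
            # Possibly stolen, moved off-network or misplaced.
            report.missing.append(ci["ci_id"])
            flag_services(ci)
            continue
        changes = {a: (ci.get(a), obs[a])
                   for a in AUDITED_ATTRS if a in obs and obs[a] != ci.get(a)}
        if changes:
            report.drift[ci["ci_id"]] = changes
            flag_services(ci)

    report.services_at_risk = {s: sorted(ids) for s, ids in sorted(at_risk.items())}
    return report


def run_sample():
    """Run the audit on constructed sample data."""
    cmdb = [
        {"ci_id": "srv-001", "serial": "SN-1001", "status": "live", "owner": "web-team",
         "location": "dc1-r12", "os_version": "12.4", "services": ["webshop"]},
        {"ci_id": "srv-002", "serial": "SN-1002", "status": "live", "owner": "db-team",
         "location": "dc1-r14", "os_version": "15.2", "services": ["webshop", "billing"]},
        {"ci_id": "sw-010", "serial": "SN-2010", "status": "live", "owner": "net-team",
         "location": "dc1-r01", "os_version": "9.3",
         "services": ["webshop", "billing", "email"]},
        {"ci_id": "srv-009", "serial": "SN-1009", "status": "retired", "owner": "web-team",
         "location": "dc1-r12", "os_version": "10.0", "services": []},
    ]
    discovered = [
        {"serial": "SN-1001", "owner": "web-team", "location": "dc2-r03", "os_version": "12.4"},
        {"serial": "SN-2010", "owner": "net-team", "location": "dc1-r01", "os_version": "9.3"},
        {"serial": "SN-1009", "owner": "web-team", "location": "dc1-r12", "os_version": "10.0"},
        {"serial": "SN-7777", "owner": None, "location": "dc1-r12", "os_version": "11.0"},
    ]
    return audit_cmdb(cmdb, discovered)


if __name__ == "__main__":
    print(run_sample())
```

Each finding feeds a different ITIL process: unauthorized and missing items are raised as incidents, while drift is corrected through a request for change.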

Benefits of Configuration Management

  • Reduced cost to implement, manage, and support the infrastructure
  • Decreased incident and problem resolution times
  • Improved management of software licensing and compliance
  • Consistent, automated processes for infrastructure mapping
  • Increased ability to identify and comply with architecture and standards requirements
  • Incident troubleshooting
  • Usage trending
  • Change evaluation
  • Financial chargeback and asset lifecycle management
  • Service Level Agreement (SLA) and software license negotiations

Release Management
Release management is used for platform-independent and automated distribution of software and hardware, including license controls across the entire IT infrastructure. Proper software and hardware control ensures the availability of licensed, tested, and version-certified software and hardware, which will function correctly and respectively with the available hardware. Quality control during the development and implementation of new hardware and software is also the responsibility of release management. This guarantees that all software can be conceptually optimized to meet the demands of the business processes.

Benefits of Release Management

  • Ability to plan resource requirements in advance
  • Provides a structured approach, leading to an efficient and effective process
  • Changes are bundled together in a release, minimizing the impact on the user
  • Helps to verify correct usability and functionality before release by testing
  • Control the distribution and installation of changes to IT systems
  • Design and implement procedures for the distribution and installation of changes to IT systems
  • Effectively communicate and manage expectations of the customer during the planning and rollout of new releases

The focus of release management is the protection of the live environment and its services through the use of formal procedures and checks.

Release Categories
A release consists of the new or changed software or hardware required to implement an approved change.

  • Major software releases and hardware upgrades, normally containing large areas of new functionality, some of which may make intervening fixes to problems redundant. A major upgrade or release usually supersedes all preceding minor upgrades, releases and emergency fixes.
  • Minor software releases and hardware upgrades, normally containing small enhancements and fixes, some of which may have already been issued as emergency fixes. A minor upgrade or release usually supersedes all preceding emergency fixes.
  • Emergency software and hardware fixes, normally containing the corrections to a small number of known problems.

Figure 5. Release management overview.

Releases can be divided based on the release unit into:

  • Delta Release is a release of only that part of the software which has been changed. For example, security patches to plug bugs in software.
  • Full Release means that the entire software program will be released again. For example, an entire version of an application.
  • Packaged Release is a combination of many changes: for example, an operating system image containing the applications as well.

Service Delivery Overview

Service delivery is the discipline that ensures IT infrastructure is provided at the right time, in the right volume, at the right price, and that IT is used in the most efficient manner. This involves analysis and decisions to balance capacity at a production or service point with demand from customers. It also covers the processes required for the planning and delivery of quality IT services and looks at the longer-term processes associated with improving the quality of IT services delivered.

  • Service Level Management: Service level management (SLM) is responsible for negotiating and agreeing to service requirements and expected service characteristics with the customer.
  • Capacity Management: Capacity management is responsible for ensuring that IT processing and storage capacity provision match the evolving demands of the business in a cost effective and timely manner.
  • Availability Management: Availability management is responsible for optimizing availability.
  • Financial Management: The object of financial management for IT services is to provide cost effective stewardship of the IT assets and the financial resources used in providing IT services.
  • IT Service Continuity Management: Service continuity is responsible for ensuring that the available IT Service Continuity options are understood and the most appropriate solution is chosen in support of the business requirements.

Service Level Management
The object of service level management (SLM) is to maintain and gradually improve business aligned IT service quality, through a constant cycle of agreeing, monitoring, reporting and reviewing IT service achievements and through instigating actions to eradicate unacceptable levels of service.

SLM is responsible for ensuring that the service targets are documented and agreed in SLAs, and it monitors and reviews the actual service levels achieved against their SLA targets. SLM should also be trying to proactively improve all service levels within the imposed cost constraints. SLM is the process that manages and improves the agreed level of service between two parties, the provider and the receiver of a service.

SLM is responsible for negotiating and agreeing to service requirements and expected service characteristics with the customer, and for measuring and reporting the service levels actually being achieved against target, the resources required, and the cost of service provision. SLM is also responsible for continuously improving service levels in line with business processes, with a SIP; coordinating other service management and support functions, including third-party suppliers; reviewing SLAs to meet changed business needs or resolving major service issues; and producing, reviewing and maintaining the service catalogue.

Benefits of Implementing Service Level Management

  • Implementing the service level management process enables both the customer and the IT services provider to have a clear understanding of the expected level of delivered services and their associated costs for the organization, by documenting these goals into formal agreements.
  • Service level management can be used as a basis for charging for services, and can demonstrate to customers the value they are receiving from the Service Desk.
  • It also assists the service desk with managing external supplier relationships, and introduces the possibility of negotiating improved services or reduced costs.

Capacity Management
Capacity management is responsible for ensuring that IT processing and storage capacity provisioning match the evolving demands of the business in a cost effective and timely manner. The process includes monitoring the performance and the throughput of the IT services and supporting IT components, tuning activities to make efficient use of resources, understanding the current demands for IT resources and deriving forecasts for future requirements, influencing the demand for resource in conjunction with other Service Management processes, and producing a capacity plan predicting the IT resources needed to achieve agreed service levels.

Capacity management has three main areas of responsibility. The first of these is business capacity management (BCM), which is responsible for ensuring that the future business requirements for IT services are considered, planned and implemented in a timely fashion. These future requirements will come from business plans outlining new services, improvements and growth in existing services, development plans, etc. This requires knowledge of existing service levels and SLAs, future service levels and SLRs, the business and capacity plans, modeling techniques (analytical, simulation, trending and baselining), and application sizing methods.

The second main area of responsibility is service capacity management (SCM), which focuses on managing the performance of the IT services provided to the customers, and is responsible for monitoring and measuring services, as detailed in SLAs, and collecting, recording, analyzing and reporting on data. This requires knowledge of service levels and SLAs, systems, networks, service throughput and performance, monitoring, measurement, analysis, tuning and demand management.

The third and final main area of responsibility is resource capacity management (RCM), which focuses on management of the components of the IT infrastructure and ensuring that all finite resources within the IT infrastructure are monitored and measured, and that collected data is recorded, analyzed and reported. This requires knowledge of the current technology and its utilization, future or alternative technologies, and the resilience of systems and services.

Capacity Management Processes:

  • Performance monitoring
  • Workload monitoring
  • Application sizing
  • Resource forecasting
  • Demand forecasting
  • Modeling

From these processes come the results of capacity management, these being the capacity plan itself, forecasts, tuning data and Service Level Management guidelines.

Availability Management
Availability management is concerned with design, implementation, measurement and management of IT services to ensure the stated business requirements for availability are consistently met. Availability management requires an understanding of the reasons why IT service failures occur and the time taken to resume this service. Incident management and problem management provide a key input to ensure the appropriate corrective actions are being implemented.

  • Availability is the ability of an IT component to perform at an agreed level over a period of time.
  • Reliability is the ability of an IT component to perform at an agreed level under described conditions.
  • Maintainability is the ability of an IT component to remain in, or be restored to, an operational state.
  • Serviceability is the ability of an external supplier to maintain the availability of a component or function under a third-party contract.
  • Resilience is a measure of freedom from operational failure and a method of keeping services reliable. One popular method of resilience is redundancy.
  • Security refers to the confidentiality, integrity, and availability of the data associated with a service.

Availability Management
Security is an essential part of availability management, whose primary focus is ensuring that IT infrastructure continues to be available for the provision of IT services.

Some of the elements mentioned earlier are the products of performing risk analysis to identify how reliable elements are and how many problems have been caused as a result of system failure.

The risk analysis also recommends controls to improve availability of IT infrastructure such as development standards, testing, physical security and the right skills in the right place at the right time.

Financial Management
Financial management for IT services is an integral part of service management. It provides the essential management information to ensure that services are run efficiently, economically and cost effectively. An effective financial management system will assist in the management and reduction of overall long-term costs, and identify the actual cost of services. It provides accurate and vital financial information to assist in decision making, identify the value of IT services, and enable the calculation of TCO and ROI.

The practice of financial management enables the service manager to identify the amount being spent on security countermeasures in the provision of the IT services. The amount being spent on these countermeasures needs to be balanced with the risks and the potential losses that the service could incur as identified during a business impact assessment (BIA) and risk assessment. Management of these costs will ultimately reflect on the cost of providing the IT services, and potentially what is charged in the recovery of those costs.

Service Continuity Management
The objective of IT service continuity management is to support the overall business continuity management process by ensuring that the required IT technical and services facilities can be recovered within required and agreed business time-scales.

IT service continuity management is concerned with managing an organization’s ability to continue to provide a pre-determined and agreed level of IT services to support the minimum business requirements, following an interruption to the business. This includes ensuring business survival by reducing the impact of a disaster or major failure, reducing the vulnerability and risk to the business by effective risk analysis and risk management, preventing the loss of customer and user confidence, and producing IT recovery plans that are integrated with and fully support the organization’s overall business continuity plan.

IT service continuity is responsible for ensuring that the available IT service continuity options are understood and the most appropriate solution is chosen in support of the business requirements. It is also responsible for identifying roles and responsibilities and making sure these are endorsed and communicated from a senior level to ensure respect and commitment for the process. Finally, IT service continuity is responsible for guaranteeing that the IT recovery plans and the business continuity plans are aligned, and are regularly reviewed, revised and tested.

The Security Management Process

Security management provides a framework to capture the occurrence of security-related incidents and limit the impact of security breaches. The activities within the security management process must be revised continuously in order to stay up-to-date and effective. Security management is a continuous process, and it can be compared to Deming’s Quality Circle (Plan, Do, Check and Act).

Figure 6. Security image diagram.

The inputs are the requirements, which are formed by the clients. The requirements are translated into the security services and security quality that need to be provided in the security section of the service level agreements. As you can see in the picture, there are arrows going both ways: from the client to the SLA, from the SLA to the client, from the SLA to the plan sub-process, and from the plan sub-process to the SLA. This means that both the client and the plan sub-process have inputs in the SLA, and the SLA is an input for both the client and the process. The provider then develops the security plans for its organization. These security plans contain the security policies and the operational level agreements. The security plans (Plan) are then implemented (Do) and the implementation is then evaluated (Check). After the evaluation, both the plans and the implementation of the plans are maintained (Act).

Control
The first activity in the security management process is the “control” sub-process. The control sub-process organizes and manages the security management process itself. The control sub-process defines the processes, the allocation of responsibility, the policy statements and the management framework.

The security management framework defines the sub-processes for the development of security plans, the implementation of the security plans, the evaluation and how the results of the evaluations are translated into action plans.

Plan
The plan sub-process contains activities that, in cooperation with service level management, lead to the information security section in the SLA. The plan sub-process also contains activities that are related to the underpinning contracts which are specific to information security.

In the plan sub-process, the goals formulated in the SLA are specified in the form of operational level agreements (OLA). These OLAs can be defined as security plans for a specific internal organization entity of the service provider.

Besides the input of the SLA, the plan sub-process also works with the policy statements of the service provider itself. As said earlier these policy statements are defined in the control sub-process.

The operational level agreements for information security are set up and implemented based on the ITIL process. This means that there has to be cooperation with other ITIL processes. For example, if security management wishes to change the IT infrastructure in order to achieve maximum security, these changes will only be done through the change management process. Security management will deliver the input (request for change) for this change. The change manager is responsible for the change management process itself.

Implementation
The implementation sub-process makes sure that all measures, as specified in the plans, are properly implemented. During the implementation sub-process no (new) measures are defined or changed. The definition or change of measures will take place in the plan sub-process in cooperation with the change management process.

Evaluation
The evaluation of the implementation and the plans is very important. The evaluation is necessary to measure the success of the implementation and the security plans. The evaluation is also very important for the clients and possibly third parties. The results of the evaluation sub-process are used to maintain the agreed measures and the implementation itself. Evaluation results can lead to new requirements and so lead to a request for change. The request for change is then defined and it is then sent to the change management process.

Maintenance
It is necessary for the security to be maintained. Because of changes in the IT infrastructure and changes in the organization itself, security risks are bound to change over time. The maintenance of the security concerns both the maintenance of the security section of the service level agreements and the more detailed security plans.

The maintenance is based on the results of the evaluation sub-process and insight into the changing risks. These activities will only produce proposals. The proposals either serve as inputs for the plan sub-process and go through the whole cycle, or they can be taken up in the maintenance of the service level agreements. In both cases the proposals could lead to activities in the action plan. The actual changes will be carried out by the change management process.

The maintenance sub-process starts with the maintenance of the service level agreements and the maintenance of the operational level agreements. These two activities take place in no particular order. If there is a request for change, the request for change activity takes place, and once it is concluded the reporting activity starts. If there is no request for change, the reporting activity starts directly after the first two activities.


About the Author
From Information Security Management Handbook, Sixth Edition, Volume 2, edited by Harold F. Tipton and Micki Krause. New York: Auerbach Publications, 2008.

 

Process Owner, Process Manager or Process Engineer

While they might appear much the same at first glance, these roles are actually very different.

People who are just getting started with ITIL (or, more broadly speaking, ITSM) often stumble over the differences between a Process Owner and a Process Manager and, to a lesser extent, a Process Engineer.

These are different roles, with different skill sets and expectations, but there are some overlaps. Often, especially in smaller organizations, these roles are all served by a single person. Even in that case, it is important to know the different objectives of each role so we can ensure we are in the right frame of mind when working to promote, create, edit, or report on a process.

Process Owner

In general, then, the Process Owner is the ultimate authority on what the process should help the company accomplish. The Process Owner ensures the process supports company policies; represents and promotes the process to the business, IT leadership and other process owners; continuously verifies the process is still fit for purpose and use; and, finally, manages any and all exceptions that may occur.

Overall Accountability and Responsibility:

  • Overall design
  • Ensuring the process delivers business value
  • Ensures compliance with any and all related Policies
  • Process role definitions
  • Identification of Critical Success Factors and Key Performance Indicators
  • Process advocacy and ensuring proper training is conducted
  • Process integration with other processes
  • Continual Process Improvement efforts
  • Managing process exceptions

As you can see, the Process Owner is really the process champion. Typically the person filling this role is at a higher level of leadership, to help ensure the process gets the protection and attention it deserves.

The Process Owner will be the main driving force for the creation of the process, for any value it produces, including acceptance and compliance within the organization, and for any improvements. It is therefore crucial that the Process Owner really understands the organization and its goals as well as its own culture. This is not about reading a book and trying to implement a book version of a process, but about really understanding how to create a process that will deliver the most value for this particular organization.

General Skills and Knowledge needed:

  • Company and IT Department goals and objectives
  • IT Department organizational structure and culture
  • Ability to create a collaborative environment and deliver a consensus agreement with key IT personnel
  • Authority to manage exceptions as required.
  • ITIL Foundation is recommended
  • ITIL Service Design and Continual Service Improvement could be helpful

Level of Authority in the Organization

  • Director
  • Senior Manager

Process Manager

The Process Manager is more operational than the Process Owner. You may have multiple Process Managers but you will only ever have a single Process Owner.

You can have a Process Manager for different regions or different groups within your IT Department. Think of IT Service Continuity with an ITSC Process Manager for each of your different Data Centers, or Change Management having a different Change Process Manager for Applications versus Infrastructure. The Process Owner will define the roles as appropriate for the organizational structure and culture (see above). The Process Manager is there to manage the day-to-day execution of the process. The Process Manager should also serve as the first line for any process escalation: they should be very familiar with the ins and outs of the process and be able to determine the appropriate path, or whether they need to involve the ultimate authority – the Process Owner.

Overall Accountability and Responsibility:

  • Ensuring the process is executed appropriately at each described step
  • Ensuring the appropriate inputs/outputs are being produced
  • Guiding process practitioners (those moving through the process) appropriately
  • Producing and monitoring process KPI reports

The Process Manager is key to the day-to-day operations of the process. Without a good and helpful Process Manager, it won’t matter how well a process was designed and promoted by the Process Owner; the process will flounder in the rough seas of day-to-day IT execution.

General Skills and Knowledge needed:

  • In-depth knowledge of the process workflow and process CSFs/KPIs
  • Ability and authority to accept/reject all inputs/outputs related to the process
  • Ability to successfully explain and guide people through the process and handle any low-level process issues
  • ITIL Foundation is recommended
  • ITIL Intermediate in an area that covers their particular process could be helpful

Level of Authority in the Organization

  • Mid Level Manager
  • First Line Manager
  • Supervisor

Process Engineer

The Process Engineer is likely to have a lot of Business Analysis and Technical Writer skills and knowledge. This person needs to be able to take the Process Owner’s vision and intent for the process and actually create the process document that will be functionally usable by Process Managers and Process Practitioners. Another useful role of the Process Engineer is to help ensure that each process in the enterprise is written in a common manner, for consistency in approach and method.

Overall Accountability and Responsibility:

  • Understanding the Process Owner’s vision and intent
  • Documenting the process in a usable and readable manner
    • Organized
    • Simple
    • Unambiguous
    • Ensuring flow charts match text
    • Ensuring processes are documented in a common manner across the enterprise

General Skills and Knowledge needed:

  • Ability to capture process requirements and translate them into a process document
  • Ability to write well
  • Ability to create effective work flow diagrams
  • ITIL Foundation could be helpful

Level of Authority in the Organization

  • Individual Contributor

As you can see a Process Engineer can be quite helpful in ensuring that the vision of the Process Owner is translated into a functional process document.

Conclusion

It is possible that a single person can do all three roles effectively, but more likely the person will be more effective at one of these roles and less so at the others. If your organization cannot fill the three roles separately with people possessing the appropriate skills, it is still advisable to use a separate Process Engineer across the enterprise. A Process Engineer can work on several processes at once and will always be helpful for any process improvement efforts. A Process Owner can also function as a Process Manager without much issue, given an appropriate scope and demand.

Source: http://www.theitsmreview.com/2013/03/process/

Free tools for ITSM – supporting IT Service Management for zero tool cost

Any application or computer program that enables you to run one or more IT Service Management processes is considered to be an ITSM tool. As with any application or program, there are a great number of both commercial and free tools for ITSM. In a small IT organization, parts of IT Service Management can be done by using office tools, such as spreadsheets, databases and word processing applications. However, managing larger amounts of data over time, with flexibility and consistency, requires specialized tools for the task at hand, regardless of organization size. Here is a list of the most common open source (free) ITSM tools:

Free ITSM software

Help Desk and Ticketing

  • RT: Request tracker – RT is an “issue tracking system which thousands of organizations use for bug tracking, help desk ticketing, customer service, workflow processes, change management, network operations, and even more…”
  • SpiceWorks – Spiceworks’ free app will allow you to easily manage your daily projects and user requests – all from one spot. And if you’re a help desk pro, you’ll still be amazed at how painless Spiceworks is to get up and running.
  • Triage – The web-based application will provide interfaces for handling tickets with notes and solutions, full-text search indexing, and allowing for plug-ins which can generate tickets from external sources (i.e. Asterisk, OpenNMS, Nagios, IMAP, POP3, etc.).
  • FreeHelpDesk – FreeHelpDesk is a feature-rich help desk system designed from the ground up to meet the demands of help desk staff and their users. It is a web-based system that can accept new calls from your users directly into the system. Calls can be tracked and searched to enable faster response times.
  • OSTicket – Easily manage, organize, and streamline your customer service and drastically improve your customer’s experience – all with one simple, easy-to-use (and free) system.
  • OTRS Help Desk – OTRS Help Desk software provides the tools needed to deliver superior service to your customers. Build stronger, longer-lasting relationships and gain a solid competitive edge with the proven functionality of OTRS.

If you need more information about Help Desk, Service Desk and Call Center distinction, follow this great blog post: Service Desk: Single point of contact.

Inventory and Change Management DataBase (CMDB)

  • i-doIT – Open Source IT Documentation and CMDB.
  • OCS Inventory NG – Open Computers and Software Inventory Next Generation is a technical management solution of IT assets. It uses small client software that has to be installed on every machine, and a server that aggregates information about those machines. It can be used for software deployment as well.

Learn more on ITIL V3 Change Management – at the heart of Service Management.

Service Monitoring

  • Nagios – Achieve instant awareness of IT infrastructure problems, so downtime doesn’t adversely affect your business. Nagios offers complete monitoring and alerting for servers, switches, applications, and services.
  • Icinga – is an enterprise-grade open source monitoring system which keeps watch over networks and any conceivable network resource, notifies the user of errors and recoveries and generates performance data for reporting. Scalable and extensible, Icinga can monitor large, complex environments across dispersed locations. Icinga is a branch of Nagios and is backward compatible.
  • Zabbix – is the open source availability and performance monitoring solution. Zabbix offers advanced monitoring, alerting, and visualization features today which are missing in other monitoring systems – even some of the best commercial ones.
  • GroundWork – monitors your entire datacenter and collects all its information in one place, helping to make better sense of your IT environment performance and availability data.

Service Management

  • OTRS:ITSM – is a scalable, high-performance, enterprise-grade IT Service Management (ITSM) software that couples the best practices of the IT Infrastructure Library (ITIL v3). The OTRS IT Service Management software is a powerful set of tools for managing complex IT administration processes, reducing business risk and ensuring high service quality.
  • iTop – written in a simple, popular programming language (PHP) that can be customized in an instant, iTop was developed to let you choose the modules you are interested in. If you just want a CMDB, you just get a CMDB. If you need to deal with all ITIL processes, you can get all ITIL modules covered by iTop. Adding a module is a question of minutes.
  • Project Open (]Project Open[) – is a modular open source project and service management tool with a focus on finance and knowledge management. “]po[ ITSM” is a special configuration of ]po[ designed to address the specific needs of IT departments and IT service providers, according to ITIL V3 best practices.

Learn more on IT Service Management in general.

Note: Product descriptions have been given by their respective developers, and are to be used for informational purposes only. As they are all free to download and use, take your time to try them before implementing.

Free does not always equal zero cost

There are many free ITSM tools available for you to download, install, and use, but you don’t get any support or help implementing the tool itself or its processes. Open source ITSM tools generally have nice communities built around the tools, so there might be some help available if you get stuck, but don’t expect instant answers or solutions.

Companies that offer free ITSM tools generate their revenue by offering a) hosting and cloud services for the tool, b) consulting and help with implementation, c) support once the tool has been implemented, and d) sometimes additional features that have to be purchased separately. It’s important to remember that these are all things that will be up to you: finding a resource to run the software (server), having the know-how to install and configure it, using it, teaching others to use it, and supporting the software itself if needed.

Where to start

If there aren’t any kinds of ITSM tools implemented in your organization, then the best way to start would be tools for processes that revolve around IT Operations, and are most visible to end users. These include Incident and Service Management (Help Desk / Service Desk), Configuration Management, Change Management, and some sort of Service Monitoring tools.

Make a list of products that may interest you, and some criteria which will help you decide: installation requirements (OS, resources, web based, etc.), modules available (incident management, configuration management, change management, etc.), are modules aligned with best practices such as ITIL (Read more on: How to implement ITIL and information about other ITSM Standards and Frameworks), is there support available (community based or commercial), additional features such as self-service portal and/or e-mail integration, and how confident you feel about being able to implement it.

Author: Neven Zitek

Source: http://advisera.com/20000academy/knowledgebase/free-tools-for-itsm/ 

Is this the first step towards ITIL v4?

Read below the frequently asked questions about the new AXELOS qualification, ITIL Practitioner, published in March 2015.

The Qualification:

1. Why are you introducing this new qualification?

The qualification aims to demonstrate that IT Service Management (ITSM) professionals are equipped with the skills to apply ITIL concepts in their organization, ensuring maximum business value by delivering fit-for-purpose and fit-for-use services. At the same time, it’s designed to give confidence to managers that the members of their team are ready to initiate and successfully carry out required improvement initiatives.

2. What is the ITIL Practitioner exam based on?

The exam is based on various elements of ITIL, with a strong focus on Continual Service Improvement (CSI), a fundamental lifecycle stage in ITIL; as well as additional guidance covering the practical elements in more detail.

3. How did AXELOS come to the decision to launch ITIL Practitioner? And who was consulted?

Since AXELOS’ inception in 2013, we have been meeting with practitioners globally to understand how they use the best practice portfolio, their successes and challenges. We have been analyzing this feedback, to find ways to help improve organizations’ performance. The new ITIL Practitioner qualification and the accompanying guidance is a response to practitioners’ requests for an additional, practical element to complement the existing ITIL guidance. While the ITIL Foundation qualification confirms a good understanding of what service management is, in addition to introducing all the relevant ITIL concepts and the language, the ‘how’ is addressed only very briefly. ITIL Practitioner addresses the question of how to start adopting and adapting ITIL within the organization.

4. What is the official launch date for the first exam/qualification?

Delegates will be able to sit their first ITIL Practitioner exams in Q4 2015.

5. Is this the first step towards ITIL v4?

Our goal is to provide practitioners with the best possible guidance to help with their day to day roles and this requires us to evolve ITIL over time. This will not be achieved with big bang updates, but by continually improving the framework.

As an organization we are always on the lookout for new practices (good and emerging), which we will link to the stable core of ITIL’s best practice framework. ITIL Practitioner follows this principle, adding additional practical guidance to the existing qualification scheme. Some materials will be introduced alongside the qualification to help practitioners identify changing approaches to service management.

6. Will self-study be allowed for ITIL practitioner?

The ITIL Practitioner syllabus is currently in development and so the decision on this has not yet been made. We need to make sure the exam does test practical skills and gives confidence to professionals and their managers alike. The exact design of the exam will dictate whether formal training is required to acquire the skills.

7. What guidance is available to support this new exam? For example will there be a manual that represents core guidance?

In addition to the ITIL core library consisting of five books, and especially the CSI book, additional guidance papers covering the practical application of theory will be developed as support for this new qualification.

The need for a specific study guide will be assessed as the development progresses.

8. What type of assessment will the exam be?

The exam will be a scenario-based multiple choice exam that tests the candidate’s ability to apply the knowledge and the tools in the best possible way.

9. How long is the course?

AXELOS does not prescribe the length of an accredited training course. The training requirements will be those necessary to ensure the delegates are introduced to all elements that are referenced within the qualification syllabus. Our expectation is that on average a good trainer will be able to cover the material in two days, with an expectation that some additional pre- and post-course reading might be required, depending on the delegate’s level of experience.

10. What is the cognitive complexity of the qualification?

The exam will target Bloom’s taxonomy levels 3 – 5. A definition of the taxonomy can be found here.

11. Who will provide the training?

The training will be provided by AXELOS Accredited Training Organizations (ATOs) globally.

12. What languages will this launch in?

The exam will launch in English, with additional languages added over time based on community feedback. AXELOS is committed to delivering global best practice, and supporting practitioners in a range of different languages.

13. Does this mean that you are rolling back to ITIL v2 which included a Practitioner qualification?

Although there was a qualification in ITIL v2 called “ITIL Service Practitioner”, this is not related to the new ITIL Practitioner. With the new ITIL Practitioner we are providing help with the ‘how’ for all ITSM practitioners regardless of their job role. Advanced ITIL qualifications (such as Intermediate) are aimed at more job role specific knowledge and skills and are more similar to specific v2 Practitioner qualifications.

Qualification Eco-System:

1. How will this impact on the existing ITIL framework?

ITIL Practitioner is additive to the existing ITIL qualification scheme, and is built on the existing core guidance with additional guidance on good practices added where required.

2. Will ITIL Practitioner add points towards ITIL Expert, and if so, how many?

Once the complexity level of the exam has been agreed, we will assign a specific amount of credit points to ITIL Practitioner that count towards ITIL Expert the same way as Foundation, Intermediate and Managing Across the Lifecycle (MALC) do today.

3. Are candidates able to substitute ITIL Foundation with ITIL Practitioner?

ITIL Foundation is a prerequisite to take ITIL Practitioner as it supplements, rather than substitutes the Foundation qualification. To that end the ITIL Practitioner syllabus will require delegates to have passed their ITIL Foundation exam and be familiar with the principles of ITSM and the organization-wide common language of ITIL. These learnings will be put in context to answer the ‘how’ of successful improvement initiatives with ITIL Practitioner, which is the next step after Foundation, not a substitution.

4. Will this qualification be positioned between ITIL Foundation and ITIL Intermediate?

Passing ITIL Practitioner is not a prerequisite to sign up for any of the ITIL Intermediate courses, although we do encourage people with advanced ITIL qualifications to familiarize themselves with the scope and approach of ITIL Practitioner, and consider the qualification for additional hands-on guidance.

5. What are the pre-requisites for ITIL Practitioner?

To sign up for ITIL Practitioner, a delegate will need to have passed the ITIL Foundation exam successfully.

6. How does this affect people that are already on the ITIL Expert path?

By being additive to the existing qualification scheme, ITIL Practitioner is another qualification within the scheme providing credits for people on a path to ITIL Expert.

7. Is there a fast track for people that have already invested in the ITIL training roadmap?

ITIL Practitioner, built on the existing ITIL guidance, includes additional guidance and focuses on practical application of the acquired knowledge. There is no comparable qualification in the current ITIL qualification scheme to fast track from.

8. What does this mean to the existing lifecycle/capability courses?

As mentioned above, ITIL Practitioner is additive to the existing ITIL qualification scheme. All current qualifications in the scheme will remain as they are.

ITIL®, PRINCE2®, MSP®, M_o_R®, P3M3®, P3O®, MoP® and MoV® are registered trade marks of AXELOS Limited. AXELOS, the AXELOS logo and the AXELOS swirl logo are trade marks of AXELOS Limited.

Copyright © AXELOS Limited 2015

Next Move: Should I study Prince2 or ITIL?

I have been with my current company for four years as a systems manager. I am an experienced manager of technical teams and have good general technical skills in mid-range systems, PCs and networks. I am now looking to work for a larger organisation in a service management type role. I recently applied for two positions but was turned down because I did not have an ITIL qualification. I am currently doing a BTec in network management and was looking to do Prince2 for project management. Should I now consider ITIL instead? My employer will not pay for any qualifications.

Research potential employers
Your lack of ITIL (IT Infrastructure Library) should not have been the make or break point on which you failed to get a job. You appear to have a solid IT career and obvious technical and people management skills that should make you a good prospect for any company.

It is unfortunate that your company does not recognise these project management qualifications, but you could use that to your advantage when talking to future employers. You could explain that you have the practical knowledge and ability, but have been unable to formalise this because your company is already so confident in your skills that your bosses feel paying for additional training would be a waste.

Have you looked into ITIL and compared the subject areas it covers alongside Prince2? It is my understanding that Prince (Projects in Controlled Environments) is the methodology of choice for central and local government, whereas ITIL seems to be designed more for general commercial applications. The course content looks very interesting but I suspect that you have probably covered most of it in your working day anyway.

Identify the type of company you have a desire to work for; ideally you will know the names of these companies, or perhaps there is a specific business area. Use a Web site such as www.hoovers.com and type in the name of your ideal company and it will come up with a number of competitors in the same field.

Often competitors will use the same software and networks, so once you have found out which companies use which software you will generally be able to apply to all of them in the knowledge that your skills should be appropriate.

Solution by Tracey Abbott, Zarak Technology

Service Portfolio vs Service Catalog: 5 Reasons You Should Know the Differences

At first glance, the service portfolio and service catalog almost seem like the same thing. After all, both contain details of IT services. However, there are important differences when you’re talking about service portfolio vs. service catalog.

Image (two hammers): To the casual observer, these may look similar, but use the wrong one for the job, and the differences become obvious.

The service portfolio is an overarching document used in the management of the life cycles of all services: including those no longer offered, those currently offered, and those in the pipeline. The service portfolio is more of a living historical document of service-related activities.

The service catalog, on the other hand, details the currently-active IT services and may include information on those that will be deployed soon. The service catalog is an “outward facing” document for your end users.

To use an analogy, suppose you’re an architect. Your portfolio contains examples of work you have completed for your clients, work representative of what you’re doing now, and information about where you want to take your expertise in the future. If you as an architect were to create the equivalent of the “service catalog,” it would contain information about exact services you provide, how the services are performed, how long they take to complete, and how much you charge.

There are several reasons you should understand the service portfolio vs service catalog differences. Here are 5 of them.

1. To Remain Consistent with ITIL Framework

This is a matter of good corporate IT hygiene. When you bring in a new IT service manager, collaborate with another company on an IT initiative, bring in a consultant, or take on the task of creating a service catalog and portfolio, knowing the difference between the service portfolio and the service catalog keeps everyone on the same page and makes communication easier.

2. To Prioritize Your Efforts

There are varying opinions on which should come first: the service catalog or the service portfolio. The choice may depend on many factors, including how well-documented past IT services were and what your resources allow. The service catalog is a more focused document, and many people think that this is where your initial efforts should be focused, followed by use of the information in the service catalog as a springboard to creating a service portfolio. The “right” answer about which to tackle first depends on your particular organization’s priorities and resources.

3. To Know Where to Place Your “Marketing” Efforts

The service portfolio is usually an internal document that the IT help desk and management use to gain a historical overview of IT services, assess what worked and what didn’t, and try to lay out long-term plans. It doesn’t “market” services, per se. Your service catalog, however, being an outward-facing document primarily directed at end users, really is like a catalog: here is a service you may be interested in, what this service does, how it’s done, and how long you can expect it to take. It should be written with less “IT-speak” so that end-users understand and appreciate it.

4. To View ITSM Both Long Term and Short Term

Service portfolio vs. service catalog is also about long-term versus short-term. The service portfolio gives the long view and helps you determine how to play the long game, with fewer specifics. Technology changes so rapidly that trying to nail down specific future services using just the information in your service portfolio may be an exercise in futility. Your service catalog, on the other hand, is about here and now, and the near future.

5. To Prepare End Users for Upcoming Changes

Just as your local game store gives you release dates so you’ll know when to expect an anticipated product, your service catalog can tell end users: “Our social help desk app is scheduled to launch September 1” (or whatever). Service catalog users generally have less interest in long-term plans with unknown effects (like when your new data center is expected to be complete), and are more interested in finding out things like, “When does the help desk integration with Salesforce Chatter go live?” or “When will the IT help desk start using remote desktop support so I don’t have to wait for someone to show up or walk me through a fix?”

The service portfolio and service catalog are both important, living documents that make planning and delivery of IT services better. Samanage, a leading cloud IT service management software provider, gives you the tools you need for creating and managing your IT service catalog and developing a service portfolio that can help your organization map out where it’s been and where it needs to go.

Source: https://blog.samanage.com/it-service-management/service-portfolio-vs-service-catalog-5-reasons-you-should-know-the-differences

The 4 Ps of ITIL Service Management

The IT Service Management life cycle has 5 stages – strategy, design, transition, operation and improvement. During service design, the 4 Ps need to be considered – People, Process, Products and Partners. An effective IT service strategy needs to acknowledge the importance of all of these.

This is just one small part of what is covered on our ITIL Foundation course, which teaches you real life applications of the ITIL framework as well as the knowledge needed to pass the ITIL Foundation exam.

People

The first ‘people’ to consider are the people that work in the IT services. Service managers need to ensure the following:

  • That their staff have the skills to match the roles
  • That they have sufficient staff to support the service
  • That the roles and responsibility of the staff are fit for purpose
  • That culture and communication within the service is appropriate
  • That ongoing training can be provided to fill skills gaps
  • That the IT service fits with the organisational structure and that the right relationships are in place

The next people to be considered are the customers of the service. These are the recipients of the service, and the SLA is agreed with them. The customer is usually another manager within the organisation, or a business owner. For more information, have a look at our blog post on key customer conversations.

The service users are very important. The service must be designed to make the user experience as effective as possible – the users usually feed back to the customer.

Process

The definition of a process is “A set of coordinated activities combining and implementing resources and capabilities in order to produce an outcome, which directly or indirectly, creates value for a customer or stakeholder.”

An effective process must be measurable; have specific results that are identifiable and accountable; must deliver to customers and stakeholders (meet their expectations); and must be able to respond to specific events.

In ITIL, each process will have a Process Owner, whose role includes the following:

  • definition of process strategy and standards
  • assisting with process design
  • keeping process documentation updated
  • ensuring the process is efficient and effective
  • ensuring the right resources and training are provided
  • providing input to Service Improvement Programmes

There will also be a Process Manager, whose role includes the following:

  • accountability for the operational management of a process
  • working with the Process Owner to plan
  • appointing people to their roles
  • managing resources assigned to processes
  • monitoring and reporting the performance of the process
  • identifying potential improvements

Finally, there will be Process Practitioners, who:

  • carry out process activities
  • create and update records to show activities and duties carried out

Products (technology)

An IT service depends on the following technology/products:

  • Its own technology to run efficiently to support others
  • Monitoring tools
  • Automation
  • Support tools
  • Communication tools

Partners (suppliers)

Suppliers have a big impact on IT services – the staff depend on these third parties to deliver the goods or services needed to run the IT service. It’s important for appropriate partnership agreements to be formed, i.e. contracts and service level agreements.

The 4 Ps of ITIL

By managing the 4 Ps, the ITIL framework makes sure that all aspects of an effective IT service strategy are covered. All of the 4 Ps must be aligned to corporate goals to ensure the best, most appropriate, service is delivered.

Read more: http://www.itiltraining-uk.co.uk/the-4-ps-of-itil-service-management/#ixzz3ngch05lL

IT Service Management

Service Portfolio vs Service Catalog: 5 Reasons You Should Know the Differences

At first glance, the service portfolio and service catalog almost seem like the same thing. After all, both contain details of IT services. However, there are important differences when you’re talking about service portfolio vs. service catalog.

Image (two hammers): To the casual observer, these may look similar, but use the wrong one for the job, and the differences become obvious.

The service portfolio is an overarching document used in the management of the life cycles of all services: including those no longer offered, those currently offered, and those in the pipeline. The service portfolio is more of a living historical document of service-related activities.

The service catalog, on the other hand, details the currently-active IT services and may include information on those that will be deployed soon. The service catalog is an “outward facing” document for your end users.

To use an analogy, suppose you’re an architect. Your portfolio contains examples of work you have completed for your clients, work representative of what you’re doing now, and information about where you want to take your expertise in the future. If you as an architect were to create the equivalent of the “service catalog,” it would contain information about exact services you provide, how the services are performed, how long they take to complete, and how much you charge.

There are several reasons you should understand the service portfolio vs service catalog differences. Here are 5 of them.

1. To Remain Consistent with ITIL Framework

This is a matter of good corporate IT hygiene. When you bring in a new IT service manager, collaborate with another company on an IT initiative, bring in a consultant, or take on the task of creating a service catalog and portfolio, knowing the difference between the service portfolio and the service catalog keeps everyone on the same page and makes communication easier.

2. To Prioritize Your Efforts

There are varying opinions on which should come first: the service catalog or the service portfolio. The choice may depend on many factors, including how well-documented past IT services were and what your resources allow. The service catalog is a more focused document, and many people think that this is where your initial efforts should be focused, followed by use of the information in the service catalog as a springboard to creating a service portfolio. The “right” answer about which to tackle first depends on your particular organization’s priorities and resources.

3. To Know Where to Place Your “Marketing” Efforts

The service portfolio is usually an internal document that the IT help desk and management use to gain a historical overview of IT services, assess what worked and what didn’t, and try to lay out long-term plans. It doesn’t “market” services, per se. Your service catalog, however, being an outward-facing document primarily directed at end users, really is like a catalog: here is a service you may be interested in, what this service does, how it’s done, and how long you can expect it to take. It should be written with less “IT-speak” so that end-users understand and appreciate it.

4. To View ITSM Both Long Term and Short Term

Service portfolio vs. service catalog is also about long-term versus short-term. The service portfolio gives the long view and helps you determine how to play the long game, with fewer specifics. Technology changes so rapidly that trying to nail down specific future services using just the information in your service portfolio may be an exercise in futility. Your service catalog, on the other hand, is about here and now, and the near future.

5. To Prepare End Users for Upcoming Changes

Just as your local game store gives you release dates so you’ll know when to expect an anticipated product, your service catalog can tell end users: “Our social help desk app is scheduled to launch September 1” (or whatever). Service catalog users generally have less interest in long-term plans with unknown effects (like when your new data center is expected to be complete), and are more interested in finding out things like, “When does the help desk integration with Salesforce Chatter go live?” or “When will the IT help desk start using remote desktop support so I don’t have to wait for someone to show up or walk me through a fix?”

The service portfolio and service catalog are both important, living documents that make planning and delivery of IT services better. Samanage, a leading cloud IT service management software provider, gives you the tools you need for creating and managing your IT service catalog and developing a service portfolio that can help your organization map out where it’s been and where it needs to go.

Source from: https://blog.samanage.com/it-service-management/service-portfolio-vs-service-catalog-5-reasons-you-should-know-the-differences

ITSM vs. ITIL: What’s the Difference?

If you’re not sure whether you need ITSM or ITIL®, then I’m pretty sure you’re asking the wrong question. It’s not an “either/or” decision. IT service management (ITSM) is what you do to manage the services you deliver to your customers, even if you don’t actually use that term. ITIL is a best practice framework for ITSM, and you should think about adopting some ideas from ITIL to help you work more effectively.

Here’s what you need to know about ITSM and ITIL, and how each can contribute to the success of your IT organization.

What’s the Difference?
Let’s start with a quick overview of what these terms stand for:

  • ITSM is an acronym for IT service management. It simply means how you manage the information systems that deliver value to your customers. Even if you’ve never heard the term ITSM, if you’re running IT systems, then you are doing ITSM. ITSM could include activities like planning and managing changes so they don’t cause disruption to the business, fixing things when they go wrong, or managing a budget to ensure you can pay the bills when they arrive. People who use the term ITSM tend to think of IT as a means of delivering valuable services to their customers, rather than as a way to manage technology—but even if you have a completely technical focus, your work still needs to be managed, and that’s what we call ITSM.
  • ITIL is the name of the world’s most widely recognized framework for ITSM. ITIL is a registered trademark of AXELOS, which owns a range of best practice solutions and their corresponding publications and exams. ITIL has been adopted by many organizations, and there are millions of certified ITIL practitioners worldwide.

Benefits of ITIL
It is likely that some—probably many—of the ITIL best practices would prove beneficial to your organization. Organizations that adopt ITIL often find that they:

  • Improve the alignment of IT to their business, providing services that better meet the needs of their customers.
  • Improve the quality of the IT services they deliver by understanding the required levels of availability, security, capacity, and continuity, and then planning solutions that are able to deliver these.
  • Lower the cost of delivering IT by reducing wasted effort and focusing on getting things right the first time.

You don’t have to adopt ITIL to manage your IT services effectively and efficiently, but it can certainly help. Some organizations simply create their own set of processes for running IT, and this can work. But it’s hard to develop something original that matches the years of experience that have gone into the development of the ITIL best practice framework that has now been adopted by many thousands of organizations.

Adopt and Adapt to Fit Your Needs
IT organizations that make use of ITIL decide for themselves which aspects to adopt. Many IT organizations choose to adopt only the operational processes, such as incident management and change management. On their own, these do provide some value, of course, but they are only a small part of the whole ITIL framework. However, you’ll get the best value from ITIL by taking a lifecycle approach to ITSM. This covers everything from your overall IT strategy through the design, transition, and operation of services; and it incorporates continual improvement into everything you do.

When your organization has made the decision to adopt a best practice framework, a smart strategy is to understand which approach will be a good fit for your organizational culture and to incorporate it into your own management system in a sympathetic way. I have worked with many organizations that start our relationship by telling me they tried ITIL a few years ago, but it didn’t deliver any value. When I investigate what happened, I usually discover they attempted to adopt a rigid set of processes, with no understanding of how they would fit within the culture of their organization. As a result, people would ignore the new processes—so the money spent on the project ended up being wasted. The right way to use ITIL is summarized in the phrase “adopt and adapt.” You only adopt the parts that you need, and you adapt the ideas to fit your environment rather than slavishly following the guidance.

Additional Frameworks to Explore
The smartest organizations tend to use other standards or best practice frameworks in combination with ITIL. This can be very effective as each approach brings something different to the mix. For example:

  • COBIT is a very good framework for governance, audit, and compliance. It is much stronger than ITIL in these areas, and the two work very well together.
  • Agile and DevOps help to ensure the IT organization quickly delivers new business functionality. They often conflict with ITIL because of cultural differences between the people who adopt them, but they can fit together very well if the organization understands the value provided by each.
  • Lean can be used to drive continual improvement and elimination of wasted effort. It is a great fit with ITIL continual improvement.

If you run IT services, you owe it to your customers to adopt ideas that will make you effective, efficient, and agile. So maybe it’s time you had another look at ITIL to see what it has to offer.

source from: http://www.bmc.com/blogs/itsm-or-itil-that-isnt-the-question/

TOGAF™ 9 and ITIL® Two Frameworks Whitepaper

TOGAF and ITIL are both frameworks that follow a process approach. They are both based upon best practice and are supported by a large community of users. However, whereas TOGAF is focused on Enterprise Architecture, ITIL focuses on Service Management. In the years of development of these frameworks, they have described an ever-growing change of domain, from IT to business processes. In their final versions they appear to have entered into each other’s domains. In this paper we try to explain that it is not a question of whether these models describe similar processes and that one has to make a choice between them. It is more important that the people who are concerned with Service Management understand TOGAF and that Enterprise Architects understand ITIL – because in most large companies worldwide, both will be used next to each other. As most IT architects and IT Service Managers probably have more knowledge of TOGAF than ITIL, and vice versa, this white paper will help them see and understand how these two frameworks are interrelated. Maybe even more important is how the ‘other’ framework can enhance the value of your ‘own’ framework.

Although these frameworks describe areas of common interest, it is not necessarily the case that they do that from the same perspective. Basically, ITIL was developed to support Service Management and TOGAF was developed to support organizations in the development of Enterprise Architecture. The focus of ITIL is therefore on services, whereas TOGAF is focused on architecture. However, since services have become part of fast-changing organizations, the prediction of what will be needed tomorrow is of growing interest to the people that deliver these services. Conversely, architecture has changed from a rather static design discipline to an organization-encompassing discipline, and is only useful if the rest of the organization is using it to enable all developments to be aligned to each other.