Is the executive responsibility for the co-ordination and management of all services allocated to an individual or post?
Does a management forum that includes IT service stakeholders operate to give clear direction and visible management support?
Are resources made available to determine and provide planning, implementation, monitoring, reviewing and improvement of service delivery?
8 Are risks to the service management organisation and to the services identified, considered and managed?
9 Is there a published policy on service improvement?
10 Are roles and responsibilities for service improvement activities clearly defined?
11 Are service reports considered in making decisions and taking corrective actions?
12 Do current/existing practices define:
a) objectives and requirements to be achieved from existing processes?
b) interfaces between activities of each IT service?
c) dependencies of each IT service?
d) framework of management roles and responsibilities, including process owners?
e) key roles and responsibilities of each IT service team member?
f) required budget, facilities and other resources?
g) provide an approach to managing, auditing and continuously improving the quality of services delivered?
h) where appropriate, address the use of third party suppliers within each IT service?
13 Do the existing IT service practices clearly identify:
a) which service reports are needed?
b) from where the data for these are derived?
14 Are there procedures and responsibilities for creating and maintaining relevant documents?
15 Do the existing IT service practices ensure that documents are:
a) created when required?
b) actively brought to the attention of all parties who could usefully refer to them?
c) legible and identifiable?
d) readily identifiable and available to all relevant parties?
e) dated and authorized as appropriate?
f) maintained under version control?
g)
h) promptly withdrawn when obsolete and either retained or disposed of as required?
16 Are staff competencies and training needs reviewed and managed such that staff can deliver their responsibilities effectively?
17 For all existing roles and responsibilities, are the competencies defined and maintained?
18 Are proposals for new or significantly changed services considered in terms of:
a) potential cost?
b) organisational impact?
c) technical impact?
d) commercial impact?
e) regulatory impact?
f) security concerns?
19 Are staff and other stakeholders aware of:
a) the importance of meeting objectives and the need for continual improvement?
b) relevance and importance of their activities to the delivery of services?
c) how they contribute to the achievement of service objectives?
20 Are all suggested service improvements:
a) assessed?
b) recorded?
c) prioritised?
d) authorized?
21 Are customer requirements determined?
22 Are customer requirements met? If yes, what is the evidence?
23 Are current service levels recorded for measuring improvements at a later date?
24 Do the current operational practices demonstrate any evidence of continual improvement in service quality?
25 Are service reports produced with clear description of:
a) identity?
b) audience?
c) purpose?
d) data source details?
e) communicated to all relevant parties?
26 Is there a planned audit programme to audit existing processes / practices?
Percentage of Compliance
Is there a procedure for the agreement of temporary variations to the service?
Are the service level targets expressed in terms of customer's business?
11 Are OLAs and underpinning contracts regularly reviewed and renegotiated as part of significant change control?
12 Are the reasons for non-conformance to targets:
a) reported?
b) reviewed?
c) acted upon?
13 Is there monitoring and reporting of current and trend information on:
a) the service levels achieved?
b) the resources used?
c) the cost of the service?
14 Are there adequate documentary records to enable audit of the existing process?
e Level Management
Findings Compliance Level (%)
Percentage of Compliance
agement Of IT Services
Findings Compliance Level (%)
Percentage of Compliance
b) Access rights?
11 Are there any availability records?
12 Do availability records reflect:
a) The organisation's relative dependence on the IT service?
b) Identify the relative reliance of the IT service at different periods of time?
13 Are availability audits carried out to identify weak and potentially weak areas and single points of failure?
14 Are availability requirements reviewed periodically to ensure that requirements are being met?
ability Management
Findings Compliance Level (%)
Percentage of Compliance
Does a formal/informal IT Service Continuity Management process exist for IT services?
2 Is there an identified process owner to ensure availability of the IT services?
3 Have the aims and objectives for continuity of the services been defined and documented?
4 Have the roles and responsibilities for the continuity of the services been clearly defined and allocated?
5 Is there a DR Plan for the restoration of the services following a failure or a disaster?
6 Are business plans and risk assessments used as inputs to establishing continuity requirements?
Is management authority for invoking a contingency/DR plan unambiguous and documented?
Does the DR Plan cover all administrative and non-IT processes within the service management function?
9 Does the service continuity process address:
a) the implementation of continuity plans?
b) the implementation of standby arrangements?
c) how risk reduction measures are devised and implemented?
d) operational management during contingency situations?
e) the maintenance and testing of continuity plans?
10 Are all data backed up at intervals appropriate to business?
11 Are data backups stored safely from live data?
12 Are reports produced on test of the continuity plans?
13 Are test reports reviewed with stakeholders and acted upon?
Service Continuity
Findings Compliance Level (%)
Informal Continuity Plans and processes do exist at individual app level, but such data is not available for review
Rakesh Gupta
Percentage of Compliance
b) time-scales, thresholds and cost of service upgrades?
c) current capacity and performance requirements?
d) anticipated capacity and performance requirements?
e) data and process to enable predictive analysis?
f) the anticipated effect of new technologies, techniques and upgrades?
Capacity Management
Findings Compliance Level (%)
Percentage of Compliance
Concerns
Compliance
Does a formal/informal Security Management process exist for IT Services?
Is there an identified process owner?
Have the aims and objectives of the process been defined and documented?
Have the roles and responsibilities for the process been clearly defined and allocated?
Are the information security aims and objectives established via risk management considerations?
Are the controls of the Information Security Policy published and communicated as appropriate to all system users including:
a) b) c) d)
Are customers' specified requirements taken into account in implementing appropriate security controls?
Are arrangements that involve third party access to systems based on formal agreements that define necessary security arrangements?
Are there appropriate security controls to manage the risks associated with access to services and systems?
10 Are security incidents reported in line with incident management procedure as soon as possible after the incident is discovered?
11 Are security controls documented?
12 Is automatic protection in place for business critical systems (h/w, s/w, documentations, etc)?
13 Are the types, volumes and impacts of security incidents and malfunctions monitored and quantified?
Percentage of Compliance
Concerns
Compliance
Does a formal/informal Business Relationship Management process exist for this service?
Is there an identified process owner?
Have the aims and objectives of the process been defined and documented?
Have the roles and responsibilities for the process been clearly defined and allocated?
Is the service provider aware of the business needs and major changes such that they can prepare responses to customer need?
6 Are the business needs of the customer documented (formally/informally)?
Are stakeholders of services identified and documented?
8 Are customer satisfaction measurements that cover all customers, in place?
9 Do the customer and service provider attend a service review to discuss changes to scope, SLA/contract, business needs at least annually?
10 Are interim meetings held to discuss performance, achievements and action plan?
11 Are meetings with customers documented?
12 Is there a complaints procedure?
13 Has it been agreed with the customer what constitutes a formal complaint?
14 Are all customer complaints recorded, investigated, acted upon and formally closed?
Percentage of Compliance
2 Is there an identified process owner?
3 Have the aims and objectives of the process been defined and documented?
4 Have the roles and responsibilities for the process been clearly defined and allocated?
5 Is a named contract manager responsible for each supplier?
6 Are customers aware, if necessary, of when and where services are supplied by third parties?
7 Is there a policy covering the circumstances when services can or must be supplied by third party?
8 Are the process scope, level of service and communication processes provided by the supplier documented unambiguously and agreed by all parties?
9 Are there agreements with internal and external service providers aligned with the SLAs/business needs of the customer?
10 Is there a process to follow in the event of a contractual dispute?
11 Is there a change management process to amend the process, scope, level of service or contract?
12 Are third parties actively encouraged to search for and implement improvements?
13 Are suppliers notified of change requirements in timely fashion?
14 Are roles and relationships between lead and subcontracted suppliers clearly documented?
Management
Findings Compliance Level (%)
Percentage of Compliance
j) formal closure?
14 Are appropriate details of each incident recorded?
15 Does the Incident Management process or a mechanism exist to monitor the status and progress of all open incidents against service levels regularly?
16 Does the Incident Management process or a mechanism exist to monitor incidents that are reassigned between different specialist support groups closely?
17 Does the Incident Management process confirm with the originator the satisfactory resolution of the incident?
nt Management
Findings Compliance Level (%)
Percentage of Compliance
Concerns
Compliance
Does a formal/informal Problem Management process exist?
Is there an identified process owner?
Have the aims and objectives of the process been defined and documented?
Have the roles and responsibilities for the process been clearly defined and allocated?
Are all known errors identified?
Are all identified problems recorded?
Does a knowledge base of incident information exist, and is it up to date?
Are all problems classified, cross-referenced and related to relevant, previously logged and resolved incidents, problems and known errors?
Is problem prevention considered a fundamental part of managing IT services?
Are there procedures to identify, minimize or avoid the impact of service problems?
11 Are all suggested changes and improvements that might remove errors and prevent incidents routed via change management?
12 Are incident records analysed regularly to detect the increase or reduction of incidents and problems?
13 Are all identified known errors, workarounds and solutions fed back into a service improvement programme?
14 Are impact and urgency evaluated in respect of the business needs of the organisation?
15 Does the problem closure process ensure that:
a) the details of the problem resolution have been accurately recorded?
b) the cause of the problem has been categorized to facilitate analysis?
16 Are problem reviews (post mortems) held following the resolution of a problem?
17 Are regular management reviews held to highlight problems requiring immediate attention, determine and analyse trends and to provide inputs for other processes, such as customer or service desk education?
Percentage of Compliance
Concerns
Compliance
Does a formal/informal Configuration Management process exist for this service?
Is there an identified process owner?
Have the aims and objectives of the process been defined and documented?
Have the roles and responsibilities for the process been clearly defined and allocated?
Is there an integrated change and configuration management plan?
Is there a well understood policy defining what constitutes a configuration item?
Is the information to be recorded for each item defined, including relationships and documentation?
Does configuration management process/mechanism cover all elements of the infrastructure?
For configurable components of the service and infrastructure, does configuration management provide mechanisms for:
a) identifying?
b) controlling?
c) tracking versions?
11 Does the degree of control meet:
a) business needs?
b) risk of failure?
c) service criticality?
Is information on any configuration item available on need-to-know basis to customer/supplier/service staff?
Is there a defined owner for each configuration item type at each applicable life cycle stage?
Are configurable items (CIs) uniquely identifiable (Item code)?
Are there procedures to prevent unauthorised updating of configuration records?
Can configuration baselines, builds and releases be easily and accurately identified?
Are logical and physical relationships between CIs recorded?
Is the inventory actively managed and verified to ensure its reliability and accuracy?
Are master copies of software and documents controlled in a secure physical or electronic library?
Are changes to configuration items traceable and auditable?
Do configuration records include ownership and identification details?
24 Is there a central data repository (CMDB)?
25 Are regular and accurate reports produced for management?
Percentage of Compliance
b) changes to existing service management framework and services?
c) communication to relevant parties?
d) consequential contracts/agreements to align with new/changed business need?
e) manpower and recruitment requirements?
f) skills and training requirements?
g) processes, measures, methods and tools to be used with new/changed services?
h) budgets and timescales?
i) service acceptance criteria?
j) expected outcomes expressed in measurable terms?
10 Does change management cover all elements of the infrastructure?
11 Are changes initiated through a formal procedure (Request for Change RFC)?
12 Are there appropriate authorisation and implementation procedures for each category of change?
13 Is there a procedure to assess the impact, urgency and consequences of each change?
14 Are change requests assessed for:
a) risks, business benefit and impact?
b) cost and urgency?
c) impact on availability and service continuity?
d) impact on security controls?
e) impact on incident management process (service desk workload)?
15 Is a change schedule, taking account of all factors, including scheduled implementation dates, published and accessible to all appropriate parties?
16 Is a release/implementation plan required for all except the simple changes?
17 Are back-out plans always produced and checked for practicality?
18 Is appropriate testing planned and executed, including formal customer acceptance as appropriate?
19 Are all changes reviewed, results reported to relevant parties and actions taken after implementation?
20 Is there a formal documented and well understood emergency change procedure?
21 Are change records analysed regularly to detect increasing levels of change, frequently recurring types, emerging trends and other relevant information?
22 Are change records audited and verified?
23 Are audit trails retained in accordance with regulatory, contractual and business requirements?
nge Management
Findings Compliance Level (%)
Percentage of Compliance
Concerns
Compliance
Does a formal/informal Release Management process exist for this service?
Is there an identified process owner?
Have the aims and objectives of the process been defined and documented?
Have the roles and responsibilities for the process been clearly defined and allocated?
Is there an agreed and documented policy stating the frequency and type of release?
Are there appropriate and comprehensive plans on how to roll out a release to each site and user, agreed and signed off by all potentially affected parties?
Are there software libraries and related repositories for managing and controlling software baselines and releases?
Do procedures include the access and update of configuration records and versions of software, hardware and documentation used in the build and release processes?
9 Does the existing process include the manner in which the release will be backed out or remedied if unsuccessful?
10 Are release packages formally verified for completeness and accuracy?
11 Do release plans:
a) record release date and deliverables?
b) record related RFCs, problems and known errors?
c) record related incidents, affected users and services?
12 Does the release procedure include the updating of change and configuration records?
13 Is there an emergency release procedure that interfaces with emergency change procedure?
14 Are all releases built and tested in a controlled acceptance test environment before release?
15 Are releases and distribution designed so that the integrity of hardware and software is maintained during installation, handling, packaging and delivery?
16 Are release plans communicated to incident management?
17 Are the successes and failures of releases analysed regularly to assess their impact on business, IT operations and support staff resources?
18 Are incidents related to release measured for a period following release?
Percentage of Compliance