
Service Continuity

IT Service Management - High Level Concerns

S# Concerns
- Are there established IT Service Management:
   a) policies?
   b) objectives?
   c) plans?
- Are all end-to-end IT services identified?
- Are the IT services defined in terms of:
   a) Customers / end users?
   b) Suppliers/vendors?
   c) Resources - Hardware?
   d) Resources - Software?
   e) Resources - Documentation?
   f) Resources - People?
- Is the executive responsibility for the co-ordination and management of all services allocated to an individual or post?
- Does a management forum that includes IT service stakeholders operate to give clear direction and visible management support?
- Are resources made available to determine and provide planning, implementation, monitoring, reviewing and improvement of service delivery?
8. Are risks to the service management organisation and to the services identified, considered and managed?
9. Is there a published policy on service improvement?
10. Are roles and responsibilities for service improvement activities clearly defined?
11. Are service reports considered in making decisions and taking corrective actions?
12. Do current/existing practices define:
   a) objectives and requirements to be achieved from existing processes?
   b) interfaces between activities of each IT service?
   c) dependencies of each IT service?
   d) framework of management roles and responsibilities, including process owners?
   e) key roles and responsibilities of each IT service team member?
   f) required budget, facilities and other resources?
   g) provide an approach to managing, auditing and continuously improving the quality of services delivered?
   h) where appropriate, address the use of third party suppliers within each IT service?
13. Do the existing IT service practices clearly identify:
   a) which service reports are needed?
   b) from where the data for these are derived?
14. Are there procedures and responsibilities for creating and maintaining relevant documents?
15. Do the existing IT service practices ensure that documents are:
   a) created when required?
   b) actively brought to the attention of all parties who could usefully refer to them?
   c) legible and identifiable?
   d) readily identifiable and available to all relevant parties?
   e) dated and authorized as appropriate?
   f) maintained under version control?
   g) reviewed and updated as required?
   h) promptly withdrawn when obsolete and either retained or disposed of as required?
16. Are staff competencies and training needs reviewed and managed such that staff can deliver their responsibilities effectively?
17. For all existing roles and responsibilities are the competencies defined and maintained?
18. Are proposals for new or significantly changed services considered in terms of:
   a) potential cost?
   b) organisational impact?
   c) technical impact?
   d) commercial impact?
   e) regulatory impact?
   f) security concerns?
19. Are staff and other stakeholders aware of:
   a) the importance of meeting objectives and the need for continual improvement?
   b) relevance and importance of their activities to the delivery of services?
   c) how they contribute to the achievement of service objective?
20. Are all suggested service improvements:
   a) assessed?
   b) recorded?
   c) prioritised?
   d) authorized?
21. Are customer requirements determined?
22. Are customer requirements met? If yes, what is the evidence?
23. Are current service levels recorded for measuring improvements at a later date?
24. Do the current operational practices demonstrate any evidence of continual improvement in service quality?
25. Are service reports produced with clear description of:
   a) identity?
   b) audience?
   c) purpose?
   d) data source details?
   e) communicated to all relevant parties?
26. Is there a planned audit programme to audit existing processes / practices?

Compliance
no


Findings Compliance Level (%)

Apex policy needs to be defined

Percentage of Compliance

Service Delivery - Service Level Management


S# Concerns
1. Does a formal/informal Service Level Management process exist for this service?
2. Is there an identified process owner?
3. Have the aims and objectives of the process been defined and documented?
4. Have the roles and responsibilities for the process been clearly defined and allocated?
5. Are there formal agreements, agreed by all parties, for all services that support SLAs and are provided internally within the organisation (OLAs)?
6. Is there a service catalogue showing the full range of IT services available to customers?
7. Have all underpinning support services relevant to SLAs/services been identified?
8. Is there an agreement on:
   a) service level targets?
   b) expected service workloads?
9. Is there a procedure for the agreement of temporary variations to the service?
10. Are the service level targets expressed in terms of customers' business?
11. Are OLAs and underpinning contracts regularly reviewed and renegotiated as part of significant change control?
12. Are the reasons for non-conformance to targets:
   a) reported?
   b) reviewed?
   c) acted upon?
13. Is there monitoring and reporting of current and trend information on:
   a) the service levels achieved?
   b) the resources used?
   c) the cost of the service?
14. Are there adequate documentary records to enable audit of the existing process?

Compliance
Findings Compliance Level (%)

Percentage of Compliance

Service Delivery - Financial Management Of IT Services

S# Concerns
1. Is budgeting and accounting of IT services done for all IT services?
2. Is there a clear policy on:
   a) budgeting and accounting for all components?
   b) apportioning and allocating all indirect costs to relevant services?
   c) effective financial control and authorization?
   d) establishing the anticipated and actual costs of each delivered service?
3. Is there a process synergy with the organisation's financial control section?
4. Is the basis for cost recovery defined and widely understood?
5. Is IT expenditure budgeted for the future to enable effective control and decision-making?
6. Are changes to the services costed as part of the change approval process?
7. Are the main areas of expenditure broken down in cost units?
8. Are costs monitored and reported against budgets?
9. Are service cost units and expenditure cost types reviewed at each new costing period, e.g. annually?

Compliance
Findings Compliance Level (%)

Percentage of Compliance

Service Delivery - Availability Management


S# Concerns
1. Does a formal/informal Availability Management process exist for IT services?
2. Is there an identified process owner to ensure availability of the services?
3. Have the aims and objectives for the availability of the services been defined and documented?
4. Have the roles and responsibilities for the availability of the services been clearly defined and allocated?
5. Is there an Availability Plan that reflects the availability requirements of the customer into internal availability targets?
6. Are business plans and risk assessments used as inputs to establishing availability requirements?
7. Have the availability requirements, including maintainability and serviceability, been considered during system design and major change?
8. Are issues that might affect availability predicted and prevented?
9. Is availability defined, measured, monitored and delivered in terms of the service required for business process?
10. Do availability requirements include:
   a) End-to-end availability from the user perspective?
   b) Access rights?
11. Are there any availability records?
12. Do availability records reflect:
   a) the organisation's relative dependence on the IT service?
   b) the relative reliance on the IT service at different periods of time?
13. Are availability audits carried out to identify weak and potentially weak areas and single points of failure?
14. Are availability requirements reviewed periodically to ensure that requirements are being met?
15. Is historical availability information maintained?

Compliance
Findings Compliance Level (%)

Percentage of Compliance

Service Delivery - IT Service Continuity


S# Concerns
1. Does a formal/informal IT Service Continuity Management process exist for IT services?
2. Is there an identified process owner to ensure availability of the IT services?
3. Have the aims and objectives for continuity of the services been defined and documented?
4. Have the roles and responsibilities for the continuity of the services been clearly defined and allocated?
5. Is there a DR Plan for the restoration of the services following a failure or a disaster?
6. Are business plans and risk assessments used as inputs to establishing continuity requirements?
7. Is management authority for invoking a contingency/DR plan unambiguous and documented?
8. Does the DR Plan cover all administrative and non-IT processes within the service management function?
9. Does the service continuity process address:
   a) the implementation of continuity plans?
   b) the implementation of standby arrangements?
   c) how risk reduction measures are devised and implemented?
   d) operational management during contingency situations?
   e) the maintenance and testing of continuity plans?
10. Are all data backed up at intervals appropriate to business?
11. Are data backups stored safely from live data?
12. Are reports produced on test of the continuity plans?
13. Are test reports reviewed with stakeholders and acted upon?

Compliance
Findings
Informal Continuity Plans and processes do exist at individual app level, but such data is not available for review
Compliance Level (%)
Rakesh Gupta

Business Risk assessment, RTO, RPO are not calculated

Percentage of Compliance

Service Delivery - Capacity Management


S# Concerns
1. Does a Capacity Management process/activity exist in the current scenario?
2. Is there a Capacity Plan?
3. Are capacity implications considered during system development or modifications?
4. Are all services assessed for capacity implications at suitable intervals?
5. Are services assessed for all relevant capacity factors including non-IT resources?
6. Are there appropriate tools to provide the data required?
7. Have methods, procedures, and techniques been identified and applied in order to:
   a) monitor service capacity?
   b) tune service performance?
   c) provide adequate capacity?
8. Do existing practices address:
   a) predicted future business requirements?
   b) time-scales, thresholds and cost of service upgrades?
   c) current capacity and performance requirements?
   d) anticipated capacity and performance requirements?
   e) data and process to enable predictive analysis?
   f) the anticipated effect of new technologies, techniques and upgrades?

Compliance
Findings Compliance Level (%)

Percentage of Compliance

Service Delivery - Security Management

S# Concerns
1. Does a formal/informal Security Management process exist for IT Services?
2. Is there an identified process owner?
3. Have the aims and objectives of the process been defined and documented?
4. Have the roles and responsibilities for the process been clearly defined and allocated?
5. Are the information security aims and objectives established via risk management considerations?
6. Are the controls of the Information Security Policy published and communicated as appropriate to all system users including:
   a) service management personnel?
   b) customers?
   c) suppliers?
   d) temporaries?
7. Are customers' specified requirements taken into account in implementing appropriate security controls?
8. Are arrangements that involve third party access to systems based on formal agreements that define necessary security arrangements?
9. Are there appropriate security controls to manage the risks associated with access to services and systems?
10. Are security incidents reported in line with incident management procedure as soon as possible after the incident is discovered?
11. Are security controls documented?
12. Is automatic protection in place for business critical systems (h/w, s/w, documentations, etc)?
13. Are the types, volumes and impacts of security incidents and malfunctions monitored and quantified?

Compliance

Findings Compliance Level (%)

Percentage of Compliance

Relationship Management - Business Relationship Management

S# Concerns
1. Does a formal/informal Business Relationship Management process exist for this service?
2. Is there an identified process owner?
3. Have the aims and objectives of the process been defined and documented?
4. Have the roles and responsibilities for the process been clearly defined and allocated?
5. Is the service provider aware of the business needs and major changes such that they can prepare responses to customer need?
6. Are the business needs of the customer documented (formally/informally)?
7. Are stakeholders of services identified and documented?
8. Are customer satisfaction measurements that cover all customers, in place?
9. Do the customer and service provider attend a service review to discuss changes to scope, SLA/contract, business needs at least annually?
10. Are interim meetings held to discuss performance, achievements and action plan?
11. Are meetings with customers documented?
12. Is there a complaints procedure?
13. Has it been agreed with the customer what constitutes a formal complaint?
14. Are all customer complaints recorded, investigated, acted upon and formally closed?

Compliance

Findings Compliance Level (%)

Percentage of Compliance

Relationship Management - Supplier Management


S# Concerns
1. Does a formal/informal Supplier Management process exist for this service?
2. Is there an identified process owner?
3. Have the aims and objectives of the process been defined and documented?
4. Have the roles and responsibilities for the process been clearly defined and allocated?
5. Is a named contract manager responsible for each supplier?
6. Are customers aware, if necessary, of when and where services are supplied by third parties?
7. Is there a policy covering the circumstances when services can or must be supplied by third party?
8. Are the process scope, level of service and communication processes provided by the supplier documented unambiguously and agreed by all parties?
9. Are there agreements with internal and external service providers aligned with the SLAs/business needs of the customer?
10. Is there a process to follow in the event of a contractual dispute?
11. Is there a change management process to amend the process, scope, level of service or contract?
12. Are third parties actively encouraged to search for and implement improvements?
13. Are suppliers notified of change requirements in timely fashion?
14. Are roles and relationships between lead and subcontracted suppliers clearly documented?

Compliance
Findings Compliance Level (%)

Percentage of Compliance

Resolution Process - Incident Management


S# Concerns
1. Does a formal/informal Incident Management process exist for IT services?
2. Is there an identified process owner?
3. Have the roles and responsibilities for the process been clearly defined and allocated?
4. Are the procedures designed to minimize the impact of service incidents?
5. Are major incidents defined, classified and managed according to a defined process?
6. Is the method of contacting IT service support well publicized throughout the organisation?
7. Are all incidents recorded?
8. Are all calls logged?
9. Are all calls routed via a central point of contact?
10. Do the staff who receive calls have knowledge/training in the business processes being supported?
11. Do the staff in the Incident Management process have access to a knowledge base?
12. Are customers/users kept informed of the progress of incidents they have reported?
13. For all service incidents do the procedures define:
   a) recording?
   b) prioritisation?
   e) classification?
   g) allocation?
   h) escalation?
   i) resolution?
   j) formal closure?
14. Are appropriate details of each incident recorded?
15. Does an Incident Management process or mechanism exist to monitor the status and progress of all open incidents against service levels regularly?
16. Does an Incident Management process or mechanism exist to monitor incidents that are reassigned between different specialist support groups closely?
17. Does the Incident Management process confirm with the originator the satisfactory resolution of the incident?

Compliance
Findings Compliance Level (%)

Percentage of Compliance

Resolution Process - Problem Management

S# Concerns
1. Does a formal/informal Problem Management process exist?
2. Is there an identified process owner?
3. Have the aims and objectives of the process been defined and documented?
4. Have the roles and responsibilities for the process been clearly defined and allocated?
5. Are all known errors identified?
6. Are all identified problems recorded?
7. Does a knowledge base of incident information exist and is it up to date?
8. Are all problems classified, cross-referenced and related to relevant, previously logged and resolved incidents, problems and known errors?
9. Is problem prevention considered a fundamental part of managing IT services?
10. Are there procedures to identify, minimize or avoid the impact of service problems?
11. Are all suggested changes and improvements that might remove errors and prevent incidents routed via change management?
12. Are incident records analysed regularly to detect the increase or reduction of incidents and problems?
13. Are all identified known errors, workarounds and solutions fed back into a service improvement programme?
14. Are impact and urgency evaluated in respect of the business needs of the organisation?
15. Does the problem closure process ensure that:
   a) the details of the problem resolution have been accurately recorded?
   b) the cause of the problem has been categorized to facilitate analysis?
16. Are problem reviews (post mortems) held following the resolution of a problem?
17. Are regular management reviews held to highlight problems requiring immediate attention, determine and analyse trends and to provide inputs for other processes, such as customer or service desk education?

Compliance

Findings Compliance Level (%)

Percentage of Compliance

Control Process - Configuration Management

S# Concerns
1. Does a formal/informal Configuration Management process exist for this service?
2. Is there an identified process owner?
3. Have the aims and objectives of the process been defined and documented?
4. Have the roles and responsibilities for the process been clearly defined and allocated?
5. Is there an integrated change and configuration management plan?
7. Is there a well understood policy defining what constitutes a configuration item?
8. Is the information to be recorded for each item defined, including relationships and documentation?
9. Does configuration management process/mechanism cover all elements of the infrastructure?
10. For configurable components of the service and infrastructure, does configuration management provide mechanisms for:
   a) identifying?
   b) controlling?
   c) tracking versions?
11. Does the degree of control meet:
   a) business needs?
   b) risk of failure?
   c) service criticality?
12. Is information on any configuration item available on need-to-know basis to customer/supplier/service staff?
13. Is there a defined owner for each configuration item type at each applicable life cycle stage?
14. Are configurable items (CIs) uniquely identifiable (Item code)?
15. Are there procedures to prevent unauthorised updating of configuration records?
16. Can configuration baselines, builds and releases be easily and accurately identified?
17. Are critical configuration items (CIs) identified?
18. Are logical and physical relationships between CIs recorded?
19. Are appropriate statuses defined for CIs?
20. Is the inventory actively managed and verified to ensure its reliability and accuracy?
21. Are master copies of software and documents controlled in a secure physical or electronic library?
22. Are changes to configuration items traceable and auditable?
23. Do configuration records include ownership and identification details?
24. Is there a central data repository (CMDB)?
25. Are regular and accurate reports produced for management?
26. Are random checks on CIs carried out (audits)?

Compliance

Findings Compliance Level (%)

Percentage of Compliance

Control Process - Change Management


S# Concerns
1. Does a formal/informal Change Management process exist for this service?
2. Is there an identified process owner?
3. Have the aims and objectives of the process been defined and documented?
4. Have the roles and responsibilities for the process been clearly defined and allocated?
5. Are there formal procedures to ensure that all changes are approved, checked and implemented in a controlled manner?
6. Are customers aware, if necessary, of when and where services are supplied by third parties?
7. Are all changes to CIs recorded?
8. Is the implementation of new or changed services, including closure of a service, planned and approved through a change management process?
9. Does the planning for new/changed service address:
   a) all relevant roles and responsibilities?
   b) changes to existing service management framework and services?
   c) communication to relevant parties?
   d) consequential contracts/agreements to align with new/changed business need?
   e) manpower and recruitment requirements?
   f) skills and training requirements?
   g) processes, measures, methods and tools to be used with new/changed services?
   h) budgets and timescales?
   i) service acceptance criteria?
   j) expected outcomes expressed in measurable terms?
10. Does change management cover all elements of the infrastructure?
11. Are changes initiated through a formal procedure (Request for Change, RFC)?
12. Are there appropriate authorisation and implementation procedures for each category of change?
13. Is there a procedure to assess the impact, urgency and consequences of each change?
14. Are change requests assessed for:
   a) risks, business benefit and impact?
   b) cost and urgency?
   c) impact on availability and service continuity?
   d) impact on security controls?
   e) impact on incident management process (service desk workload)?
15. Is a change schedule, taking account of all factors, including scheduled implementation dates, published and accessible to all appropriate parties?
16. Is a release/implementation plan required for all except the simple changes?
17. Are back-out plans always produced and checked for practicality?
18. Is appropriate testing planned and executed, including formal customer acceptance as appropriate?
19. Are all changes reviewed, results reported to relevant parties and actions taken after implementation?
20. Is there a formal documented and well understood emergency change procedure?
21. Are change records analysed regularly to detect increasing levels of change, frequently recurring types, emerging trends and other relevant information?
22. Are change records audited and verified?
23. Are audit trails retained in accordance with regulatory, contractual and business requirements?

Compliance
Findings Compliance Level (%)

Percentage of Compliance

Release Process - Release Management

S# Concerns
1. Does a formal/informal Release Management process exist for this service?
2. Is there an identified process owner?
3. Have the aims and objectives of the process been defined and documented?
4. Have the roles and responsibilities for the process been clearly defined and allocated?
5. Is there an agreed and documented policy stating the frequency and type of release?
6. Are there appropriate and comprehensive plans on how to roll out a release to each site and user, agreed and signed off by all potentially affected parties?
7. Are there software libraries and related repositories for managing and controlling software baselines and releases?
8. Do procedures include the access and update of configuration records and versions of software, hardware and documentation used in the build and release processes?
9. Does the existing process include the manner in which the release will be backed out or remedied if unsuccessful?
10. Are release packages formally verified for completeness and accuracy?
11. Do release plans:
   a) record release date and deliverables?
   b) record related RFCs, problems and known errors?
   c) record related incidents, affected users and services?
12. Does release procedure include the updating of change and configuration records?
13. Is there an emergency release procedure that interfaces with emergency change procedure?
14. Are all releases built and tested in a controlled acceptance test environment before release?
15. Are releases and distribution designed so that the integrity of hardware and software is maintained during installation, handling, packaging and delivery?
16. Are release plans communicated to incident management?
17. Are the successes and failures of releases analysed regularly to assess their impact on business, IT operations and support staff resources?
18. Are incidents related to release measured for a period following release?

Compliance

Findings Compliance Level (%)

Percentage of Compliance
