
Module 5: IT Operations, Maintenance and Support


5.1: Introduction to IT Operations and its Elements


5.2: KTP:1 Service-Level Management
5.3: KTP:2 Capacity Management
5.4: KTP:3 Problem and Incident Management
5.5: KTP:4 Change Management
5.6: KTP:5 Business Continuity Planning and Disaster Recovery Planning
5.7: KTP:6 Information Security Management
5.8: Summary
5.9: References

5.2 KTP: 1 Service Level Management

INTRODUCTION TO SERVICE LEVEL MANAGEMENT

Service-level management is the process of defining, agreeing upon, documenting and
managing levels of service that are required and cost-justified. It aims to maintain and improve
customer satisfaction and to improve the service delivered to the customer. With clear definition
of service level, the IT organization or service provider can design the service based on the
service level, and the customer can monitor the performance of the IT services. If the services
provided do not meet the SLA, the IT organization or service provider has to improve the services.

A Service Level Agreement (SLA) is an agreement between the IT organization and the customer.
The SLA details the services to be provided. The IT organization could be an internal IT
department or an external IT service provider, and the customer is the business. The business
may acquire IT services from an internal IT organization, such as email services, an intranet, an
enterprise resource planning (ERP) system, etc. The business may acquire IT services from an
external IT service provider, such as Internet connectivity, hosting of the public website, etc.

The SLA describes the services in nontechnical terms, from the viewpoint of the customer. During
the term of the agreement, it serves as the standard for measuring and adjusting the services.
IT services can be better managed with an SLA, and the services offered form a basis for such
agreements. There is a possibility of a gap between customer expectations and the services
offered, and this is narrowed by the SLA, which completely defines the nature, type, time and
other relevant information for the services being offered.

For example, when a complaint is received, the help desk looks for an available solution from
the Known Error Database (KEDB) after classifying and storing the complaints as an incident.
Repeated incidents or major incidents may lead to problems that call for the problem
management process. If changes are needed, the change management group of the
process/program can provide a supporting role.

Service Agreement Management Lifecycle


COBIT 5¹, particularly the Align, Plan and Organize 9 (APO 9) Domain, provides the following
processes for managing service agreements:

1. Identify IT services. Analyze business requirements and the way in which IT-enabled services
and service levels support business processes. Discuss and agree on potential services and
service levels with the business, and compare them with the current service portfolio to
identify new or changed services or service level options. This is in the Establish phase of the
lifecycle. Identifying IT services can be better executed by performing the following activities:
   • Assess current IT services and service levels to identify gaps between existing services
     and the business activities they support. Identify areas for improvement of existing
     services and service level options.
   • Analyze, study and estimate future demand and confirm capacity of existing IT-enabled
     services.
   • Analyze business process activities to identify the need for new or redesigned IT services.
   • Compare identified requirements to existing service components in the portfolio. If
     possible, package existing service components (IT services, service level options and
     service packages) into new service packages to meet identified business requirements.
   • Where possible, match demands to service packages and create standardised services
     to obtain overall efficiencies.
   • Regularly review the portfolio of IT services with portfolio management and business
     relationship management to identify obsolete services. Agree on retirement and
     propose change.

2. Catalogue IT-enabled services. This is also part of the Establish phase of the service agreement
management lifecycle (Figure 1). It involves defining and maintaining one or more service
catalogues for relevant target groups. Publish and maintain live IT-enabled services in the
service catalogues.

¹ COBIT 5, or Control Objectives for Information and Related Technologies, is a business framework for the
Governance and Management of Enterprise IT created by the international professional association ISACA.


Figure 1: Service Level Management Lifecycle²

3. Define and prepare service agreements (Implement Phase). Define and prepare service
agreements based on the options in the service catalogues. Include internal operational
agreements. Activities under this process are:
   • Analyse requirements for new or changed service agreements received from
     business relationship management to ensure that the requirements can be matched.
     Consider aspects such as service times, availability, performance, capacity, security,
     continuity, compliance and regulatory issues, usability, and demand constraints.
   • Draft customer service agreements based on the services, service packages and
     service level options in the relevant service catalogues.
   • Determine, agree on and document internal operational agreements to underpin
     the customer service agreements, if applicable.
   • Liaise with supplier management to ensure that appropriate commercial contracts
     with external service providers underpin the customer service agreements, if
     applicable.
   • Finalise customer service agreements with business relationship management.

² Source: http://www.rightstar.com/solutions-by-function/service-level-management/


4. Monitor and report service levels (Manage Phase). Monitor service levels, report on
achievements and identify trends. Provide the appropriate management information to aid
performance management. This process is performed through the following activities:
   • Establish and maintain measures to monitor and collect service level data.
   • Evaluate performance and provide regular and formal reporting of service
     agreement performance, including deviations from the agreed-on values. Distribute
     this report to business relationship management.
   • Perform regular reviews to forecast and identify trends in service level performance.
   • Provide the appropriate management information to aid performance management.
   • Agree on action plans and remediations for any performance issues or negative
     trends.

5. Review service agreements and contracts (Review Phase). Conduct periodic reviews of the
service agreements and revise when needed.
Regularly review service agreements according to the agreed-on terms to ensure that they
are effective and up to date and that changes in requirements, IT-enabled services, service
packages or service level options are taken into account, when appropriate.

Defined service levels must be regularly monitored by an appropriate level of management
to ensure that the objectives of IT operations are achieved. It is also important to review the
impact on the customers and other stakeholders of the organization.

For example, a bank may be monitoring the performance and availability of its automated
teller machines (ATMs). One of the metrics may be availability of ATM services at expected
levels (99.9%); however, it may also be appropriate to monitor the impact on customer
satisfaction due to non-availability. Similar metrics may be defined for other services such as
email, internet, etc.

Monitoring of service levels is essential for outsourced services, particularly if the third party
is involved in directly providing services to an organization’s customers. Failure to achieve
service levels will impact the organization more than the third party. For example, a fraud due
to control weakness at a third party may result in reputation loss.

It is important to note that when service delivery is outsourced, only responsibility for service
provision is outsourced – accountability is not and still rests with the organization. Where this
is the case, the IT auditor should determine how management gains assurance that the
controls at the third party are properly designed and operating effectively. Several techniques
can be used by management, including questionnaires, onsite visits or an independent
third-party assurance report such as Statement on Standards for Attestation Engagements 16 (SSAE 16).


AUDITING SERVICE LEVEL MANAGEMENT CONTROLS

The risks in service levels can be mitigated by implementing effective Service Level
Management. Below are samples of risks and controls, as well as the review steps the auditor
can take to evaluate the Service Level Controls of the auditee:

Risk: Inadequate or inappropriate Service Level Agreement
Controls: Define and agree SLAs for all critical IT services based on customer requirements and
IT capabilities
Review or Audit Steps: Obtain the SLAs and verify that they cover:
   • customer commitment;
   • service support requirements;
   • quantitative and qualitative metrics for measuring the service signed off on by the
     stakeholders;
   • funding and commercial arrangements, if applicable; and
   • roles and responsibilities, including oversight of the SLA

Risk: Ineffective SLAs and contracts
Controls:
   • Regular review of SLAs and Contracts and revise when needed
   • Continuous monitoring and reporting of Service Level Achievements
Review or Audit Steps: Determine that SLAs and contracts are regularly reviewed to ensure that
they are effective and up to date, and that changes in requirements have been taken into account.


Risk: SLA not met or complied with
Controls:
   • Mechanisms (i.e., imposing penalty) in place to ensure that SLA is adhered to consistently.
Review or Audit Steps:
   • Interview IT organization personnel and examine the nature of supervision of help desk
     personnel, the monitoring tools used, the support task prioritization, gathering of
     baseline for network and application, data on response time, frequency of back-ups,
     testing of backed up data to verify compliance with SLA requirements.
   • Check what actions are taken by the IT unit, or in the case of an outsourced IT support
     group – by the organization’s management – if operational parameters are not in
     agreement with SLA requirements.
