ITIL v3 Foundation Certification Notes: Service Design [3]

[ITIL® v3 Foundation Notes] Other processes of the Service Design phase for the ITIL® 4 Foundation Certification exam are covered here, including: service catalog management, availability management, information security management, supplier management, capacity management, IT service continuity management and design coordination. The purpose, objectives, and scope of the processes and their importance in the Service Design lifecycle stage are addressed.

Service Catalog Management Process

• [definition] A service catalogue is a database or structured document with information about all live IT services, including those available for deployment. The service catalogue is part of the service portfolio and contains information about two types of IT service: customer-facing services that are visible to the business and supporting services required by the service provider to deliver customer-facing services.
• The service catalogue has different views for different people (users, IT, etc.) – two-view (business service/technical service) or three-view (wholesale customer, retail customer and supporting services).
• Purpose: provide and maintain a single source of consistent information on all operational / ready-to-deploy services, used by customers and IT, essential to service management
• Objectives
  • the production and maintenance of the service catalogue
  • documenting the details of the service, status, interfaces and dependencies (obtained from Configuration Management System), often in service packages (solution)
  • the info is made available in a suitable format to authorized persons
• Scope
  • all services in production or will be transitioned to production
  • create definitions and descriptions of services / service packages
  • may optionally include services that can be requested

Availability Management Process

• Poor availability is the primary cause for customer dissatisfaction.
• A firm understanding of the effect of downtime to business processes should be well studied
• Customer satisfaction is not only about availability but the perception on how IT responds to issues and understands business processes from customer’s perception
• Vital Business Function (VBF) should have a high availability
• [definition] Availability is the ability of an IT service or other configuration item to perform its agreed function when required. Any unplanned interruption to a service during its agreed service hours (also called the agreed service time, specified in the service level agreement) is defined as downtime.
• Availability Formula (use the agreed service time in calculation):
  
• Since availability management is primarily concerned about customer satisfaction, the definition on service uptime (whether it is end-to-end or just the service) should be agreed by the customer by balancing the cost and availability
• Need to identify vital business function (VBF) for high availability need to justify the higher cost
• Purpose: take the necessary steps (improvements) to deliver the availability requirements defined in the SLA in a cost-effective way and timely manner, taking into accounts current and future needs
• Objectives
  • create annual or bi-annual plans for fulfilling availability requirements (useful for budget allocation)
  • monitor availability
  • provide availability-related advice throughout service lifecycle
  • assess risks on availability for change requests
  • take proactive steps to improve and optimize availability of end-to-end services
• Scope
  • covers the design, implementation, measurement, management, testing and improvement of IT service and component availability (reduce availability issues throughout the service lifecycle)
  • make sure availability is duly considered in service design
  • should be applied to all operational services and technology, particularly those covered by SLAs.
  • monitor and measure availability according to SLA (if available)
  • include both reactive (monitoring by event management, investigating downtime incidences) and proactive (identifying and managing risks) activities
  • all information is recorded in the availability management information system
  • an ongoing process, finishing only when the IT service is decommissioned or retired
• Concepts of availability:
  • [definition] Reliability is a measure of how long a service, component, or CI can perform its agreed function without interruption– measured by mean time between failures / incidents
    • good quality components / good suppliers
  • Resilience: designing the service so that a component failure does not result in downtime
    • with redundancy (component failure won’t affect the system)
  • Maintainability: (internal) how quickly the fault can be overcome, measured by mean time to restore service (MTRS)NOT mean time to repair (MTTR)
    • 
    • e.g. with spare parts on site
  • [definition] Serviceability is the ability of a third-party supplier to meet the terms of its contract – the time taken by the contractor to restore the service (external – including maintainability and/or reliability requirements)
  • involves two key elements:
    • Reactive activities These involve the monitoring, measuring, analysis and management of all events, incidents and problems involving unavailability. These activities are principally performed as part of the operational roles. (Service Operation phase)
    • Proactive activities These involve the proactive planning, design and improvement of availability. These activities are principally performed as part of the design and planning roles. (Service Design phase)
  • service availability (end-to-end service) vs component availability
  • continuous availability = 100% availability, impossible to maintain

Information Security Management Process

• [definition] Information security is the management process within the corporate governance framework, which provides the strategic direction for security activities and ensures objectives are achieved.
• To identify and mitigate information (data stores, databases and metadata) security risks
• Information security is integral to service design
• Information security must be an integral part of all services and systems and is an ongoing process that needs to be continuously managed using a set of security controls
• Statistics show that the large majority of security incidents stem from human errors (intended or not) or procedural errors, and often have implications in other fields such as safety, legal or health
• Purpose
  • to ensure IT security meets the overall business security requirements through availability, integrity and confidentially
    • information is made available to only authorized persons when needed
    • data integrity – protected from corruption and unauthorized alternation
• Objectives
  • to protect the interests of those relying on information, and the systems and communications that deliver the information, from harm resulting from failures of confidentiality, integrity, and availability.
• Scope
  • all aspects of information security
    • define protection levels (including technical and physical) with security policy and plans
    • identify risks and implement countermeasures
    • understand regulatory and organizational requirements
• Output
  • Information Security Policy (produce and maintain), including:
    • Use and misuse of IT assets policy
    • An access control policy, a password control policy
    • An email policy, an Internet policy, an antivirus policy, a remote access policy
    • An information classification policy, a document classification policy
    • A policy for supplier accessing to IT service, information, and components
    • A copyright infringement policy for electronic material
    • An asset disposal policy
    • A records retention policy
  • Information Security Management System (ISMS) – standards, management procedures and guidelines supporting the information security policies
  • Available to all customers
  • Referred to in all SLRs, SLAs, OLAs, underpinning contracts and agreements
  • Educate all staff about the policy and their responsibilities
  • Need to be formally reviewed at least annually

Supplier Management Process

• [definition] Supplier Management is the process responsible for obtaining value for money from suppliers, ensuring that all contracts and agreements with suppliers support the needs of the business and that all suppliers meet their contractual commitments.
• Supplier performance is directly related to service performance, therefore in the service design phrase
• Purpose
  • ensure suppliers provide value for money by managing the contracts with suppliers driven by a supplier strategy and policy from Service Strategy
• Objectives
  • ensure suppliers deliver the service paid for which aligns to the business objectives (as well as SLRs and SLAs)
  • control the cost of the contract by using objective selection criteria
  • manage relationship with suppliers – the relationship is owned by an individual within supplier management
• Scope
  • select supplier and agree to the terms of the contracts
  • review contracts for improvement
  • monitor and manage supplier performance especially the suppliers providing critical services through supplier categorization – strategic, tactical, operational and commodity suppliers
  • risk identification
• Output
  • supplier policy

Capacity Management Process

• [definition] Capacity Management is responsible for ensuring that the capacity of IT services and the IT infrastructure is able to meet agreed current and future capacity and performance needs in a cost-effective and timely manner.
• Purpose
  • understand current and future service capacity (both hardware and software) needs and ensure delivery of that level of service
    • one way to ensure future need is to allow easy and timely increase in capacity when needed
• Objectives
  • develop a detailed plan on the current and expected future requirements and actions steps to fulfill these
  • consider implication of change requests on capacity
  • take proactive measures to improve performance at a reasonable cost
• Scope
  • ensure sufficient capacity all the time (including seasonal fluctuations)
  • reduce capacity to save costs if service need dwindles
  • include technical, application, operation and human resources consideration
  • monitor pattern of business activity to understand the demands
  • suggest and enact proactive improvements through metrics feedback from the service
• Subprocesses
  • Business Capacity Management – to calculate and forecast needs according to the business plan
  • Service Capacity Management – to understand how the use of individual live services vary over time and deliver agreed capacity for individual services
  • Component Capacity Management – to understand the utilization and capabilities of all components for end-to-end service, to clear bottleneck
• Output
  • Capacity Plan
    • captures the current and future requirements and proposes action steps for the 12 to 18 months ahead and to be reviewed at least annually
    • contents
      • introduction – current capacity and issues, scope of the plan, assumptions
      • management summary
      • possible scenarios – reasons, capacity requirements and possible outcomes (forecast) for individual services
      • recommendation

IT Service Continuity Process

• IT service continuity management (ITSCM) is responsible for the continuity of the IT services required by the business in times of disasters or extreme events to recover the IT services. (Less significant incidents are dealt with by Incident Management Process.)
• Included as one element of the business continuity plan (BCM) (also: human resources continuity plan, financial management continuity plan, etc.)
• Purpose
  • identify and manage the risks to the IT services
  • agree with the business for the minimum requirement of service in case of a disaster
• Objectives
  • to reduce the chance of a disaster occurring at all by identifying the risks to IT services and implementing cost-effective countermeasures to reduce or remove the risk
  • to have a plan to restore an acceptable level of service according to agreed timescales
  • to review continuity plan from time to time by carrying out business impact analysis (BIA) and risk re-assessments
• Scope
  • focus on major events with a catastrophic impact (e.g. fire, flood, explosion, etc.)
  • provide the technical facilities to enable critical services to perform in time of disasters
  • agree on policies and plans and test the plans
  • carry out business impact analysis to manage risks
  • develop a strategy for service continuity to align to business continuity strategy
• Subprocesses
  • Business Impact Analysis – identify key services that need continuity at different time of the day/month/year and clarify relative importance of individual services
  • Risk Assessment – to compile a list of evaluated risks and propose countermeasures
  • These will ensure the provision of IT service continuity in a cost-effective way
• Output
  • IT service continuity plan
    • adopt a lifecycle approach: initiation, requirements & strategy, implementation, operation

Design Coordination Process

• Service Design not only involves providing the utility but also the warranty (including availability, security, continuity and capacity), which requires interface with other activities and processes.
• Purpose
  • carry out the coordination of the many different activities of service design to avoid complications and misunderstanding
• Objectives
  • to ensure all aspects of the design (architecture, processes and metrics) to provide utility and warranty to meet business requirements for now and in future
  • to resolve conflicts in demand in case of simultaneous competing projects including resources and time conflicts
  • to ensure everyone is clear about the requirements for handing over between different lifecycle (e.g. service design package to transition phase)
  • to check whether all requirements are met and repeatable design practices are used
  • to reduce risks associated with complexity of projects
  • to compile the service design package within inputs from various processes
• Scope
  • cover all activities in design and ensure consistency across them for new, existing and retiring services (usually for large projects but according to guidelines of individual organizations)
• Output
  • service design package
  • suggestions for improvements for service design stage

Conclusion: ITIL® v3 Foundation Service Design

This ITIL® v3 Foundation study note gives an introduction to the various essential processes to the Service Design phrase of the service lifecycle. These processes are important to an effective design, i.e. a service which fulfills the utility and warranty needs of current and future business requirements.

We will further move to the next (and final) part of ITIL® Service Design study notes on roles and responsibilities of process owner, process manager, process practitioner and service owner, the RACI (responsible, accountable, consulted, informed) responsibility model and how staff can acquire the skills to work effectively.