ITILv3/2011 Edition Case Study
Implementing ITIL®V3/2011 Edition Framework
for Japanese Enterprises
Soma, Jerimi (yuko.soma8@gmail.com), Oct. 8, 2023
Abstract
This essay will discuss my own interpretation of ITIL®v3/2011 Edition and ISO/IEC 20000-1:2011 based on the Service
Management Framework Trainings.
ITIL (Information Technology Infrastructure Library) has been in IT service industries since 1989. ITIL V2 was the second
version of this framework, released in 2001. ITIL®V3 was released in 2007 and it started to become a Western enterprise
standard, including their Japan branch offices. ITIL V3®/2011 Edition introduced a service lifecycle approach to IT service
management, consisting of five phases: Service Strategy (SS), Service Design (SD), Service Transition (ST), Service
Operation (SO), and Continual Service Improvement (CSI). ITIL® 2011 Edition became best practice even among Japan
local enterprises, since its release in 2011.
ITIL® V3/2011 also placed greater emphasis on the integration of ITIL® with other frameworks and standards, such as
ISO/IEC 20000-1:2011. Currently both ISO/IEC 20000-1:2018 and ITIL®4 (2019) are not just for IT service management
anymore but for any kind of service management.
ITIL®4 has undergone significant transformation and evolution to align with emerging trends such as AI (Artificial
Intelligence), RPA (Robotic Process Automation), Cybersecurity, ADM (Agile Delivery Model), DevOps, Cloud Technologies,
and SIAM (Service Integration and Management). ITIL®4 no longer emphasizes PDCA due to rapid global environmental
changes. Before studying ITIL®4, let's review the ITIL®v3/2011 Edition to understand the differences between them.
Introduction
First of all, I will describe the ITIL® lifecycle for seeking
"value to the customer" by using 5 stages as follows.
ⅰ) Service Strategy (SS)
As the center or starting point of the service lifecycle, it
provides basic principles that help organizations
understand their achievement goals and customer
needs, as well as develop policies, guidelines, and
processes for service management from both financial
and technical perspectives.
ⅱ) Service Design (SD)
Recognizing achievement goals, covering all
requirements, prioritizing, communicating with all
stakeholders as necessary, and designing and
developing accurate service management.
ⅲ) Service Transition (ST)
In the transition stage of services, which involves risks
and complexity, it manages programs, projects, and
clear cooperative relationships, controls risks associated
with transitions, and ensures that the entire business
organization transitions to the new environment cost-
effectively and reliably.
ⅳ) Service Operation (SO)
By taking over the service design package strategically
designed in Service Design, and taking over the
operation from Service Transition, it supports the
activities of the entire business in a strategic and stable
manner in line with the business goals.
ⅴ) Continual Service Improvement (CSI)
Aim to improve strategies, designs, transitions, and
operations. Specifically, plan and implement
improvement activities throughout the service lifecycle
in line with the overall goals of the business, improving
service quality, promoting operational efficiency, and
maintaining business continuity.
Secondly, the common meanings of the terms in each
lifecycle are as follows:
Service
A service is the act of providing specific value to a
customer. By doing so, the customer does not have to
bear the risk of failure or cost directly, but can instead
delegate them to the service provider, enabling them to
achieve their goals and focus on their business, thereby
improving efficiency. Therefore, service providers
should be experts who have the ability to control risks
and costs appropriately. The value of a service is
determined and defined by the customer, so ultimately,
the customer decides whether or not to receive the
service at the offered price. Additionally, as value
changes, the service must always be adapted
accordingly.
Service Management
Service Management is the series of activities that
provide value to customers through the assurance of
ongoing service delivery of a consistent quality across
the five lifecycle stages of strategy, design, transition,
operation, and continual improvement. This involves
inputting service assets such as personnel and
capabilities, controlling and transforming 26 processes
(such as change management and knowledge
management) through the use of four functions (service
desk, operations management, technical management,
and application management), and outputting results to
customers. The value of these results is defined by
customers and is dependent on the achievement of
desired performance, the absence of constraints, and
the guarantee of adequate availability, capacity,
continuity, and security.
Process
A process is a set of defined activities that are aimed at
achieving a specific purpose. Processes are measurable,
and process managers aim to measure the cost and
quality of processes, while process practitioners focus
on measuring duration and productivity. Processes are
triggered by data and carry out a series of activities,
delivering outputs to customers or stakeholders. The
output data then becomes a trigger, and the process is
repeated, forming a closed loop. This is called a
performance-driven process, and it is characterized by
continuity, repetition, and improvement. Processes are
also quantifiable, as they result in specific outcomes.
Function
Functions use service assets such as personnel, tools,
and accumulated knowledge to execute processes.
Functions are organizational units responsible for a
series of activities that produce specific results, and they
must be staffed with specialized groups that perform at
a high level. Functions are assigned roles and
responsibilities through RACI (Responsible, Accountable,
Consulted, and Informed), and productivity of functions
is improved through the use of appropriate processes.
Next, I discuss the 26 processes in ITIL®2011, starting
from Chapter 1. Each chapter title in this essay gives the
name of one of the core books of ITIL®2011.
Chapter 1:
SOA (Service Offering and Agreement)
The following is a summary of SOA (Service Offering and
Agreement).
Value creation, usefulness, and assurance
While the results of IT services can be qualitatively
defined, quantifying them in monetary terms can be
difficult. If we attempt to quantify the value of IT
services, customers can recognize value through
"Reference value (what the customer can do on their
own) + benefits from using the service - losses from
using the service = economic value of the service,"
and
"Economic value of the service - reference value = the
difference in service."
This difference in service is what the service provider
can offer as "usefulness and
assurance" (although it is important to note that all of
these factors are based on the customer's perception,
preferences, and business outcomes).
Usefulness, which determines the value of the service,
refers to its suitability for the intended purpose
(functionality), such as whether performance is
supported and constraints are eliminated. Assurance
refers to its suitability for use (manageability), such as
whether availability, capacity, continuity, and security
are sufficient. The phase of design that confirms
usefulness, such as application development, should not
be executed independently and is more valuable when
the operational phase that confirms assurance is
involved. If the operational phase is entered after the
design phase is completed, additional costs for rework
may occur, resulting in a lower value. Additionally, when
the level of usefulness and assurance is balanced, a
synergistic effect is created, resulting in value creation.
The roles of Service Catalog Manager and Service Level
Manager
・Develop a strategy that aims to achieve overall goals,
not for organizational politics or self-interest.
・Foster team culture through mentoring and coaching.
・Ensure investments are proportional to the intended
development and growth of the organization.
・Prioritize investments by considering areas that will
have the greatest impact on the business.
・Make decisions based on analysis results.
・Evaluate, direct, and monitor the strategy, policies,
rules, and contracts.
・By investing only in valid businesses, reduce costs and
maximize ROI.
・Increase investment levels for major projects and
service improvements.
・Receive instructions and report to senior
management.
・Understand and support customer needs.
・Involve other managers and provide support.
Risks and challenges faced by service design
Challenge: Managers must address the following challenges:
Services and processes that are not designed will
develop in a chaotic manner. Without proper control,
they will become reactive to the environmental
conditions that have arisen without a clear
understanding of the overall vision and business needs.
An iterative and innovative approach is needed for
service design.
Risk: Without service design, costs become very high
and cost-effectiveness becomes low. Also, there is a
higher likelihood of incidents occurring during service
operation. Resources are wasted and no longer aligned
with business needs. Regardless of the improvement
plan, business goals that should have been achieved will
not be met.
a) Actions in accordance with the position of a manager
・Always act with business objectives, profitability, and
investment priorities in mind.
・Give equal weight to control from above (senior
management), the side (customers and other IT
managers), and below (subordinates, processes,
technology, and tools).
・Prioritize considering what service management is.
b) Actions that are not in line with this
・Engage in internal political activities for self-interest
or self-preservation.
・Micromanage or carry out subordinates' tasks
without asking them, which can lower their motivation.
・Assign projects to subordinates without
conveying business objectives.
Service Portfolio Management
About Portfolio
A portfolio, like an investment portfolio,
should be adjusted based on the characteristics of
customer risk and return to maximize profits at an
acceptable level of risk. Therefore, if conditions change,
the portfolio should be updated accordingly.
IT service portfolios include service portfolios,
application portfolios, customer portfolios, customer
agreement portfolios, and project portfolios. However,
only the service portfolio under portfolio management
is described below.
The service portfolio is documentation that describes the operational
or deployed services (=service catalog), services under
preparation or development (=pipeline), and obsolete
services that the provider offers from the perspective of
business value. This serves as a means of comparing the
competitiveness of various providers. The purpose of
creating a portfolio is to ensure that the appropriate
services are prepared to achieve a balance between IT
investment and business results. The value of the
portfolio to the business is that it enables sound
decision-making regarding IT service investments.
What services are needed to achieve it?
What capabilities and resources (resource assets) does
the organization need to realize those services? How
will the goals be achieved?" Satisfactory answers to
these questions require the participation of senior
leaders and subject matter experts, such as senior
architects. This group is called the Service Architecture
Board (SAB), and they support clear answers to the
aforementioned strategic questions and conduct
analysis of each service to ensure that the service
portfolio brings value to the business in a strategic
manner.
Activities of Service Portfolio Management Process
Activity initiation: Triggered by strategic management,
business relationship management, continuous service
improvement, and other service process management
processes. Here, we use continuous service
improvement as an example. CSI provides inputs such as
performance improvement opportunities, service level
achievement opportunities, gaps in the current service
portfolio, and overall improvement opportunities for
service portfolio management.
Defining: Defining the desired business outcomes,
opportunities, requirements for usefulness and
assurance, and the service itself, as well as predicting
the required investments to achieve these.
Service Catalog Management
Objectives of Catalog Management
By clearly showing business customers what services are
provided, which services have been approved and can
be received in the future, which services have been
discontinued, and which services are lacking, customers
can more easily receive services and understand what
services they want to receive in the future, promoting
business development. In addition, customers can
consider whether services are being provided at an
appropriate price. The catalog must always be up-to-
date.
The content of the service catalog
There are two types
of service catalogs, both of which are included in the
service portfolio.
a) Technical service catalog for support staff
This catalog is not publicly available to the business side. The
contents include services, hardware, software,
networks, applications, data, suppliers, etc. Two types
of services are listed: currently provided services and
approved services that have not yet been provided.
b) Business service catalog
It centrally manages all service information promised to
be supplied to customers and supplies that information
to all authorized stakeholders. The contents include
services, supported product policies, ordering and
request procedures, support conditions, entry points
and escalation, pricing and billing methods. Different
catalogs can be shown to user groups using different
views.
The Goal of Service Level Management (SLM)
The goal of SLM is to ensure that current and planned
services meet agreed achievable targets. To achieve this,
the following objectives are set: define, document,
agree, monitor, measure, report, review, and take
appropriate improvement measures for IT service levels.
Collaborate with business relationship management to
maintain and improve relationships with the business
and customers. Enable IT services to be set with
measurable targets. Monitor and improve customer
satisfaction with service quality. Ensure that quality is
maintained at agreed levels while always being cost-
effective and constantly striving for continuous
improvement.
SLA and OLA
An SLA is a formal agreement between an IT service
provider and a business customer that defines the
objectives of each service and the responsibilities of
both parties. The agreement is not intended for paying
compensation in the event of a breach, but rather
emphasizes the agreement between the two parties.
The SLA defines the useful features and guarantees that
the service should provide. The SLA is planned,
coordinated, drafted, agreed upon, monitored, and
reported by service level management (SLM).
An OLA is a formal agreement between an IT service
provider and another department in the same
organization that supports it, such as procurement or
facilities management. The OLA defines the objectives
that support service activities and ensure that they do
not cause SLA violations.
Types of SLAs:
a) Service-based SLA:
It specifies an SLA for a single service used by all
employees, such as email service. However, even for the
same email service, different conditions may apply, such
as employees using it from home, connecting via VPN
from another site, or accessing it from the company's
internal LAN. Thus, there is a problem of whether the
same SLA can be applied and who will sign the
agreement on behalf of the users. Using multiple service
levels can be considered to improve the effectiveness of
service levels.
b) Customer-based SLA:
It specifies a single SLA for all services used in a single
department, such as financial, payroll, billing, or email
systems. It is often preferred by the customer because
all requirements are met in a single document and only
one person needs to sign the agreement, making it clear.
c) Multi-level SLA:
It may have a hierarchical structure, such as specific
service-level SLAs, customer-level or business unit-level
SLAs, and enterprise-level SLAs. Details are similar to a)
and b). Using a combination of hierarchical SLAs makes
them easier to handle, avoids unnecessary duplication,
and requires less frequent updating. However, it
requires more effort to maintain the necessary
relationships in the service catalog and
CMS (Configuration Management System).
Service Level Management
The main activities are as follows: 1) Evaluation,
negotiation, documentation, agreement, management,
and review of new or changed service requirements in
SLRs, and incorporating these requirements into SLAs
through service lifecycle management. 2) Monitoring
and measuring service performance against SLAs. 3)
Creating service reports. 4) Conducting service reviews,
including identifying opportunities for improvement in
the CSI register and appropriately managing the SIP. 5)
Measuring customer satisfaction in collaboration with
business relationship management and implementing
improvements based on the results. 6) Reviewing and
revising SLAs, service scopes, and OLAs. 7) Recording
and managing complaints and compliments in
collaboration with the business relationship
management process.
Reality of Service Level Management Activities
Step 1 - Availability management measured and
baselined the availability and capacity of the current
ABC phone server, and based on those results, service
level management discussed SLAs with business clients,
including business client management. Service level
management agreed on a service-based SLA for ABC
phone mail service, which includes 24/7 availability,
downtime of no more than 2 hours per incident due to
failures or maintenance, no more than one outage every
four months, and response time of less than three
seconds for initiating email sending and receiving on
ABC phone, with a period of less than 1 hour for periods
of less than that time. The agreement is based on end-
to-end performance, and the customers agreed to it
(without using expressions that customers do not
understand, such as "99.8%"). In addition, service
providers, such as NNN and RIM, that support the
service also signed a separate SLA and a legally binding
external outsourcing contract to achieve that SLA. The
procurement department agreed to an OLA stating that
it would deliver ABC phone to IT within 14 days of a
user's request.
Step 2 - Monitoring and measuring service performance
against SLAs.
Step 3 - Creating service reports, including RAG charts.
Step 4 - Conducting service reviews and adding
consideration of ABC phone OS upgrades to the SIP in
light of the impact of security vulnerabilities on
availability.
Step 5 - Triggered by case closure, a survey was sent out
through an incident management tool for ABC phone
incidents, asking users to rate their satisfaction on a
scale of 1 to 10 and provide honest opinions in a free-
form field.
Demand Management
Demand management is a process of understanding,
predicting, and analyzing the business activity patterns
and user profiles of business customers and, together
with capacity management, controlling the capacity and
performance of service assets to ensure that they are
provided with sufficient resources to meet their
needs. Specific processes unique to demand
management include using strategies such as incentives
and penalties to control demand and splitting out peak
hours, as well as finding ways to balance business
objectives and IT investments.
The process most closely related to Demand
Management is Capacity Management:
Both aim to achieve business results and optimize IT
investment, but differ in the following ways. Demand
Management is a somewhat business and user-oriented
process, where business customers adjust product
demand by setting differential pricing or spreading peak
demand, and IT services predict and develop strategies
for managing that demand. In contrast, Capacity
Management is a more IT service and technology-
oriented process, managing service asset capacity and
performance based on the demand information
received from Demand Management. Therefore,
Capacity Management's work is inherited from Demand
Management and the two processes are closely related
because capacity is needed in response to demand.
Core services and support services
Core services are the basic services that customers rely
on, such as the ability to send and receive emails. On the
other hand, support services provide additional value to
customers, such as the ability to choose between
Domino server, Exchange server, or Office 365, and a
guarantee that email sending and receiving is available
24/7. These services are presented to customers as a
service package, and service providers incorporate
them into their service portfolio management to be
considered for purchase and implementation. At the
same time, the combination of these core and support
services is evaluated through demand management to
determine if they fit with the customer's business
activity patterns and user profiles.
Control Demand Management
One way to control demand is through demand
management, which analyzes business activity patterns
and user profiles to determine which users need which
services, at what time (or time of day), and how much in
advance. By knowing this information beforehand,
demand can be controlled by implementing strategies
like penalties (such as withholding expense
reimbursements until a user inputs their expenses by a
certain deadline) to normalize the use of expense
reporting systems. Additionally, capacity management
can control demand by understanding changes in the
business environment and reflecting new technologies
and service requirements in the service portfolio, as well
as accurately forecasting resources to meet demand.
The business activity pattern of the services provided
by XYZ tool services:
XYZ is a powerful ITSM tool that strongly supports the
ITIL® framework. The target users are all business
customers, with 5,000 users, not only IT staff but also
human resources department due to its high frequency
of use for managing employee entry and exit. It is used
for incident management, problem management,
request fulfillment, access management, and other
purposes.
For request fulfillment, users can select the necessary
services from the service catalog on the intranet in a
shopping cart style, and the ticket is automatically
created.
For incidents, users create tickets. The service desk
follows the sun, so XYZ is used 24 hours a day, Monday
to Friday, with peak transaction times being constantly
busy.
In terms of timing, it is at the end of each month, end of
each quarter, and end of the fiscal year. The number of
users for each time zone (APAC, CEMEA, North America
daytime) is 1,500, and no load-balancing measures are
taken, but demand management will need to be carried
out to avoid imbalanced numbers of employees in each
region, and capacity management will need to be
adjusted if differential internal charging is not applied.
Supplier Management
What are Suppliers?
Suppliers are classified into four categories from top to
bottom: strategic suppliers, tactical suppliers,
operational suppliers, and commodity suppliers. The
term "supplier" often implies working under the service
provider.
Strategic suppliers are partners who make long-term
commitments on an equal footing with service
providers and their business customers, sharing
confidential strategic information, accepting joint
responsibility, and sharing risks and rewards, so they are
managed at the senior management level of the service
provider. Example: Providing network construction
services and operation management on an Asia-wide
scale.
Tactical suppliers are involved in commercial activities
and interactions with business, including regular
contacts and performance reviews, including ongoing
improvement programs, and are managed by middle
management. Example: Maintenance organizations
that provide solutions for server hardware failures.
Operational suppliers provide operational products or
services and are managed by lower-level management,
including occasional contacts and performance reviews.
Example: Hosting service providers.
Commodity suppliers provide low-value, readily
available products and services that are relatively easily
sourced. Example: Providing printer cartridges.
Although managing multiple suppliers can be
cumbersome, it diversifies risks. Using a single supplier
makes management easier, but the risk of dependence
and cost increases. Note that transitioning to alternative
suppliers becomes even more difficult when suppliers
customize services.
Achievement goals for supplier management
The goals of supplier management are to obtain results
that match the value invested by the business customer
or service provider, to manage contract details to fit the
needs of business customers, to work with the service
level management process to determine agreed-upon
SLA targets and SLAs, to fully manage relationships with
suppliers, to review and manage supplier performance,
to negotiate and agree on contracts, and to manage
them throughout their lifecycle, and to maintain and
manage supplier policies and supporting supplier and
contract management information systems (SCMIS).
What is a Supplier Contract Database?
The Supplier and Contract Management Information
System (SCMIS) is created to ensure that service
provider policies for all suppliers are consistent and
effective. SCMIS records the details of the types of
services or products provided by each supplier, other
relevant CI information, and the content of contracts,
which must be integrated into the CMS (Configuration
Management System) or SKMS (Service Knowledge
Management System). This also forms the service
portfolio and service catalog. The following information
in SCMIS provides a reference set of information for
supplier management procedures and activities: ⅰ)
Definition of requirements for new suppliers and
contracts, ⅱ) Evaluation and configuration of new
suppliers and contracts, ⅲ) Categorization of suppliers
and maintenance of SCMIS, ⅳ) Establishment of new
suppliers, ⅴ) Management of supplier performance
and related contracts, and ⅵ) Update or termination of
contracts.
Challenges, Key Success Factors (KSF), and Risks in
Supplier Management
Challenges: The supplier management process manager
must address the following challenges in order to solve
them. Change management due to constantly changing
business and IT needs. Business operations are carried
out based on contracts that do not have sufficient target
values and performance measurement definitions.
Insufficient specialized knowledge within the
organization. Long-term contracts with punitive
penalties for early termination despite no possibility of
improvement, leading to cost increase. Disputes
regarding fees. A reactive approach is taken due to
being overwhelmed with day-to-day firefighting tasks,
and a proactive approach is not taken. Losing the
strategic perspective and only focusing on operational
challenges, resulting in failure to achieve goals and solve
challenges.
Key Success Factors: Suppliers demonstrate sufficient
performance, provide support services that align with
business needs and business goals, and provide
sufficient availability, and providers have clear
ownership of supplier contracts.
Risks: Lack of commitment to the supplier management
process from business and senior management.
Insufficient information regarding future business and
IT policies, plans, and strategies. Lack of resources and
budget. Old contracts that do not support business
needs, SLAs, and SLRs. There are supplier transitions
that result in changes to relationships, resources, and
contracts.
Financial Management
Benefits of Financial Management
First, the financial management process includes the
following three tasks. Monitoring discrepancies
between budget and actual expenses and monitoring
revenue = accounting task. Creating and managing
budgets = budgeting task. Invoicing for payments
received = charging task.
The benefits of financial management are that a healthy
business decision can be made based on appropriate
data in compliance with regulations (such as the SOX
law and US-GAAP accounting and reporting) to avoid
penalties. Additionally, the decision to continue or
withdraw from business can be made based on a service
portfolio that clarifies the relationship between service
and cost, with financial support. Furthermore, financial
management can design billing systems, optimize costs,
and make reasonable investments for IT service
management by considering the relationship between
supply and demand.
Service Assessment: Service assessment refers to two
types of value: (a) the cost of tangible and intangible
elements required to provide IT services, such as
hardware, software licenses, maintenance fees,
personnel expenses, facilities costs, and compliance
costs; and (b) the potential value added to the business
by providing IT services, which cannot be accurately
quantified but is perceived by the business customers.
For example, the value of services includes the
customers' perception of the usefulness and guarantee
of services and the potential value added to the
customer's assets by the services provided.
Return on Investment (ROI): Return on Investment (ROI)
is a concept used to measure the value of IT service
investments. It measures the increase in business
profits resulting from IT service investments relative to
the total investment made by the business customer.
The result is expressed as a percentage and is used to
determine whether IT services are treated as profit
centers or cost centers. However, since many intangible
factors affect the provision of IT services, the ROI
formula may oversimplify the calculation and not
capture all potential benefits, such as improved
customer loyalty.
Chapter 2:
PPO (Planning, Protection & Operation)
PPO, or Planning, Protection & Operation, is a service
management methodology evaluated in terms of its
strengths and weaknesses. PPO has several strengths,
such as comprehensive information management using
XYZ tools, adherence to ITIL® guidelines for roles and
functions, a robust service desk function with 24/7
infrastructure support, effective business continuity
planning, and a balance between management
flexibility and risk aversion. However, PPO also has some
weaknesses, including the lack of a billing model
assessment for demand management, lower customer
satisfaction among Japanese users due to the parent
company's focus on US-based processes, and a lack of
awareness that the company is an internal service
provider that may cause customers to be less patient
with IT service issues.
The benefit of properly implementing service design is
to minimize the necessary improvements in the service
lifecycle. These improvements will inevitably be
required as the direction of the business changes over
time or as domestic infrastructure technology evolves
regardless of the business. It is important to prepare a
service design package, taking into account the impact
on service transition and service operation. For
customers using large-scale cloud technologies such as
Microsoft 365 and CCC's business cloud, which can be a
significant investment, there is the benefit of being able
to confirm cost-effectiveness before introducing the
service. Furthermore, this proper implementation also
contributes to IT governance.
Processes included in PPO that allow for even better
efforts and potential effects
In the case of the above-mentioned business customer,
the information security management process was
appropriately incorporated into the service design
package (SDP) at the introduction stage, passed to
service transition, and appropriately addressed by
service operation. As a result, although there was a fault
during the AD/Exchange server/file server migration
project, it caused minimal damage to users, and the
project was completed as planned.
Fault details: During the Exchange server migration on a
holiday, some of the data in the distribution list (DL) was
lost. Also, during the file server migration, some of the
folder security settings were lost.
Action taken by IT: The IT department promptly notified
the respective department heads of the customer about
the fault and followed the procedures as stated in the
customer service catalog. They also requested the
customer to call the service desk for assistance if
needed and proceeded to continue with the other tasks
in the project promptly, finishing all migration work by
the start of business the next morning.
Customer behavior: On Monday morning, the
department head who is the DL (Distribution List) owner
came to work and added the correct members to the DL
based on the hardcopy. Similarly, the department
head who is the owner of each department folder added
the correct member access rights to all folders under the
department folder based on the hardcopy of the access
rights. As a result, at 9:15 AM all users were able to
receive group emails with CIA maintained and were able
to access the folders they needed, returning to BAU
(Business as usual).
The benefits of conducting service design appropriately
include minimizing the necessary improvements in the
service lifecycle. These improvements will always be
necessary as business direction changes over time or
domestic infrastructure technology advances, but they
must be smoothly completed. In carrying out this
process, a service design package should be carefully
prepared, taking into account the impact on service
transition and service operation. In particular, for
customers using large-scale cloud technologies such as
Microsoft 365 and CCC Business Cloud, there is a benefit
of being able to confirm cost-effectiveness before
implementation, as it represents a significant
investment. Additionally, conducting service design
appropriately leads to IT governance.
Furthermore, the processes included in a well-executed
PPO and the potential effects can enable superior
initiatives.
In the case of the business customer described above,
the information security management process was
appropriately incorporated into the service design
package (SDP) during the introduction phase, passed to
service transition, and appropriately addressed by
service operation. As a result, despite the incident
during the Active Directory/Exchange server/file server
migration project, the impact on users was minimized,
and the project was completed as planned.
Service catalog notation:
a) DLs are created by IT upon request from department
managers. However, the department manager is
responsible for adding or deleting members to the DL
and managing it.
b) Only IT can create department folders on the file
server. However, the department manager is
responsible for creating, updating, and managing access
rights for the folders under the department folder.
Note: The file server administrator has full access rights
to all folders but does not access them for purposes
other than support.
If an appropriate SDP is not in place, the lack of clarity
regarding who is responsible for restoring access rights,
how to grant access rights, or what the original access
rights were can lead to disputes between IT and users,
causing delays in operations, delays in IT service
operations, and potential loss of business opportunities.
Improvement points: Emails sent to the DL were not
delivered from the time of the incident until Monday
morning. Users who attempted to use the file server via
VPN during the holiday weekend were unable to access
the intended folder until Monday morning. Even on
holidays, it may be advisable to convene an ECAB to
obligate department managers to take emergency
measures. While IT is not involved in these access
controls due to resource constraints and confidentiality
and document security considerations, if a department
manager is unable to respond for some reason, IT may
need to become a backup for each department manager.
IT should have set a baseline and taken a rollback
approach. These points can be recorded in the CSI
management table by the information security
management manager and improved in conjunction
with the availability management manager to achieve
even better PPO and increase availability.
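The baseline-and-rollback improvement above, as an added Python example that is not part of the original essay: access rights and DL membership are captured before the migration, the baseline is protected by a SHA-256 digest, and deviations found afterwards become a restore plan. The folder names, DL name, principals and rights are constructed sample data, and the in-memory state format is an assumption.

```python
import hashlib
import json
from typing import Dict, List, NamedTuple, Optional, Tuple

# Access state: object (department folder or DL) -> {principal: right}.
# For a distribution list the right is simply "member".
State = Dict[str, Dict[str, str]]
Action = Tuple[str, str, str, Optional[str]]   # (verb, object, principal, right)


class Change(NamedTuple):
    obj: str
    principal: str
    kind: str                  # "missing", "unexpected" or "changed"
    expected: Optional[str]
    actual: Optional[str]


def baseline_digest(state: State) -> str:
    """SHA-256 over a canonical JSON form. Recorded with the change request so
    the baseline can be checked for modification before it is trusted."""
    canonical = json.dumps(state, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diff_against_baseline(baseline: State, current: State) -> List[Change]:
    """List every entry where the post-migration state deviates from the baseline."""
    changes: List[Change] = []
    for obj in sorted(set(baseline) | set(current)):
        want, have = baseline.get(obj, {}), current.get(obj, {})
        for principal in sorted(set(want) | set(have)):
            expected, actual = want.get(principal), have.get(principal)
            if expected == actual:
                continue
            if actual is None:
                kind = "missing"        # access or membership lost in the migration
            elif expected is None:
                kind = "unexpected"     # access that was never in the baseline
            else:
                kind = "changed"
            changes.append(Change(obj, principal, kind, expected, actual))
    return changes


def rollback_plan(changes: List[Change]) -> List[Action]:
    """Revocations come first so excess access is removed before anything is restored."""
    plan: List[Action] = [("revoke", c.obj, c.principal, None)
                          for c in changes if c.kind == "unexpected"]
    plan += [("grant", c.obj, c.principal, c.expected)
             for c in changes if c.kind in ("missing", "changed")]
    return plan


def apply_plan(current: State, plan: List[Action]) -> State:
    """Return the state after the plan is applied; an object with no entries is dropped."""
    restored = {obj: dict(entries) for obj, entries in current.items()}
    for verb, obj, principal, right in plan:
        entries = restored.setdefault(obj, {})
        if verb == "revoke":
            entries.pop(principal, None)
        else:
            entries[principal] = right
        if not entries:
            del restored[obj]
    return restored


def check_migration(baseline: State, recorded_digest: str, current: State) -> List[Action]:
    """Refuse to roll back to a baseline that no longer matches its recorded digest."""
    if baseline_digest(baseline) != recorded_digest:
        raise ValueError("baseline does not match the digest recorded before the change")
    return rollback_plan(diff_against_baseline(baseline, current))


# Constructed sample data (not from the essay): state captured before the migration ...
BASELINE: State = {
    r"\\fs01\Sales": {"sales-managers": "modify", "sales-staff": "read"},
    r"\\fs01\Sales\Contracts": {"sales-managers": "modify"},
    "DL:sales-all": {"alice": "member", "bob": "member", "carol": "member"},
}
# ... and the state found after it, with lost members and altered folder security.
AFTER_MIGRATION: State = {
    r"\\fs01\Sales": {"sales-managers": "modify", "Everyone": "read"},
    r"\\fs01\Sales\Contracts": {"sales-managers": "read"},
    "DL:sales-all": {"alice": "member"},
}

if __name__ == "__main__":
    digest = baseline_digest(BASELINE)          # recorded before the change window
    for action in check_migration(BASELINE, digest, AFTER_MIGRATION):
        print(action)
```
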
The four process managers listed below have the
responsibility of coordinating with each other due to the
close relationship between their respective processes,
obtaining an understanding of IT financial service
management, and providing material to justify
appropriate investment from business customers.
The common responsibilities shared by the following
four process managers are: a) taking responsibility for
the operation and management of the process,
appointing personnel to roles and managing resources;
c) planning and development of the necessary
investment and management procedures with the
process owner; d) monitoring performance and
reporting to the process owner; e) creating and
updating the CSI register; f) monitoring compliance with
agreed SLAs; g) attending necessary CAB meetings; h)
ensuring all of the above is documented and kept up-to-
date.
Responsibility for explaining to the CIO and analyzing
KPIs falls within the remit of the process owner, so it is
not the responsibility of the process manager. However,
if the manager also serves as the process owner, this
does not apply. Additionally, since process managers
may be located in multiple sites, they should coordinate
with each other.
The specific responsibilities of each manager are as
follows:
ⅰ) Availability Manager - responsible for identifying the
reliability, maintainability, and serviceability
requirements of internal and external suppliers'
components. Provides support for related incident and
problem management. Performs risk assessment and
risk management.
ⅱ) ITSCM Manager - responsible for conducting
business impact analysis, risk assessment, and risk
management. In the event of a disaster, directs the
invocation of the service continuity plan for recovery.
Directs testing, post-review, and corrective action.
Manages contracts with recovery service providers.
SLAs are agreed with the business rather than
customers.
ⅲ) Capacity Manager - Responsible for balancing
capacity and demand. Analyzes past, present, and
future usage rates, maximum capacity, performance
thresholds, and tuning methods. Supports incident and
problem management activities.
ⅳ) Information Security Manager - Assists the ITSCM
manager in conducting business impact analyses.
Supports incident and problem management activities.
Conducts security risk assessments and risk
management. Promotes the company's security policies
to customers and users.
Availability-related "Issues, CSFs (Critical Success
Factors), Risks":
ⅰ) Issue: The XYZ service ticketing system experiences
downtime or extremely slow
response times for about 5 hours, twice a week during
business hours. The SLA requires 99.99% availability
during weekdays (excluding Japanese holidays) from
9:30 to 17:30, and a Severity 2 incident ticket should be
resolved within 3 hours after being reported. However,
the system has been in violation of the SLA for almost a
year since its implementation. The XYZ server and its
technical and application management are located in
the United States.
[Current situation] Availability (%) = (Agreed service
hours - downtime) x 100 = (480h / 1920h) x 100 = 25%
To address this issue, it is necessary to reach an
agreement with the business customer to lower the SLA.
However, as the application is only used within the IT
department, it has only an indirect impact on customers
and is not considered a VBF. Therefore, the discussions
have been postponed. However, in reality, even when
incidents are reported by users, the service desk cannot
create tickets, and the workaround for known errors
that have been updated by technical management
cannot be accessed by the service desk, resulting in
significant delays in service response to users and a
major impact on business customers' businesses.
Additionally, the service provider's work efficiency has
significantly decreased, although the impact has not
been measured. As a result of the business customer's
lack of awareness of the need for high availability of XYZ,
appropriate investments and improvement activities
are not being carried out. Information is integrated into
AMIS (Availability Management Information System),
but since AMIS is within XYZ, it cannot be utilized.
ⅱ) CSF (Critical Success Factor)
According to the SLA, XYZ's availability is 98.12%,
reliability (MTBSI) is 160 hours (12 downtimes per year),
and maintainability (MTRS) is 3 hours (12 downtimes
per year with a total downtime of 36 hours), ensuring
that availability and reliability are managed.
Fulfilling business needs for using XYZ.
Providing the service at an optimal cost.
ⅲ) Risk
XYZ is an ITSM tool used only within the IT department,
and it is essential for ensuring business continuity for
business customers. However, senior managers have
not been able to explain to the management that when
individual users or system-wide issues arise, the low
availability of XYZ indirectly affects all users of the
business customers and directly affects all users of the
service provider.
Due to the above reasons, resources and budget for the
availability process of this system are insufficient.
Reporting to seven group companies individually
requires significant effort in the reporting process.
Capacity Management
Objectives of Capacity Management:
The goal of Capacity Management is to ensure that all
services related to capacity and performance are
achieved at the agreed-upon level with business
customers. Expectations for capacity are constantly
changing and new technologies are emerging, so it is
important to regularly measure and be sensitive to new
technology, anticipate future needs, and seek
understanding from business customers for appropriate
budget investments. Resources at the component level,
such as human resources and skill levels for functions
like the Service Desk, as well as network bandwidth and
CPU performance, are also within the scope of Capacity
Management. It must be managed at the optimal
schedule for high cost-effectiveness.
The three levels of Capacity Management:
There are three sub-processes: Business Capacity
Management (BCM), Service Capacity Management
(SCM), and Component Capacity Management (CCM).
All three sub-processes have in common a focus on both
current and future business demands. BCM is focused
on accurately assessing long-term business objectives to
analyze and plan for capacity. SCM involves analyzing
the impact of transactions resulting from timing, time of
day, and updates to business plans, and predicting how
to utilize resources. CCM involves predicting and
managing the performance and capacity of each
component, such as the data center's air conditioning
system, the SECOM entry management system, and
CPUs. These three sub-processes form a hierarchy in the
order of 1→2→3, and if there is a problem with 3, it will
have a negative impact on 2, leading to a review of 1,
which demonstrates a hierarchical relationship.
Challenges, Critical Success Factors (CSF), and Risks of
Capacity Management:
Challenges: Due to the vast
amount of information to handle, tools need to be used
to set appropriate thresholds, and automation needs to
be maximized for efficiency, such as setting alarms and
alerts. Particularly if you are an external service provider,
it can be difficult to know the business plans of business
customers, so you need to work with senior
management to collect information.
Critical Success Factors: Understand the needs that
correspond to the business plan and introduce the
capacity management plan cost-effectively and in a
timely manner. Remove old technologies that cause SLA
failures and consider new technologies, and have a
broad technical knowledge. Reduce incidents caused by
low performance.
Risks: Lack of adequate amounts of people, goods,
money, and information from business customers and
senior management, lack of knowledge of future
business plan information, inability to provide accurate
and prompt information by relying on manual methods
instead of using tools and computer systems, inability to
create reports that can be understood from a business
perspective.
The relationship between business activity patterns and
capacity management differs by user profile, because
busy periods and usage purposes vary across the service
delivery infrastructure and the targeted businesses. For
example, as shown in the table below, the capacity of the
internal LAN is particularly important for the technology
department, which supports this business customer's
product. This business customer's VBF is a software
development environment, and the critical service is the
performance of the internal trusted network. However,
the capacity requirements for the internal trusted network
for other users are not as high as those for the technology
department.
The relationship between capacity management and
business activity patterns specific to this business
customer is shown in the table below.
Table columns: User profile / Relevant Business Activity
Pattern (PBA) / Capacity management
Senior Executives (UP1)
PBA: It is essential for maintaining a good relationship
with customers that they are always able to send and
receive emails via ABC phone.
Capacity management: Response time of the internal
trusted network for all applications: within 5 seconds,
within 10 seconds for VPN connections.
Mobile Corporate Sales (UP2)
PBA: High contact with customers. Need to be able to
respond immediately to customers. Expect the network
to be operational from evening to late at night as they
work long hours. They often use the train, so they
require lightweight LAPTOPs, even if processing power
is reduced. It is essential to be able to connect to VPN
with a LAPTOP and send and receive emails via ABC
phone for a quick response to external customers.
Capacity management: Response time of the internal
trusted network for all applications: within 3 seconds,
within 5 seconds for VPN connections. File server usage
space increases by 100MB per month (SLA).
Back Office Staff (UP3)
PBA: Mostly works in the office. Need a stable LAPTOP
with good processing performance, but weight is not a
concern. Requires high productivity during business
hours but does not expect the network to be
operational after hours or on holidays.
Capacity management: Response time of the internal
trusted network for all applications: within 5 seconds.
File server usage space increases by 100MB per month
(SLA).
Non-Mobile Technology Staff (UP4)
PBA: Resident in the office with few travel requirements.
As they are engaged in software development, they
expect high reliability and performance (response time)
of the internal network as they frequently download
large amounts of data.
Capacity management: Response time of the internal
trusted network for all applications: within 2 seconds.
File server usage space increases by 5GB per month
(SLA).
Financial Management System (UP5)
PBA: During the one week prior to the closing date, the
response time is expected to be slow. Network speed is
not a significant concern to ensure stable transactions,
but high network availability is essential.
Capacity management: Response time of the internal
trusted network: within 5 seconds, within 10 seconds
for VPN connections (SLA).
Business Support Process - XYZ (UP6)
PBA: Business process. A system where users themselves
report incidents and manage progress. The service desk
function follows the sun, so both IT and users use it 24/7.
IT also uses XYZ for LAPTOP builds. Also, many
departments share it because the HR department and
each department head use it for New Hire requests.
Capacity management: Response time of the internal
trusted network: within 2 seconds, within 5 seconds for
VPN connections (SLA).
Availability Management
"Objectives" of Availability Management
The objective
of Availability Management is to ensure that all IT
services are available and performing well (without
reliability, maintainability, or serviceability issues), with
adequate capacity and security (without safety issues)
when required. However, service providers should not
set availability levels that are not required by business
customers, and the appropriate availability target
values based on agreement between business
customers and senior managers should be established,
and investment at reasonable prices must be made.
"Two levels of availability"
Availability management is
classified into two levels: service availability and
component availability. Service availability refers to
whether the service is in a service provision state from
the user's perspective (end-to-end). Component
availability, on the other hand, is whether each
component such as network, uninterruptible power
supply (UPS), data center air conditioning, and LAPTOP
is operating or not from the service provider's
perspective, and whether the necessary components
are available or not. If any of the components are not
available, there is a risk that service availability will be
affected. Therefore, these two are interrelated, with
service availability as the upper layer and component
availability as the lower layer.
Challenges, key success factors, and risks of Availability
Management
Challenges: The challenge is to manage
the expected availability of business customers and
senior management, justify the necessary budget, and
manage the changing expected values of availability.
Many customers demand high availability as a matter of
course, influenced by the impact of Microsoft setting
the availability of its Microsoft 365 service at 99.9% and
promising a refund if it is not met. However, extremely
high availability may require unnecessary high costs, so
it is important to note that cost-effectiveness may not
be achieved in some cases. Another challenge is that it
is extremely difficult to manage the availability of what
appears to be a single service when information from
various technologies is managed in different formats by
various tools. For example, the availability of email
communication depends on the availability of server
hardware, ISP, internal network, MS Exchange Server
application, LAPTOP, Outlook installed on the LAPTOP,
and security, all of which are usually managed by
separate functions. Information should be integrated
into AMIS (Availability Management Information
System) to enable consistent analysis.
Key success factors: Availability is properly managed
along with reliability, resulting in improved end-to-end
availability, reduced non-availability, and shorter MTRS.
The business needs are being met, resulting in high
customer satisfaction and high VBF availability.
Appropriate SLAs that are well documented and allow
cost reductions due to non-availability or timely
completion of system reviews exist as critical success
factors of Availability Management.
Risk: Failure in availability management may occur if
there is a lack of understanding from business
customers and senior management, and if appropriate
budget is not secured. The dissemination of vast
amounts of information from numerous components in
an unorganized state can make the reporting process
laborious. There is a tendency to focus on technology
rather than end-to-end availability and business needs,
leading to potential oversight.
How should we decide on indicators of infrastructure
availability?
Decision: The availability management
process manager measures the current availability of
the ABC phone server and reports it to the process
owner. The process owner explains it to the CIO, who
then conducts a meeting with executive management,
taking into account business customer demands, IT staff
resources, and supplier serviceability in the event of
component failure, to determine the SLA with 90.00%
availability, 24/7 uptime, and downtime of no more
than two hours due to faults or maintenance.
Improvement: Beyond the ABC phone server itself, failures
in other services and components, such as the Exchange
mail server, ABC phone terminals, NNN base stations in
Japan, and the internal network, can affect the availability
of sending and receiving emails via ABC phone in complex
ways. If business
customers do not understand this point, they may think
that ABC phone is not usable for a long time, even
though the ABC phone server itself is running normally
at 100%, and the availability of ABC phone may meet the
SLA of 90.00%. To ensure that business customers
understand the availability of sending and receiving
emails via ABC phone, it may be necessary to establish
an SLA. The availability management manager should
record these points in the CSI management table and
work to improve them with capacity management
managers, supplier management managers, and IT
service financial management managers.
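The gap between component availability and end-to-end availability described above, as an added Python example that is not part of the original essay. It assumes the components form a chain in which the service is down whenever any one of them is down, uses the standard formulas (availability = (agreed hours - downtime) / agreed hours, MTRS = downtime / interruptions, MTBSI = agreed hours / interruptions), and runs on constructed outage data for a 30-day, 24/7 period.

```python
from typing import Dict, List, NamedTuple, Tuple

Interval = Tuple[float, float]    # (start_hour, end_hour) offsets into the period


class Metrics(NamedTuple):
    availability_pct: float
    interruptions: int
    mtrs_hours: float      # mean time to restore service
    mtbsi_hours: float     # mean time between service incidents


def merge(intervals: List[Interval]) -> List[Interval]:
    """Merge overlapping or touching outages so shared downtime is counted once."""
    merged: List[Interval] = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def metrics(agreed_hours: float, outages: List[Interval]) -> Metrics:
    """Availability, MTRS and MTBSI for one set of outages within the agreed hours."""
    if agreed_hours <= 0:
        raise ValueError("agreed service hours must be positive")
    # Clip outages to the measured period and drop anything that falls outside it.
    clipped = [(max(0.0, s), min(agreed_hours, e)) for s, e in outages]
    breaks = merge([(s, e) for s, e in clipped if e > s])
    downtime = sum(e - s for s, e in breaks)
    n = len(breaks)
    availability = (agreed_hours - downtime) / agreed_hours * 100
    mtrs = downtime / n if n else 0.0
    mtbsi = agreed_hours / n if n else agreed_hours
    return Metrics(round(availability, 3), n, mtrs, mtbsi)


def end_to_end(agreed_hours: float, component_outages: Dict[str, List[Interval]]) -> Metrics:
    """User-facing view: the service is down whenever any component in the chain is down."""
    combined = [iv for ivs in component_outages.values() for iv in ivs]
    return metrics(agreed_hours, combined)


def sla_report(agreed_hours: float, component_outages: Dict[str, List[Interval]],
               target_pct: float) -> Dict[str, Tuple[float, bool]]:
    """Availability and pass/fail against the target, per component and end to end."""
    results = {name: metrics(agreed_hours, ivs) for name, ivs in component_outages.items()}
    results["end-to-end"] = end_to_end(agreed_hours, component_outages)
    return {name: (m.availability_pct, m.availability_pct >= target_pct)
            for name, m in results.items()}


# Constructed outage data (hours from the start of a 30-day, 24/7 period).
# Component names follow the essay; the intervals are invented for the example.
PERIOD_HOURS = 720.0
OUTAGES: Dict[str, List[Interval]] = {
    "ABC phone server": [],
    "Exchange mail server": [(100.0, 104.0)],
    "NNN base station": [(102.0, 110.0), (400.0, 450.0)],
    "Internal network": [(600.0, 620.0)],
}

if __name__ == "__main__":
    for name, (pct, ok) in sla_report(PERIOD_HOURS, OUTAGES, 90.0).items():
        print(f"{name:22s} {pct:7.3f}%  {'meets' if ok else 'misses'} 90.00%")
```

With this data every component individually meets the 90.00% target, while email via ABC phone as the user experiences it does not.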
IT service continuity management (ITSCM)
The "objective" of IT service continuity management
To
support the entire business continuity management
process under the responsibility of executive
management, and to aim to select and introduce
recovery options and formulate risk reduction measures.
This is similar to the availability management process
that deals with availability issues caused by component
failures, but the scope and responsibility differ. The goal
is to resume and continue business at the agreed-upon
level of the SLA in the event of major earthquakes, fires,
criminal incidents, information leaks, and other such
incidents. Therefore, it is necessary to regularly conduct
business impact analyses (BIA) and risk assessments and
reviews to ensure that all continuity plans are
maintained to match changing business requirements.
Relationship with IT Service Continuity Management
(BCP)
If a business cannot continue due to situations
such as prolonged office closures, loss of IT service
continuity, or inability for all staff to return to work
during emergencies or disasters, management is
responsible for the resulting financial losses. Therefore,
business customers should appoint a BCM manager to
establish a business continuity plan (BCP). However,
since much of the BCP is related to IT services and IT
environments, the ITSCM manager must manage how to
restore their IT based on the BCP plan. Therefore, BCP
and ITSCM are closely related.
Challenges, important success factors, and risks of IT
Service Continuity Management
Challenge: The absence
of business continuity management (BCM) is a challenge.
Without the BCM process, the IT side may not
understand the business customers' strategies and may
attempt to restore IT services according to processes
and priorities that are convenient for IT, resulting in the
purchase of expensive IT solutions that do not align with
the business customers' intentions. Alternatively,
assuming that IT will handle everything during disasters
can result in the loss of business continuity and revenue.
Important Success Factors: It is important to recognize
that IT services are supplied to achieve business
customers' objectives and enable recovery efforts
accordingly. Appropriate contracts with suppliers for
recovery options should be in place. Additionally,
awareness of the business continuity plan and IT service
continuity plan among the business customers'
management, IT senior managers, and all employees is
a critical success factor.
Risk: The absence of BCM and the existence of ITSCM
alone. Even with ITSCM in place, the information may be
outdated and not aligned with the needs of the business.
There may not be enough information, such as business
plans and strategies, from the business customers to
establish a BCM-aligned ITSCM, and therefore, the
budget cannot be justified. There may be too much
focus on technical issues and not enough on the needs
and priorities of the business.
Activities of IT Service Continuity Management
Establish
an ITSCM policy aligned with BCM and launch a BCM
project. ITSCM should identify the damage caused by
disasters through a business impact analysis and assess
risks to understand the level of vulnerability in the
organization. Then, decide how much to reduce
strategic risks and which recovery option to use,
followed by an initial test. Then, raise awareness of
business continuity throughout the organization, from
management to users, and educate them on the actual
procedures. Through these activities, conduct reviews
and audits, conduct retests, and if there are no
problems, transfer to change management, and the
ITSCM activities are completed. However, revisions will
be made in response to changes in the business.
What kind of damage occurs in the event of
infrastructure damage and service interruption?
・An IT department member is in a traffic accident
overseas and hospitalized. During that time, access to
the email server with a malfunction cannot be obtained,
causing a break in communication with the trading
partner for over a month, resulting in the suspension of
transactions.
・Mail information leakage and management
misconduct are publicized in the media, severely
damaging the company's reputation. 40% of employees,
including all IT personnel, resign immediately, causing
the internal IT infrastructure to stop. As a result, all
business operations that depend on IT services are
suspended, leading to bankruptcy.
・A physical injury incident occurs in the company, and
the police come to investigate. While IT was
investigating the entry management history to identify
the culprit, all entry device services stopped for a long
time, causing business disruption and resulting in a halt
in transactions with customers.
・A server installed in the data center was destroyed by
a fire. As a result, access to web business application
services was lost, causing the closing date to expire. The
accounting system of the US headquarters was
automatically closed, making it impossible to correct,
and the department head was held responsible by the
US headquarters.
・Due to a tsunami, access to the external internet
connectivity is lost, and remittances to trading partners
using online banking do not make it in time, resulting in
a loss of trust and creating reputational risk.
・Due to an earthquake, the file server goes down,
making it impossible for sales to download the new
product presentation template created by the US
headquarters. They miss the deadline for the
competition, and a competing company wins.
・Due to an earthquake, the telephone line goes down,
making it impossible to make and receive calls to the
technical support hotline. As a result, customers cannot
obtain technical support, and a low score is
given by many customers in a survey, leading to the
department head being held responsible by the US
headquarters.
・Due to an earthquake, the FAX goes down, and
according to YYY's policy, the HDD unlock master key
can only be sent by FAX from the contract FAX number.
The key cannot be received from YYY, and the material
that only exists on the president's local HDD cannot be
emailed, causing a great deal of trouble for the trading
partner and leading to a suspension of transactions.
・Due to a fire, the entry management system is broken,
and employees cannot enter the office. After a month,
cancellation requests pour in from customers.
・Due to the vibrations of an earthquake, a
development-use Unix server set up in a department is
physically destroyed, causing a delay in the delivery of
the development program. As a result, the contract with
that customer is canceled.
This business client has almost complete "immediate
recovery options" prepared, so the above events will
not occur.
The following is a list of measures taken by a business
customer to prepare for potential infrastructure
damage and service downtime:
IT staff: The company has multiple staff members in
different countries who can perform the same tasks.
This allows for remote support or long-term business
travel to provide support.
Email: Employees can send and receive emails via GGG
Link servers or ABC phone servers installed abroad using
their smartphones. The hardware and carrier of these
smartphones are compatible with communication
methods in any country, making it easy to take them
abroad. The address book is synchronized with AD (+
Exchange server) so it can be searched at any time. In
case of email server downtime, application
management and technical management are available
for 24/7 on-call repair.
LAN: If the local internet infrastructure is down,
employees can switch their LAPTOP to an emergency
outline cable, tether their company-issued smartphone
or connect to the internet using a data card to access
VPN. If the entire region's internet infrastructure is
down, all tasks are shared among employees of other
branches in the APAC time zone, or an employee may
travel to work in the Hong Kong or Taiwan office.
LAPTOP: If all LAPTOPs are destroyed due to a disaster,
the company has an inventory of old model LAPTOPs in
foreign branches, which can be retrieved from the
nearest foreign branch and built by using the XYZ tool,
with data restored immediately via Mozy online backup.
Local data that is locked on the HDD of the damaged
LAPTOP can also be restored to another LAPTOP
through Mozy online backup.
Hotline: If the entire regional phone infrastructure is
down, technical support departments in other countries
can act as substitutes, with language-specific technical
employees.
Server physical damage: If the local IT department is
absent, the damaged server is airlifted to the German
branch for repair under DELL's international warranty.
The data is then migrated by German IT, and the server
can be used in a few days.
Server failure: Almost all shared servers in foreign
branches are centrally managed and duplicated in the
US head office, eliminating the need to synchronize data
in the event of shared server failures outside the US
head office.
"CIA" in Information Security
"C" stands for Confidentiality - maintaining a high level
of confidentiality by making information viewable only
to those with permission. "I" stands for Integrity -
ensuring information is complete, accurate, and
protected from unauthorized modifications. "A" stands
for Availability - ensuring information is available when
needed, with defenses against potential disruptions,
and trustworthy when exchanged with external
organizations. CIA must be protected not only from the
technical aspects of IT, but also from physical aspects
such as unauthorized entry into offices and across the
entire business process.
Challenges, Key Success Factors, and Risks in
Information Security Management
Challenges: The information security committee is not
functioning properly due to lack of support from senior
management and lack of planning. Business customers
believe IT (especially external service providers) will
take care of security and no discussion is being held with
senior management. Even if planning has been done,
the importance of security may not have been adequately
explained to process practitioners, resulting in users
not following security regulations. When accidents
occur, such as a single mis-sent email, all employees'
resources are used for an investigation but there is no
established response procedure, resulting in lost
business continuity. Another challenge is the lack of
alignment between the security awareness of business
customers and that of the IT department.
Key Success Factors:
First, protecting the business from security breaches
and minimizing the number of violations reported to the
service desk. Senior management and business
customers have agreed upon policies that are
integrated with business needs, and users have
internalized these preventive measures. The entire
organization, including process practitioners and users,
receives repeated training. Security procedures are
justified, appropriate, and supported by senior
management. A mechanism for improvement, where
many proposals for improvements to procedures and
controls are presented according to changing
environments, is in place.
Risks:
Risks that must be addressed include the increasing
requirements for availability and robustness. There is a
risk of unintentional disclosure of personal information
due to loss of a user's smartphone, virus infection, external
intrusion, and the risk of users intentionally taking
internal information outside the organization. There is
also the risk that business customers will not follow ISM.
The lack of recognition of future business strategies and
insufficient budgets pose a risk to the effective
implementation of ISM.
Information Security Policy
a) Purpose of accident response related to admission
and retirement
When a New Hire request is generated on the tool, a
Windows account is automatically generated, but set it
so that it cannot be seen from Outlook on the AD side
and set it to be visible only after confirmation of
attendance (in the case of employees in remote offices,
after confirming with the person himself/herself), in
order to protect the personal information of non-
employees.
When a Termination Request is filed on the tool by
HRBP, the Windows account is automatically disabled,
but confirm the final attendance date with the HR
department and the individual and set it so that it
cannot be seen from MS Outlook (in order to protect the
privacy of people who are no longer employees).
Any additional access rights can only be granted upon
request from the user's direct supervisor.
Check that the Windows account of the retiree is
disabled on the AD side, disable the hostname and Unix
account, and remove it from all Distribution Lists and
access groups.
Check if access rights are being managed for each folder
on the file server.
Create a list of assets to be collected from retirees,
collect all assets, and obtain the signature of the
department head.
Burn the retiree's local data to a DVD and give it to the
department head, obtaining their signature.
Format the retiree's HDD at a level that cannot be
recovered within the prescribed time.
Create an access card that restricts the minimum
number of people who can enter the room, and change
the system within the prescribed time when entry is no
longer necessary.
b) Legal security purpose
If requested by the HR department, disclose the user's
personal VPN access history, logon history, internet
access history, etc.
Contribute to the creation of regulations by the
Information Security Committee, conduct investigations,
make proposals, and update documents.
Even for email data from retirees, put it on litigation
hold for a certain period of time.
Accurately grasp the migration status of software
licenses to prevent unauthorized use.
c) Purpose of Information Leakage Protection
LAPTOPs are stored in a locked warehouse and even
temporary removals for about 10 minutes are recorded
on paper.
LAPTOPs are distributed with a unique hard disk
password.
To prevent email misdelivery, the MS Outlook 2010
autocomplete function is turned off before providing
the LAPTOP to the user, and the user is required to
pledge not to turn it on.
Accounts are locked after three incorrect password
attempts.
All passwords are enforced to be complex and changed
after a certain period of time by the system (e.g. group
policy), and writing down passwords on paper is strictly
prohibited.
Giving passwords or PIN codes for RSA tokens to other
users, or allowing someone else to log in on behalf of
oneself, is 100% prohibited even with permission.
Users are required to report immediately to the IT or
information security committee if they realize that their
smartphone, notebook LAPTOP, or RSA token is missing.
Users are required to pledge not to save email
attachments to personal LAPTOPs when accessing the
mail server via MS OWA from their personal LAPTOPs.
Users are required to pledge to use cable locks on all
LAPTOPs at their workstations.
d) Purpose of Virus and External Intrusion Prevention
LAPTOPs are distributed with the Windows Firewall
setting grayed out so that users cannot turn it off.
Viruses are automatically detected and removed on the
server, and infection alerts are automatically reported.
If automatic removal is not successful, the user is
contacted, and the LAPTOP is rebuilt.
If the McAfee EPO Agent on the LAPTOP detects a virus
but cannot remove it automatically, the user is required
to report it immediately to the IT service desk.
Except for IM, installation and use of other software that
cannot be monitored by the IM gateway are strictly
prohibited.
External vendors working within the company are
required to sign an NDA.
LAPTOPs rented to external vendors are configured to
log on locally and cannot log on to the domain (to
prevent using Wireless LAN) and are required to
connect via an outline.
Demand Management
In demand management, the
business activity patterns and user profiles of business
customers are understood, predicted, and analyzed,
and the capacity and performance of service assets are
controlled along with capacity management to ensure
that there is neither shortage nor excess. The specific
process of demand management is to influence demand
through strategies such as incentives and penalties that
spread the busy season of the business and control
access to specific servers, as well as to find a policy that
balances business goals and IT investment in achieving
targeted numbers.
Which process is most closely related to demand
management? It is the capacity management process.
Both aim to achieve business results and optimize IT
investments, but they differ in the following ways.
Demand management is a slightly more business and
user-oriented process, where business customers adjust
product demand by, for example, creating differential
pricing and spreading busy periods, and predict the
demand for IT services and develop strategies based on
that. On the other hand, capacity management is an IT
service and technology-oriented process that manages
service asset capacity and performance to avoid excess
or shortage based on the demand information received
from demand management. As a result, the work of
capacity management is inherited from demand
management, and since capacity is required when there
is demand, these processes can be said to have a close
relationship.
Core Services and Support Services
Core services are
basic services for customers, such as being able to send
and receive emails. In contrast, support services provide
additional value to customers, such as being able to
choose from Domino servers, Exchange servers, or
Microsoft 365 to meet customer demands and
guarantee 24/7 email sending and receiving. These
combinations are presented to customers as service
packages, and service providers incorporate them into
service portfolio management and consider
purchasing/introduction. At the same time, the
combination of core services and support services is
examined in demand management to see if it fits the
customer's business activity pattern and user profile.
Methods to Control
Demand management analyzes
business activity patterns and user profiles to determine
which users need which services, when (which time of
day), and how much in advance. Based on this, some
control methods include imposing penalties such as
carrying over expenses to the following month if users
do not input their expenses by the deadline, thereby
evening out the use of the expense settlement system
to control it. In addition, capacity management
understands changes in the business environment,
reflects new technologies and service requirements in
the service portfolio, and accurately predicts resources
to respond to demand, which can also be considered a
method of controlling demand.
Business Activity Patterns
Pattern: The web timesheet
input deadline is every Friday at 22:00, so 7,000 users
access it simultaneously between 17:25-17:35 on
Fridays, causing a drop in user-perceived performance.
There is also a possibility of server downtime.
Background: Many people input their timesheets
together on Fridays, and they do not know their quitting
time until around 17:25 on Fridays. Moreover, because
it is Friday, few people work overtime, so it is difficult to
make them input after 17:35. Even if they input on
Monday morning, they have already missed the
deadline, and they still have to input in the evening on
Fridays even if they input every day.
Countermeasure:
Every Thursday morning, send a mass email to 7,000
people with the subject "Notification of the timesheet
input deadline of Friday at 22:00," and expect users who
have predetermined quitting times, such as part-time
employees, to input from Monday to Friday during their
free time on Thursday. In the future, we plan to take
measures that cannot be decentralized
Chapter 3:
RCV (Release, Control & Verification)
This process is included in the management processes
indicated in ITIL®.
Change Management Process:
Trigger: Change in IT organization from local to
worldwide, for cost reduction (organizational change)
Input: A change request to the service portfolio
management from the US headquarters to change the
operating system language from local to English for
worldwide use (since this is a significant change with a
large impact, a change request to the service portfolio
management is necessary)
Interface: Planning and
support for the migration, change evaluation process
Output: Approved changes are outputted and handed
over to the planning and support management for the
migration.
Roles of managers and staff involved in RCV:
Service validation and testing
ⅰ) Service Test Manager: To maintain the neutrality of
the test, only assign people responsible for resource and
deployment management. Support the design and
planning of test conditions, test scripts, and test data
sets at the SD stage. Assign test resources, adhere to
test policies, verify the tests performed by resource and
deployment management, manage the test
environment, and provide management reports on the
progress of the test, test artifacts, success rates, and
issues and risks.
ⅱ) Release and Asset Management
ⅲ) Release and Deployment Manager: To maintain the
neutrality of the test, only assign people not responsible
for service validation and testing. Plan and coordinate
all resources, including those from functional areas such
as technology and application management. Plan and
manage support for tools and processes. Support the
change permission management process prior to any
activity that requires change permission. Coordinate
change management, service asset and configuration
management, and the interface with validation.
ⅳ) Initial Support Staff: They are personnel from
functional areas such as technology and application
management, and are often assigned as practitioners
for packaging and building, or deployment. Provide
support documents to support IT services and business
functions during the deployment period until final
acceptance. Accept the release. Support service
operation in handling incidents and errors in the initial
stages. Handle the transition to service operation.
Conduct problem management and raise RFC. Conduct
service risk assessments.
Service Knowledge Management
Knowledge Management Process Owner
In many
organizations, this role is combined with the Process
Manager and also the role of Service Asset and
Configuration Management. They create an overall
architecture for identifying, acquiring, and maintaining
knowledge within the organization. They define the
process strategy and support process design. They keep
process documentation up-to-date. They define policies
and standards for the process. They conduct regular
audits for compliance checking. They review and modify
the process strategy as needed. They also handle CSI
management and review.
Release and Deployment Manager Overview:
Release of device drivers, standard software, and
security patches from Windows XP to Windows 7.
Roles:
1) Planning of release and deployment: package the
device drivers to make them compatible with the new
OS for the transition from Windows XP to Windows 7.
The release package includes multiple release units such
as manual installation instructions, documentation of
improvements from the previous version, etc.
Uninstallation is also included in the test items for
rollback in case of issues.
2) Building the release: request package creation from
the package team in Stockholm and Sydney.
3) Validation testing: communicate with the package
team, install the release package on the test laptop via
SCCM on Japanese Windows 7, conduct tests according
to the test procedure, and issue problem tickets to the
development team for reassignment and package
improvement if any issues occur. Confirm that new
functionality can be provided while maintaining
integrity, usefulness, and assurance.
4) Get permission from the Change Management
Process to register with the definitive media library.
Request a change permit from the Change Management
Process when there are no more problem items in the
operating test procedure table.
5) Deployment: deploy to pilot users via SCCM by
conducting testing of the entire new image after
performing the test desktop imaging.
6) Establish service as per SDP.
7) Communicate and transfer predicted problems, etc.
to the Service Operation.
8) Review and close: Confirm with pilot users that there
were no negative impacts, and register with the
definitive media library. Push distribution to all 7,000
users who have been distributed Windows 7 machines
and close the change request ticket.
Advantages of using tools in service management
The
Service Design Process functions more efficiently.
Specifically, it identifies efficiency and effectiveness,
weaknesses and opportunities for improvement, and
provides management information. It reduces
management costs and improves IT service productivity.
It improves the quality of IT services. It centralizes
important processes, automates and integrates core
processes in service management. The advantage is that
data becomes information, and that information
becomes knowledge, which clarifies trends.
Challenges, Critical Success Factors, and Risks in
Service Transition
Challenges: Service Transition (ST) can be complex, as it
involves not only the IT organization but also finance,
technology, human resources, and many other people.
It requires managing a diverse range of customers and
interfaces, which can make it difficult to achieve
harmony and integration. Additionally, there may be
unknown dependencies between legacy systems and
new technologies. It is important to balance stable
operation with business needs for service change.
Critical Success Factors (CSF): The ability to continuously
improve service quality cost-effectively while aligning
with business requirements.
Risks: There are risks of demotivation due to
accountability, execution responsibility, and practice
changes. There may be staff turnover during operations.
There is a risk of unexpected additional costs. Overly
avoiding risks can lead to excessive costs for the
business. Inappropriate people may access information
and interfere with knowledge. Insufficient integration
between processes may result in a siloed organization,
leading to business failure.
Case Example of Starting a Business from Scratch:
Transition from RSA Hardware Token to RSA Software
Token
Focus on ensuring that VPN connections can continue to
be used during the migration period, without any
downtime - this resolves availability issues.
Focus on promptly and reliably disabling RSA Hardware
Token accounts for users who have completed the
transition to RSA Software Token - this resolves security
and availability issues.
Focus on securely recovering RSA Hardware Tokens to
maintain accurate data in the Service Asset and
Configuration Management (SACM) database - this
resolves issues related to service asset management
and configuration.
Change Management
Objectives of Change Management
The objective of
Change Management is to minimize the risk of service
disruption and implement beneficial changes to the
business by consistently controlling the change lifecycle.
In order to achieve this goal, it is necessary to respond
to changing business requirements, maximize the value
of services, reduce incidents, service interruptions, and
rework caused by changes. It is desirable to respond to
change requests that align with the needs of IT services
and the business. Change management is a necessary
process for improving the profit and loss of the business
by achieving a) cost reduction, service improvement,
ease and effectiveness of support required by the
business, b) reducing reactive costs and time to resolve
errors and adapt to changing situations, and c) realizing
benefits and eliminating risks early.
"Change Approval Model"
There are various levels of change approval for change
requests, which should be documented in the CMS. If
new risks are discovered during the process, they should
be escalated to the appropriate level. Change requests
that are rejected can be appealed to a higher level.
Level 1: Business executive approval - high cost,
high-risk changes that require executive decision-making.
Level 2: IT executive approval - changes that affect
multiple services or business units.
Level 3: CAB or ECAB approval - changes that only affect
a group in the field or service.
Level 4: Change manager approval - low-risk changes.
Level 5: Local approval - standard changes.
The 7 Rs of Change Management
Raised, Reason, Return, Risk, Resource, Responsible,
Relationship. These must be reported in order to
properly manage changes. The person who initiated the
change, the reason for the change, the benefits of the
change, the risks associated with the change, whether
to pursue the change despite the risks, the resources
(people, materials, money) needed to make the change,
and the individual responsible for the design, testing,
and implementation of the change, as well as those
impacted by the change, must all be clearly identified.
Change Approval: Level 2: IT Executive Approval -
Changes that affect multiple services or business units.
For changes that only affect the local region and are not
impacting other regions, local IT can approve the
changes as the CIO is located in the overseas
headquarters. Examples of such changes include model
changes to smartphones and feature phones that are
sold only in Japan, and selection of local
telecommunication carriers. If the estimated cost is over
10 million yen, the change request will be escalated to
level 1.
Service Asset and Configuration Management (SACM)
Objectives of SACM
The goal of SACM is to properly
control assets to enable efficient and effective
operation of the business. In order to achieve this,
accurate and reliable information must be available
when and where it is needed. The primary objectives of
SACM are to a) identify, control, record, report, audit,
and inspect services and other configuration items (CIs),
including versions, baselines, configuration components,
their attributes, and relationships with other CIs, b)
create and maintain an accurate and complete CMS and
establish its integrity, and c) provide the ability to make
appropriate judgments in granting permission for
changes and releases, as well as for resolving incidents
and problems.
Value of SACM to the Business
There are two values of
SACM to the business: a) overall improvement of service
performance, such as reducing service downtime, fines,
corrective licensing fees, and audit failures, and b)
providing service level assurance, improving compliance
with legal and regulatory obligations, identifying service
costs, managing fixed assets appropriately, and
visualizing the service release environment by providing
assessment and planning.
SACM Activities
Step 1: Management and Planning (Note: This Step 1
corresponds to the "Plan" phase of PDCA, and governs
Steps 2-5 below.)
Determine the scope: services, environment,
infrastructure, and location
Determine the requirements: requirements related to
policy and strategy, accountability, traceability, and
auditability, and related to requirements of the CMS
Determine applicable policies and standards: industry
initiatives such as ISO 20000 and hardware standards
Establish the SACM organization: roles and
responsibilities, authority to establish CAB, baselines,
changes, and releases
Determine SACM tools and process procedures:
configuration identification, version identification,
supplier management, and change management
Relationship with other processes and groups: fixed
asset management, projects, SPI, and service desk
Step 2: Identification of Configurations
Determine CIs and configuration components according
to documented criteria
Assign identifiers to CIs
Specify attributes of CIs
Specify the time to place CIs under SACM control
Determine the owner of each CI
Step 3: Control of Configurations
License control to minimize unused licenses
Version control of change management and image
builds
Access control to CMS
Control of the integrity of DML (Definitive Media Library)
Step 4: Explanation and Reporting of Status
Status: under development, approved, or retired
Maintain and archive configuration records
Record, search, and manage previous configurations
Record changes to CIs from receipt to disposal
Step 5: Verification and Audit Activities
This step involves ensuring that the documented
baselines match the actual configurations, that the CIs
are present in the organization or in the DML and spare
parts inventory, and that the records in the CMS match
the actual infrastructure. Note that this step builds upon
Step 1.
Configuration Management
The XYZ tool extracts information about servers and
laptops (CIs) connected to the network via network
access. CIs, DMLs, and image builds that cannot be
automatically recognized are managed separately
using tools such as MS Excel, file servers, and cabinets.
The XYZ console allows for checking of the serial number,
model number, hardware specifications, installed OS,
and software information for laptop assets. This
information is used for fixed asset management,
software license number management, and as
reference information for troubleshooting. Since the
history of statuses such as in-use and disposed cannot
be confirmed from XYZ, tickets are created as needed
and the history of configurations is tracked at all times
through management in MS Access. Upon delivery of
assets, the service tag number is reported to the
accounting department, and the fixed asset
management is conducted through physical
confirmation of fixed assets during the annual inventory
with the IT department.
Validation and Testing of Services
ⅰ) Goals of Validation and Testing of Services:
The goal is to ensure quality assurance of services, with
a focus on achieving newly introduced or modified
services and service offerings through SD and release.
The release should bring about results and value within
the constraints of cost, capacity, and limitations, while
meeting the business needs and requirements of
stakeholders. The service should be useful and available,
and a test process should be planned and implemented
to meet business and stakeholder requirements. Testing
during SD is critical to prevent increases in the following:
a) ineffectiveness of user utilization, b) incidents, c)
confirmation calls to the service desk, and d) increased
costs due to errors.
ⅱ) Related Terms for Validation and Testing of Services:
ⅰ) Test Strategy: Third-party testing by uninvolved
parties is desirable. The criteria for success or failure are
determined after documentation in the SDP. The
approach should be iterative, reusable, and involve a
test model, test case, test script, test data library
creation, cataloging, and maintenance templates, and
integration of testing with the project or service lifecycle.
The approach should also include a risk-based testing
approach and skill improvement in testing.
ⅱ) Test Model: A set of test procedures for obtaining
feedback based on the test strategy described above. It
includes test scripts that define the test plan, test
targets, and test methods. It should be repeatable,
effective, efficient, and consistent.
Perspectives on Validation and Testing of Services
Validation and testing of services focus on whether the
service is being provided as requested, with the
perspectives of the people who use, provide, deploy,
manage, and operate the service as fundamental. The
starting and ending criteria for testing are determined
during the development phase of the Service Design
Package. The perspectives include ⅰ) Service Design
from functional, management, and operational
perspectives, ⅱ) Technical Design, ⅲ) Processes, ⅳ)
Measurement Settings, ⅴ) Documentation, and ⅵ)
Skills and Knowledge. Acceptance testing of services
begins with verification of service requirements.
Customers, customer representatives, and other
stakeholders (users of new or modified services)
conduct a final review of the acceptance criteria and
acceptance test plan.
Validity checks during migration and judgments of
service levels (usefulness and assurance) are made
through an evaluation process.
Content: Validity confirmation of the reporting macro
version upgrade for the accounting system
Method:
Copy last week's data from the production system to the
test system, and run the upgraded reporting macro on
the test system data to confirm that the extracted data
meets customer requirements.
Service level assessment: By confirming whether the
data requested by the customer is extracted correctly
(performance realization) and whether any special
operations are required to extract it (no usage
restrictions), usefulness can be confirmed by checking
four points: whether the report is displayed without
YYYy when the macro button is pressed (capacity
management), whether it always operates correctly in
the same way (availability management), whether an
alternative can be used when the macro is broken (IT
service continuity management), and whether only
appropriate users can access the data (security
management).
Release and deployment management
Goals of Release and Deployment Management
The
goal is to plan, schedule, and control the construction,
testing, and deployment of releases and provide new
functionality required by the business while protecting
the integrity of existing services. To achieve this, the
following objectives should be achieved in order: a)
Define and agree on the release and deployment
management plan with customers and stakeholders. b)
Create and test release packages. c) Ensure integrity is
maintained, saved in DML, and accurately recorded in
CMS. d) Deploy from the DML environment to the
production environment. e) Ensure that tracking,
introduction, testing, verification, and appropriate
removal and rollback are possible. f) Record, manage,
and take necessary corrective action for deviations, risks,
and issues. g) Ensure that knowledge and skills are
inherited into service operation functions.
Value of Release and Deployment Management to the
Business
By effectively implementing release and
deployment management, customers and users can use
new or changed services in a way that supports business
goals more quickly, at optimal costs, and with minimized
risk. By taking a more consistent implementation
approach among changes in the business, service team,
supplier, and customer, service transition can be
auditable and traceable, which is valuable to the
business.
Activities of Release and Deployment Management
a)
Plan release and deployment – change management
approval → release package creation. b) Build and test
the release – build a baseline release package → test it
and register it to DML through service asset and
configuration management (Note: only occurs once). c)
Deployment – Deploy the release package in DML to the
production operating environment and hand it over to
service operation and initial support (application
management and technical management) (Note: occurs
multiple times for each release). d) Review and close –
activities to obtain experience and feedback, review
performance and results, and gain knowledge.
Comparison with ITIL® release management activities
Step 1: Plan release and deployment – change
management approval → release creation. If the
infrastructure for Windows 7, client LAPTOP, service
desk, operational management, technical management,
and application management is not established by the
end of December 2013, users will not be able to receive
IT services safely by the end of support for Windows XP
in April 2014. At the same time, the migration from
Lotus Domino (Notes Mail and Notes Database) to MS
Exchange Server (Outlook Mail) + MS SharePoint
(Database) must be completed, and the impact should
not affect users' client LAPTOP. By using MS Exchange
Server + MS SharePoint, the efficiency of users' work
must also be improved. RFCs were created for these
plans, and change evaluation assessed the risk and
obtained permission to start creating releases from
change management.
Step 2: Build and Test the Release - Activity of Building a
Release Package → Conducting Validity Confirmation
Tests → Registering with DML (Definitive Media Library).
Packagers in Sydney and Stockholm built the release
package, and in Japan, validity confirmation tests were
conducted on those that passed and were registered
with DML sequentially.
Step 3: Deployment Activity - Distributed to pilot users
using the MS SCCM tool and distributed to all users with
permission from change management. Reviews were
conducted by application management and technical
management, and initial support staff took over.
Step 4: Review and Close Activity - Obtain experience
and feedback from application management and
technical management, review performance and results,
and save knowledge to SKMS (Service Knowledge
Management System).
Evaluation:
Evaluation "Objectives"
The activity performed before
change management allows the release, with the goal
of providing a consistent and standardized means of
judging service request performance based on its
potential impact on business outcomes, existing and
proposed services, and IT infrastructure. Performance is
evaluated by comparing it to predicted performance.
Evaluation also sets stakeholder expectations correctly
and provides effective information to change management
to prevent changes from being authorized with risks. It
is desirable to evaluate as many items as possible.
Challenges of Evaluation
The challenges of the
evaluation management process that managers must
address are a) creating standard performance indicators
and measurement methods that are applicable to
various projects and suppliers, b) understanding various
stakeholders' perspectives, c) measuring and
demonstrating the reduction of differences in
predictions during and after migration, d) measuring the
reduction of differences in predictions during and after
migration, e) taking a realistic and cautious approach to
risks, and f) promoting a risk management culture of
sharing information.
Evaluation Process Status:
Step 1: Evaluation Plan
Planning - Develop a plan to ensure that the intended
change is achieved and there are no unintended adverse
effects from the change.
Step 2: Evaluation of Predicted Service Performance
(Utility and Guarantee) - Evaluate whether the planned
performance is achieved to ensure that there are no
issues with migration.
Step 3: Evaluation of Actual Service Performance -
Submit an evaluation report that includes a risk profile,
deviation report, validation report, and
recommendations for the change evaluation (a
temporary evaluation report if before release), including
feedback from initial support if after deployment.
What is included in the evaluation report: Risk profile,
deviation report, validation report, recommended
actions.
Step 4: Information Management - Register all
evaluation reports with CMS and save them to SKMS.
Knowledge Management
Objectives of Knowledge Management: a) To share
ideas, experiences, information, and perspectives, and
make decisions based on information. b) To reduce the
need for discovering new knowledge, and efficiently and
safely use reliable knowledge, information, and data
throughout the service lifecycle to improve the quality
of management decision-making. This will improve
service quality, increase customer satisfaction, reduce
service costs, and ensure that staff have a common
understanding.
DIKW (Data, Information, Knowledge and Wisdom):
Data - a collection of individual facts, such as the date
and time an incident in an Oracle-based business
application was reported by a user.
Information - data that has been given meaning, and is
stored in content, such as the cumulative number of
unclosed issues escalated in Oracle's application
management function.
Knowledge - integrating what has been learned from
personal experience and ideas into new knowledge,
such as discovering that workarounds are found quickly
only when an issue in an Oracle-based business
application is reassigned to John, who seems to be
knowledgeable.
Wisdom - using knowledge to make useful common-sense
judgments based on sufficient information. For
example, the wisdom to propose that the Oracle team
shares information with John for all issues in the
meantime, which led to training by John and smoother
problem-solving.
Value of Knowledge Management to Business: The
following are the benefits of knowledge management
that add value to a business: a) Compliance with legal
requirements, company policies, and professional ethics,
among other requirements. b) Information that is easily
accessible to the organization. c) Up-to-date, complete,
and effective knowledge. d) Access to knowledge by the
necessary people when they need it. e) Disposal of
knowledge as needed.
Additionally, by providing controlled and secure access
to the necessary "knowledge, information, and data" for
managing and providing services, knowledge