ISO 20000 Control processes documentation

Where should we keep our ISO 20k documents? Do we need a sophisticated document system, database or a printed library? Is a shared folders system enough? We asked ourself these and many more questions before we started implementing our service management system.

Living with our ISO/IEC 20000 Service Management System for years, we gathered some experience and knowledge about it that I will be happy to share here. I would like to spend a few posts on the key parts of the system, with document and record management in focus.

I have touched the theme in my previous post Service Management Document System, now let's elaborate it through specific process groups.

Mind you, I am not aiming to describe specific ISO20k requirements, for this you have the standard(http://www.iso.org/iso/catalogue_detail?csnumber=51986). I am discussing the specific required and nice to have documents and their whereabouts.

I will go through each process group and share my experience and opinions.

Let's start with Control processes. It's in the heart of the ISO 20000 schematic and I really feel these processes deal with the vital documents and records for the service management. So it's a good place to start.


Configuration management
Policy: this document will define the main game rules focusing on general non-sequential process rules. After the initial creation, it will not change frequently. Policy can sometimes be a part of the

Procedure document, but I prefer to put it in a separate document since I find it easier to maintain it.

Procedure: a document which describes how Cis are tracked. It will also be rarely changed . Policy and procedure can be stored in shared folders or in a document management system. Configuration Item Type Definitions: we have to have these, and it helps if we have the ITSM tool to keep it in.

CMDB records: if you have CMDB automated in a separate CMDB application or a piece of a ITSM tool, then you are all set, it's a way to go. Otherwise, you have to keep and maintain the knowledge about the customer's infrastructure in one ore (usually) more databases/document repositories. Basic CI info will probably be kept and maintained in your ticketing application. Less structured data can be kept in a separate database and documents. It is very important to keep these data up to date. This can be done by appointing ServiceDesk and/or account managers to be responsible for CI info accuracy. Bad CMDB data are the source of all evil in ITSM. Things to take special care of:

Catalogue of services - services are Cis, and are usually composed of technical services, dependent of many Cis. Think carefully how will you maintain this data, and especially how deep will you go in granular description of Cis.

Access data - passwords and accounts for accessing customer infrastructure are very sensitive and it has to conform to 6.6. Information security management.



Control processes group in ISO/IEC 20000

Change management
Policy: again, a separate document or a part of a procedure document. A good practice would be to keep all important non-sequential data in a policy, like definitions, acronyms, interfaces. There are processes which don't specifically require a policy, but we like to create one for every process anyway. See if it works for you.

Procedure: Only emergency procedure is required, but again it would be nice to have a separate document here defining all types of changes that we perform.

Emergency change definition: it would be very useful if you can get this definition in a contract with the customer. In case of external customer, most of them insist on their own templates created by their legal, so this Emergency change definition agreement has to be done in a separate contract. Most of the auditors will accept a simple confirmation reply from a customer to your e-mail.

Records: change schedules, RFCs, plans, analysis, reports are results of CAB meetings and other CM activities, and they can be kept either in your Service Desk tool or on any other tool you use for document management, in accordance with 4.3.2 Control of documents.

Release and deployment management
Release policy: same as the other policies. You have to keep a record about your agreement with the customer regarding this policy. It would be best if it is in your SLA but it can also be separate mail exchange or a document signed by the customer.

Emergency release definition also has to be agreed with the customer.

Records: plans, control documents, reports/analysis can be kept either in your Service Desk tool or on any other tool you use for document management, in accordance with 4.3.2 Control of documents.

ITIL Service Transition

Service Transition is a stage which gives most pain to the IT Service Provider. Transition (add new, change existing, retire old service) is a source of many service disruptions. So we want our transition of service to be planned, built, tested, evaluated and deployed in an organized and controlled manner.

  

Purpose

To ensure that new or modified services are in conformance with business requirements, as defined in previous Strategy and Design stages, and that services which are no longer needed are properly retired.

Objectives

• Efficiently and effectively plan and manage service changes
• Manage change risks
• Release planned changes
• Manage expectations on new or changed services
• Manage accurate knowledge and info on changed services and assets

Value

• Better estimation of cost, timing, resource requirement and risks
• Higher volumes of successful change
• Reduce delays from unexpected clashes and dependencies
• Reduced effort spent on managing test and pilot environments
• Improved expectation setting for all stakeholders
• Increased confidence that new or changed services can be delivered to specification without unexpectedly affecting other services or stakeholders
• Ensure that new or changed services will be maintainable and cost- effective
• Improved control of service assets and configurations.

Scope

Creating new and changing existing services, implementing new and changed services, service retirement. Plan-build-test-evaluate-deploy.

Key principles

• Align service transition plans with the business needs
• Implement all changes through transition
• Adopt a common framework and standards
• Maximize re-use of established processes and systems
• Manage relationships with stakeholders
• Manage systems for transfer of knowledge and decision support
• Plan release packages
• Proactively manage resources across transitions

ITIL V2011 Service Transition Mind Map

Service Transition Processes:

  

Transition Planning and Support

Since Transition is so important, ITIL  defines the separate Transition Planning and Support process in order to manage and control changes and releases, from overall planning to specific transition resources management. The accent here is on standardization and best practices, managing of overall resources and helping with major changes and releases but not detailed planning of individual changes.

  

Change Management

Change Management is the key Transition process, and one of the key ITIL processes altogether. Since changes are the main cause of service disruptions, we want as much control of change as possible. In Change Management we ensure that all changes are recorded and evaluated. Authorized changes are prioritized, planned, tested, implemented, documented and reviewed. This way number of failed and unauthorized changes is significantly reduced, as well as number of resulting incidents and problems.

  

Service Asset & Configuration Management

This process was previously named Configuration Management and dealt with Configuration Management Database (CMDB). It looked and sounded too technical which scared off some new business-minded people in ITIL. In fact, Conf. Management was in charge of our knowledge of infrastructure: what do we have, where it is and how it works. To be more in spirit of the business aspect of this process, Asset management flavor was added, so now we follow lifecycle of IT assets from cradle to grave and actual info on this assets is available from all processes, any time.

  

Release and Deployment Management

Previous Release Management was the most difficult to explain in an "Elevator presentation", so deployment was added in order to enable Americans to get it quicker. It would be less confusing if it was called only Deployment management from the beginning. In a nutshell (or elevator :)) RDM deals with consequences of Change Management process: build, test and deployment of releases.

  

Service Validation and Testing

This one is a separate process since it is a discipline used throughout the lifecycle, mainly from Change and Release management. Service Validation and Testing will ensure that the service will deliver expected outcomes, and that it is 'fit for purpose' and 'fit for use' (Utility and Warranty, remember them from Strategy?).

  

Change Evaluation

This was 'Evaluation' in V3, and probably since no one knew what it relates to, they added 'Change' in 2011. So now we know it is a process which deals with evaluation of change. It is implemented to identify all predicted and unpredicted change effects. Smaller changes can be evaluated within Change Management, and for more significant changes (up to company to decide).  It is triggered before every approval point.

  

Knowledge Management

Knowledge Management was such a hype in 90's! Here in ITIL Service Transition, it is added as a nice to have process which is even in the foundations syllabus. General idea is to capture and manage knowledge as Service Provider's intellectual property. Methods are classic KM, I even recommend the reading since it is digest version of all I once knew about Knowledge Management.

What is Password Reset: Service Request, Incident or Change?

I browsed through a few social networks lately discussing basic Service Support activities like password reset. Interesting to see how even experienced IT professionals have different points of view on elementary procedures like this one.

One of discussions goes on and on about what is a Password Reset procedure: is it a Service Request, Incident or Change?
We can take for granted that these portals consider the simplest case of Password Reset event: the user forgot hers/his password. In a consolidated service desk of 2000s this was the most frequent event, making 50-80% of all calls.

Is it an Incident?
So, could it be an Incident? Obviously NOT. Incident definition requires a service downtime or probability of downtime. No service downtime here, only end user can't log in, by his own fault.

Why then a plenty of Service organizations treat these events as Incidents? Because of the Service Desk TOOL they (miss)use. They have a nice little tool which is ITIL approved by some elephant. It can do all the process, you name it. But implementation of additional modules costs money and time. They already have Incident Management. Their implementer sucks, their ITSM consultant could do better, and they are often the same person. So they created a category "Password reset" in Incident Management module and they treat password reset as an incident. That's why it has to be an incident. If the only tool you have is a hammer, every problem is a nail. Let's move further.

Is it a Service Request?
Is password reset request a Service Request? Of course it is, there it is in the ITIL definition of a Service Request:

• A request from a User for information or advice, or for a Standard Change or for Access to an IT Service. For example to reset a password, or to provide standard IT Services for a new User. Service requests are usually handled by a Service Desk, and do not require an RFC to be submitted.

So it's a small preapproved standard Change which is processed thru Request Fulfillment process.

Yes, it is a Change, but no need for Change Manager and CAB to get involved since it happens frequently and can be dealt with on the 1st level. And thank you God for technology you provided so that lately any end user password can be reset via a simple self-help portal. User just answers a secret question, puts in his employee ID and receives the new password via text message or such.

What other special flavors of password reset are there?

• Simple web application user passwords are a mild example of the above described case.
• Enterprise domain user password is closer to what first comes to our mind when we think about password reset. Now, we said it is a Service Request. In which cases it escalates to a Change Request? Well, if you have a strong security policy, implemented SOX or ISO/IEC 27001 and influential security officer, then it's possible that they require formalized approval cycle and implemented operational Standard Change procedure.
• VPN account passwords which enable user to connect from the outside of the company to internal network are a very sensitive security case, so all concerns regarding domain user accounts apply to them, and then some. A special case is a VPN account given to a 3rd party employee. Usually such a request has to have defined start and end of usage and approval from a high position (chief security, IT manager or CEO).
• Application Administrator account passwords enable the user to create a significant amount of damage to a company according to the importance of the application to the business. Examples: Intranet applications, CRM, ERP. Which one contains the most sensitive data for your company? Probably the ERP application.
• System Administrator Account presents the highest possible level of trust to an employee. Only security officer , Operations or IT Manager should approve these account creations and their password reset requests.
• Service Accounts under which different IT services are executed. These have to be taken care by the security officers, their catalogue has to point to services they enable (1:M relation) and access to their passwords has to be restricted only to most confidential people. Usually these accounts have broad authorization and they are set to rarely or never expire, so they should be maintained with utmost care, especially in organizations with frequent employee fluctuation. Best practice is to deposit them in a safe box by a single person.
   

Note: there are significant changes lately in best practices and recommendations with large vendors and consulting companies about the password lockout policy.
Until recently, the recommendation was to lock the user account after three to five unsuccessful attempts. What changed? Implementation of security standards and best practices introduced higher password complexity and more frequent user password changes. Majority of users have some kind of mobile device for connecting to an enterprise mail system. These devices cache user credentials and often lock-out user's accounts after password change. Virtualization also contributed to simplification of lockout policy since various user credentials can be cached on different physical and virtual machines.
Brute force attacks are measured in hundreds if not thousands of attempts in a short period of time, so it is now advised to lift the lockout attempt number to 60-100, or to turn the policy off completely and survey security logs with adequate tools.  

Let me just finish here in a nicer tone. ITIL is not too prescriptive in telling you how exactly to do things.
In the above example, if you process Service Requests as a special category Incidents, you are still in the green. Customers get their service, all needed reports can be generated as agreed, KPIs are there, you are good!

We are in business of keeping the customer business going. In the spirit of current holidays, I wish you the very best of luck with it. Because you are going to need it :)

For further reading I recommend 4.2 Incident Management, 4.3 Request Fulfilment and 4.5 Access Management chapters in ITIL Service Operation book.

Also, have a look at articles:

• Incident Management
• Change Management

Change Management Quick Reference

"It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change." -Author unknown, commonly misattributed to Charles Darwin.

"It is not necessary to change. Survival is not mandatory." -W. Edwards Deming.

"The only man I know who behaves sensibly is my tailor; he takes my measurements anew each time he sees me. The rest go on with their old measurements and expect me to fit them." -George Bernard Shaw.

Change Management (CM) is the most complex process in Service Support. It's
importance resides on a fact that over 80% of incidents emerge from performed changes. Therefore changes should be managed. Most of the ITIL compliancy projects fail at CM. It requires a high level of collective discipline, skills and mindset.

There is a connection of Change with all other ITSM disciplines, but especially with Release, Configuration and Capacity Management.
For your convenience, here are Change Management quick reference data I gathered for my ITIL Service Manager exam:



Definitions:

• RFC - Request For Change: can be triggered from different sources: Incident/Problem resolution, introduction/upgrade/removal of the CI...
• FSC - Forward Schedule of Changes: details of all the Changes approved for implementation and their proposed implementation dates
• PSA - Projected Service Availability: contains details of Changes to agreed SLAs and service availability because of the currently planned FSC
• CAB - Change Advisory Board: a body that approves Changes and assists Change Management in the assessment and prioritization of changes, composed of major stakeholders impacted by the change and technical staff responsible for tech. implementation
• CAB/EC - Change Advisory Board / Emergency Comitee: a smaller body with authority to make emergency decisions in case of Urgent Changes
• CMDB - Configuration Management Database

Goals

• To minimize the adverse impact of change upon service quality
• To ensure standard methods and procedures are used for efficient and prompt handling of all changes
• To assess the potential benefits of change to the organization against the risk and associated costs to the organization

Picture: Change Management Mind Map


Process

• raising and recording Changes
• assessing the impact, cost, benefits and risk of Changes
• developing the business justification and obtaining approval
• management and co-ordination of Change implementation
• monitoring and reporting on the implementation
• closing and reviewing the Change requests

Inputs

• RFCs
• CMDB
• FSC - Forward Schedule of Changes

Activities

• Initiating and logging
• Initial filtering
• Allocating initial priority
• Categorization
• Assessing impact and resource
• Authorizing and approving
• Scheduling
• Building
• Testing
• Implementing
• Reviewing
• Management reporting on Change Management quality and operations

Outputs

• FSC
• RFCs
• CAB minutes and actions
• Change Management Reports

Picture 1: BASIC Change Management Process


Benefits

• Less adverse impact of changes on the quality of IT services and SLA
• A better assessment of the cost of proposed changes, before it is incurred
• A reduction in the number of changes that have to be backed-out, but an ability to be able to do this more easily
• An ability to absorb a higher level of change without difficulty
• Increased visibility and communication of changes to both business and service support staff
• Improved risk assessment
• Improved Problem and Availability mgt. trough the use of valuable management information relating to changes
• Increased productivity of key staff as less need for diversion from planned duties to implement urgent changes or back our erroneous changes

Possible Problems

• Implementing on over bureaucratic process
• Attempt to bypass the process
• Paper based system - bottleneck
• Cultural difficulties - getting buy-in
• Contracts and third parties
• Scope of change is too wide
• Ownership of impact systems is unclear
• Lack of Configuration Management
• Inaccurate configuration details leading to poor impact assessment
• Lack of management commitment
• Poor synchronization of upgrades between platforms and across locations
• Back-out procedures are missing or not tested
• Handling of urgent changes
• Progressing RFC is too manually intensive
• Complex distributed or mobile infrastructure
• Time-scales (too ambitious)
• Lack of resources (people, products)

Picture 2: STANDARD Change Management Process
Responsibilities
Change Manager:

• Receive, log and allocate priority to all RFCs. Rejects inappropriate RFCs
• Table RFCs for CAB meetings
• Decides meeting participants according to RFC nature
• Convene Urgent CAB or CAB/EC meetings for all URGENT RFCs
• Chair ALL CAB meetings
• Authorize acceptable Changes (according to CAB decisions)
• Issue FSC via Service Desk
• Liaise with all parties to coordinate change building, testing and implementation
• Update Change log with progress
• Review implemented changes
• Review all outstanding RFCs waiting consideration or action
• Analyze Change records to identify trends or apparent problems that can occur
• Close RFCs
• Management reporting

CAB:

• Review all submitted RFCs. As appropriate, determine and provide details of their likely impact, the implementation resources, and the ongoing costs of all Changes.
• Attend all relevant CAB or CAB/EC meetings. Consider all Changes on the agenda and give an opinion on which Changes should be authorized. Participate in the scheduling of all Changes.
• (CAB/EC only). Be available for consultation should an urgent Change be required.
• Provide advice to Change Management on aspects of proposed urgent Changes.

Picture 3: URGENT Change Management Process


Key Performance Indicators
Controlling Changes

• Number of RFCs processed
• Number of RFCs rejected
• Number of unauthorized changes detected
• Number of RFCs implemented on schedule
• Number of RFCs requiring reschedules

Making Quick and Accurate Changes Based On Business Priorities

• Number of RFCs marked as URGENT
• Number of RFCs not tested prior to implementation
• Number of RFCs that failed
• Number of RFCs without business case
• Number of RFCs bypassing CAB or CAB/EC

Protecting Services When making Changes

• Number of high Severity incidents caused by RFC implementation
• Number of other incidents caused by RFC implementation
• Number of RFCs without a backup strategy