Thursday, June 05, 2008

ISO, ITIL and COBIT triple play fosters optimal security management execution

Home Source: http://www.scmagazineuk.com/ISO-ITIL-and-COBIT-triple-play-fosters-optimal-security-management-execution/article/108620/

This information comes from a survey of security professionals conducted for ESG's recent research report, Security Management Matures. The survey covers organizations with 1,000 or more employees and asks which commercial frameworks, including ITIL, Cobit and ISO, they have implemented.

ESG discovered that 72 percent of North American enterprise-class organizations say they are implementing one or more formal IT best practice control and process models.

Among survey participants, 18 percent have simultaneously implemented ITIL, ISO and COBIT. Of those implementing just one set of standards, ITIL is the most frequently selected (16 percent) followed by ISO (11 percent). A significant 17 percent have not implemented any type of framework at this time. An additional 20 percent have implemented other best practices or did not know whether their organization used these types of frameworks.

Over three-quarters (76 percent) of the organizations implementing all three sets of guidelines indicate that demands to comply with external regulations were very influential in defining their security management requirements during the past year. In contrast, only 44 percent of those implementing ITIL alone and 51 percent of those with no frameworks in place felt the same way.

For those organizations implementing all three best practices guidelines, the data reveals that regulatory pressures impact multiple business activities, as these organizations are required to comply with diverse regulatory requirements, such as Sarbanes-Oxley, PIPEDA (Personal Information Protection and Electronic Documents Act, Canada), FISMA (Federal Information Security Management Act), HIPAA (Health Insurance Portability and Accountability Act) and PCI DSS (Payment Card Industry Data Security Standard). Across all of these different regulatory requirements, organizations implementing all three sets of best practices guidelines are significantly more likely to be subject to those requirements than are organizations with a lesser number of best practices frameworks currently in place.

Combined, these forces require organizations to promote extensive and ongoing communication, cooperation and reporting capabilities across information security groups, data center operations teams, e-mail administrators, facilities, human resources and other business groups in order to assure that information security control policies are implemented consistently across the business. By combining the detailed security specifications from ISO, IT operations and cross-IT workflow integration best practices from ITIL, and governance and control models from COBIT, the most sophisticated firms are able to address the full range of compliance and audit requirements set before them by government and industry compliance mandates.

ESG found interesting relationships between an organization's degree of implementation of security and governance standards and the amount of cooperation between different IT groups within that organization. Organizations implementing all three sets of best practices recommendations are most likely to report significant levels (62 percent) of cooperation between IT operations and information security groups, compared with 56 percent of those implementing ITIL only and just 46 percent of those that have not implemented any frameworks. Interestingly, those organizations that have not implemented any frameworks are most likely to have merged IT operations and information security groups (29 percent), compared to just 14 percent of those implementing multiple frameworks.

In my opinion, I now understand better why companies implement more than one standard in the organization. Because of the complex requirements across business, security and IT teams, these three groups in fact work together. As common sense says, IT supports the business, but IT services cannot do without security. As ESG's summary puts it, organizations introduce ITIL, ISO and COBIT for compliance requirements on governance, operational process and information security policy integration.

Alphabet Soup: Cobit, ITIL and ISO

Home Source: http://www.csoonline.com/article/221411/Alphabet_Soup_Cobit_ITIL_and_ISO

This is Malcolm Wheatley's interview with the expert Gary Hardy. Hardy is an adviser to both the IT Governance Institute and the Information Systems Audit and Control Association (ISACA), and has been a member of the latter for more than 25 years.

The interview addresses the question “How do Cobit and ITIL differ?” Hardy's answer is “Cobit [control objectives for information and related technology], whose latest version, the fourth release, was launched in November 2005, is a high-level set of objectives with management and assurance tools for overall IT governance. People call it a standard, but it is not a framework. ITIL, a set of best practices, is mostly focused on service delivery and service management, the delivery of IT services in terms of the processes that should be followed.” Hardy also explained that people say Cobit is what you should do, and ITIL is how you should go about doing it, accepting that ITIL has a narrower scope.

Malcolm Wheatley then asked how ITIL approaches security issues. Hardy's answer is “ITIL talks about security, but mostly in the context of service delivery. Frankly, security isn't really what ITIL is focused on, it's not its core strength, and it's not what people go to ITIL for.”

Malcolm Wheatley's last question was about how Cobit approaches security issues. Hardy explained that Cobit has always been security-oriented, and at a high level sets out what should be done about security and the things that security should focus on. Cobit provides a set of objectives and guiding principles.

In my opinion, if a company is service-oriented, such as Acer eDC, it is better to use the ITIL framework to certify the quality of its services. If an organization or company focuses on the security aspect, it should take the Cobit standard. As the expert Hardy explained, Cobit is security-oriented and sets out the things that should be done about security. If the Cobit standard is not popular in the location, ISO17799 may be another choice. Enterprises can choose the standard they need.

ITIL V3 Certification

Home Source:
http://www.itil-officialsite.com/Qualifications/ITILV3QualificationScheme.asp
http://www.itil-officialsite.com/Qualifications/ITILV3CreditSystem.asp

The ITIL version 3 certification has five core subjects: Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement. Each core subject covers the following knowledge areas:

Service Strategy
– Value Creation
– Business Fundamentals of services
– Service Provider Types
– Service Structures
– Service Strategy Processes
– IT Financial Management
– Service Portfolio Management
– Demand Management

Service Design
– Service Design Principles
– Service Design Processes
– Service Catalog Management
– Service Level Management
– Capacity Management
– Availability Management
– Service Continuity Management
– Information Security Management
– Supplier Management
– Application Management
– Requirements Engineering

Service Transition
– Service Transition Principles
– Service Transition Processes
– Change Management
– Configuration Management System
– Service Asset and Configuration Management
– Knowledge Management
– Service Releases Planning

Service Operation
– Service Operation Principles
– Service Operations Processes
– Event Management
– Incident Management
– Problem Management
– Service Request Management
– Functions (Detailed Information for each)
  – Service Desk
  – Technical Management
  – IT Operations Management
  – Applications Management

Continual Service Improvement
– Continuous Improvement Fundamentals
– Continuous Improvement Principles
– Continuous Improvement Models
– Measurement and Control
  – Measurement
  – Benchmarking
  – Reporting
– Implementation Consideration
– Service Level Management

There are four certification levels for ITIL version 3:
  • Foundation Level.
  • Intermediate Level (Lifecycle Stream & Capability Stream).
  • ITIL Expert.
  • ITIL Master.

Foundation Level
The Foundation Level focuses on knowledge and comprehension to provide a good grounding in the key concept, terminology and processes of ITIL.


Intermediate Level
There are two streams in the intermediate level. Both assess an individual's comprehension and application of the concepts of ITIL. Candidates are able to take units from either of the intermediate streams, which give them credits towards the diploma.

  • Intermediate Lifecycle Stream - 5 individual certificates built around the five core OGC books: Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement.
  • Intermediate Capability Stream - 4 individual certificates loosely based on the current V2 offerings but broader in scope in line with the updated V3 content.

ITIL Expert

To achieve the ITIL Expert in IT Service Management, candidates must successfully complete, in addition to the Foundation Level, a number of intermediate units and the Managing Through The Lifecycle capstone course. This course brings together the full essence of a Lifecycle approach to service management, and consolidates the knowledge gained across the qualification scheme.

ITIL Master
This level of the qualification will assess an individual's ability to apply and analyse the ITIL concepts in new areas. This higher level qualification is currently under development.

Relationship Between Version 3 & Version 2
Individuals with existing ITIL v2 qualifications can use those qualifications as credits towards the Expert or may find that the credits or qualifications they hold will make them eligible for the current v3 Bridging routes.


Foundation level - There is a short bridging course which covers the differences between v2 and v3 and allows someone to take an exam to demonstrate their understanding of the ITIL v3 approach.

ITIL v2 Practitioner qualifications count towards the ITIL Expert in Service Management. Depending on whether an individual holds a single topic certificate or a clustered certificate the credits will vary.

Any ITIL v2 Service Manager who wishes to gain the v3 Expert Level can take a bridging course and must pass the v3 Managers Bridge examination. The course covers the new concepts within ITIL v3 and fully integrates the benefits of the Lifecycle approach.


In my opinion, the ITIL version 3 certification is more difficult than version 2. I can understand that the version 3 qualification is at a higher level than version 2. If candidates don't have the version 2 certification and jump straight to version 3, it is a huge challenge, because the version 3 concepts are based on version 2 and extend it. Taking the version 3 certification without version 2 knowledge carries a high risk of failing the examination, which wastes time and money. I don't think that investment makes sense. I believe the best strategy is to hold the version 2 certification and then upgrade to version 3.

Wednesday, June 04, 2008

Risk? Survey Shows Information Technology Infrastructure Library (ITIL) Benefits Are Exclusive

Home Source: http://www.riskcenter.com/story.php?id=16186

This is based on a recent Compass survey of global adopters' experience of introducing the ITIL framework into the organization. The information refers to Gregory Beat's report.

The survey comprises 70 responses from executives with organizations from at least eleven different countries. Of the respondents, 82 percent started their ITIL implementation program at least eighteen months beforehand and should therefore be qualified to comment on their ITIL processes and the benefits that their ITIL program is delivering.

Respondents were asked to categorize the maturity of eight core ITIL processes: Incident, Change, Problem, Service Level, Continuity, Availability, Configuration and Capacity. The results from these responses (Established, Mature, and World Class) show Incident Management (90%) to be the most mature and Capacity Management (35%) to be the least mature of ITIL processes. Of potential concern to executives is the finding that Configuration Management (40%), widely accepted as the underpinning of all other core ITIL processes, is regarded as less mature than almost all others.

Respondents were then asked to describe their level of confidence that their ITIL program is delivering tangible improvements in IT performance.
Unsurprisingly, respondents expressed a relatively high degree of confidence: about 67% (Fully Confident 31%, Fairly Confident 36%), with just 20% responding Some Confidence and 13% feeling Little Confidence / Don't know.

The interviewer then asked executives how well they measured the maturity of their ITIL processes. Only 4 percent of respondents felt able to say that all of their ITIL processes were fully measured for maturity, 28 percent said all ITIL processes had some measures, and 55 percent said some processes had some measures. About 13 percent had no measures for any ITIL process.

Respondents were asked to define how well their organizations could measure the impact of process maturity on performance improvement. Surprisingly, only 9 percent of respondents (six out of seventy) felt able to say that the relationship was based on full measures, fully linking process maturity with performance. Seventy-two percent felt unable to acknowledge any linkage at all between process maturity and performance improvement.

As a result, what I can see is that most adopters are still at the ITIL introduction stage: some adopters have just started, some started a few months ago, and not many adopters have finished the whole process of IT service improvement. This is because the implementation process typically takes time, which is spent on training, documentation, tool integration and so on. People also take time to adapt to the change in enterprise culture. As common sense says, one size cannot fit all audiences when using best-practice guidelines to increase the efficiency of service management. Enterprises should establish a baseline for performance improvement and review it on a schedule, to reduce the risk of failure. The benefits may not appear as immediate cost savings, but ITIL will certainly bring about long-term business benefits.

The Top 10 Strategic Benefits of ITIL

Home Source: http://www.cmpp.net/CMS/Media/Docs/ITIL/The%20Top%2010%20Strategic%20Benefits%20of%20ITIL.doc

According to the Introductory Overview of ITIL, the itSMF provides example figures from their research detailing some of the improvements businesses are experiencing every day:
  • More than 70 percent reduction in service downtime
  • ROI up by more than 1,000 percent
  • Savings of nearly $200 million annually
  • 50 percent reduction in new product cycles

Given these example figures, how can we get those benefits through planning? The following top 10 strategic benefits of ITIL come from the CMPP; they may help adopters see where they can get benefits from business improvements. The 10 strategic benefits of ITIL are as follows:

  1. Provides a single, definable, repeatable, and scalable documented framework for IT best practices that flows across the IT organization.
  2. Clearly identifies roles and responsibilities for IT Service Management.
  3. Supports reducing IT costs and justifying the cost of IT quality.
  4. Supports ability of IT to measure and improve internal performance and service provisioning.
  5. Defines IT in terms of services rather than systems.
  6. Supports improvement of user productivity.
  7. Improves communication and information flows between IT and organization business departments.
  8. Provides a framework for IT to support regulatory challenges.
  9. Improves ability of IT to adjust as business opportunities and challenges are presented.
  10. Improves relationship of IT with the business – builds trust.

In summary, the ten points are a good way to let adopters realize in which areas they can get benefits if they introduce the ITIL standard into the organization. Do the benefit figures always come true? I don't think so, because the figures are only references. How much will the adopter gain? That will depend on the adopter's execution ability during the ITIL introduction. As we know, there are many factors which will affect the final result, and gains differ between industries. However, I believe adopters will reap the benefits in time.

ITIL V3 Foundation Overview Diagram

Home Source: http://www.zyworld.com/geoffharmer/ITIL_V3_Foundation_Overview_Diagram_V3.2.pdf



The latest version, ITIL version 3, has five core areas, which include Service Strategy, Service Design, Service Operation and Continual Service Improvement. But what is the relationship between those five core subjects and people, processes, products and partners' knowledge? It is too complicated and challenging to describe those scenarios in a few words. If we don't have real case experience, how can we draw up that diagram? What can I say? It is an impossible mission. Fortunately, I found that diagram on the Zyworld web site. It is very useful for helping people understand the relationship between people (users), processes (five core subjects), products (CMDB, SKMS) and partners (outsourced or in-house design). With this diagram's help, it is easier to understand the ITIL version 3 objectives.


ITIL Certification

Home Source: http://gllig.org/docs/ITIL_Certification_Presentation.ppt

Here is some information about ITIL certification. The information comes from the Great Lakes LIG's ITIL Certification Presentation. According to the presentation, both the company and the employee benefit when they get the ITIL certification. The benefits of ITIL certification fall into two parts: one for the company, the other for the employee. What are the benefits for the company and the employee? The answer is as follows:

Benefits to Company:

  • Certification provides an objective demonstration of the Company's breadth and currency of knowledge, which builds credibility and provides the competitive edge.
  • Measurable improvement in product and service quality.
  • Fosters customer confidence based on evidence of qualifications and suitability for the projects.
  • Benchmarks IT skill sets possessed by its employees

Benefits to Employees:

  • Certification provides a highly effective and practical way to: gain additional knowledge and skills to perform current job more effectively.
  • Acquire third party validation of knowledge and skills.
  • Common understanding of Industry standards and terminology.
  • Professional recognition and networking with other professionals.

ITIL Certification Providers

EXIN - The National Exam Institute for Informatics (Netherlands)

ISEB - The Information Systems Examination Board(UK)

Types of ITIL Certification

Foundation - Fundamental Level. Basic Understanding of the ten ITIL Service Delivery and Service Support processes and the Service Desk.

Objective: - Introduce knowledge and understanding of IT Service Management concepts and terminology, and insight into the applicability of IT Service Management.

Suitable for: - All personnel who wish to become familiar with the best practices of ITIM as defined by OGC ITIL guidelines.

Exam Qualification requirements:
No Formal entry requirements
Some experience in IT

Exam Format:
Closed book Multiple Choice
40 questions on Service Delivery, Service Support and Service Desk

Exam Duration: 1 hour

Exam Assessment:
Required to score 65% to pass (26 out of 40)

Cost:
Training Cost: $ 200 to $ 2500 approx
Exam Fee: $ 135 USD

Practitioner - In-depth understanding of one of the ten ITIL process areas

Objective: - Provide the knowledge and skills necessary to plan, implement and execute the IT Service Management processes.

Suitable for: - Person with responsibility for the definition, execution and maintenance of a specific ITSM process or processes in the Organization.

Exam Qualification Requirements:
Demonstrate one year's experience in Practice area
Attend accredited course and complete in-course assignment
Hold Foundation Certificate in ITSM

Exam Format:
Closed book Multiple Choice
25 questions based on Case Study

Exam Duration: 1 hour

Exam Assessment:
Combined total score of 65% to pass (50 % of In-course Assignment & 50% of Exam score)

Cost:
Training Cost: Approx $ 2500
Exam Fee: $ 160 USD

Manager (Masters) - Broader understanding of all ten processes and the Service desk function

Objective: -Provide the knowledge and skills necessary to plan, implement and execute the IT Service Management processes.

Suitable for: - Person with responsibility for the definition, execution and maintenance of a specific ITSM process or processes in the Organization.

Exam Qualification Requirements:
Demonstrate one year's experience in Practice area
Attend accredited course and complete in-course assignment
Hold Foundation Certificate in ITSM

Exam Format:
Two Closed book essay exams based on Case Study (Paper 1 Service Support, Paper 2 Service delivery)

Exam Duration:
3 hours each in a period of 24 hours

Exam Assessment:
Achieve a total score of 50% or more in both of the written exams

Exam Offered in:
January, April, July, October

Cost:
Training Cost: Approx $ 6000 – 10,000
Exam Fee: $ 360 USD

In my opinion, the ITIL certification is quite useful worldwide. No matter where they come from, professionals share the same language for communicating and working together. Those exams also take a lot of time to prepare for. Before we get the benefits, we need to pay a lot of money for the training and examination. The total cost is also expensive. That could be another long-term investment. I believe the result is excellent when we have the certification.

Tuesday, June 03, 2008

ITIL implementation checklist

Home source: http://www.cce.umn.edu/pdfs/CPE/ITIL/Preflight_checklist.pdf

The following information is a checklist from the University of Minnesota. The checklist is used to prepare for introducing ITIL. It includes eleven items for an organization to consider before an ITIL implementation. The checklist's content is as follows:

Organizational Support
The following organizational entities are aware of ITIL and are supportive of its goals:
  1. CEO / President
  2. CIO / CTO / VP of IT Operations
  3. CFO / VP of Finance
  4. IT Managers
  5. Business unit Managers
  6. Board of Directors
  7. Union representatives

Baseline Assessment

  1. A baseline assessment has been administered to measure the organization’s current compliance with ITIL processes, with a gap analysis that indicates areas of deficiency.
  2. The organization has administered a survey of the IT department’s internal customers and users to determine a current level of satisfaction with the services it provides.

Scope of Implementation

  1. The organization has determined which of the 11 ITIL processes / functions it plans to implement, in which sequence, and has created a timeframe for doing so.
  2. A specific implementation maturity level has been agreed upon for each of the processes that are to be adopted. Stages of implementation include:
  • Initial: The process is recognized but there is little or no process management activity.
  • Repeatable: The process is recognized and is allocated little importance, resource or focus within the operation.
  • Defined: The process is recognized and is documented but there is no formal agreement, acceptance nor recognition of its role within the IT operation as a whole.
  • Managed: The process is fully recognized and accepted throughout IT, it is service focused with objectives and targets that are based on business objectives and goals.
  • Optimized: The process is fully recognized and has strategic objectives and goals aligned with overall strategic business and IT goals.

Training Strategy

  • A budget for training and certifying the staff has been created and approved.
  • The staff that is to receive ITIL Foundation training has been identified.
  • The staff that is to receive ITIL Practitioner training has been identified.
  • The staff that is to receive ITIL Manager training has been identified.
  • A training vendor has been selected.
  • A training schedule has been created.
  • An organizational change management strategy has been implemented.

Certification Strategy

  • The number of staff to be Foundation certified has been established.
  • Provisions have been made for purchasing and administering the Foundation exam.
  • Provisions have been made for purchasing and administering the Practitioner exams.
  • Provisions have been made for purchasing and administering the Manager exam.
  • A policy has been established to accommodate participants who fail the exam.

Staffing

  • Process owners have been identified for each ITIL process to be implemented.
  • Key staff members have been empowered to carry out the implementation process.
  • A CTO, VP of IT operation or other staff person has been selected to be responsible for overall implementation of IT Service Management.

Communication

  • An ITIL implementation vision has been created, endorsed by upper management, and communicated to all stakeholders.
  • A series of information sessions have been scheduled to apprise staff of the purpose and benefits of implementing ITIL.
  • The Service Desk has established a procedure to provide regular updates to all internal customers regarding usage, trends and customer satisfaction ratings, either via email or the Intranet.

ITIL Resources

  • Sufficient copies of the ITIL Service Support and Service Delivery books have been acquired and are available in the organization’s resource center.
  • An on-line version of these books, including a multi-user license, has been acquired and is accessible to employees via the organization’s Intranet or other file server.
  • An organization membership to the local itSMF (IT Service Management Forum) has been established.
  • Mentoring and consulting by a peer organization has been arranged.

Reporting and Record Keeping

  • The IT department is prepared to publish a catalog of the services they provide internal customers, with prices based on differing levels of service.
  • A CMDB (Configuration Management Database) exists, is regularly maintained, represents an accurate inventory, and captures the data necessary to be an effective tool for those ITIL processes that depend on it.
  • Service Level Agreements (SLAs) have been created between the IT department and its internal customers and users, and are published in clear, non-technical language.
  • Underpinning contracts between the IT department and external vendors are in place, written so as to be clearly understood, and renewed on an annual basis.
  • Business continuity and disaster recovery plans have been created by the organization (not a vendor) that are current, simple, and detail the steps necessary to recover from unforeseen or difficult circumstances.
  • A liaison has been established between the business units and the IT department to assure compliance with regulatory requirements such as Sarbanes-Oxley.

Measurement and Assessment

  • The Service Desk maintains records of all calls and their resolution, and publishes these regularly.
  • A set of metrics, based on a recognized business measurement philosophy such as the Balanced Scorecard©, is in place to capture and analyze IT service management processes and their interrelationships.

Assuring On-Going Success

  • An organizational change management class has been scheduled to provide the necessary training to key staff.
  • An IT process improvement team has been established to monitor progress of ITIL implementation.
  • ITIL terminology has been incorporated into the staff’s annual performance plan, with incentives for employees who suggest improvements in the IT service management.

In my opinion, the checklist is very good material which gives adopters a direction for evaluating whether the organization's current state is ready for introducing the ITIL framework. The eleven items in the checklist should help the enterprise avoid mistakes or overlooking components they might forget. I cannot find a checklist like this available on other consulting companies' web sites. Maybe it is a secret weapon for the consulting companies as well.

ITIL: 10 deployment mistakes

Home Source: http://searchcio.techtarget.com/news/article/0,289142,sid182_gci1304412,00.html

In his article, Guglielmo addresses the following 10 biggest mistakes that IT organizations could make during the first year of an ITIL implementation. If an enterprise makes any of these mistakes, it will affect the success of the ITIL implementation. The 10 mistakes are as follows:

Mistake No. 1: There is no vision. No one is sure of what is happening with ITIL and there are no clear answers.
Mistake No. 2: Top-down commitment isn't necessary. The project can be infiltrated via middle management.
Mistake No. 3: We don't need a business case. We know why ITIL is important and why we're doing it.
Mistake No. 4: We don't need an initial baseline. Let's just get started.
Mistake No. 5: ITIL is not a strategic project, so we can use existing resources to implement it.
Mistake No. 6: We don't need a communications strategy. A few emails and a kickoff meeting will suffice.
Mistake No. 7: We don't need an overall process strategy. Different process teams can do their own thing and we'll worry about process integration later. Let's just get it done.
Mistake No. 8: We'll start with a new tool and build processes around that later.
Mistake No. 9: Unmanaged scope creep. Manage growth as you go along.
Mistake No. 10: We don't expect much resistance to ITIL. We'll just tell them what to do.

As Guglielmo said, “organizations often make mistakes within the first year of an ITIL implementation, and that's normal.” If an enterprise understands early that its direction is wrong and brings the project back on track, that may not be too bad. If it doesn't know, it just wastes time and money.

In my view, enterprises make those mistakes because of poor analysis of the business needs, weak project management and poor communications. Also, the enterprise doesn't really concentrate on the ITIL introduction. Those mistakes could take the business down, because once something has been changed, the situation cannot be reversed. So, to avoid those mistakes, the enterprise has to carry out an IT services assessment first, and then decide which part to change first and which to follow. Do the ITIL introduction step by step, and the benefits can be seen easily.

Monday, June 02, 2008

NYLI: The more mature the IT environment, the more considerable the value

Home Source:
http://app.digitimes.com.tw/print.aspx?zNotesDocId=0000077689_B8Q6997A3572UR8LPEQOI

The following information which comes from the reporter Geng Huiru's reported.

Several year ago, the goal of system induction is for increases the work performance and helps the company reduces the operation cost. But IT already became an essential and auxiliary item indirect on the operation activity today, any new system induction, changing, that already could not ponder only for increase business operation effective. Because of the stakeholder, “profits” and “efficiency” is their most important goal. IT manager understands that is most important which besides reduce the cost and how to create the competition for the company based on the system.

Now the IT department must pay attention not only to introducing systems; it should also know how to use intelligent methods to integrate the systems properly with one another.

At present the New York Life Insurance information service department has 40 people altogether: 30 are responsible for system development, and the other 10 are responsible for maintaining the infrastructure, including the database, networking, equipment maintenance service, server room operation and so on. Many people think that only introducing application systems can increase competitiveness. In Qingtong’s opinion, both groups, application systems and infrastructure maintenance, are important, although the two groups’ manpower is disparate. Therefore, New York Life Insurance plans to introduce ITIL’s Help Desk and the related processes in 2008.

In many people's understanding, introducing ITIL is a huge project that generally only large enterprises undertake, because they have very high SLA requirements and therefore bring ITIL into their business processes. Why would a company of ordinary scale such as New York Life Insurance care about SLAs? This is because I believe that IT needs to create an automated support system.

At present, equipment repair requests from our regional business units are made by telephone. Four people in the IT unit handle this work, and these four colleagues must support approximately 300~400 front-end users, so the workload is very heavy. It is very difficult to set KPIs to measure their performance. Therefore Qingtong thought it necessary to build a regulated, systematic maintenance process and to assess what response is suitable, and also to let them know what they must achieve according to the regulations. On the other hand, an automated workflow may let users trust the IT department. New York Life Insurance has about 200 external locations across the regions of Taiwan. Many of them have only 1~2 colleagues; if the company can create a unified, automated equipment repair workflow, the colleagues at these locations can fix problems quickly under the standardized workflow, even without assistance from IT personnel.

What I understand from this case is that it is very hard to measure IT services quantitatively, and that ITIL is introduced so that achievements can be appraised. There is no doubt about the importance of IT services, but at the current stage profit is the key. Most high-level management holds those ideas. I am not worried about that, because it is natural in the real world.

Mr. LDAP: Data centre management automation is the first step to ITIL success

Home Source: http://www.ithome.com.tw/itadm/article.php?c=44140

Timothy A. Howes, one of the initiators of LDAP and Opsware’s CTO, believes that automated data centre management will in future be an important component for all enterprise applications.

He pointed out that when establishing a framework such as ITIL, an enterprise will find it very difficult to succeed without the support of automated management tools. As the enterprise's equipment grows in number, automated management procedures become more important.

He believes that automated data centre management is the most important factor. Generally, the reason enterprises fail at introducing ITIL is that users do not follow the standards the enterprise formulates. The enterprise writes a thick standard and gives it to the users, but it is very difficult to require users to follow the standard completely. A data centre automation management tool, however, can actually make users follow these standards. Therefore I think that when an enterprise takes its first step on ITIL, besides understanding which applications need to be managed and how many physical and virtual devices need to be managed, a very important point is that a data centre automation management tool must be used for the management, so that the human factor can be reduced.

As the enterprise’s physical and virtual equipment grows in number, we believe that if the enterprise does not understand the connections and relationships between its applications and the infrastructure, it is very hard to manage the data centre. We need to understand which equipment is being used in the data centre and define the relationships clearly; then we can see the whole picture of the enterprise's IT architecture. Only automated management tools can achieve this, and only in that way can an enterprise have a highly efficient environment for managing its data centre.

In the 90s, what an enterprise spent on data centre management was possibly only half of what it spends at present; now things are different, and enterprise spending on managing data centre equipment has increased greatly. This indicates that automated management software is able to reduce the cost of an enterprise’s data centre management.

The visibility of most enterprise data centers is very low now. The IT personnel who manage the network may know only the condition of the network equipment, and the IT personnel who manage servers may know only the condition of the servers, which means nobody can see the overall operating condition. When an enterprise application crashes, each person attempts to solve the problem based on the conditions they know, and this is usually ineffective. Automated management tools, however, can provide higher visibility and help the enterprise find the problem quickly and then solve it.

Automated data center management provides the same information across the IT department, so that members of different teams can see the complete picture of the programs and the hardware equipment. Introducing automated management procedures is therefore very important; it can help personnel discover that the performance of a certain application is low. But most enterprises do not like changing their existing workflow patterns, so automated data center management tools should be introduced gradually, according to demand. An enterprise can start with server management and later, as network equipment grows in number, move on to automated management of the network equipment. In this way the enterprise may not need to change much, yet introducing part of the automated management actually paves the way for the enterprise's future change, and the impact can also be small.

Enterprises should think about how to use data centre automated management tools to change the existing architecture quickly and to reassign resources to support process changes, reducing the enterprise's management and maintenance costs.

From my point of view, automated data center management supports personnel in monitoring all the equipment, solving problems within a short time and with less impact on business operations. It also reduces maintenance costs in the long term.

Sunday, June 01, 2008

IAC: Integrating ITIL with Six Sigma

Home Source:
http://www.ithome.com.tw/itadm/article.php?c=44586

The following information comes from a report by the reporter Whiffen Yang.

Inventec Appliances Corp. (IAC) also began introducing ITIL v.2 in April 2007. It uses the ITIL framework to achieve Six Sigma, actively reducing problem processing time while also enhancing the value of senior IT personnel.

During the ITIL introduction, IAC not only conformed to the ITIL standard but also integrated it with the Six Sigma methodology. Briefly, it uses the ITIL methodology to achieve the Six Sigma requirements.

DeLong Cai, senior manager of IAC's information department, indicated that although Six Sigma and ITIL both emphasize improving IT workflow and service quality, each has different advantages that can complement the other. Six Sigma is broadly used in the manufacturing industry. Because Six Sigma improves quality through statistical quantification, the enterprise has a rigorous set of calculation formulas, but Six Sigma does not actually have a practical method for dealing with the targets it quantifies. The ITIL framework, however, has methods for handling the quantified targets, which makes up for this gap.

DeLong Cai pointed out that IAC started evaluating ITIL in January 2007, and that the Service Desk and Incident Management implementation was already completed in April. The reasons for introducing ITIL as a Six Sigma project were mainly cost and faster response to user demand. IAC had two problems before the service desk was set up. End users liked to ask IT personnel they knew to solve their problems, but if those IT personnel were busy or out of the office, the end user’s problem could not be solved immediately, so IT service quality was not ideal.

From the cost aspect, the original procedure was also inefficient, because senior IT personnel draw high salaries from the company but actually spent their time on low value-added work. Sometimes they could spend possibly only half their time on development, because they were busy with end users’ issues. After ITIL was introduced, end users’ issues can be handled through a service window, and senior personnel have much more time to concentrate on more difficult development work.

At present IAC’s ITIL introduction project is still in progress. According to the current plan, work on the Service Level Agreement (SLA) will hopefully proceed in 2008. DeLong Cai pointed out that the ITIL application will eventually expand to external enterprises, letting customers raise their problems and get a response immediately and directly, according to their rights. This linkage also needs to be improved, because IAC deals with both OEM and ODM. They are dispersed across various countries around the world and operate in different time zones with different ways of operating. Web technology is used to reduce the processing time.

What I understand from this case is that even though ITIL is the best practice, there are still some areas that ITIL can fully cover. In that case, it would need to be combined with other standards in the future, as IAC implemented the Six Sigma standard and ITIL within the same project, because the two are closely related in the real world.

ITIL: Brings two kinds of certification

Home Source: http://www.ithome.com.tw/itadm/article.php?c=35074

The following information comes from a report by the reporter Whiffen Yang.

For an individual, certification can prove the ability to carry out ITIL; for an enterprise, certification can verify that its ITIL introduction follows the international standard.

As ITIL has gradually extended to ISO20000, there are two kinds of certification: ITIL certification for individuals and ISO20000 certification for enterprises. For individuals, related training programmes can be found on the net. More than 50 enterprises worldwide have obtained the certification, such as IBM, CA and Microsoft. Not many of Taiwan's enterprises have obtained ITIL certification. If an enterprise only improves parts of its operational processes using the ITIL methodology, the ITIL introduction may focus on where it is most needed; whichever part adopts the ITIL framework, the enterprise has introduced ITIL. For example, many enterprises implement only Incident Management and the Service Desk, and this also counts as introducing ITIL. But if an enterprise wants to obtain the international standard certification ISO20000, it must introduce ITIL in every IT service management process.

Because the key point of the certification audit is checking that the processes meet the standard, an enterprise can pass certification as long as its process coverage fits the standard, no matter how effective its ITIL is.

On that premise, if an enterprise obtains certification for commercial purposes, it may neglect the effectiveness of IT service management. Focusing on improving IT infrastructure and service management is the true goal of introducing ITIL.

The greatest significance of ITIL certification is that it proves an enterprise has practical ability in ITIL implementation. At present ITIL certification is mainly divided into 3 levels: ITIL Foundation, ITIL Practitioner and ITIL Service Management. The certifications must be obtained in order: ITIL Foundation first, and then, according to one's own needs, ITIL Practitioner or ITIL Service Management.

ITIL Foundation is the most basic certification and mainly focuses on understanding ITIL concepts; ITIL Practitioner concentrates on practising the processes; ITIL Service Management requires both a full understanding of the ITIL concepts and practical ability in all the processes.

At present ITIL certification is mainly administered by two organizations, EXIN and ISEB. EXIN is a profit-making organization located in Holland that has also set up a subsidiary in the Asia-Pacific area; ISEB is a semi-official unit under the British Computer Association.

In my view, before we get the benefits of ITIL certification, we must spend a lot of money and time on training. Even though the examination has just three levels, the certification will take a long time. I believe the ROI is quite good, but we need to have the budget for taking the professional-level certification. We should also be patient in understanding all the material, and reap the rewards later on.

ASE: Introduce ITIL processes in an orderly way; do not attempt to complete the whole set immediately

Home Source: http://www.ithome.com.tw/itadm/article.php?c=43812

The reporter Whiffen Yang reported on a speech by Mincheng Sheng, information Vice-president of the ASE group.

Since ITIL officially became the international standard ISO 20000, more and more enterprises have gradually been improving their IT service management with the ITIL methodology. In this example, ASE shares information about its ITIL introduction with the public.

ASE's ITIL introduction is also quite complete. A key point that must be mentioned is that both Acer and ASE adopted the same pattern of introducing the ITIL processes in an orderly way.

Mincheng Sheng, information Vice-president of the ASE group, shared ASE’s experience of introducing ITIL at the invitation of the itSMF Taiwan branch. “An enterprise introducing the ITIL framework had better proceed in an orderly way and not attempt to complete the ITIL framework immediately. The reason is that if the scope is set too big at the beginning, the investment cost naturally increases, and this easily prompts disagreement from the boss. Therefore an enterprise should start from the point that has the highest benefit and the smallest impact,” he said.

In ASE's experience, the ITIL project started with Service Level Management more than two years ago and then progressed gradually to Change Management, Incident Management, Problem Management and so on. Mincheng Sheng said that both ASE and Acer began investing in ITIL by expanding the scope gradually. ASE has recently been extending slowly towards the configuration management information database (CMDB) and Change Management.

Many people think that introducing ITIL requires spending a lot of money, part of it on buying many tools, before IT service management can truly be achieved, but ASE did not spend much money introducing ITIL, Mincheng Sheng said. Taking the establishment of the CMDB as an example, ASE implemented its CMDB with its own method and did not invest much money in purchasing tools. The CMDB itself is the key, not the tool; what matters is to keep improving and managing the processes. As for the CMDB, there is actually no information service provider that can explicitly advise an enterprise on how to measure what it achieves so that it helps IT management.

ASE's approach is to take care of the most important systems. Mincheng Sheng explained that ITIL is actually about process management. In practical operation, however, each process has a different priority, and an enterprise should take care of its important software and hardware systems, for example ERP, servers or storage, and manage them strictly, which can probably satisfy about 95%~98% of IT service requirements.

In the past, the role of IT was focused only on solving problems. That idea did not make sense. After introducing ITIL, the IT department can proactively provide IT services that match requests in accordance with the SLA.

Mincheng Sheng suggested that every enterprise should introduce ITIL, because introducing ITIL really has advantages; it makes IT different from before. Introducing ITIL can effectively reduce IT operating costs. In ASE’s experience, a task that needed about 250 people in the past can now be completed by only 70 people. Moreover, an enterprise can keep track of all incidents and their processing status through the daily report. Every enterprise should have the opportunity to gain this benefit of doing more with fewer resources.

In my opinion, every enterprise wants to gain more benefits at limited cost in a highly competitive environment. This idea can be seen in the ASE case as well. When someone else's story illustrates what they have reaped, we cannot truly feel it unless we confirm the advantages of IT governance personally.

Saturday, May 31, 2008

IBM: ITIL is not the only IT service management Bible

Home Source: http://www.zdnet.com.tw/news/software/0,2000085678,20121784,00.htm

After ITIL version 3 was published in the middle of 2007, ITIL became a hot topic of discussion among vendors and enterprises. IBM believes that ITIL becoming a hot topic is no doubt helpful to its introduction in the market. But for an enterprise to perfect its IT service management, not just ITIL but other standards such as CMMI and COBIT should also enter into consideration.

Michael Shallcross, IBM construction service and IT strategy Executive Consultant, indicated that an enterprise should evaluate which parts of its present IT service management need to be improved and then choose a suitable standard to follow. The decision on which standard to use to improve IT service management should consider the requirements from the user side.

Michael went on: if an enterprise's IT services focus on business operations, it is suitable to pay attention to ITIL. If the enterprise’s IT department focuses on development, it should pick the CMMI (Capability Maturity Model Integration) framework. If the enterprise focuses on governance or planning, it should pick the COBIT (Control Objectives for Information and related Technology) standard.

IBM global IT service department Consultant Manager Junchang Chen said, “ITIL is part of ITSM; an enterprise may adopt many standards to match its development situation and demand.”

IDC enterprise applied research Manager Yonghui Cao indicated that ITIL is one way of achieving ITSM, but it is not for everyone. He also believes that although ITIL is a Best Practice that gives enterprises criteria for ITSM, no two enterprises fulfil ITSM in the same way. If an enterprise follows just a single standard, it might take the ITIL framework as the foundation and develop its own IT service management processes.

Others in the industry agree that ITIL is not the only option, but it is a very good reference for carrying out ITSM. CA senior technical adviser Zhenyi Jiang indicated that ITIL is certainly not the only way to meet all ITSM requirements. For enterprises that do not have the resources to develop their own management processes, it is quite easy to create management processes based on an existing standard.

According to the professionals’ opinions published earlier, I can see this strategy. Everybody is consistent on the goal of improving IT service quality, but the experience, the time and the procedures can differ because enterprises differ in nature. Meet the enterprise's needs first, then face the global standard later. This strategy is the best way to reach the coveted benefits.

Friday, May 30, 2008

ITIL or not ITIL? That is not the question

Home Source:
http://www.zdnet.com.tw/enterprise/technology/0,2000085680,20123187-2,00.htm

Brian Johnson emphasized that not every enterprise necessarily needs ITIL, and that which ITIL version an enterprise should choose depends on its business demands. Before answering which edition to use, an enterprise must clearly understand whether ITIL suits the organization. The ITIL framework covers a broad area in depth, and the implementation cost is huge. Whether an enterprise or organization needs to introduce the ITIL framework is a decision to make after its own assessment.

Johnson also pointed out clearly that ITIL is a kind of guidance, not law. ITIL even asks the enterprise to confirm its demands before starting; once the enterprise knows which part should be improved, it can find suitable products and solutions and, if required, consider which ITIL version to implement.

If an enterprise knows clearly what it needs, perhaps it does not need ITIL. As ASE CIO Mincheng Sheng reported, ASE has not obtained ITIL certification and does not want to pursue ISO certification either; he believes that as long as internal management can guarantee that all the processes are actually carried out, ASE does not need the certification.

Whether for an enterprise's general manager or its CIO, the main point is to adopt ITIL in order to improve IT service, not for the sake of ITIL. IDC Research Manager Yonghui Cao has a similar idea. He indicated that whether it is ITIL, COBIT or BS7799, these are external models that may not suit the enterprise completely, and an external consultant cannot necessarily tell an enterprise whether they suit it. Everything must come back to actual demand. “The one that best understands the demand and the work is the internal IT department,” he said.

In summary, what I can see is that change is eternal, and ITIL is no exception. The main point of the ITIL framework is that it "provides the information service management framework which the enterprise needs", but the enterprise does not need to follow all the material. Requirements differ with industry characteristics, enterprise culture and market strategy, and different enterprises pay attention to different aspects of information service. Whichever way lets the business run smoothly is the way we need.

Thursday, May 29, 2008

ASL ITIL for Enhanced Application Management

Home Source:
http://ezinearticles.com/?ASL-ITIL-for-Enhanced-Application-Management&id=168396

Patrick Moore is an independent consultant and technology writer residing in Los Angeles, CA, USA. The following information comes from his writing.

The Applications Services Library (ASL) was developed specifically for the application management domain. ASL is increasingly being used for application management improvement to complement ITIL.

Within its domain, ASL serves to ensure the prudent management of application software, databases and the relevant documentation throughout the useful life of the relevant business processes that are supported by the application. ASL describes the implementation of service management processes in the application management domain. ASL also includes best practices for the implementation of the various processes. It devotes significantly more attention than ITIL to the strategic processes as part of the future of an ICT portfolio that supports a business process. The processes concerning enhancement and renovation of applications are considered an enrichment of ITIL. The ASL processes complement those of ITIL.

ASL is based on the processes and service concepts of ITIL framework. The two frameworks differ in their approach to controlling and supporting the technical infrastructure. In effect, ASL more explicitly outlines the process interdependencies between the infrastructure, applications and the business. ASL stresses different functional competencies and introduces additional processes that support the Application Management framework, in addition to providing more detail surrounding the ongoing management and support of business systems and services. ASL also adds some practical guidance for management of the lifecycle through its recognition of a paradigm shift in focus from application development to software maintenance.

From the ASL perspective, roughly 80% of Application Management efforts may lie in the maintenance of systems. While ASL does not replace the ITIL Application Management framework, it complements the service manager through its broader perspective into the dependencies associated with the functional and technical aspects of optimized service provision. That being said, the evolution of ITIL and ASL as a partnership should continue, but the framework documentation itself could be more collaborative, reduce redundancy and more clearly articulate Application Management best practices to the ITIL community.

In my view, although ITIL is the best practice and covers a wide area of IT service improvement, each area may have a specific standard or public-domain framework that goes into it more deeply. ITIL is a collector that gathers all the areas it needs and so becomes a good one. That means holding the ITIL certification should make it easy to get the others, such as ISO-20000 and ASL certification. Those certifications are closely related to improving high-quality services.

Security emerging as ITIL adoption incentive

Home Source:
Http://computerworld.co.nz/news.nsf/mgmt/FA3EBCDB14ADC8E8CC2573D400029683

Listed here are some figures from a survey reported by Denise Dubie, Framingham.

Analysts and enterprise ITIL adopters discussed how process improvements are now providing security benefits. A survey of more than 300 companies, conducted by IDC in November 2007, revealed that security had surpassed improved availability and lowered costs as a main driver for adopting the best practices laid out in ITIL. The ITIL best-practices framework does not just reduce operating costs; it also helps mitigate enterprise risk, the ITIL adopters said.

Specifically, 56% of survey respondents indicated security as a motivation for ITIL, while close to 50% said they wanted to lower costs and about 47% thought ITIL would help improve availability at their organizations. More than 45% said problem-solving was a driver for rolling out process improvements, and nearly 45% indicated that reducing errors was a top driver for ITIL adoption. The survey response might indicate a growing need among organizations to better secure corporate data and information, considering processes around security information management have been incorporated into ITIL Version 3.

ITIL may not provide the external protections of a firewall, but it can go a long way towards securing internal resources and preventing data breaches. "Security can be the motivation for doing some of these processes, such as patch and change management, for instance, because improving processes will make security work better in situations such as access controls," said Tim Grieser, programme vice president of enterprise system management for IDC.

According to companies using ITIL, security and risk management could be an easier argument to make when trying to get executive buy-in for adopting ITIL. The ROI for process improvements can be ambiguous and not realised for quite some time, so putting an executive's mind at ease with talk of reduced risk may be the better way to go. Oryst Kunka, the vice president of process design and architecture at The Bank of New York Mellon, said, "This change will result in a reduction of risk, and it will get management's attention. Sometimes it's hard to point out dollars with process improvements, but companies understand risk. At The Bank of New York, ITIL has become a business advantage."

In conclusion, from the survey’s results I can see that the security of information within an organization is a very big issue in the present technical age; security policies should be considered in control, planning, implementation and evaluation. More than 50% of ITIL adopters also indicated that solving security issues is also a motivation for the ITIL methodology becoming more and more popular.

How ITIL Can Improve Information Security

Home Source: http://www.securityfocus.com/infocus/1815

The author, Steven Weil, is a senior security consultant with Seitel Leeds & Associates. He provides an overview of information security issues based on ITIL implementation. The following section presents his ideas.

ITIL stresses service quality and focuses on how IT services can be efficiently and cost-effectively provided and supported. ITIL defines the objectives, activities, inputs, and outputs of many of the processes found in an IT organization. It primarily focuses on what processes are needed to ensure high quality IT services; however, ITIL does not provide specific, detailed descriptions about how the processes should be implemented, as they will be different in each organization. In other words, ITIL tells an organization what to do, not how to do it.

ITIL seeks to ensure that effective information security measures are taken at strategic, tactical, and operational levels. Information security is considered an iterative process that must be controlled, planned, implemented, evaluated, and maintained.

ITIL breaks information security down into:
  • Policies - overall objectives an organization is attempting to achieve
  • Processes - what has to happen to achieve the objectives
  • Procedures - who does what and when to achieve the objectives
  • Work instructions - instructions for taking specific actions

It defines information security as a complete cyclical process with continuous review and improvement.

ITIL's Information Security Process can be described as a seven step process:

  1. Using risk analysis, IT customers identify their security requirements.
  2. The IT department determines the feasibility of the requirements and compares them to the organization's minimum information security baseline.
  3. The customer and IT organization negotiate and define a service level agreement (SLA) that includes definition of the information security requirements in measurable terms and specifies how they will be verifiably achieved.
  4. Operational level agreements (OLAs), which provide detailed descriptions of how information security services will be provided, are negotiated and defined within the IT organization.
  5. The SLA and OLAs are implemented and monitored.
  6. Customers receive regular reports about the effectiveness and status of provided information security services.
  7. The SLA and OLAs are modified as necessary.

Ten ways ITIL can improve information security

There are a number of important ways that ITIL can improve how organizations implement and manage information security.

1. ITIL keeps information security business and service focused. Too often, information security is perceived as a "cost center" or "hindrance" to business functions. With ITIL, business process owners and IT negotiate information security services; this ensures that the services are aligned with the business' needs.
2. ITIL can enable organizations to develop and implement information security in a structured, clear way based on best practices. Information security staff can move from "fire fighting" mode to a more structured and planned approach.
3. With its requirement for continuous review, ITIL can help ensure that information security measures maintain their effectiveness as requirements, environments, and threats change.
4. ITIL establishes documented processes and standards (such as SLAs and OLAs) that can be audited and monitored. This can help an organization understand the effectiveness of its information security program and comply with regulatory requirements (for example, HIPAA or Sarbanes Oxley).
5. ITIL provides a foundation upon which information security can build. It requires a number of best practices - such as Change Management, Configuration Management, and Incident Management - that can significantly improve information security. For example, a considerable number of information security issues are caused by inadequate change management, such as misconfigured servers.
6. ITIL enables information security staff to discuss information security in terms other groups can understand and appreciate. Many managers can't "relate" to low-level details about encryption or firewall rules, but they are likely to understand and appreciate ITIL concepts such as incorporating information security into defined processes for handling problems, improving service, and maintaining SLAs. ITIL can help managers understand that information security is a key part of having a successful, well-run organization.
7. The organized ITIL framework prevents the rushed, disorganized implementation of information security measures. ITIL requires designing and building consistent, measurable information security measures into IT services rather than after-the-fact or after an incident. This ultimately saves time, money, and effort.
8. The reporting required by ITIL keeps an organization's management well informed about the effectiveness of their organization's information security measures. The reporting also allows management to make informed decisions about the risks their organization has.
9. ITIL defines roles and responsibilities for information security. During an incident, it's clear who will respond and how they will do so.
10. ITIL establishes a common language for discussing information security. This can allow information security staff to communicate more effectively with internal and external business partners, such as an organization's outsourced security services.

Steven Weil concludes that information security measures are steadily increasing in scope, complexity, and importance. It is risky, expensive, and inefficient for organizations to have their information security depend on cobbled-together, homegrown processes. ITIL can enable these processes to be replaced with standardized, integrated processes based on best practices. Though some time and effort are required, ITIL can improve how organizations implement and manage information security.

In my view, the majority of ITIL articles talk about implementation theory. Their content also just presents the benefits for an audience that jumps into the ITIL pool. No other authors or papers mention information security issues in their articles, including the direction or processes. Fortunately, I found Steven Weil's article. From his article I understand more about improving information security issues based on the ITIL framework. Even though I can't put that information into practice, at least I know which area to focus on in practice.

ITIL: the benefit is difficult to measure on introduction

Home Source: http://www.zdnet.com.tw/news/software/0,2000085678,20112824,00.htm

The following information comes from the reporter Cui Ling, Zhong.

Introducing ITIL is not the same as introducing a traditional IT technical project. Nor is it like other IT system introductions, which can be delivered in the same way and whose ROI can be measured clearly. If senior management wants to see the benefit immediately, it will be disappointed.

The objective of the ITIL methodology is to improve people and the related technical flows, with the goal of optimizing IT capacity. The ITIL methodology views enterprise IT services as a service company or a user's department. The ITIL framework provides a set of processes that illustrate a better way of operating IT in the enterprise.

After the ITIL methodology is introduced into the business, it becomes integrated into the enterprise's daily business operation. ITIL implementation is not like other IT system introductions: it does not finish in half a year or a year with an obvious ROI. An ITIL project treats IT services as a kind of asset investment or IT portfolio management, through which the business achieves its goal of adaptability.

In other words, an enterprise needs to understand what it wants to be and to know its goal clearly; otherwise it is very difficult to see any effect from introducing a product or involving a consultant. Although the result does not come immediately, it is not impossible to estimate. The enterprise should identify approximate KPIs, such as system response time, network disconnect time, or the drop in IT workload due to automation. Because ITIL processes are closely linked to the business operation flow, the enterprise will need a long time to feel the benefit of the change.

In my opinion, the change can be seen during the ITIL introduction, and the conflicts can be found more easily than the benefits. According to other cases such as Shell Oil, P&G and HSBC, they probably got the obvious benefits four to five years after the ITIL introduction. An enterprise must be patient with its business process improvement until it feels the benefits.

Wednesday, May 28, 2008

ITIL v3: Bridging the Gap Between IT and Business

Home Source: http://www.cioupdate.com/reports/article.php/11050_3737921_3

Augusto Perazzo and Glen Willis are consultants at PA Consulting Group. They explain how ITIL v3 builds on v2, greatly expanding its usefulness and helping CIOs make the leap to business strategist. The majority of adopters use the ITIL framework to maintain existing services at a satisfactory level of quality and to increase operational efficiencies. On the other hand, organizations with an operational focus are struggling to introduce new services in order to keep up with changing business needs.

How can organizations that established ITIL programs with an operational focus facilitate the creation of new services and ensure greater integration among project-based IT functions, IT operations and ever-changing business demands? ITIL version 3 (v3) comes to the rescue by incorporating a more strategic, innovation-focused and integrated view of service management, better aligning the IT service portfolio to the business strategy and providing project teams with an honest and realistic view into the operational realities of an organization's enterprise.

The following sections cover innovation in the business, aligning the IT service portfolio, and bridging the gap between development and operations within v3.

From Business as Usual to Innovation
There are many success stories on how ITIL guidance has helped organizations reduce spending on IT operations and become more effective at it. Nonetheless, businesses are increasingly demanding for IT to be an enabler of innovation and to focus on more strategic concerns such as creating competitive advantage through the development of new products and services.

ITIL version 3 builds on the operational excellence concepts of v2 and extends service management towards a more holistic approach. With the life cycle mindset embedded in v3, IT organizations are better equipped to understand the business needs, to have a closer dialogue regarding business strategy and to best support it through the creation, design and implementation of relevant IT services that are in sync with business requirements. The Service Strategy phase in the v3 life cycle provides such guidance. It encourages IT organizations to understand why a service is needed from a business perspective and how to best align to and pursue IT capabilities that are on par with business needs. It places IT as a core strategic asset, participating in and often leading the business along the innovation path. Following the v3 philosophy, you would first catalogue all existing services, understand your customer and make sure that the services you provide are in line with their needs. ITIL v3 would encourage you to continue to monitor the relevance of your services amidst shifts in consumer tastes.

Aligning the IT Service Portfolio to the Business Strategy
The Service Design phase in ITIL v3 provides guidance on how to build a portfolio of services that are aligned with the business strategy. Whereas the Service Strategy phase is concerned with understanding the why and elaborating on what is needed, Service Design is concerned with how to make it happen. Service Design goes beyond the infrastructure requirements and takes a holistic view of how processes, people and platforms, managed internally, come together to best support the overall business strategy. Service Design ensures that all IT services are created with the ultimate end goal in mind: to enable business strategy and innovation in the most cost-effective manner.

Bridging the Gap Between Development and Operations
ITIL v3 provides a greater opportunity to address this unproductive behavior. By incorporating the mindset of a service life cycle, v3 brings service management and operations much closer to the way application development groups have been working for years.
ITIL v3 provides guidance on how operational concerns such as availability, capacity and incident management can be taken into consideration when new services are being designed. Through the Service Transition phase, v3 recognizes that a much more structured approach is needed in order to transition a service, its related applications and subsequent modifications from the development group into the live environment. This phase brings the two groups even closer together to ensure a smoother transition. By promoting a service life cycle as opposed to a software development life cycle, ITIL v3 can provide insights to the application development group about service management. Application development groups must create applications inside the greater context of a service.

These are questions that ITIL v3, with the support of the operations group, can help elucidate:

  • How efficient and effective will this application be in enabling day-to-day business processes once it goes live?
  • How can it be changed in the least disruptive way in order to adapt it to new business needs without introducing unwanted risks?
  • How to best support users without key technical resources being stripped away from critical new developments?

In my view, I got more details on how ITIL v3 Service Design and Transition change the thinking of application development people. As Augusto and Glen reported, the change is to work closer with the business; it is better to understand that new business strategies require new services realized by new applications that will eventually transition to the live environment and be supported by operations.

Ten Tips for Successfully Implementing ITIL

Home Source: http://www.cioupdate.com/article.php/3554001

Isabel Wells is a consultant who presents some tips on implementing ITIL successfully; the tips come from PA Consulting Group. As most readers know, the benefits of implementing globally consistent, ITIL-based processes include:
  • Improved availability, reliability and security of IT services.
  • Increased IT project delivery efficiencies.
  • Reduced TCO of IT infrastructure assets and IT applications.
  • Improved resource utilization including decreased levels of rework and elimination of redundant activities.
  • Provisioning of services that meet business, customer and user demands, with justifiable costs of service quality.
  • More effective and better third-party relationships and contracts.
Many CIOs are not seeing the improvements they expected, despite heavy investment in ITIL. ITIL deployment should be set within the context of a business; any IT change program will encompass organizational, process and technology elements. Drawing on PA's experience, the article provides ten tips that CIOs and program directors can use to approach effective ITIL implementation with confidence.

For the organization area, the tips are as follows:
  • Approach ITIL implementation as part of the IT-wide strategy, and use it to guide all other strategic initiatives.
  • Consider the post-ITIL organization before completing the process design.
  • Engage, engage, engage. Continuous communication is required at all levels of the organization.
  • Set realistic expectations about benefits realization and establish a baseline from which to monitor improvements.
  • Engage existing suppliers early.
Focusing on processes, the tips are:
  • Identify and deliver the quick wins.
  • Maximum benefit can only be achieved if the impact each process has on another is understood.
  • Prioritize process selection based on current maturity; don’t bite off more than you can chew!
  • Use success as a springboard for further improvement.

On technology, the tip is:

  • Combine process and tool activities from day one as part of a single solution approach.

Beyond the ten tips above, Isabel Wells also mentions that implementing ITIL is not just about evaluating and revising processes; it is about change: changing the way people work and are rewarded; changing technology platforms; and changing behaviors across an entire organization.

Regarding this article, I can see that the ITIL introduction has a wide impact: on the current service management structure, people, service quality, organization culture, everything. Those impacts on business and IT are significant and not isolated; they are as close as a family and interact with each other.

Tuesday, May 27, 2008

First Bank integrates information management flows with ITIL

Home source: http://www.ithome.com.tw/itadm/article.php?c=46695

The following information was reported by the vice-president of First Bank's information center. According to First Bank's medium- and long-term strategy plan, the information center has two important development phases: one carries out ITIL in 2008, the other establishes the information cost model. After that it carries out the ISO 20000 certification in 2009. In fact, First Bank had introduced ITIL into its business operation several years ago, because of some risk events. First Bank decided to deal with the information security aspect first, through ISO 27001. From its experience of introducing ISO 27001, First Bank discovered that many ISO 27001 methods are interlinked with the ITIL framework. Moreover, if First Bank gets the ISO 27001 certification, that means it can also meet the information security requirements of the ITIL framework. Although First Bank took on ISO 27001 first, this was in effect equal to having done part of ITIL.

ITIL covers a bigger domain than ISO 20000, such as the information service valuation model, which ISO 20000 does not cover. For the future, First Bank wants the information department to change to a service-oriented model, for which the cost valuation model must be done. First Bank therefore expects to carry out ITIL fully, so that the ITIL framework links all the information management flows together.

On auditing, the financial industry has long had frequent internal and external audits, and control points already exist in the work flow and the management flow, but from the ITIL angle First Bank still had room for improvement. For example, First Bank has a unified external information service desk and also has version control and release management, but these two functions are not connected to each other, so trouble still occurs. For example, a new version of a system is already online but the service desk has not been informed. It finds out only when a user telephones, which delays solving the issue.

Because the connection between the flows depends on manpower rather than on an automatic system, control is sometimes unavoidably lost. With the ITIL framework, Change Management, Release Management, Service Desk, Problem Management and so on will be integrated and automated. First Bank originally had many information management flows, and these flows probably already covered the ITIL requirements; only the connection through automated integration was missing. That integration, process improvement and carrying on the ITIL implementation are First Bank's mission in 2008.

In this case, I can see that it is easier for banking to introduce the ITIL framework into business operations and automate the processes, because banks already have many information management flows, which probably already cover ITIL expectations. Compared to other industries, banking should get the ITIL certification shortly.

Understanding ITIL Key Process Relationships

Home Source: http://www.computereconomics.com/article.cfm?id=1074

Robert Boyd is a Contributing Research Analyst for Computer Economics. He explains the relationships among the Incident, Problem and Change processes. ITIL is divided into three major areas: Service Support, Service Delivery, and Security Management. Understanding the differences between those areas and the relationships among these processes is an important first step in implementing ITIL. He takes an example to explain the relationship between Incident Management and Problem Management. The objective of Incident Management in the Service Support category is to restore service as quickly as possible. Therefore, an incident is active until service is verified as restored. The objective of Problem Management in the Service Support category is to minimize the economic impact of service disruption by diagnosing the root causes of incidents, gathering information on known errors and providing work-arounds, temporary fixes, and permanent fixes.

While an incident is active only until service is restored, a problem continues to be active until appropriate fixes are published and implemented. This means that incidents and problems are not synonymous. Neither do incidents become problems. Rather, incidents, problems, and changes each have a many-to-many relationship with the other two. It is also important to note that not all problem requests are created because of an incident. Some problem requests are initiated by proactive problem control discovering a likely cause of future incidents.

In one case, an instance of a problem may have no related instance of an incident. The problem may initiate a change request to implement a permanent fix. In another case, the incident control activity of the Problem Management process may discover that multiple incidents have the same root cause and link all these incidents to a single instance of a problem. Another incident may implement a temporary fix created previously by the problem control activity of Problem Management.

These relationships can become quite intricate. During the training phase it is easy to get confused about the relationships between incidents, problems, and changes. Support personnel do not have to know every possible permutation of these relationships, but they should understand that incidents, problems, and changes are not synonymous and can have quite complex interactions.
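The relationships described above, as an added example that is not from Robert Boyd's article or from this blog: a small in-memory register in which incidents, problems and changes are linked many-to-many and each has its own lifecycle. The class names, record IDs and sample records are hypothetical and constructed for illustration, and closing a problem when a linked change is implemented is an assumption of this sketch.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class Incident:
    id: str
    summary: str
    service_restored: bool = False          # active only until service is restored
    problems: Set[str] = field(default_factory=set)


@dataclass
class Problem:
    id: str
    root_cause: str
    proactive: bool = False                 # raised by problem control, not by an incident
    workaround: Optional[str] = None        # temporary fix published for the service desk
    fixed: bool = False                     # active until a permanent fix is implemented
    incidents: Set[str] = field(default_factory=set)
    changes: Set[str] = field(default_factory=set)


@dataclass
class Change:
    id: str
    description: str
    implemented: bool = False
    problems: Set[str] = field(default_factory=set)


class Register:
    """Hypothetical register; every link is stored on both sides."""

    def __init__(self) -> None:
        self.incidents: Dict[str, Incident] = {}
        self.problems: Dict[str, Problem] = {}
        self.changes: Dict[str, Change] = {}

    def open_incident(self, iid: str, summary: str) -> None:
        self.incidents[iid] = Incident(iid, summary)

    def open_problem(self, pid: str, root_cause: str, proactive: bool = False) -> None:
        self.problems[pid] = Problem(pid, root_cause, proactive)

    def link(self, iid: str, pid: str) -> None:
        # An incident never "becomes" a problem; the two records are only linked.
        self.incidents[iid].problems.add(pid)
        self.problems[pid].incidents.add(iid)

    def raise_change(self, cid: str, description: str, pids: Iterable[str]) -> None:
        pids = set(pids)
        self.changes[cid] = Change(cid, description, problems=pids)
        for pid in pids:
            self.problems[pid].changes.add(cid)

    def restore_service(self, iid: str, workaround_from: Optional[str] = None) -> None:
        if workaround_from is not None:
            if self.problems[workaround_from].workaround is None:
                raise ValueError(f"{workaround_from} has no published workaround")
            self.link(iid, workaround_from)
        self.incidents[iid].service_restored = True

    def implement_change(self, cid: str) -> None:
        change = self.changes[cid]
        change.implemented = True
        for pid in change.problems:         # assumption: the change carries the permanent fix
            self.problems[pid].fixed = True

    def active_incidents(self) -> List[str]:
        return sorted(i.id for i in self.incidents.values() if not i.service_restored)

    def active_problems(self) -> List[str]:
        return sorted(p.id for p in self.problems.values() if not p.fixed)


def build_scenario() -> Register:
    """Constructed sample records covering the cases in the text."""
    r = Register()
    # Two incidents are restored first; incident control later finds one root cause.
    r.open_incident("INC-1", "portal timeout, branch A")
    r.open_incident("INC-2", "portal timeout, branch B")
    r.restore_service("INC-1")
    r.restore_service("INC-2")
    r.open_problem("PRB-1", "connection pool exhausted")
    r.link("INC-1", "PRB-1")
    r.link("INC-2", "PRB-1")
    r.problems["PRB-1"].workaround = "restart the pool service"
    # A proactive problem has no incident but still raises a change.
    r.open_problem("PRB-2", "disk usage trend on the log server", proactive=True)
    r.raise_change("CHG-1", "add storage", ["PRB-2"])
    # A later incident is restored with the previously published temporary fix.
    r.open_incident("INC-3", "portal timeout, branch C")
    r.restore_service("INC-3", workaround_from="PRB-1")
    r.raise_change("CHG-2", "raise the pool limit", ["PRB-1"])
    return r


if __name__ == "__main__":
    reg = build_scenario()
    print("active incidents:", reg.active_incidents())
    print("active problems:", reg.active_problems())
```

After `build_scenario()` every incident is closed while both problems stay open; only implementing a linked change closes a problem.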

In my opinion, I strongly agree that Robert Boyd's explanation of the relationship between Incident Management, Problem Management and Change Management is important during ITIL implementation. These complex relationships are not easily to the detriment and clearly define instances of incidents and problems. If the audience is confused about those processes, the ITIL implementation will come under more pressure.

Does ITIL still matter?

Home Source: http://www.misweb.com/magarticle.asp?doc_id=26167&rgid=5&listed_months=0

John Lui reported a CEO's opinion that ITIL is important to any organization, but not always, just for IT service management. ITIL may not cover every area or industry. The CEO is Don Page of the Marval Group, who has more than 20 years of experience in IT service management.

Don Page strongly argues that ITIL is beneficial to organizations of any size, whether in the private or public sector. But it differs a bit in terms of organization size. Smaller organizations are at greater risk simply because of their size and dependency on key staff. They need to position themselves where key services are not dependent on individuals. Based on this, having well-defined policies, processes and procedures could be the difference between success and failure. Small and medium-sized organizations should seriously consider ISO 20000 as their IT service framework.

If the organization wants to improve its IT services, not as a whole but only in a critical part such as the process or governance aspect, Don Page's advice is: if you are an IT service department, all you need is ITIL and ISO 20000. ITIL provides the underpinning process framework and ISO 20000 the IT governance controls and evidence. There are complementary best practices and standards, with different standards for different areas, that he would use on a service improvement project, for example PRINCE 2 for project management and ISO 17799 for security. Many frameworks are specifically designed to meet the demands and regulatory requirements of a specific industry sector (for example, eTOM for the telecoms industry, Six Sigma for manufacturing, COBIT for auditors). ISO 20000 is a standard, whereas ITIL is a best practice. They cover different requirements.

From an IT service management framework perspective, there is only ITIL. ITIL will continue to thrive and evolve for two main reasons: 1) because it underpins and aligns with ISO/IEC 20000, the new worldwide auditable standard for IT service management. 2) ITIL's development is driven by the IT Service Management Forum, which has the largest group of practicing IT service management experts and professionals in the world today.

Don Page mentions another idea: ISO 20000 gives ITIL the teeth it needs. To maintain a competitive advantage, many businesses need to have the confidence to measure and benchmark their IT organization to maintain business confidence and demonstrate to stakeholders how they measure up against a recognized industry standard or their competition. That means practicing ISO 20000 is easier than the ITIL standard.

In my view, if the organization's IT service management is not at a mature stage, it may take ISO 20000 first; when all the processes and work flows are running well, it can then consider facing the higher level of the ITIL framework again.

Monday, May 26, 2008

ITIL standard has mass appeal

Home source: http://management.silicon.com/itpro/0,39024675,39170242,00.htm?r=1

Tim Ferguson provides some information on the ITIL framework, which has been used for IT service improvement worldwide. As he reported, “Two-thirds (66 per cent) of companies around the globe are using IT infrastructure library (Itil) - the IT service delivery framework - to help manage their IT infrastructure.” The performance information comes from Dimension Data, a managed services company. ITIL scored an average of three out of five - higher than any other framework - in a survey of more than 370 CIOs in 14 countries.

In terms of ITIL adoption by organization size, the survey found that the size of the organization has an impact on ITIL adoption, with companies of less than 100 employees rarely using ITIL compared with 87 per cent of companies of more than 10,000 employees using it in some form.

In his report, Tim also mentions other best practices that drop off behind ITIL in organizations' implementations: the engagement best practices such as Prince 2, ISO, CMMi, ASL, CoBIT and TQM.

Regarding Tim’s report, the ITIL framework has a good reputation around the world. Even though the engagement best practices are coming up, I believe the ITIL framework will continue to be used for IT service improvement.

Introduction to ITIL: Early US Adopters Show Business Value

Home source: http://enterpriseleadership.org/content.php?cid=1445

Elizabeth Ferrarini is an IT consultant and freelance writer from Boston, Massachusetts. Her report gives three examples of the ROI from ITIL implementation. In the report, she also cites Gartner Group on how ITIL helps adopters gain benefits, as follows:

“Gartner Group describes ITIL as a roadmap for carrying out repeatable steps for managing technology. It sets out major procedures, goals, and directions for each of 10 different disciplines -- everything from incident management to service-level management -- that can turn IT into a service delivery system rather than an infrastructure made up of discrete processes. ITIL addresses those activities that an organization should do in order to keep processes in control. It can also help determine if a process is cost effective or not, and whether job descriptions should be changed.”

Elizabeth also gives three successful examples to show how the ITIL framework improves the adopter's business: Procter & Gamble, Caterpillar and Ontario Justice Enterprise. The details are as follows:

Procter & Gamble
Procter & Gamble, the Cincinnati, Ohio-based consumer products giant, embarked on ITIL in 1999 with a worldwide effort to streamline the number of applications help desks have to support. In just the past four years, Procter & Gamble has reportedly saved about $500 million. A study of savings within Procter & Gamble's finance and accounting IT departments showed a six percent to eight percent cut in operating costs and a 15 percent to 20 percent reduction in technology personnel. Procter & Gamble's most recent ITIL endeavor involved root-cause analysis of trends in help-desk requests. This initiative resulted in a 10 percent reduction in help desk calls.

Caterpillar
In 2000, Caterpillar, the Fortune 100 construction equipment and engine manufacturer based in Peoria, Illinois, used ITIL methods to address incident management for Web-related services. The ITIL team found that internal service providers couldn't meet the target response time of 30 minutes between 60 percent and 70 percent of the time. Now service providers surpass the 90 percent mark.

Ontario Justice Enterprise
Ontario Justice Enterprise, an agency that handles the Canadian government's court system, adopted ITIL in 1999 to help manage growth and to improve service to its internal customers. With 1,000 locations across Ontario serving 25,000 individuals, the agency was under intense pressure to provide more efficient services. The ITIL initiative spawned a virtual service desk that helped slash support costs by 40 percent. The service desk improved service-level monitoring and service request processing, ensuring that everyone worked together as a service-delivery chain. As a result of this agency's experience, other Ontario federal government agencies have adopted ITIL principles.

To sum up, even though the previous examples give no more details about the five basic ITIL elements (business perspective, application management, service delivery, service support and infrastructure management), they show that the value of introducing the ITIL framework to the business shines. I got more of a sense from Elizabeth’s report, but the feeling is rough and not enough.

Bank of America and ITIL

Home Sources:
http://www.fisc.com.tw/FISCWeb/FISCBimonthly/Article.aspx?Volume=42&TNo=31
https://www.itsmf.com/upload/conference2002/Bank%20of%20Ameriica.pdf

BOA (Bank of America) has its world headquarters in Charlotte, N.C. (North Carolina). Its Global Corporate and Investment Banking group has offices in 35 countries serving clients in more than 150 countries, with associates in major business centers in the Americas, Europe and Asia.

The consumer and commercial banking operations serve more than one in four households in the United States, transacting with more than 150 customers per second. One can imagine how complex its IT systems and organization must be in order to support its service operation.

Because BOA wants to be the best in the world, it adopted the ITIL methodology to help it overcome organizational and cultural differences with a unified operation, outperform the competition in both quality and cost, allow for continuous process improvement to reach and ultimately exceed the industry benchmark, and so on. It started the ITIL project in 2003 with a global consultancy company, beginning by introducing ITIL components such as IT Service Management, Problem Management, Change Management, Configuration Management and Asset Management. These processes are critical to improving production quality assurance.

During the cooperation with the global consultancy company, across the different phases of management marital identifying, current state assessment, process planning, design and deployment, the experience of introducing the ITIL processes highlighted these items:
  • INVENTORY MANAGEMENT: Provide detailed real-time information defining what, when, where, and how much for all components.
  • ASSET MANAGEMENT: Manage and optimize the cost, retention, and ultimate disposal (the lifecycle) of IT assets which includes Hardware, Software, Communications and Staff.
  • CONFIGURATION MANAGEMENT: Provide enterprise wide, real-time component information (hardware, software, et al.) and incorporate new resources as required, such as provide historical information and provide relationship information.

To achieve the effect initially set out, the partner's consulting ability, its ability to carry out and deliver, and the tools it uses are important attributes that decide the result of the introduction. With the ITIL project, BOA's IT organization will be able to provide and design IT management processes from a business view and so add more value to its business operation; this is what ITIL is meant to achieve.

In conclusion, from the BOA example I can see it is understandable that ITIL introduction takes a long time and performs each process step by step. If the ITIL introduction is outsourced to another company, that company's consulting ability, ability to carry out, execution to deliver and the tools it decides to use will affect whether the ITIL introduction succeeds or fails.