lesson-9-service-design-processes-part-2.pdf

ITIL Foundation Certicate in IT Service Management

Lesson 9 Study Guide Service Design Processes Part 2

The ITIL Foundation Certificate in IT Service Management

www.itiltrainingzone.com

Page 1 of 20

2011 IT Training Zone LTD www.ITILTrainingZone.com

ITIL is a registered trademark of the Office of Government Commerce in the United Kingdom and other countries

Welcome to the ninth chapter of your Study Guide. This document is

supplementary to the information available to you online, and should be used in

conjunction with the videos, quizzes and exercises.

After your subscription to the course has finished online, you will still have the Study Guide to

help you prepare for your exam - if youve not taken the exam by the time your subscription

expires.

Youll download a Study Guide at the end of most Lessons as you progress through the course.

This Chapter contains the Study Guide information for Lesson 9 Service Design Processes:

Part 2.

Use this Study Guide in conjunction with your own notes that you make as you progress

through the course. You may prefer to print the Study Guides out, or use them on-screen.

After each Lesson, you can consolidate what you have learnt whilst watching the videos and

taking the quizzes by reading through the chapter of the Study Guide.

If you progress on to the formal exam, your Study Guide will provide you with vital revision

information.

Remember, your Study Guide is yours to keep, even after your subscription to the course has

finished.

Service Design Processes Part 2



Page 2 of 20



Study Guide Icons 3

Lesson Contents 4

Information Security Management 5

Exercise Poor Security Management 6

Supplier Management 8

Supplier Categorization 10

Capacity Management 12

Capacity Management Sub-Processes 14

ITSCM 16

Business Impact Analysis and Risk Assessment 18

Design Coordination 19

The Service Design Package 20

Table of Contents



Page 3 of 20



Watch out for these icons as you use your Study Guide. Each icon highlights an important piece of information.

Tip this will remind you of something you need to take note of, or give

you some exam guidance.

Definition key concept or term that you need to understand and

remember.

Role a job title or responsibility associated with a process or function.

Exercise Solution suggested solution to one of the exercises you will

complete throughout the course.

Goal or Objective for a particular process or core volume.

Study Guide Icons



Page 4 of 20



This Lesson completed our studies of the Service Design processes.

We studied:

Information Security Management

Supplier Management

Capacity Management

IT Service Continuity Management

Design Coordination

Text in "italics and quotation marks" is drawn from the ITIL core volumes Quoted ITIL text is from Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement Crown copyright 2011 Reproduced under license from OGC.

Lesson Contents



Page 5 of 20



Information Security Management is responsible for aligning IT security with the

business security policy and making sure that effective levels of security are

designed into all new services and service management activities.

The process sets standards that need to be available to everyone in the business. These could

cover areas such as acceptable usage of email and web browsing standards, and password

confidentiality.

Security is part of the warranty of a service.

Process Objectives

Information Security Managements objectives relate to the protection of information, and the

people who use information.

The security objective is met when information is confidential, available as required, has

integrity and has authenticity.

Confidential: information is only seen by those who have a right to know

Integrity: its complete, accurate and cant be changed without permission.

Available: information is available and usable and protected from attack

Authenticity and non-repudiation: information can be shared between organizations and

trusted

Information Security Management



Page 6 of 20



Exercise Poor Security Management

This Lesson included an Exercise to look at the consequences of poor security management. If

you didnt have time to complete the exercise during the Lesson, why not attempt it now?

Exercise

Imagine youre an information security manager. You are trying to get the business to take

security seriously, but they arent really listening.

Prepare a list of some of the potential business consequences of a security breach. Try and

think of at least 6 different consequences remember they can be both tangible and intangible.

Exercise Solution

Consequences could include:

A fine for breach of legislation or regulations

Loss of customer data

Loss of customer trust

Poor reputation and image

Potential for legal proceedings to be taken against accountable staff

Financial loss including theft from the organization

Withdrawal of any relevant industry accreditation

Commercially sensitive information or designs may become public

Remember, if you found this exercise challenging or have any questions, you can

email a tutor at [email protected].



Page 7 of 20



Process Scope

The scope of Information Security Management includes being a focal point for all security

issues.

The process will produce a policy that outlines the organizational approach to security. This will

be linked to any overall business security plans and policies, as well as any legislative

requirements.

Security issues need to be prioritized according to overall business goals and priorities.

The Information security policy should be available to everyone. It sets out standards for the

use of passwords, email and internet browsing.

Adequate levels of security should be designed into each new service and the Information

Security policy will be updated - if required.

The security policy covers everything that could have a potential impact on security, including

email, internet, anti-virus, information classification, remote access, copyright, asset disposal,

access control, and passwords.

The Information Security Manager also needs to ensure that all security policies are

communicated, fully implemented and enforced. The security policies need to be integrated at

all levels of the organization strategic, tactical and operational.

Every single user has the potential to cause a security breach, so training and communication is

critical. For example, security inductions for new starters might include not sharing your

password, or leaving your desk without locking your PC.

Another responsibility of the Information Security Management process is to manage any

security breaches, for example virus outbreaks or unauthorized access to a system.

Security breaches will need to be prioritized and appropriate action must be taken to resolve

the breach. There will be a review after the breach to see if any lessons need to be learnt or

processes updated.

Information Security Management also organizes regular security reviews and security tests -

such as network penetration tests. These reviews and tests will all help to ensure that the

policies and measures put in place are performing as they should.



Page 8 of 20



Supplier Management is responsible for managing suppliers and the services

that they supply to provide a seamless quality of IT service to the business,

ensuring value for money is obtained.

The process is responsible for managing the full lifecycle of a supplier relationship. This starts

with choosing the supplier and making sure the correct contract is in place, and carrying out

any necessary negotiation.

Then, the supplier will be monitored on an ongoing basis in line with the overall organizational

supplier policy. At the end of the contract, the termination or re-negotiation process also

needs to be managed.

Most organizations will have a number of different suppliers. Some suppliers will provide

business critical services and products, whilst others will provide less important services and

products. The least critical suppliers are usually those who provide your organization with

consumables like printer toner cartridges.

Suppliers should be categorized so that it is clear how much actual management each supplier

and their corresponding contract needs. The more disruption the loss of any particular

suppliers service would cause, then the more effort that needs to be put into managing that

particular relationship.

Supplier Management has some overlap with other areas such as Service Catalogue

Management and Service Level Management. Service Level Management will want to make

sure that service targets within suppliers contracts will actually support the targets within SLAs.

Supplier management will maintain an information repository with supplier and contract

details, known as the Supplier and Contract Management Information System.

Supplier Management can provide powerful information to organizations, including:

When are specific supplier contracts due to expire?

Which suppliers are performing well?

Are suppliers improving overall?

Supplier Management



Page 9 of 20



Supplier Management are responsible for ensuring that all suppliers continue to deliver value.

The key outputs from the process include:

Supplier and contract performance reports, which are used to help manage the ongoing

quality of service

Supplier review meeting minutes, which record actions agreed and also track previous

and ongoing actions

Supplier service improvement plans, which are used to manage suppliers who may not

be meeting the required standard and therefore need to improve

Survey reports are used to collect information from all levels of the organization that

deal with a particular supplier. This will give a well-rounded view of the suppliers

overall performance

By reviewing all of this information, Supplier Management can help to ensure that they get the

maximum value from third party suppliers.



Page 10 of 20



The diagram below shows that one of the best methods for categorizing

suppliers is based on assessing the risk and impact associated with the supplier.

This can be plotted against the value and importance of the supplier and their services to the

business.

Service Design fig. 4.28 Supplier Categorization

Crown copyright 2011. Reproduced under license from OGC

Supplier Categorisation



Page 11 of 20



Supplier Category

Notes

Strategic This is relevant for significant partnering relationships that involve senior managers sharing confidential strategic information to facilitate long-term plans. These relationships would normally be managed and owned at a senior management level. For example, if all of IT service provision was outsourced, this might be a strategic relationship.

Tactical This is relevant for relationships involving significant commercial activity and business interaction. These relationships would normally be managed by middle management.

Operational Operational is used for suppliers of operational products or services. These relationships would normally be managed by junior operational management. Examples include an internet hosting service provider, supplying hosting space for a low-usage, low-impact website or internally used.

Commodity Commodity is suitable for suppliers that provide low-value and/or readily available products and services, which could be alternatively sourced relatively easily. For example, paper or printer cartridge suppliers.



Page 12 of 20



Capacity Management extends right across the service lifecycle. It has a key

responsibility to make sure the required level of capacity is designed into new

or changing services.

Lack of Capacity means that something has run out of space. If a server reaches maximum

capacity, or you run out of network bandwidth, this can significantly affect the performance of

a service.

Process Purpose and Objectives

The purpose of Capacity Management is to make sure that the capacity of IT services and

infrastructure in place meets the agreed business requirements in a cost-effective and timely

manner.

This involves planning ahead in order to predict the right capacity requirements for a new

service to avoid suffering from any downtime caused by a lack of capacity.

Capacity Management is interested in service performance how this can be maintained and

improved.

Capacity Management has a number of objectives. It will produce a Capacity Plan, which

provides costed options to meet current and future business needs. It will advise the business

and IT abut capacity-related concerns, and make sure that services are not affected by issues

related to capacity.

The Capacity Management process will carry out reactive activities, working with processes like

incident and problem management when service has been affected.

It will also have a proactive role, carrying out change impact assessments and implementing any

cost-justified measures that could improve service performance.

Capacity Management



Page 13 of 20



Process Scope

The scope of Capacity Management includes being the organizations focal point for capacity

information. The process encompasses hardware, software, infrastructure and even people.

Capacity management needs to work closely with Service Strategy to make sure it understands

and plans for long term business needs, not just short term changes.

To fulfill its role, capacity management needs monitoring capabilities to support it. If capacity

isnt monitored, any potential problems will not be detected.

Capacity Management will constantly tune and refine services and infrastructure to optimize

their performance.

The scope of Capacity Management also includes understanding how technology can improve

services and service performance. If a service is not performing well and investment is not

available to expand capacity, capacity management may try and influence demand.

For example, it may work with Financial Management to introduce peak and off-peak charging

for a service.



Page 14 of 20



Business Capacity Management

Business Capacity Management operates at the strategic level. It looks at the future plans of

the business including information on mergers and acquisitions, and predicts how these will

affect capacity.

This sub-process focuses on predicting future capacity usage based on business plans and

trend analysis of current growth and usage.

Service Capacity Management

Service Capacity Management operates at the tactical level. It will review current capacity

levels and changes to demand to make sure that service targets can be met.

SCM monitors day to day activity to analyze trends. This sub-process is concerned with making

sure that service targets in Service Level Agreements and Service Level Requirements can be

monitored and achieved.

Component Capacity Management

Component Capacity Management is involved with the technology that makes up our

infrastructure.

Individual components such as disk arrays, networks and routers (say rooters) must all be

monitored and measured in order to build up a complete picture of the capacity available to

deliver services.

This is the most technical sub-process. Monitoring should be automated as far as possible.

Capacity Management Sub-Processes



Page 15 of 20



The Capacity Plan

The Capacity Plan is developed to document and predict the capacity required to support the

business in the next financial period. It provides forecasts at the Business, Service and

Component level. This information will feed into financial planning for the next financial

period.

The Capacity Plan provides costed recommendations about how to best meet the Capacity

needs of the business over the coming months.

Capacity Plans are typically produced on an annual basis, in line with an organizations financial

cycle. The plan should be used by all of IT and the business as part of their planning processes.



Page 16 of 20



IT Service Continuity Management deals with situations that could have a

massive effect on the business, including disaster recovery planning.

The process deals with business critical services, including planning to protect them and also

planning for how to successfully recover from their loss.

The purpose of ITSCM is to support the overall Business Continuity Management process by

making sure that minimum agreed levels of services can be delivered in a disaster situation.

This is done by managing risk, and planning for service recovery when required.

One of the important points to be aware of when implementing IT Service Continuity

Management is that is has to be integrated with the organizational Business Continuity Plans.

This means that IT should never be acting alone when developing the IT Service Continuity Plan.

It is not for the service provider to decide how long the business can cope without any

particular service, or which service is the most important. Instead, BCM should provide this

information to ITSCM.

Process Objectives

ITSCM include:

Maintaining the IT Service Continuity plans and IT recovery plans. The plans need to be

updated and regularly assessed to make sure they still support the business continuity

plans

Carrying out regular Business Impact Analysis exercises, to make sure that the changing

criticality of business services is reflected in the plans

Carrying out risk analysis and management, providing advice and guidance as needed

Assessing the impact of all changes on the plans

Negotiating contracts with any suppliers who provide services that support the plans

IT Service Continuity Management



Page 17 of 20



Process Scope

The scope of ITSCM is whatever the business deems to be a disaster. Less significant downtime

will be managed by processes like Incident and Availability Management. The more complex

our services, the more challenging ITSCM planning will be.

One area that is out of scope for ITSCM is long term business changes that could affect the

organization.

For example, a major restructure could affect service, but this would not be part of ITSCM.

These events need to be planned for at the business level, as part of the overall strategic

planning.

As part of its scope, ITSCM follows a four-step process:

Initiation: this is where ITSCM begins, driven by BCM

Requirements and strategy: carrying out Business Impact Analysis and risk assessment

to identify critical services

Implementation: production of plans and implementation of risk reduction measures

Ongoing operation: regular testing of the plans



Page 18 of 20



One of the techniques used by ITSCM is the Business Impact Analysis. This is

way of determining the effect to the business of service loss.

The effects can be financial or non-financial. Some impacts are tangible and easy to measure,

and others are less tangible and can be hard to quantify such as a damaged reputation. How

do you assess what this costs?

The output from the Business Impact Analysis is usually a graph which shows how the effect can

escalate over time. This can be used to identify the minimum amount of staff and

infrastructure required to maintain service.

Business Impact Analysis can help to guide ITSCM efforts and investment.

Risk Assessment

ITSCM also uses risk assessment to help identify what to protect and how much to invest.

Risk assessment is also used by Availability Management and Security Management when they

are protecting services. Standard methodologies like Management of Risk or MoR can be used

to create a profile of risk.

The risks that have the highest chance of materializing or affecting a business critical service

may require countermeasures to reduce their likelihood.

Business Impact Analysis and Risk Assessment



Page 19 of 20



Design coordination provides a point of coordination for all Service Design

processes and activities, and makes sure that design goals are met.

Without good coordination, all the other Service Design processes might work in isolation,

leading to poor quality services and failed designs.

To fulfill its purpose, design coordination needs to make sure that all processes work

consistently. It will coordinate resources and make sure plans are handed over to Service

Transition in a timely way.

It will also make sure that all service designs conform to any overall corporate requirements.

The design coordination process improves overall Service Design effectiveness and efficiency. It

provides a common framework of standard, reusable practices, and identifies improvements

that can be made.

Process Scope

The scope of design coordination covers all design activities, no matter what the technology or

service involved. The more complex the design, the more coordination is needed.

Each organization will need to have guidelines to make sure that each design or project gets an

appropriate level of coordination.

As part of its role, design coordination will:

Assist and support projects

Maintain policies, guidelines and standard documents

Coordinate, prioritize and schedule activities

Review, measure and improve design activies

There are some areas that are out of scope for design coordination. The process is not

responsible for:

Coordinating activities outside of Service Design

Actually carrying out Service Design activities

Design Coordination



Page 20 of 20



Part of the scope of design coordination is making sure the Service Design

Package or SDP is handed over to Service Transition in the agreed format.

Service

Design

Package

The SDP is defined as a set of documents defining all

aspects of an IT service and its requirements through

each stage of its lifecycle. An SDP is produced for each

new IT service, major change or service retirement.

The SDP needs to include information for Service Transition, Service Operation and CSI.

Standard contents will include:

Requirements including business and service

Service Design including functional and Service Level Requirements

Organizational Readiness Assessment

Service lifecycle plan

Service Acceptance Criteria to confirm the service is working as it should

Service Design Package

lesson-9-service-design-processes-part-2.pdf

Documents

Transcript of lesson-9-service-design-processes-part-2.pdf