1 An introduction to ITIL concepts Written by Justin Murray October 2005 Introduction... 2 Objective... 2 The ITIL books and processes... 3 Service Management: a key part of ITIL... 4 Service Support... 5 Service Delivery... 8 Summary For more information About the author...11
2 2 Introduction As the management of both IT services and business needs grows more complex in an increasingly global, competitive, and regulated environment, the need for standardized, proven practices for managing IT services has grown as well. This need drives the increasing popularity of the Information Technology Infrastructure Library (ITIL). ITIL in fact may well be the most widely accepted approach to managing IT services in the world today. ITIL is popular because of the proven best practices that it offers. The demand for information about ITIL continues to grow. Among other reasons for investigating ITIL recommendations, one common motivation is to learn about knowledge and best practices necessary for achieving compliance with Sarbanes-Oxley and other IT governance requirements. Objective The objective of this article is to introduce the main concepts of ITIL best practice recommendations for managing IT services. This article is intended to show you the underpinnings of IT Service Management (ITSM), whether your focus area is from a business, a consulting, or a technology perspective. Note that in addition to the area of ITSM, ITIL also addresses a number of separate areas, including Planning to Implement Service Management, The Business Perspective, Application Management, Security Management, and ICT Infrastructure Management, as shown in Figure 1, below. Figure 1. Areas addressed by ITIL. T h e Planning to Implement Service Management T h e B u s I n e s s The Business Perspective Service Management Service Delivery Service Support Security Management ICT Infrastructure Management T e c h n o l o g y Application Management This paper will not address these additional areas; however, at the end of this paper, you can find sources for learning about these areas as well as exploring ITSM itself in more depth.
3 3 Organizations that promote ITIL Before we proceed with our exploration of ITIL, let s review some common ITIL-related terminology and organizations. ITIL provides a cohesive set of best practices derived from the public and private sectors internationally. A qualifications scheme, accredited training organizations, and implementation and assessment tools support ITIL. The best practice processes ITIL promotes are supported by the British Standards Institution's Standard for IT Service Management (BS15000). It s important to understand that ITIL is not a collection of software, nor can any software claim to be ITIL compliant, as there is no compliance test or validation for this. Vendor software, such as HP s Service Desk, can, however, be labeled ITIL compatible, meaning that it follows the best practices laid out in the ITIL guidelines. In the ITIL literature, you will find reference to the IT Service Management Forum, or itsmf. This organization is a collection of industry players, with HP as one of the chief sponsors, aimed at promoting ITIL and IT service management in keeping with ITIL best practices. IT Service Management (ITSM) is a combination of services, software, people and standard methodologies that improves the quality of IT services. In the longer term, it lowers the cost of those services. ITSM is based on ITIL and is often used as a synonym for it. Strictly speaking, however, ITIL is the description of the best practice only. The ITIL books and processes ITIL is made up of a set of books that contain best practice recommendations for managing IT as a business (as a stated goal). The currently available book titles, sometimes called the colored books, are: The Business Perspective Software Asset Management Service Support Service Delivery Planning to Implement IT Service Management ICT Infrastructure Management Application Management Security Management Figure 1, above, shows the relationships among these books. The Office of Government Commerce (OGC) in the UK publishes these books and makes them available, along with some short demos for each area, on its ITIL publications site. People from companies such as Microsoft, IBM, DMR Consulting (Canada), Fujitsu, Sonera and others have written the ITIL books. The UK OGC and itsmf are working together to scope the content of an update to ITIL publications, scheduled for The colored books describe the ITIL principles, breaking them into sections as seen in the center portions (between the columns labeled The Business and The Technology, ), in Figure 1, above.
4 4 Service Management: a key part of ITIL Let s look first at a key part of ITIL: Service Management. ITIL Service Management (shown in the center of Figure 1) is concerned with the two main sub-areas of service delivery and service support. A key service support offering is the set of processes that are supported by the HP OpenView Service Desk product, such as Incident Management and Problem Management. Service Delivery and Service Support are distinguished by their constituent processes and functions, shown further in Figure 2, below. The ITIL processes making up Service Management are listed across the middle tier of the diagram shown in Figure 2. The Incident Management, Problem Management, Configuration Management, Change Management, and Release Management processes belong to the Service Support area, as does the Service Desk function. Configuration Management supports both sides of the Service Management area: delivery and support. The five processes named Service Level Management, Availability Management, Capacity Management, Financial Management and IT Service Continuity Management taken together comprise the Service Delivery side of the Service Management area. We ll look at each of the processes at a high level here. You can visit the OGC ITIL website for further information on these processes (see References below). Figure 2. The ITIL processes that comprise Service Management. Service Support User Is represented by Service Customer has prime contact Negotiate SLAs ITIL Foundation Service Desk Service Level ITIL Processes Incident Problem Change Release Avail. Capacity Financial IT Svc Continuity Configuration CMDB
5 5 Service Support Let s delve into the Service Support side of the picture (see the left-hand side of Figure 2) first. It is important to realize that your company could implement any one of these processes independently of all the others. Although they have multiple inter-relationships and hand-offs, each process brings benefits in itself. For instance, as a starting point, your organization may benefit from implementing the Change Management process only. By formalizing this one process, an organization benefits from keeping track of changes made to the deployed systems. This helps in understanding those changes that may have caused problems or fixed problems over time. Without an adequate Change Management process, that type of understanding is dependent on human memory of changes made, which can be faulty in larger environments. The user s prime interface to IT is through the ITIL Service Desk function. It is worth noting that the Service Desk in ITIL is considered to be an essential function rather than an ITIL process. As a function it provides a human interface for other processes in the ITIL world, whereas the ITIL processes can be seen as formalized activities that are carried out by various people, including the Service Desk staff. Also, to avoid confusion, take note that the ITIL Service Desk is not the same as the HP OpenView Service Desk set of products, although HP OpenView Service Desk products in fact covers several of the areas described in ITIL. Going briefly to the right-hand side of the picture, we see that the Customer negotiates Service Level Agreements (SLAs) with the Service Level Manager. These SLAs then apply to the levels of service the User will receive. All incidents that occur in the use of their IT facilities are reported to the ITIL Service Desk. Let s now look at each individual ITIL process under the Service Support umbrella. 1. Incident Management An incident, in the ITIL definition, is any event that is not part of the standard operation of a service and which causes, or may cause, an interruption to or reduction in the quality of that service. An incident is not a problem (defined under Problem Management, below) in ITIL, but is separate from it. Incidents are logged as records in the Configuration Management Database (CMDB) quite separately from problem records, although of course there will be linkage between the two. The ITIL Incident Management process is designed to protect service continuity. When an incident occurs, this process works to quickly restore normal service operation with the least possible impact on business operations. The ITIL documentation calls the person in the organization who is responsible for this process the Incident Manager. Your organization may use different job titles for this role. This role title and other role titles such as Problem Manager, Change Manager, etc., in fact often have other names, such as operations manager, within real companies. Regardless of the name for these roles in any individual company, the roles themselves still follow the process under the name given in ITIL. 2. Problem Management A problem in ITIL terms means the unknown underlying cause of one or more incidents. Problems are logged as records in the Configuration Management Database (CMDB), separately from the incidents that they are related to. The error that gave rise to the problem may be known or unknown. Once the cause of a problem is known, it becomes a new item called a known error. Known errors are also logged as records in the CMDB, linked to the problems that they cause.
6 6 The CMDB itself is a collection of configuration items, or CIs. A CI can be anything that has meaningful attributes and that is required to be managed by the business. Let s look at some examples. Incidents, problems, and known errors are all examples of a CI. Incident attributes are associated with CIs. Incident attributes are distinguished by having no further descriptive attributes of their own; for example, think of a Social Security number for a United States citizen. An incident case number is an ITIL-related example of an attribute of a CI. 3. Configuration Management The main goal of the Configuration Management process is to maintain and control all versions of all existing Configuration Items. Configuration management provides accurate information to support all the other service management processes. The personnel and roles of the company, documentation, organization charts, the Definitive Software Library (DSL) and Definitive Hardware Library (DHL) for any released products are stored in the CMDB. This could be a very large set of things, so in practice the CMDB may contain pointers to other storage mechanisms for some of these items, such as a separate personnel database, for example. The DSL is where the authorized versions of all software Configuration Items (and source code) are stored. The DSL contains both the software developed by the owning organization and master copies of any purchased software. The DSL may be physically made up of many storage places, but it is logically one store. The Configuration Management process encompasses five main activities: 1. Planning creating a plan for configuration management over the coming 3 to 6 months. This plan details the strategy and policy, CMDB design, tools, and other resource requirements. 2. Identification selecting and naming all Configuration Items, ownership, relationships to other CIs, versions, and identifiers. 3. Control ensuring that only authorized CIs are accepted for use. This ensures that appropriate documentation (such as a Request for Change, described in the Change Management section below, is available for any CI that is modified, added, removed, or replaced in the CMDB. 4. Status Accounting rather than referring to traditional financial accounting, this means reporting up-to-date and historical data for all CIs throughout their lifetime. This makes it possible to track state changes for CIs. 5. Verification and Audit conducting reviews that assert that CIs actually exist, and checking that these CIs are correctly detailed in the CMDB. Among the benefits of implementing the Configuration Management process fully are the following: We now have accurate information on all CIs and their supporting documentation. We have tools for adhering to the legal and contractual obligations that govern the industry. We have visibility of all software changes and a clear foundation for the Release Management process. 4. Change Management So far, we have discussed incidents, problems, known errors and Configuration Management on the IT Service Management Support side. Now we re ready for the next step. When we solve a problem and want to fully resolve it in production, we need to make a Change. Change Management is the ITIL process that oversees this part of IT Service Management Support, and every change requires a Request for Change (RFC) that is also stored in the CMDB.
7 7 The ITIL Change Management process keeps the IT infrastructure in line with the needs of the business. This process formalizes the approach for handling any changes that could get in the way of allowing IT to deliver services through a single, centralized process of approval, scheduling and control. Authorization and Approval are key words in this process. The Change Advisory Board, or CAB, is a group of people who investigate and authorize or deny any proposed changes. The CAB produces a Forward Schedule of Changes that identifies any future changes and the actions to be taken on them. Anyone (such as a User accessing the Service Desk) can submit an RFC at any time, but the CAB controls these requests and what becomes of them. 5. Release Management Release Management is the final ITIL process under the Service Support umbrella. The defenders and controllers of the production environment execute this process. The person playing the role of the Release Manager selects the pieces and parts to use for implementing an approved change. Remember that this change will have been approved previously by the Change Manager and the CAB as described above. The Release Management process enforces effective use of any new or changed services that the organization plans to implement. This process spans the planning, designing, building, testing, and releasing of hardware and software components. Following this process ensures that only compatible, licensed, and appropriate releases take place. Releases that are not aligned with the organizational goals are minimized. When you want to identify the Release Management group, the key words to look out for in organizations are implementation and deployment. The Release Managers set policy on releasing anything, and they design and build the release as well as control configuration management. A Release is defined as a collection of authorized Changes to an IT service; the release is characterized by the set of Requests for Change (RFCs) that it implements. A Release will be recorded separately from other items in the CMDB. The Definitive Hardware Store (DHS) is a secure area holding spare definitive hardware CIs that make up part of a Release. Details of these DHS components should be recorded in the CMDB. Figure 3 summarizes the types of CI that we have seen. They are independent of each other and are not refinements of one thing in the CMDB. You can think of them as separate records or tables in the database that we are referring to as the CMDB, not as a sequence of updates to one record.
8 8 Figure 3. Summary of the types of CIs discussed here. ITIL Processes Incident Incidents Proble m Problems Known Errors Change Changes Release Releases CMDB You can find more information on the remaining processes in the Service Management area at the reference sites given below. Service Delivery Up to this point, we have focused on the direct interactions with the user from day to day relating to incidents and problems that comprise Service Support. Now we will shift our focus to the separate area of Service Delivery within the overall Service Management section of ITIL, as illustrated in Figure 1. Service Delivery addresses the ongoing delivery and control of the services being offered. This area is composed of five processes: 1. Service level management 2. Availability management 3. Capacity management 4. Financial management 5. IT service continuity management We ll examine each of these processes briefly below. 1. Service Level Management Service Level Management is the process of ensuring that Service Level Agreements (SLAs) are documented with the Customer. This process monitors the actual supplied service levels to ensure that they conform to the SLAs. The Service Level Management process describes the creation of a catalog of supplied services to the Customer. This document itself is stored in the CMDB. The catalog describes the key features of the services provided and forms the basis for understanding between the Customer and IT. We can look at the Service Level Management process as a way to provide the discipline between the service provider (the IT department, for example) and the service consumer or the Customer. 2. Availability Management The Availability Management process ensures that services are available when the Customer needs them. This process is not concerned with extreme catastrophic events, such as the occurrence of a fire
9 9 causing the loss of a building containing parts of the IT infrastructure. Availability management instead addresses the more confined, day-to-day issues that prevent any service from being available and managing them to known levels. This process has various factors impinging on it. Some of these factors include: Business demand Availability of human support Cost of making services available Level of redundancy and reliability of the IT infrastructure Level of maintenance required to support availability of service The ke y elements of the Availability Management process are: The percentage of agreed hours for which the service is available (its Availability ) Its reliability, or the prevention of failure Its maintainability, or the ability to restore services back to normal functioning Its serviceability, or support capability from external suppliers Its security, consisting of confidentiality, integrity and access controls 3. Capacity Management This process addresses the current and future business needs of the Customer of the IT organization and ensures that there is enough computing, storage and network capacity to handle potentially growing needs over time. The success of this process is very dependent on accurate forecasting of business needs, a good understanding of where technology is going, and good planning for IT capacity. The inputs to the Capacity Management process are: The SLAs (with any SLA breach events and trends) and the Service Catalog from the Configuration Management process Both the Business and IT future plans All outputs from the Change Management process, such as the Forward Schedule of Change Outcomes from any Service Reviews Amo ng the outputs from the process are: The Capacity Plan Baseline measurements and thresholds of the service SLA recommendations Changes for service improvement that are fed back into the Change Management process It is important to note that the Capacity Management process covers not just technical IT Resource Capacity Management, but also Business Capacity Management (including the description of current and future SLAs) and Service Capacity Management. 3. Financial Management Financial Management as a process within ITIL has a clear objective: the cost-effective ownership and handling of IT resources in order to provide IT services. This is a key part of Service Management. When done effectively, the Financial Management process reduces overall long-term costs and identifies the actual costs of providing services. The main considerations within Financial Management are the Budgeting and Accounting sub- which are mandatory, and the Charging sub-process which is optional. Not all Service processes, Level Management is charged for, nor are charges always necessary. However, the introduction of charging for services by IT back to the customer is a key theme in ITIL. This practice is encouraged as a means of making the IT Service provider and Customer aware of the value of the services to the business and drawing attention to the associated costs of these services.
10 10 Costs are broken down into Capital Costs versus Operational Costs, Direct versus Indirect Costs and Fixed versus Variable Costs. The Financial Management Process produces a cost model or framework such that all known costs are identified. This makes it possible to calculate the overall cost of IT services to be allocated to different Customers. The resulting overall cost may be a theoretical charge or a real charge, depending on the organization. 4. IT Service Continuity Management IT Service Continuity Management addresses the types of interruption to service that are much more widespread and far-reaching in their effects than those that are covered by the Availability Management process. The IT Service Continuity Management process considers the major negative events that could befall the IT service supporting systems. This process includes making plans and provisions for recovery from significant, potentially serious events so that service returns to normal as soon as possible, within cost constraints. This process attempts to reduce the risk to the business by effective analysis and risk management. The process thus prevents the loss of Customer confidence in the event of a catastrophic occurrence such as a fire that destroys a data center. A risk analysis may be done during the execution of this process according to the Central Communications and Telecommunications Association (CCTA) Risk Analysis and Management Method (CRAMM for short). This analysis identifies the risks, associated threats, vulnerabilities and impacts, and it describes some potential countermeasures. ITIL guidelines categorize the types of Recovery from a serious outage due to loss of a facility, people or critical support systems, such as power, as follows (listed in increasing order of cost and complexity to the organization): Doing nothing (sometimes, if rarely, applicable) Manual back-up A reciprocal arrangement (where other organizations agree to back each other up) Gradual recovery (having a cold standby that must be loaded before it can come into play) Intermediate recovery (having a warm standby ) Immediate recovery (having a hot standby ) Many data processing centers maintain another installation at a remote site that can take over from them in the event of an emergency outage in one of the above forms. Characterizing the type and level of service that will be available in such events is the business of the IT Service Continuity process and plan formation. The plan is itself a document that is required to be safely stored. It should be kept in an off-site location where it will be available when needed. Such a location should be remote from any susceptible site. The plan should of course be tested on a regular basis and adjusted as the needs of the business change over time. Summary You should now have a good overall view of the various ITIL processes and the ITIL Service Desk function that we have introduced in this paper, along with a view of the benefits that accrue from introducing these processes into an organization. As mentioned earlier in this article, organizations can start by introducing one process from the whole set, such as the Change Management process and gain benefits quickly. Table 1 (below) summarizes the full ITIL areas of interest. Service Support Service Delivery Service Desk (a function, not a process)
11 11 Incident Management Problem Management Configuration Management Change Management Service Level Management Capacity Management Availability Management Financial Management Release Management IT Service Continuity Management Table 1. Summary of the processes within ITIL Service Support and Service Delivery. Together, the elements in table 1 comprise the IT Servi ce Management area within the world of ITIL. Looking back at Figure 1, you can see that we have only addressed one area of the overall ITIL sphere. You can also investigate the separate areas of Planning to Implement Service Management, The Business Perspective, Application Management, Security Management, and ICT Infrastructure Management. This information is available through the ITIL website and supporting documentation. HP has long held a leadership role in contributing to the development of ITIL guidelines and in offering ITIL-compatible solutions and services. HP has contributed by constructing its own ITSM Framework, based on ITIL and offering services to customers to implement it. The HP ITSM Framework and the Consolidated Service Desk solution include consulting practices and software products to help organizations build manageable systems that enable a closer linkage between IT and business needs. HP s professional services include access to experts who can assist clients with ITIL as well as with more traditional consulting and implementation needs. ITIL best practices will be useful for anyone implementing service management in order to align IT with the business. We encourage you to investigate further and determine which ITIL practices will best fit your business s needs. For more information ITIL OGC Website itsmf Website ITIL best practices for application development How ITIL can help t he application developer (playback webcast, free registration required) Developing man ageable applications using ITIL processes (free registration required) HP ITSM portal (free registration required) About the author Justin Murray is a solution architect. He has worked for HP in various consulting and teaching roles. Justin has consulted at a technical level on customer projects involving Java, J2EE and web services. Justin works in the management software domain at HP, linking the HP OpenView suite of management tools with HP's alliance partners to create solutions for customers Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.