Version 1.0. IT Service Management & IT Asset Management Services (ITSM & ITAM Services) Governance Process

Transcription

1 Version 1.0 IT Service Management & IT Asset Management Services (ITSM & ITAM Services) Governance Process

2 Table of Contents 1 Planning and Organization Executive Overview ITSM & ITAM Services Value Management ITSM & ITAM Services Business Alignment ITSM & ITAM Services Performance Management ITSM & ITAM Services Strategic Plan ITSM & ITAM Services Tactical Plan Technological Direction ITSM & ITAM Services Information Architecture Model Technological Direction Planning Technological Infrastructure Plan Monitoring of Future Trends and Regulations Technology Practices, Standards and Guidelines Organizational Roles and Relationships ITSM & ITAM Services Steering Committee ITSM & ITAM Services Governance Council Organizational Structure of Application Service Roles and Responsibility of Application Service Responsibility for Risk, Security, and Compliance ITSM & ITAM Services Data and System Ownership ITSM & ITAM Services Personnel Service Relationships (Operational Level Agreements and Underpinning Contracts) Manage Financials Billing and Cost Recovery Model ITSM & ITAM Services Budget Prioritization ITSM & ITAM Services Budgeting Process Cost Management Benefit Management Manage Quality Assess and Manage Service Risks Risk Assessment Risk Response Maintenance and Monitoring of a Risk Action Plan Manage Projects Acquisition and Implementation Acquisition of Resources, Software, Hardware Maintaining Service and Test Tools Enable Operation and Use Knowledge Transfer to End Users & Train the Trainer Knowledge Transfer to Operations and Support Staff

3 2.3.3 Remedy Application Training Procurement of IT Resources Procurement Control Manage Changes Change Standards and Procedures Change Status Tracking and Reporting Manage Releases ITSM & ITAM Services Implementation Plan ITSM & ITAM Services Test Environment Testing of Changes Service Delivery and Support Define and Manage Service Levels Service Level Management Definition of Services Service Level Agreements Operating Level Agreements Review of Service Level Agreements Monitoring and Reporting of Service Level Agreements Service Contract Agreements Manage Performance and Capacity Performance and Capacity Planning Service Monitoring Ensure Continuous Service Ensure Service Security IT Security Plan Management of IT Security Identity Management User Intrusion Identify and Allocate Costs Definition of Services IT Accounting Cost Modeling and Charging Cost Model Maintenance Manage Service Desk and Incident Management Service Desk Registration of Customer Queries Incident Escalation Incident Closure Trend Analysis Manage the Configuration Configuration Repository and Baseline Identification and Maintenance of Configuration Items Configuration Integrity Review Manage Problems

4 3.9 Manage Data Storage and Retention Arrangements Media Library Management System Disposal Backup and Restoration Security Requirements for Data Management Manage the Physical Environment Manage Operations Operations Procedures and Instructions Infrastructure Monitoring Sensitive Documents and Output Devices Preventive Maintenance for Hardware Monitoring and Evaluation Monitor and Evaluate Performance Definition and Collection of Monitoring Data Monitoring Methods Performance Assessment Board and Executive Reporting Remedial Actions Ensure Regulatory Compliance Laws & Regulations w/ Potential Impact on ITSM & ITAM Services Appendix A Governance Roles and Responsibilities Appendix B ITSM & ITAM Services Governance Process Diagram Appendix C ITIL Mappings for ITS and ITSM & ITAM Services

5 Copyright Disclosure The Control Objectives for Information and related Technology version 4.0 (COBIT 4.0) specification document was used as the basis for developing this Governance Framework Template. The COBIT 4.0 specification is produced and maintained by The IT Governance Institute (ITGI The ITGI was established in 1998 to advance international thinking and standards for directing and controlling the use of information technology. Effective IT governance helps ensure that IT supports business goals, optimizes business investment in IT, and appropriately manages IT related risks and opportunities. The IT Governance Institute offers original research, electronic resources, and case studies to assist organizations in their IT governance responsibilities. ITGI (the Owner ), has designed and created the COBIT 4.0 specification (the Work ), primarily as an educational resource for senior IT management and control professionals. The Owner makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of any proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, senior IT management and control professionals should apply their own professional judgment to the specific circumstances presented by their particular systems or information technology environment. ITS Enterprise Solutions (ES) has leveraged the content of the COBIT 4.0 specification document for creating the ITSM & ITAM Services Governance document that can be reused and adapted for governance process development for ES shared services. Per the ITGI copyright disclosure statement, this type of content reuse is permitted for internal, noncommercial, or academic use only and must include full attribution of the material s source. ITS-ES intends to comply with this copyright requirement by only using this material for internal and noncommercial use. 5

6 1 Planning and Organization 1.1 Executive Overview Mission statement The ITSM & ITAM Services Governance Council mission is to provide a highly reliable, scalable, secure, and cost effective IT Service Management, Asset Management and Customer Relationship Management tool that NC State agencies can leverage for managing tasks and activities associated with the OEP implementations of the processes designed within the ITIL Framework. Purpose and Role The purpose of this document is to provide all interested parties with a formal structure that outlines how the ITSM & ITAM Services Group conducts business and responds to business requirements that affects the service as a whole. This governance mechanism also provides a vehicle for each member to make decisions on behalf of their respective agency and to share in the responsibilities and goals of the ITSM & ITAM Services within the State of NC ITSM & ITAM Services Value Management ITSM & ITAM Services provides State of NC agencies with the ability to access and leverage a best in class IT Service Management and Asset Management software solution as a shared service utility without having to fund the significant up-front investment that would normally be associated with the acquisition and deployment of a comparable in-house solution. Other value provided by the service includes: Access to the ITS OEP processes, procedures and documents developed in accordance with the ITIL Framework which is also the basis for the ITSM & ITAM Services implementation. Adhesion to the ITIL Framework and methodology for the management of IT Services. A collection of Best Practices for the processes of Incident Management, Problem Management, Change Management, Configuration Management, Release Management, and Service Level Management, supported by a single integrated application. 6

7 A complete solution of integrated tool and processes which will bring higher levels of efficiency and effectiveness to your Service Management and Asset Management activities. Economies of scale from a shared service offering that would offer lower entry costs for using the ITSM & ITAM Services when it would normally be out of reach for most agencies ITSM & ITAM Services Business Alignment The concept of a shared ITSM & ITAM Services hosted under a single agency started several years ago. The current ITSM application is the third application hosted by ITS providing a means of managing and tracking activities related to Incidents, Service Requests, Changes, and root cause analysis functions of Problem Management. Asset Management is a new offering with the latest tool. Several Service Desks / Call Centers have utilized the previous tools offered by ITS to fill their needs for managing Incidents and Service Requests. These Agencies are positioned to move to the new ITSM & ITAM Services as it offers significantly enhanced capabilities over the previous offerings and provides a substantially less expensive alternative than implementing a tool only for their agency s use. This new offering has generated a high level of interest from several new state agencies that recognize the strength and cost effectiveness of the offering. As a result the support staff was increased with the goal of shortening the time to market for the ITSM & ITAM Services offering. These agencies have agreed to participate on the ITSM & ITAM Services Governance Council and to contribute in helping to shape and define how the ITSM & ITAM Services meet the needs of the State of North Carolina, its agencies and its citizens. ITS, in turn agreed to host and maintain the service including software, hardware, and infrastructure and to offer State agencies the following ITSM & ITAM Services tool options: IT Service Management Service Desk tools to manage Incidents, Service Requests, Problems and in some cases Customer Relationship Management: An Incident Management Application for managing and tracking Incidents and Service Requests. This Incident Management application allows for management of the entire Incident Management process in order to assist in restoring service as quickly as possible. The ability to prioritize Incidents and Service Requests according to business impact allows staff to focus efforts where it matters most. A Problem Management Application for managing and tracking Problem investigations from detection to eradication through the sub-processes of Problem 7

8 Control, Error Control, and Pro-Active Problem Analysis. Problem Management processes remove defects from the IT infrastructure, eliminate recurring Incidents, and stabilize the environment. A Change Management Application for managing and tracking infrastructure changes which includes process management and planning capabilities that help increase the speed and consistency in the way changes are implemented while minimizing risk and errors. This module includes built-in approval process for Change and Release management. This module is completely integrated with Incident, Problem, Asset and Service Level Management Applications. A Service Level Management Application for managing and tracking SLA commitments and breaches allowing management to pinpoint weaknesses and take corrective action. IT Asset Management Asset Management tools to discover and manage assets: A Configuration Discovery Application automates collection of hardware, software, and system information, which provides accurate data for reporting and license compliance. This tool can help reduce support costs by providing support staff with details that will allow them to remotely troubleshoot and resolve issues. A Topology Discovery Application can provide fast, accurate dependency mapping of components within an IT environment. This application provides an upto-date view of dependencies and relationships of assets. An Asset Management Application gives greater visibility to assets and allows for managing and tracking assets along with their physical and financial attributes and disposition. This module includes a Definitive Software Library (DSL) as well as the ability to manage contracts. This allows automated links between assets and software license, lease, warranty, and support contracts to ensure compliance. Asset Management also allows tracking of total cost of ownership of assets. Additional information about the service in general and how it aligns itself in regards to the business perspective can be found on the ITS website under ITS Service Catalog, Application Services, ITSM & ITAM Services. Below is a link to access this information directly ITSM & ITAM Services Performance Management The ITSM & ITAM Services Governance Council will assess and measure the performance of existing policies, plans, procedures, processes, and controls as they relate to the business objectives, delivery, functionality, maintainability, security, and costs of the service. 8

9 1.1.4 ITSM & ITAM Services Strategic Plan ITSM & ITAM Services achieved the goal of introducing an enterprise level ITIL compliant IT Asset Management application in June, 2007 and IT Service Management application in October, This application is available for other State Agencies to utilize for managing their day to day tasks and activities associated with the core ITIL processes of Incident Management, Problem Management, Change Management, Release Management and Configuration Management as well as Asset Management based on the close alignment of the ITSM application with the ITIL Framework. Any agency electing to follow the ITIL Best Practices may do so utilizing the tool ITSM & ITAM Services Tactical Plan To be added and determined by the ITSM & ITAM Services Steering Committee. 9

10 1.2 Technological Direction ITSM & ITAM Services Information Architecture Model Insert Multi Tenancy Diagram and Concept Technological Direction Planning ITSM & ITAM Services group will provide any new technological, software, or service options and/or recommendations to assist with determining the most appropriate strategy when issues with the current service or Remedy ARSystem occur. These will be presented to the ITSM & ITAM Services Governance Council for review. ITSM & ITAM Services currently has a multi-year agreement with Column Technologies for the support and maintenance of the Remedy AR System and applications utilized as part of ITSM & ITAM Services Technological Infrastructure Plan Technical Infrastructure plans are handled and developed by the Architecture and Engineering (A&E) group in conjunction with the ITSM & ITAM Services. The service was implemented in June of The only updates currently scheduled are an addition of a test environment for User Acceptance Testing Monitoring of Future Trends and Regulations The ITSM & ITAM Services Governance Council, under the guidance of the ITSM & ITAM Services group, will monitor business sector/industry, technology, infrastructure, legal, and regulatory environment trends Technology Practices, Standards and Guidelines ITSM & ITAM Services will comply with any applicable principles, practices, standards, guidelines, processes set forth by the State of North Carolina Statewide Technology Architecture (NCSTA) and any state-level information technology strategies, plans, policies, and procedures set forth by Architecture and Engineering (A&E). Below are links to access this information directly:

11 1.3 Organizational Roles and Relationships ITSM & ITAM Services Steering Committee The ITSM & ITAM Services Steering Committee includes the State CIO, Deputy State CIO (ITS), ES Director, and current members of the TPG. Their primary focus may include all or one of the following: Determine prioritization of IT-enabled investment programs in line with the enterprise s business strategy and priorities Track status of projects and resolve resource, software, or hardware conflicts Monitor service levels and service improvements ITSM & ITAM Services Governance Council The ITSM & ITAM Services Governance Council is comprised of current subscribers of the service. Appendix A provides a current list of agencies and members along with their roles and responsibilities Organizational Structure of Application Service ITSM & ITAM Services is part of the Enterprise Solutions group within ITS and reports to the ES Director. The following sections detail the Organizational Placement and Structure of the service Roles and Responsibility of Application Service The responsibility for ITSM & ITAM Services includes but is not limited to the following: Work with agency designees in the initial implementation and deployment activities and tasks providing guidance and leadership in the execution. Participate in daily operations, coordination, and support of agency application administrators, users, and customers using the ITSM & ITAM Services. Provide support and maintenance of the application to ensure its ongoing availability to the agencies that utilize the service in alignment with the published SLA for the ITSM & ITAM Services. Establish overall test strategy & scope; test readiness; and perform risk analysis for assigned testing activities. 11

12 Provide and manage functional and performance testing of the ITSM & ITAM Services. Serve (as needed) in a subject matter expert (SME) role to support ITSM & ITAM Services for local application administrators using the Remedy AR System tools, forms and application. Receive and provide feedback on the product life cycle and Road Map for ITSM & ITAM Services as it pertains to development and maintenance of strategic business/technology plans; logical and physical platform architecture; and configuration, maintenance, and version upgrades of ITSM & ITAM Services infrastructure Responsibility for Risk, Security, and Compliance ITSM & ITAM Services will comply with any applicable policies, standards, and procedures set forth by the Enterprise Security and Risk Management Office as it pertains to potential security risks. Below is a link to access this information directly: ITSM & ITAM Services Data and System Ownership ITSM & ITAM Services Data Any data stored within any specific tenancy of the ITSM & ITAM Services database will be fully owned by the agency tenant. With the exception of the ITSM & ITAM Services System Administrators, data within each tenancy is visible and available only to the respective tenant agency unless the tenant agrees to make data visible to other tenancies. Excluding any activities which must be or can only be carried out by ITS ITSM & ITAM Services System Administrators, the management of all data and records within any specific tenancy shall be the sole responsibility of the tenant agency System Ownership ITSM & ITAM Services is solely responsible for coordinating and implementing any modifications, updates, and patches to any of the Remedy AR System tools, servers, or databases, as well as installation of any new software as required. 12

13 1.3.7 ITSM & ITAM Services Personnel ITSM & ITAM Services will comply with any applicable policies and procedures set forth by ITS and OSP office in regards to the process for hiring and staffing of state employees Security Clearance Procedures ITSM & ITAM Services will comply with any applicable policies and procedures set forth by ITS for personnel security clearance. Any adherence to additional security clearance policies required by other State Agencies will be determined as necessary Contracted Staff Policies and Procedures ITSM & ITAM Services will comply with any applicable policies and procedures set forth by ITS Statewide Procurement office in regards to the process for hiring and staffing of contracted personnel Service Relationships (Operational Level Agreements and Underpinning Contracts) ITSM & ITAM Services administers, supports, and maintains the Remedy AR System application tool suite and the Atrium CMDB. The hosting of the service is provided by several support groups within ITS. In conjunction with ITSM & ITAM Services, they are responsible for supporting and maintaining the following components that complete the service. Computing Services - Server hardware and software platform including OS patches/ updates, virus protection, monitoring, and re-imaging Telecommunication Services Network hardware, connectivity, firewalls, VPN profiles, and security NCID Single sign on authentication and identity management ITS Enterprise Security and Risk Management Services oversight and security scanning, user intrusion detection, and security patch enforcement ITS Service Desk 24 X 7 support of handling of incidents related to ITSM & ITAM Services 13

14 Column Technologies support 24 X 7 support of the Remedy AR System tool suite administrated by ITSM & ITAM Services for critical incidents NCAS Fixed Asset System Ariba eprocurement System Business Relationship Management Business relationships between agencies and ITSM & ITAM Services ITSM & ITAM Services Governance Council represents each subscribing agency in making business decisions related to ITSM & ITAM Services 14

15 1.4 Manage Financials Billing and Cost Recovery Model Charges for the usage of ITSM & ITAM Services will be invoiced on a monthly basis to each tenant agency in accordance with the approved annual rates and the license counts to which they have committed. General usage of the application, standard application maintenance, application hosting, and infrastructure support for all ITSM & ITAM Services specific hardware, software, and OS are included in the approved annual rates. Any optional work requested by and carried out for a specific agency tenant or group of agency tenants will be charged at the time and material rate set for the current year. Specific rates are available on the rates page at : ITSM & ITAM Services Budget Prioritization ITSM & ITAM Services Governance Council will review and prioritize any allocation of IT resources, software, hardware, licensing, infrastructure, support maintenance agreements, and other recommendations that may affect changes to the current cost model. Changes to the cost model must be reviewed by the ITSM & ITAM Services Governance Council prior to submission to the State CIO ITSM & ITAM Services Budgeting Process ITSM & ITAM Services will comply with any applicable budgeting policies and procedures set forth by Financial Management and contained in the Financial Management for IT Library within ITS or the ITS Financial Budget office. The Financial Management for IT documentation was developed to meet the standards of the Information Technology Infrastructure Library (ITIL) methodology as part of the Operational Excellence Program (OEP) in the Office of Information Technology Services Cost Management ITSM & ITAM Services Governance Council, in conjunction with the budgetary recommendations set forth by ITSM & ITAM Services, will review and approve any changes, recommendations, or additional service charges to the cost model on an annual basis Benefit Management Please refer to section ITSM & ITAM Services Value Management 15

16 1.5 Manage Quality To ensure ongoing business requirements are properly aligned, ITSM & ITAM Services has established standards and practices to help manage the quality of services provided and delivered to subscribing agencies and customers by continuous measurement of and concentration on the following criteria: Customer focus and communication Customer feedback and satisfaction Continuous improvement of service delivery Preventive maintenance and conflict resolution Service usage, monitoring, and review Overall performance is ultimately measured against the current Service Level Agreement (SLA) and Operational Level Agreement (OLA) documents pertaining to ITSM & ITAM Services. The scope of these agreements is further explained in section 3. 16

17 1.6 Assess and Manage Service Risks Risk Assessment ITSM & ITAM Services will comply with any applicable policies or procedures set forth and developed by Risk Management Services, part of the Enterprise Security and Risk Management Office, which supports the State CIO. Their performance of duties and responsibilities are directly associated with any involvement as it pertains to information technology risk management, continuity of operations/continuity of government, and audits/assessments as they relate to information technology and include but are not limited to any of the following: ITSM & ITAM Services and Business Risk Management Alignment Establishment of Risk Context Event Identification Risk Management Services reviews and evaluates State Agency plans including ITSM & ITAM Services on an annual basis against industry standards, State policy, and best practices. Audits and assessments are conducted as prescribed by legal and regulatory requirements. Any findings and recommendations are reported to applicable ITS management Risk Response Response to any potential risk to service in general will be initially handled by correspondence from ITSM & ITAM Services via detailing the event. Depending on the level and degree of the risk, an emergency meeting of the ITSM & ITAM Governance Council will be held as deemed necessary Maintenance and Monitoring of a Risk Action Plan The maintenance and monitoring of a Risk Action plan will be developed by the ITSM & ITAM Services Governance Council in 2008 and will be reviewed on a quarterly basis or as deemed necessary. 17

18 1.7 Manage Projects ITSM & ITAM Services will comply with any applicable policies and procedures set forth and outlined in the IT General Statue and PPM Workflow Supporting Information implemented as part of the State SB991 Project Portfolio Management Process. 18

19 2 Acquisition and Implementation 2.1 Acquisition of Resources, Software, Hardware ITSM & ITAM Services Governance Council will review, decide on [vote], and prioritize the allocation of any additional IT resources, software, hardware, infrastructure, licensing, support maintenance agreements, and any other recommendations that may affect changes to the current cost model during or outside the normal scheduled yearly budget cycle. Any decisions may be based on but not limited to any of the following: Major Upgrades and Enhancements to Existing Test Tools and Service Feasibility Study and Impact Assessment Risk Analysis Cost Analysis Operational Benefits Requirements and Feasibility Decision and Approval 2.2 Maintaining Service and Test Tools Refer to section Enable Operation and Use Knowledge Transfer to End Users & Train the Trainer Standard documentation, training materials, and procedures are available from ITSM & ITAM Services to assist training new tenants and users of the service. This material covers basic functionality of the application which is common across all modules as well as material that covers the specific modules available for use by the various state agencies. The documentation covers the following topics: Description of Application / Module Roles and Responsibilities of Users Logins and Passwords User and Usage Guidelines Use of the application in alignment with the OEP Processes 19

20 Service Orientation ITSM & ITAM Services schedules and holds a kickoff meeting for any new agency joining the services to address any questions or concerns related to the topics described above in section ITSM & ITAM Services provides an overview covering such topics as use of the service, accessibility, best practices, procedures, and user guidelines Vendor Support Any issues, problems, or general questions relating to the actual usage of the tools which can not be addressed by local agency application administrators or by ITSM & ITAM Services staff will be escalated to Column Technologies for Support. Column Technologies will act as the escalation point to BMC if this level of escalation is required Knowledge Transfer to Operations and Support Staff All procedures related to the operation of the service are stored in Documentum which is managed by the Electronic Document Management and Project Collaboration service within ITS. The ITSM & ITAM Services Product Manager will handle transfer of knowledge of such procedures Remedy Application Training Individual agencies are solely responsible for procuring administrator training for their local application administrators. ITS will provide Train the trainer sessions for a limited number of agency users who will be expected to act as agency trainers for ITSM & ITAM Services. ITS will also, as part of this service offering, provide training materials used by ITS in training its own staff. Each agency is free to use this material in its original form, or as a template for creating agency specific training materials. 20

21 2.4 Procurement of IT Resources Procurement Control ITSM & ITAM Services will comply with any applicable policies and procedures set forth by the ITS Statewide Procurement office including Title 9 of the NC Administrative Code which contains the Information Technology Procurement Rules developed in response to Senate Bill 222. This applies to the following when procuring IT goods and services: Supplier Contract Management Supplier Selection Software Acquisition Acquisition of Professional Services Resources 21

22 2.5 Manage Changes Change Standards and Procedures ITSM & ITAM Services will comply with any applicable policies and procedures set forth by Change Management and contained in the Change Management Library within ITS as it pertains to any of the following criteria: Impact Assessment, Prioritization, and Authorization Emergency Changes Change Closure and Documentation The Change Management documentation was developed to meet the standards of the Information Technology Infrastructure Library (ITIL) methodology as part of the Operational Excellence Program (OEP) in the Office of Information Technology Services Change Status Tracking and Reporting ITSM & ITAM Services uses the ITS Remedy tracking and reporting system for reviewing and keeping users and relevant stakeholders up to date regarding the status of any change requests pertaining to the service, testing tools, system platforms, and infrastructure. 22

23 2.6 Manage Releases ITSM & ITAM Services Implementation Plan An Implementation plan will be developed by the ITSM & ITAM Services and presented to the ITSM & ITAM Services Governance Council for approval each time any new software or hardware installations, upgrades, patch releases, or other changes to the service are required that directly effect the user community. ITSM & ITAM Services will comply with any applicable policies and procedures set forth by Change Management or Release Management and contained in the Change Management or Release Management Library within ITS. The Change Management and Release Management documentation was developed to meet the standards of the Information Technology Infrastructure Library (ITIL) methodology as part of the Operational Excellence Program (OEP) in the Office of Information Technology Services ITSM & ITAM Services Test Environment A plan for a separate environment for User Acceptance Testing is being proposed for the upcoming 08/09 Fiscal Year. This environment will allow agency users to test any new software, updates, or patches before they are implemented in the existing production environment Testing of Changes ITSM & ITAM Services will ensure that changes are tested in accordance with the defined implementation plan and follow the existing Change Management and Release Management processes. A fallback/back out plan will also be developed and tested prior to promotion of the change to production. The ITSM & ITAM Services Governance Council will select a subcommittee for testing of changes. This committee will report the testing results to the ITSM & ITAM Services Governance Council, which will then vote on whether to approve the change based on the test results submitted. The ITSM & ITAM Services Council Chairperson will then submit the decision of the council to the ITSM & ITAM Services team. 23

24 3 Service Delivery and Support 3.1 Define and Manage Service Levels Service Level Management ITSM & ITAM Services will comply with any applicable policies and procedures set forth by the Service Level Management and contained in the Service Level Management Library within ITS. The process maintains continuous alignment with business requirements and priorities and facilitates common understanding between the customer and ITSM & ITAM Services. The process includes a mechanism for creating service requirements, service definitions, Service Level Agreements (SLAs), Operating Level Agreements (OLAs), and funding sources. The Service Level attributes are organized and maintained in a service catalog. The process also defines the organizational structure for service level management, covering the roles, tasks, and responsibilities of internal and external service providers and customers. The Services Level Management documentation was developed to meet the standards of the Information Technology Infrastructure Library (ITIL) methodology as part of the Operational Excellence Program (OEP) in the Office of Information Technology Services Definition of Services Service Level Agreements ITSM & ITAM Services will comply with the standard Service Level Agreement (SLA) documents provided by ITS to support the service. The ultimate objective of this agreement is to define the support and procedures necessary to ensure high quality and timely delivery of this service. This document clarifies all parties responsibilities to ensure customer needs are met in a timely manner. Although the SLA is in the form of a document that defines a level of service, the desired outcome is to represent the result of an agreement between ITS and its customers Operating Level Agreements ITSM & ITAM Services will comply with the standard Operating Level Agreement (OLA) documents provided by ITS to support the service. 24

25 3.1.5 Review of Service Level Agreements Service Level Agreement reviews will be conducted at a minimum on a quarterly basis or as needed and are facilitated by ITS Business Relationship Management. A Business Account Manager and the respective subscribing agency of the ITSM & ITAM Services will participate in the reviews. Service Level Agreements (SLA) will be reviewed and/or renewed at least once per year. A review of Service Level Agreements may be requested at any time in writing to ITS Business Relationship Management by customer management. The SLA will also require review under any of the following conditions: Whenever there is a significant and/or sustained change to the delivery of the service. Whenever there is a significant change requested to the SLA that supports the ITS service. As a result of these reviews or as other pertinent information is provided, Service Improvement Programs will be implemented as needed Monitoring and Reporting of Service Level Agreements The Service Management Tool [Remedy] in conjunction with ITS Business Relationship Management provides monitoring activity and reports to ITSM & ITAM Services Product Manager on a monthly basis. ITSM & ITAM Services Product Manager will share these reports with the ITSM & ITAM Services Governance Council monthly Service Contract Agreements Conditions on any service contract agreements are handled through a Memorandum of Understanding ( MOU or Agreement ) between a subscribing agency and the North Carolina Office of Information Technology Services ( ITS ). The purpose of this MOU is to define the roles, responsibilities, and other business commitments between each party with respect to the Agency s use of the ITSM & ITAM Services offering provided by ITS. 25

26 3.2 Manage Performance and Capacity Performance and Capacity Planning ITSM & ITAM Services will comply with any applicable policies and procedures set forth by Performance and Capacity Management and contained in the Performance and Capacity Management Library within ITS as it pertains to any of the following criteria: Current Capacity and Performance Future Capacity and Performance IT Resources Availability Monitoring and Reporting The Performance Management and Capacity Management documentation was developed to meet the standards of the Information Technology Infrastructure Library (ITIL) methodology as part of the Operational Excellence Program (OEP) in the Office of Information Technology Services Service Monitoring All servers managed by ITSM & ITAM Services are monitored by the Computing Services group within ITS using the BMC Patrol monitoring tool. 26

27 3.3 Ensure Continuous Service ITSM & ITAM Services will comply with any applicable policies and procedures set forth by IT Service Continuity Management and contained in the Service Continuity Management Library within ITS as it pertains to any of the following criteria: IT Continuity Framework IT Continuity Plans Critical IT Resources Maintenance of the IT Continuity Plan Testing of the IT Continuity Plan IT Continuity Plan Training Distribution of the IT Continuity Plan IT Services Recovery and Resumption Offsite Backup Storage Post-resumption Review The Service Continuity Management documentation was developed to meet the standards of the Information Technology Infrastructure Library (ITIL) methodology as part of the Operational Excellence Program (OEP) in the Office of Information Technology Services. 27

28 3.4 Ensure Service Security IT Security Plan ITSM & ITAM Services will comply with any applicable policies and procedures set forth by the Information Security Threat Management and Incident Response services. These services are offered and provided to help State agencies safeguard citizens data and meet the requirements of the security standards legislation, N.C.G.S through , and other legal and regulatory requirements including the following: User Account Management Threat Management NC-ISAC Security Consulting and Training Security Testing and Monitoring Security Incident Definition Protection of Security Technology Cryptographic Key Management Malicious Software Prevention, Detection and Correction Network Security Exchange of Sensitive Data Management of IT Security ITSM & ITAM Services will manage and ensure security is at the highest appropriate organizational level, so the management of security actions is in line with business requirements. As part of the security management criteria, ITSM & ITAM Services requires an NCID account to authenticate and access the application. In addition, VPN access will also be required for some reporting tasks associated with the ITSM & ITAM Services Identity Management ITSM & ITAM Services will comply with any applicable policies and procedures set forth and developed by the NCID group within ITS which provides a provisioning environment for managing application access. The service infrastructure provides a unified platform for e- business authentication and authorization. As the standard identity management and access service provided to State, local, business, and citizen users by the Office of Information Technology Services, NCID enables its customers to achieve an elevated degree of security and access control for real-time resources such as customer based applications and information retrieval. 28

29 3.4.4 User Intrusion ITSM & ITAM Services will comply with any applicable policies and procedures set forth and developed by Intrusion Prevention Service (IPS) within ITS which provides a critical defensive layer of security for the customer's network that monitors network activities for malicious behavior and can block or prevent those activities. 29

30 3.5 Identify and Allocate Costs Definition of Services Refer to section under Define and Mange Service Levels IT Accounting ITSM & ITAM Services will comply with any applicable policies and procedures set forth by Financial Management and contained in the Financial Management for IT Library within ITS. Disclosure of the capture and allocation of actual costs as it pertains to the current cost model is available upon request. Any variances between forecasts and actual costs will be reported to the ITSM & ITAM Services Governance Council for review and evaluation. The Financial Management documentation was developed to meet the standards of the Information Technology Infrastructure Library (ITIL) methodology as part of the Operational Excellence Program (OEP) in the Office of Information Technology Services Cost Modeling and Charging Refer to section Billing and Cost Recovery Model Cost Model Maintenance The ITSM & ITAM Services Governance council will review and benchmark the current cost/subscription charge model on a annual basis in conjunction with the ITS yearly budget cycle to ensure the cost recovery model is fair and appropriate for the level of service provided by ITSM & ITAM Services. 30

31 3.6 Manage Service Desk and Incident Management ITSM & ITAM Services will comply with any applicable policies and procedures set forth by Service Desk and Incident Management and contained in the Service Desk and Incident Management Library within ITS. The Service Desk and Incident Management documentation was developed to meet the standards of the Information Technology Infrastructure Library (ITIL) methodology as part of the Operational Excellence Program (OEP) in the Office of Information Technology Services Service Desk The ITS Service Desk (ITSSD) handles all incidents related to ITSM & ITAM Services. The ITS Service Desk (ITSSD) agents are on duty 24 hours a day, seven days a week and provide business and technical infrastructure analysis, problem solving, and first and second level diagnostics for hardware. A monitoring and escalation procedure is based upon service levels relative to the appropriate SLA that allows classification and prioritization of any reported issue as an incident, service request or information request. Measurement of end users satisfaction with the quality of the service desk and the ITSM & ITAM Services is also provided Registration of Customer Queries ITSM & ITAM Services uses the ITS Remedy help desk application to log and track incidents, service requests, change requests, and other service related information needs. ITS Service Desk (ITSSD) within ITS works closely with such processes as incident management, problem management, change management, release management, capacity management, and availability management. Incidents are classified according to a business and service priority/severity model and are routed to the appropriate problem management team if a solution or workaround cannot be found Incident Escalation The ITS Service Desk (ITSSD) handles incident escalation for all incidents related to the ITSM & ITAM Services. Incidents that cannot be immediately resolved are appropriately escalated according to limits defined in the SLA and, if appropriate, workarounds are provided. Incident ownership and life cycle monitoring remain with the ITS Service Desk (ITSSD) for user-based incidents regardless of which group is working on resolution activities Incident Closure 31

32 ITSM & ITAM Services works in conjunction with the ITS Service Desk (ITSSD) to resolve and provide timely closure to service incidents. When an incident has been resolved, ITS Customer Care Center (CSC) will record the root cause, if known, and confirm that the action taken has been agreed upon with the customer Trend Analysis Daily incident reports and service level reports are generated from the Service Desk Management tool [Remedy] and provide ITSM & ITAM Services visibility on incidents that have not been responded to or resolved in a timely manner as per the SLA. These reports can be produced as needed to enable management to measure service performance and service response times and to identify trends or recurring problems, so service can be continually improved. 32

33 3.7 Manage the Configuration Configuration Repository and Baseline All relevant information regarding configuration items for ITSM & ITAM Services will be collected, stored, and housed in a central repository and handled by the Information Technology Asset Management (ITAM) group within ITS via the asset management function of Remedy. This repository includes hardware, software, documentation, and operating procedures. Relevant information includes naming, version numbers, and licensing details Identification and Maintenance of Configuration Items ITSM & ITAM Services will abide by and comply with any applicable policies and procedures set forth by Configuration Management and contained in the Configuration Management Library within ITS. This may include one or more of the following activities: Identify configuration items and their attributes Record new, modified, and deleted configuration items Identify and maintain the relationships among configuration items in the configuration repository Update existing configuration items into the configuration repository Prevent the inclusion of unauthorized software These procedures also provide proper authorization and logging of all actions on the configuration repository, which are then properly integrated with change management and problem management procedures. The Configuration Management documentation was developed to meet the standards of the Information Technology Infrastructure Library (ITIL) methodology as part of the Operational Excellence Program (OEP) in the Office of Information Technology Services Configuration Integrity Review Audits and review of configuration integrity will be handled by the ITAM group within ITS and the APM process, when necessary, to verify and confirm the current status and historical configuration items against the actual items in use, existence of any personal or unlicensed software, or any software instances in excess of current license agreements. Any discovery of errors and deviations will be reported to proper authorities responsible for handling such discrepancies. 33

34 3.8 Manage Problems ITSM & ITAM Services will comply with any applicable policies and procedures set forth by Problem Management and contained in the Problem Management Library within ITS which include the following controls: Problem Control o Problem Identification and Recording o Problem Classification and Resource Allocation o Problem Investigation and Diagnosis (Root Cause Analysis) Error Control o Error Identification and Recording o Error Assessment o Record Error Resolution o Integration of Change, Configuration, and Problem Management o Problem Error and Closure The Problem Management documentation was developed to meet the standards of the Information Technology Infrastructure Library (ITIL) methodology as part of the Operational Excellence Program (OEP) in the Office of Information Technology Services. 34

35 3.9 Manage Data Storage and Retention Arrangements Each agency must follow policies and procedures set forth by the Statewide Information Security Manual for handling and storing sensitive data while performing testing of their applications to ensure any sensitive information is secure and encrypted Media Library Management System ITSM & ITAM Services will comply with any applicable policies and procedures set forth by the ITAM group within ITS for maintenance of onsite or electronic software media as it applies to the service [i.e. Remedy AR System Application Software] Disposal Each agency must follow policies and procedures set forth by the Statewide Information Security Manual for disposing of sensitive data and software from equipment or media when transferred for the purpose of testing Backup and Restoration Backup and restoration of ITSM & ITAM Services and any associated Databases is handled by Computing Services group within ITS Security Requirements for Data Management ITSM & ITAM Services and subscribers of the service will comply with any applicable policies and procedures set forth by Statewide Information Security Manual when dealing with physical storage and output of data and sensitive messages. This includes physical records, data transmissions, and any data stored offsite. Individual agencies are shielded from one another by means of individually assigned user logins and projects to ensure an agency s data is isolated from other agencies. Following is a link to access this information directly: 35

36 3.10 Manage the Physical Environment The physical environment which houses ITSM & ITAM Services is supported and maintained by ITS which is responsible for but not limited to the following: Service Hardware Location and Layout Physical Security Measures Physical Access Protection Against Environmental Factors Physical Facilities Management 36