
North Coast HDI Audit Proof Your ITIL Processes John Livingston February 2011


Presentation Transcript


  1. North Coast HDI Audit Proof Your ITIL Processes John Livingston February 2011

  2. Agenda • Introduction • Why learn how to Audit Proof your ITIL Processes? • Audit Tools and Techniques • ITIL Processes – Incident, Problem, Configuration Mgmt (CMDB) and Change Mgmt • Other Resources • Recap what we covered today • Questions

  3. Introduction • University Hospitals • Mission: To Heal. To Teach. To Discover. • 17,000 physicians and employees; 4.8 million outpatient procedures; 63,000 inpatient discharges; $1.9 billion revenue annually • Rainbow Babies ranked top 5 nationally for neonatal care • Vision 2010

  4. Introduction • Instructor • IT Auditor for University Hospitals, prior experience 8 years in IT Operations for Fortune 500 company • 7-person ITIL department responsible for Change, Problem, Incident and Configuration Management • Certified Information Systems Auditor, Lean Six Sigma Black Belt, ITIL and COBIT certifications

  5. Why learn how to Audit Proof your ITIL Processes? • Benefits • More prepared for audits • Input into the direction of the audit • Better manage your ITIL process • Understand organization’s risks and controls • Career opportunities

  6. Audit Tools & Techniques – Audit Process • Audit Dept. reports to Board of Directors • Independent activity • Audit Committee determines the audit plan

  7. Audit Tools & Techniques – Risk Control Matrix

  8. Audit Tools & Techniques – Frameworks • Diagram labels: COSO, ISO9000, IT Governance, Fiduciary Governance, Other Governance, COBIT, ISO 27000, ISO 20000, CMM, ISO 9126, ITIL, ISO 15504, ISO 12207, Security Management, TickIT • Source: Peter Davis + Associates

  9. Audit Tools & Techniques – ITIL • Service Strategy • Service Design • Service Operation • Service Improvement • Service Transition • Process Relationships – 29 Total

  10. Audit Tools & Techniques – COBIT

  11. Audit Tools & Techniques – COBIT

  12. Audit Tools & Techniques – COBIT

  13. Incident Management - Introduction • Goals: • restore normal service operation ASAP • minimize the adverse impact on business operations.

  14. Incident Management - Introduction • Incident - unplanned interruption to or reduction in the quality of an IT service. • Failure of a Configuration Item (CI) that has not yet affected service is also an incident.

  15. Incident Management – Basic Concepts • Incident management should consider the following elements: • Time limits – agree on time limits for all phases and use them as targets in Operational Level Agreements (OLAs) and Underpinning Contracts (UCs) • Incident models – a way to determine the steps necessary to execute a process correctly.

  16. Incident Management - Activities • Key Challenges • Detection of incidents, especially prior to user impacts • Logging of incidents – getting all incidents logged by all IT staff • Ability to identify recent problems and changes • Clear understanding (coming from service level mgmt) of the user impact and associated priority allocation for incidents • Well-functioning Configuration Management Database (CMDB) with relationships between CIs.

  17. Incident Management – Metrics • Total number of incidents • Number and percentage of incidents by priority • Average cost per incident (Level 0, 1, 2, 3) • The number and percentage of incorrectly routed incidents • The percentage of incidents handled within the agreed timeframe • Number and percentage of incidents processed per service desk agent

  18. Problem Management - Introduction • Goals: • Find and resolve the root cause of a problem and prevent additional incidents • Return the service to normal level as soon as possible, with smallest possible business impact.

  19. Problem Management - Introduction • Incident - unplanned interruption to an IT service or reduction in the quality of an IT service. Failure of a CI that has not yet affected service is also an incident. • Problem - cause of one or more incidents. • A problem can be identified from: • Multiple incidents exhibiting common symptoms • A single significant incident indicative of a single error, for which the cause is unknown.

  20. Problem Management - Introduction • High-performing IT organizations spend less than 5% of their time on unplanned and urgent work (“firefighting”). • In contrast, typical IT organizations spend between 35-45% of their time on unplanned and unscheduled work. • Source: The Visible Ops Handbook

  21. Problem Management – Basic Concepts • Incident management should stop working on an incident when the service to the user(s) has been restored. • It’s the responsibility of Problem Management to permanently “fix” the issue.

  22. Problem Management - Activities • Problem management consists of two important processes: • Reactive problem management • Proactive problem management

  23. Problem Management - Activities • Problem Process • Problem detection • Problem logging • Categorization • Prioritization • Investigation and diagnosis • Resolution • Closure

  24. Problem Management - Activities • Techniques for investigation and diagnosis • 5-why analysis • Ishikawa (fishbone) diagram

  25. Risk Control Matrix – Incident and Problem Management

  26. Configuration Management - Introduction • Goals: • Provide accurate configuration information to enable people to make the right decisions at the right time • Minimize the number of quality and compliance issues caused by improper configuration of services and assets.

  27. Configuration Management– Basic Concepts • A configuration item (CI) is an asset, service component or other item that needs to be managed in order to deliver an IT Service.

  28. Configuration Management – Basic Concepts • Configuration management database (CMDB) - contains details about configuration items throughout their lifecycle. • A federated CMDB pulls the CI information from many different sources.

  29. Configuration Management– Basic Concepts • CMDB design encompasses four dimensions: • Scope – which components to include • Level of detail – how much detail to break a CI into • Relationship – between CIs • Attribute – a piece of information about a CI

  30. Change Management - Introduction • Goals: • Reduce incidents, disruptions and rework • Respond to customer’s changing business requirements • “80% of unplanned downtime is caused by people and process issues, including poor change management practices, while the remainder is caused by technology failures and disasters.” (Donna Scott, VP & Research Director, Gartner)

  31. Change Management - Introduction • Objective: ensure that changes are recorded, assessed, prioritized, planned, tested, implemented, and documented in a controlled manner. • Change - addition, modification, or elimination of a CI and its related documentation.

  32. Change Management - Introduction • Every organization must itself define which changes its change management process does and does not cover. • Examples include: • Changes to PCs • Changes to user accounts • Other examples?

  33. Change Management – Basic Concepts • Change Advisory Board (CAB): consultation body that meets at fixed intervals to assess changes and help change management prioritize the changes. It may include representatives from all important IT departments, as well as: • Customers • End users • Application developers • System administrators • Service desk representatives • Supplier representatives

  34. Change Management - Activities • 1. Create and record • An individual or department may submit an RFC • All RFCs are registered and it must be possible to identify them.

  35. Change Management - Activities • 2. Review the RFC • Does it make good business sense? • Is it technically feasible?

  36. Change Management - Activities • 3. Assess and evaluate changes • Impact x Probability = Risk Category

  37. Change Management - Activities • 3. Assess and evaluate changes (cont.) • Examples of priority codes are: • Standard • Urgent • Emergency

  38. Change Management - Activities • 3. Assess and evaluate changes (cont.) • Schedule of Change (SC). Calendar which contains the details for all approved changes.

  39. Change Management - Activities • 6. Evaluate and Close (Cont.) • Post Implementation Review (PIR)

  40. Change Management – Relation to other ITIL Processes • Incident Management • Help Desk/IT Operations attends CAB meeting • Once an outage in the IT Environment is identified, Help Desk/IT Operations reviews change records for possible root causes.

  41. Change Management – Relation to other ITIL Processes • Problem Management • Frequently submits RFCs and makes an important contribution to CAB discussions • Reviews implemented changes for possible root causes of Problems.

  42. Change Management – Relation to other ITIL Processes • Configuration Management (CMDB) • RFC will include CIs to be able to assess potential impact of change on the IT environment. Also related CIs (not included in RFC) are reviewed for possible upstream and downstream impact. • CIs will have a record of implemented changes and success rate of those changes (CI fragility). • Release Management • The Release process is triggered by an approved RFC. • Change management will conduct a Post Implementation Review (PIR) after the release is deployed.

  43. Change Management – Metrics • Metrics • Number of RFCs implemented per month • % of RFCs per category (Risk and Impact, Priority, Emergency, etc.) • % of RFCs which were unsuccessful • Average amount of time from submission to implementation of RFC • Cost to process each RFC (Quality Review of RFC Implementation, Testing and Backout Plans)

  44. Risk Control Matrix – Change Management

  45. Other Resources • Appendix on Preparing for IT Audits • How to become a High-Performing IT Organization • Four Phases of Visible Ops • Phase 1: “Stabilize the patient” • Phase 2: “Catch & Release” and “Find Fragile Artifacts” • Phase 3: Establish Repeatable Build Library • Phase 4: Enable Continuous Improvement • http://www.itpi.org

  46. Other Resources • COBIT • http://www.isaca.org • Click on Knowledge Center, then COBIT • National Institute of Standards and Technology • http://www.nist.gov

  47. What we learned today • Why learn how to Audit Proof your ITIL Processes? • Audit Tools and Techniques • ITIL Processes – Incident, Problem, Configuration Mgmt (CMDB) and Change Mgmt • Additional resources for learning more about ITIL

  48. Questions? john.livingston@uhhospitals.org