Management of IT Environment (3) / Riadenie IT prostredia
Standardization in terms of IT service management
Karol Furdík, Department of Cybernetics and AI, FEI TU Košice
Lecture content
• Definitions of basic terms
  • normalization, norm and standard
  • task, properties and characteristics of a technical norm
  • types of standards, factors and stages of standardisation, norm life-cycle
• Standardization organisations
• Legislative framework of norms
• Standardization in IT service management
  • standards for quality management
  • standards for modeling and management of business processes
  • standards for IT services and management
  • standards for IT security management
  • standards for related technologies
• Certification
Standardization - definitions
1. Standardization – creation and application of norms, standards, recommendations and rules in a certain field of study; in our case the implementation and application of IT/ICT in an organisation.
2. Standardization – definition of a framework which ensures compliance with a minimal level of quality of technological or management processes, system management, interface provision, etc.
Objective of implementing the standards created by the process of standardisation:
• increase the competitiveness of the organisation where the norms are implemented
• guarantee the prescribed quality of output products/services
• streamline and optimise decision and management processes
• increase the prestige and credit of the organisation over competitors that do not have the standard implemented
Prerequisites for standard implementation
• A standard should be progressive and follow the newest knowledge and trends – important mostly in the field of IT
  • result – standardization is an iterative process in which standards undergo several stages, from the proposal through implementation up to the termination of the standard
• However, the standard should be sufficiently stable, accepted by a wide range of professionals and with proven application in real life
• A standard has to be sufficiently clear, understandable, explicit and controllable
  • therefore it should include implementation guides and application examples, and it is also appropriate to include a recommended certification procedure
Norm and standard
Norm – an established binding rule, custom etc., or a set of such rules; e.g. a moral, social, legal, governmental (technical) norm.
• Technical norm – prescribed technical solution of a product, equipment, technology etc.
Standard – common (good) quality level; stable, normal rate; basic level of evaluation.
• Technical standard – a model or pattern governing production so that products of a given type, quality, composition or size are made; (in some countries) the label of a technical standard.
• Norm is the more „strict“ term, carrying a binding feature.
• Standard has a more general, loose meaning in the Slovak environment; a standard does not have to be binding / obligatory to apply (Remark: in the past STN were obligatory, nowadays they are not).
• In English the term standard is used, so the terms norm and standard may be regarded as synonyms.
Standard - definition, purpose, characteristics
Def. according to ISO: a standard is a document, based on an agreement and approved by a respected organisation, that provides a common and repeatable set of rules, guides, restrictions or characteristics for processes and their outcomes such that in a given context an optimal level of arrangement is achieved.
Purpose of (technical) standards is to provide a precise specification in the given field of industry, sales or services which serves as a reference framework for application in production or business.
A standard should be:
• Result of broad consensus among experts -> eligibility for practice
• Verified and stable
• Progressive, corresponding with the latest knowledge and trends
• Predictive, forward-looking
Properties of technical standard (1)
Represents a certain level of know-how and technology that should be as progressive as possible, but already proven in practice.
• Therefore the presence of a wide consortium of industry representatives and experts is necessary in the process of standard creation.
Result of cooperation, so it reflects the combined results of all associated parties and is confirmed by an agreement of the consortium.
• should represent all relevant interests of: manufacturers, users, laboratories, government, consumers etc.
Neither a compromise nor neutral. On the contrary, a standard expresses a strict and exact specification of a certain approach or process (production, technological, managerial, etc.).
Properties of technical standard (2)
Consistent and coherent. Created by technical committees that are coordinated by specialized parties which ensure that the obstacles and differences between different areas and business activities are overcome.
Reference document used specifically in relation to public contracts between business or industrial partners, in international trade contracts or for the creation of business agreements.
Used by industrialists as a non-negotiable reference, which simplifies and unifies business relationships between economic partners.
Although a standard is not necessarily legally binding, it is a generally accepted document that may be used in court litigation.
Standards are widely available; they can be studied or traded with no restrictions. However, they cannot be republished or copied.
Types of standards (1)
According to content:
• Basic standards – terminology, metrology, conventions, symbols etc. Wide range, general provisions for one particular area.
• Test methods and analysis standards – measurement of certain properties.
• Product and service standards – parameters of a certain type of product (product standards) or of a certain service.
  • describe the lowest acceptable levels of parameters a product or service has to achieve (e.g. health protection, security, documentation, ...)
• Organizational standards – description of company function and relationships, modeling of activities inside the company (e.g. quality management, value analysis, logistics, project and system management, production organization etc.).
Types of standards (2)
According to geographical scope:
• National (in Slovakia – STN; ANSI – USA, DIN – Germany, BS – Great Britain, ÖNORM – Austria, NF – France, JISC – Japan)
• Regional (e.g. European – EN, ETS)
• International (e.g. ISO, IEC, IEEE, W3C and others)
Technical harmonisation principle – at the European level, so-called harmonized standards (created by European standardization organizations) are defined as common technical specifications.
• National standardization organizations take over these harmonized standards as their own, using a qualified translation of the original European standard, and harmonize all other standards with respect to the European one.
• In Slovakia this is done according to zákon č. 264/1999 Z. z. (Act No. 264/1999 Coll.), resulting in harmonized Slovak technical norms.
Designation form of STN standards
Sign STN and a 6-digit number:
• STN XX XX XX – original national standard; the three pairs of digits represent class, group and order in the catalog (approx. 40% of the total number of STN standards).
• STN EN XXXXX or STN ISO/IEC XXXXX – adopted European or international standard; the 5-digit number reflects the number of the original European or international standard (approx. 60% of standards).
After the designation of an adopted standard there is an index sign in parentheses that represents the national STN number under which the standard was issued, for example:
• STN ISO/IEC 20000-1 (36 9788) – after inclusion into STN this standard has been given class 36: Electrical Engineering, Information technologies; group 97; serial number 88.
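As an added illustration of the designation rules above (example code, not part of the lecture), a small Python parser that splits an STN designation into its components and distinguishes original national standards from adopted ones. The regular expressions, the `StnDesignation` record and the `catalog_index` helper are assumptions constructed only from the rules stated on this slide.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Patterns constructed from the designation rules given on the slide:
#   STN XX XX XX                                   original national standard (class, group, order)
#   STN EN NNNNN / STN ISO/IEC NNNNN [-part][:year] [(CC GGSS)]
#                                                  adopted standard, optional STN index in parentheses
_ORIGINAL = re.compile(r"^STN (\d{2}) ?(\d{2}) ?(\d{2})$")
_ADOPTED = re.compile(
    r"^STN (EN|ISO/IEC|ISO|IEC) (\d{5})"      # source body and its 5-digit number
    r"(?:-(\d+))?"                            # optional part, e.g. 20000-1
    r"(?::(\d{4}))?"                          # optional year, e.g. :2005
    r"(?: ?\((\d{2}) ?(\d{2}) ?(\d{2})\))?$"  # optional STN index, e.g. (36 9788)
)


@dataclass
class StnDesignation:
    kind: str                     # "original" or "adopted"
    source_body: Optional[str]    # EN, ISO/IEC, ... (adopted only)
    source_number: Optional[str]  # the 5-digit source number (adopted only)
    part: Optional[str]
    year: Optional[str]
    stn_class: Optional[str]      # 2-digit class, e.g. 36
    group: Optional[str]          # 2-digit group within the class
    serial: Optional[str]         # 2-digit order (serial number) within the group


def parse_stn(designation: str) -> StnDesignation:
    """Split an STN designation into its components; raise ValueError otherwise."""
    text = " ".join(designation.split())  # collapse whitespace so "STN  EN" still parses
    m = _ORIGINAL.match(text)
    if m:
        stn_class, group, serial = m.groups()
        return StnDesignation("original", None, None, None, None, stn_class, group, serial)
    m = _ADOPTED.match(text)
    if m:
        body, number, part, year, stn_class, group, serial = m.groups()
        return StnDesignation("adopted", body, number, part, year, stn_class, group, serial)
    raise ValueError(f"not a recognised STN designation: {designation!r}")


def is_stn(designation: str) -> bool:
    """True when the string follows one of the two STN designation forms."""
    try:
        parse_stn(designation)
        return True
    except ValueError:
        return False


def catalog_index(d: StnDesignation) -> Optional[str]:
    """Return the national catalog index in the 'CC GGSS' form used on the slide, if known."""
    if d.stn_class is None:
        return None
    return f"{d.stn_class} {d.group}{d.serial}"


if __name__ == "__main__":
    # Constructed sample designations; only the ISO/IEC 20000-1 one appears on the slide.
    for s in ("STN 36 97 88", "STN ISO/IEC 20000-1 (36 9788)", "STN EN 12345:2010"):
        d = parse_stn(s)
        print(s, "->", d.kind, catalog_index(d))
```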
Standardization and creation of standards
Standardization (or normalization):
• targeted activity that creates standards (norms) and puts them into practice
• aims to achieve an optimum degree of order in a particular area with respect to the actual state of knowledge, to address known problems and expected future prospects.
Activities associated with standardization:
• drafting of the standard
• official issue of the standard
• implementation
Contribution of technical standardization:
• improves the suitability of products, processes and services for their intended use, avoiding obstacles and ensuring technical cooperation.
Standardization factors
• Production justifying factor. A standard allows to achieve the desired technical parameters, satisfy the customer, confirm the production method, affect productivity growth, and provide a defined level of quality and safety.
• Transaction clarification factor. The existence of reference documents, standards and regulations enables you to better evaluate an offer and to reduce uncertainty in trade relations.
• Innovation and further development factor. Participation in standardization allows you to anticipate future development and continually upgrade your product or service -> gaining advantage through knowledge transfer.
• New technology transfer factor. Normalization facilitates and accelerates the transfer of technology in various important areas (new materials, information systems, biotechnologies, ITSM etc.).
• Factor influencing strategic decisions. Participation in standardization creates a significant need to implement new solutions, which makes the company more competitive. This highlights the need to actively participate in standardization and not just to take it as a necessary evil.
Standardization stages (1)
1. First draft of the standard. From idea to working draft.
• Identification of the market need for a new standard.
• Definition of requirements (commercial, user, functional and technical) that represent the needs of the market and serve as a basis for standard development.
• First working draft (draft specification) of the standard, which is a consensual result from all of the interested parties.
2. Development and official release. From design to final formulation.
• Process of approving the proposal in a broader consortium of experts, usually coordinated by a relevant standardization organization.
• Assessment of the wider impact of the standard on the area and beyond, as well as on the structure of already existing standards. Potential conflicts are addressed by recasting the draft and its reassessment.
• Official release of the standard and its inclusion into the existing catalog of standards.
Standardization stages (2)
3. Implementation. From formulation of the standard to implementation.
• Specification of testing and certification, which is usually published as an amendment to the standard.
• May also contain more or less detailed guides for implementation, including an example reference implementation.
• These amendments ensure interoperability, i.e. the consistency between different implementations.
• Process of continuous and periodic assessment of compliance with the standard, regular assessment of standard application, particularly with regard to changing needs and market requirements.
• This process may result in proposals to update or amend the standard (or a proposal to repeal the standard for not being up to date).
Standardization organizations
Organizations dealing with standardization, management of standardization activities and standard publication.
• Categorization based on territorial scope:
  • international
  • regional
  • national
• Coordination of work is ensured by common structures and cooperation agreements.
In Slovakia: SÚTN, Slovenský ústav technickej normalizácie (Slovak Institute of Technical Standardization), http://www.sutn.sk
• State-subsidized organization; founder: ÚNMS SR
• Represents SR in international organizations
• Creation, approval and publication of STN, harmonization with European standards
International standardization (1)
ISO, International Organization for Standardization, http://www.iso.org
• World federation of national standardization organizations (163 members)
• Role – support the development of standardization and related activities on a global scale to facilitate the international exchange of goods and services and to achieve cooperation in the intellectual, scientific, technical and economic areas.
• ISO activity is focused on all standardization areas
• The area of electrical engineering, electronics and IT is addressed in close collaboration with IEC.
IEC, International Electrotechnical Commission, http://www.iec.ch
• Prepares and publishes international standards for all electrical, electronic and related technologies.
• In the field of IT, based on an agreement with ISO, a joint committee ISO/IEC JTC1 has been established, in which the IEC participates in the development of the ISO/IEC 20000 standard.
International standardization (2)
ITU, International Telecommunication Union, http://www.itu.int
• Specialized United Nations agency for telecommunication and radiocommunication
IEEE, Institute of Electrical and Electronics Engineers, http://www.ieee.org
• International non-profit professional organization seeking to improve technology related to electrical engineering
W3C, World Wide Web Consortium, http://www.w3.org
• International association of stakeholder organizations and individuals which develops standards for the web environment
Regional standardization in Europe
CEN, European Committee for Standardization, http://www.cen.eu
• The most important standardization body in Europe
• Job description – creation and management of European EN standards in all areas where standardization is applied, except the areas of electrical engineering (CENELEC) and telecommunications (ETSI).
CENELEC, European Committee for Electrotechnical Standardization, http://www.cenelec.eu
• Non-profit organization, the main European standardization organization for the area of electrical engineering
ETSI, European Telecommunications Standards Institute, http://www.etsi.org
• Non-profit organization that creates European ETS standards for the area of telecommunication
National standardization
ANSI, American National Standards Institute, http://www.ansi.org
• manages about 20% of the commissions, sub-committees and workgroups of ISO and IEC
• e.g. ANSI code tables (ASA X3.4-1963 – adopted as ISO 8859), standardization of the C programming language (ANSI X3.159-1989), the ANSI initiative to publish ISO standards using an on-line library, etc.
BSI, British Standards Institution, http://www.bsigroup.com
• BSI standards are known as BS (British Standard)
• E.g. ISO/IEC 20000 (formerly BS 15000), the ISO 9000 group of quality management system standards (formerly BS 5750), the information security management standard ISO/IEC 27001 (formerly BS 7799), etc.
Standardization legislation
General principle – standards are in principle not binding / obligatory, and compliance is voluntary. This does not mean that there are no rules and that standards can be used however you want.
The legislative framework provides:
• definition of the standard and its types
• basic principles of creation and compliance
• determination of the rights, duties and responsibilities of subjects creating and applying standards
• Broader aspects of the framework:
  • legal specification of authorship
  • definition of conformity assessment and certification.
Standard legislation in SR
Zákon č. 264/1999 Z. z. o technických požiadavkách na výrobky a o posudzovaní zhody (Act No. 264/1999 Coll. on technical requirements for products and on conformity assessment), as amended
Describes:
• the method for setting technical requirements for products that could endanger the health, safety or property of people or the environment
• rights and obligations of SÚTN
• procedures for assessing the conformity of products with technical standards
• rights and obligations of subjects related to the conformity assessment
• rights and obligations, resulting from the standards, of businesses that produce or import products onto the market
• scope of state administration in the field of technical standardization and conformity assessment
• supervision of compliance with the law, including penalties
• relation between Slovak and other standards, harmonization and standard acceptance
Authorization, conformity assessment, certification
Definitions under Act No. 264/1999 Z. z.:
Authorization (§ 11) – assignment of an operator or other legal entity to implement conformity assessment. The mandate is issued by the department. The holder of the authorization (i.e. the „authorized person“) may, according to the scope of the authorization, be authorized to provide certification, conformity assessment, inspection and product testing.
Conformity assessment (§ 12) – investigating whether the real properties of the product match the technical requirements. If they do, the manufacturer/importer is issued a declaration of conformity (§ 13), which is necessary for the product to be placed on the national market.
Certification (§ 14) – activity of an authorized person issuing a certificate proving that the properties of the product and/or activities related to its production are in accordance with the technical requirements.
Standardization of IT environment/services
IT environment – the infrastructure that includes IT/ICT in a given organization to achieve specific business objectives (income, long-term development, etc.).
Objectives of the organization are defined at the level of corporate strategy, namely its focus on the medium and long-term horizon. The strategy defines:
• what the main objective of the business is
• which activities the business deals with
• how the organization is managed
• what the goals are in the areas of marketing, sales, production, etc.
Corporate strategy is then specified in detail and realized using appropriate business processes – sequences of actions, activities and tasks necessary for the creation of a particular product or service for the customer.
The particular form of business processes is given by the adopted business strategy, while the criterion of quality and adequacy is the level of compliance with the strategic goals of the organization.
Progressive IT service management
For the meaningful and effective functioning of business processes we use IT services, which run on a particular IT/ICT infrastructure.
• Role of IT service management – to align the individual components of the infrastructure to support the business processes of the company in the most appropriate, efficient and optimal way.
Classification of IT management standards
ITIL framework – the basis from which the most important standard, ISO/IEC 20000, is derived
Standards related to IT management (as a whole):
• quality management standards (ISO 9000)
• business process management and modeling standards
• IT service management standards
  • including ISO/IEC 20000
• information security management standards
• standards for some technologies suitable for the design and operation of IT service systems
Quality management standards
ISO 9000 standards, defining the so-called Quality management system (QMS)
Other standards regarding QMS, e.g.:
• STN ISO 10006:2003. Quality management systems. Instructions for quality management in projects.
• STN EN ISO 14001:2004. Environmental management systems. Requirements and usage guides.
• ISO 26000:2010. Social responsibility of companies.
Business process management standards
Business process management:
• optimisation of business processes
• setting the activities at the most appropriate level of quality and effectiveness in terms of time, resources and cost
• possible automation of BP, with an adequate level of human interaction
BPM standards:
Object Management Group, http://www.omg.org
• BPMN (BP Modelling Notation), http://www.bpmn.org
• BPDM (BP Definition Metamodel), http://www.omg.org/spec/BPDM/
• UML (Unified Modeling Language), http://www.uml.org
WfMC (Workflow Management Coalition), http://www.wfmc.org
• XPDL (http://www.wfmc.org/xpdl.html), defines a format for storing and exchanging process representations.
• BPAF (BP Analytics Format, http://www.wfmc.org/business-process-analytics-format.html), XML schema for the assessment and evaluation of process efficiency.
ISO 20000 standard for ITSM (1)
ISO/IEC 20000 – parts:
1. Introduction: defines the purpose, scope and application of the standard.
2. Terms and definitions: defines the basic terminology.
3. Management system requirements: defines the responsibilities of senior management in the area of service quality management, documentation requirements, responsibility assignment and required training of personnel.
4. Planning and implementation: defines the system of continuous improvement using PDCA.
5. New services and changes: defines requirements for planning and assessment of the cost, impacts and risks of changes.
ISO 20000 standard for ITSM (2)
ISO/IEC 20000 – parts:
6. Service delivery process: definition of tactical service planning processes (service level management, reporting, continuity management, financial resources management, information security management).
7. Relationship processes: defines processes for managing relationships with customers, suppliers and third parties.
8. Recovery processes: defines operational service management processes (incident and problem management).
9. Control processes: defines processes of information support, security checks and changes (configuration and change management).
10. Deployment process: defines the requirements of the process that physically makes, implements and deploys changes (issue management).
Structure of ISO/IEC 20000 standard
ISO/IEC 20000-1:2005. Part 1: Specification. Defines the basic requirements for ITSM within the organisation and serves as a reference framework for certification of IT service providers.
ISO/IEC 20000-2:2005. Part 2: Code of practice (user manual). Serves as a supporting guide for ITSM implementation.
ISO/IEC TR 20000-3:2009. Part 3: Guidance for the scoping and applicability of ISO/IEC 20000-1. Defines the scale and applicability of ITSM within an organisation.
ISO/IEC TR 20000-4:2010. Part 4: Process reference model. Defines the logical representation of abstract processes of ITSM and its parts, including the goals and required outputs.
ISO/IEC TR 20000-5:2010. Part 5: Exemplar implementation plan for ISO/IEC 20000-1. Practical example of ITSM implementation.
Structure of STN ISO/IEC 20000 standard
The ISO/IEC 20000 standard was translated into Slovak in August 2008 and included into the STN system, where it consists of these documents:
STN ISO/IEC 20000-1:2005. Information technologies. Service management. Part 1: Specification.
STN ISO/IEC 20000-2:2005. Information technologies. Service management. Part 2: Practice recommendations.
Other ITSM standards
ISO/IEC 38500 (http://www.38500.org), standard for IT Governance. The standard covers a higher level of ITSM, including the management of company processes and the strategic goals of a company. It comes from the Australian standard AS 8015:2005 and is based on COBIT version 4.1.
ISO/IEC 15504, also known as SPICE (Software Process Improvement and Capability dEtermination). The standard defines a reference model for organisational processes, creation, delivery, support and maintenance in terms of process types and their performance.
ISO/IEC 15288 describes life-cycle processes of artificial, human-constructed systems. These processes are defined in four categories: technical, project, contract and supplementary organisational processes.
Security standards for IT systems
Information security management system (ISMS) is defined by ISO/IEC 27000 (http://www.27000.org) and consists of these documents:
• ISO/IEC 27000:2009. Definition of terms.
• ISO/IEC 27001:2005. Requirements. The main standard for ISMS, based on the British standard BS 7799-2. Represents a comprehensive ISMS through implementation, maintenance and improvement within an organisation.
• ISO/IEC 27002:2005. Code of practice. Set of guidelines for ISMS.
• ISO/IEC 27003:2010. Implementation guide for ISMS.
• ISO/IEC 27004:2009. Measurement. Implementation and maintenance guide for standardised indicators and efficiency measurements.
• ISO/IEC 27005:2008. Information security risk management. Recommendations and techniques for security risk management and analysis.
• ISO/IEC 27006:2007. Requirements and guides for ISMS certification.
• ISO/IEC 27011:2008. ISMS for telecommunications.
• ISO 27799:2008. ISMS for healthcare facilities.
Some technology standards for IT systems
ISO/IEC 29361-29363:2008. Web Services Interoperability. These standards define profiles of web services – communication via SOAP, WSDL parameter description, SOAP binding of parameters, etc.
W3C specifications:
• SOAP (Simple Object Access Protocol, http://www.w3.org/TR/soap12/). W3C Recommendation: SOAP Version 1.2
• WSDL (Web Services Description Language, http://www.w3.org/TR/wsdl20/). W3C Recommendation: Web Services Description Language Version 2.0
• SAWSDL (http://www.w3.org/TR/sawsdl/). W3C Recommendation: Semantic Annotations for WSDL and XML Schema
OASIS consortium specifications:
• SOA (http://docs.oasis-open.org/soa-rm/v1.0/). OASIS standard: Reference Model for Service Oriented Architecture 1.0
Certification of compliance with ITSM norms
Certification and conformity assessment is usually carried out by various government and private companies (not directly by the standardisation organisations!) which are qualified and authorised for this kind of activity (authorised persons).
Framework rules are laid down by law – in Slovakia zákon č. 264/1999 Z. z. o technických požiadavkách na výrobky a o posudzovaní zhody (Act No. 264/1999 Coll. on technical requirements for products and on conformity assessment).
The standardisation framework for conformity assessment and certification is specified in ISO/IEC 17000:2004, as well as STN ISO/IEC 17000.
Accreditation in Slovakia is issued by the Slovak National Accreditation Service (SNAS, http://www.snas.sk).
For certification in the field of quality management and IT service management in our country, consult the following certification authorities:
• Bureau Veritas, http://www.bureauveritas.sk
• TÜV NORD Slovakia, http://www.tuvnord.sk
Certification process for ISO/IEC 20000
Conclusion: a standard (like ISO/IEC 20000 or any other) is not the goal, but a path. Therefore it is not right to be guided solely by the effort to increase our prestige by getting a certificate; instead, try to achieve the best results possible through understanding the company's processes and customer needs.
Questions?
For more info:
– SUTN: http://www.sutn.sk
– ITIL / ITSM: http://www.itsmf.sk or http://www.itsm.sk