Version 1.0. IT Service Management & IT Asset Management Services (ITSM & ITAM Services) Governance Process

IT Service Management & IT Asset Management Services (ITSM & ITAM Services)

Table of Contents

1 Planning and Organization

1.1 Executive Overview

1.1.1 ITSM & ITAM Services Value Management

1.1.2 ITSM & ITAM Services Business Alignment

1.1.3 ITSM & ITAM Services Performance Management

1.1.4 ITSM & ITAM Services Strategic Plan

1.1.5 ITSM & ITAM Services Tactical Plan

1.2 Technological Direction

1.2.1 ITSM & ITAM Services Information Architecture Model

1.2.2 Technological Direction Planning

1.2.3 Technological Infrastructure Plan

1.2.4 Monitoring of Future Trends and Regulations

1.2.5 Technology Practices, Standards and Guidelines

1.3 Organizational Roles and Relationships

1.3.1 ITSM & ITAM Services Steering Committee

1.3.2 ITSM & ITAM Services Governance Council

1.3.3 Organizational Structure of Application Service

1.3.4 Roles and Responsibility of Application Service

1.3.5 Responsibility for Risk, Security, and Compliance

1.3.6 ITSM & ITAM Services Data and System Ownership

1.3.7 ITSM & ITAM Services Personnel

1.3.8 Service Relationships (Operational Level Agreements and Underpinning Contracts)

1.4 Manage Financials

1.4.1 Billing and Cost Recovery Model

1.4.2 ITSM & ITAM Services Budget Prioritization

1.4.3 ITSM & ITAM Services Budgeting Process

1.4.4 Cost Management

1.4.5 Benefit Management

1.5 Manage Quality

1.6 Assess and Manage Service Risks

1.6.1 Risk Assessment

1.6.2 Risk Response

1.6.3 Maintenance and Monitoring of a Risk Action Plan

1.7 Manage Projects

2 Acquisition and Implementation

2.1 Acquisition of Resources, Software, Hardware

2.2 Maintaining Service and Test Tools

2.3 Enable Operation and Use

2.3.3 Remedy Application Training

2.4 Procurement of IT Resources

2.4.1 Procurement Control

2.5 Manage Changes

2.5.1 Change Standards and Procedures

2.5.2 Change Status Tracking and Reporting

2.6 Manage Releases

2.6.1 ITSM & ITAM Services Implementation Plan

2.6.2 ITSM & ITAM Services Test Environment

2.6.3 Testing of Changes

3 Service Delivery and Support

3.1 Define and Manage Service Levels

3.1.1 Service Level Management

3.1.2 Definition of Services

3.1.3 Service Level Agreements

3.1.4 Operating Level Agreements

3.1.5 Review of Service Level Agreements

3.1.6 Monitoring and Reporting of Service Level Agreements

3.1.7 Service Contract Agreements

3.2 Manage Performance and Capacity

3.2.1 Performance and Capacity Planning

3.2.2 Service Monitoring

3.3 Ensure Continuous Service

3.4 Ensure Service Security

3.4.1 IT Security Plan

3.4.2 Management of IT Security

3.4.3 Identity Management

3.4.4 User Intrusion

3.5 Identify and Allocate Costs

3.5.1 Definition of Services

3.5.2 IT Accounting

3.5.3 Cost Modeling and Charging

3.5.4 Cost Model Maintenance

3.6 Manage Service Desk and Incident Management

3.6.1 Service Desk

3.6.2 Registration of Customer Queries

3.6.3 Incident Escalation

3.6.4 Incident Closure

3.6.5 Trend Analysis

3.7 Manage the Configuration

3.7.1 Configuration Repository and Baseline

3.7.2 Identification and Maintenance of Configuration Items

3.7.3 Configuration Integrity Review

3.9 Manage Data

3.9.1 Storage and Retention Arrangements

3.9.2 Media Library Management System

3.9.3 Disposal

3.9.4 Backup and Restoration

3.9.5 Security Requirements for Data Management

3.10 Manage the Physical Environment

3.11 Manage Operations

3.11.1 Operations Procedures and Instructions

3.11.2 Infrastructure Monitoring

3.11.3 Sensitive Documents and Output Devices

3.11.4 Preventive Maintenance for Hardware

4 Monitoring and Evaluation

4.1 Monitor and Evaluate Performance

4.1.1 Definition and Collection of Monitoring Data

4.1.2 Monitoring Methods

4.1.3 Performance Assessment

4.1.4 Board and Executive Reporting

4.1.5 Remedial Actions

4.2 Ensure Regulatory Compliance

4.2.1 Laws & Regulations w/ Potential Impact on ITSM & ITAM Services

Appendix A – Governance Roles and Responsibilities

Appendix B – ITSM & ITAM Services Governance Process Diagram

Copyright Disclosure

The Control Objectives for Information and related Technology version 4.0 (COBIT® 4.0) specification document was used as the basis for developing this Governance Framework Template. The COBIT® 4.0 specification is produced and maintained by The IT Governance Institute® (ITGI www.itgi.org). The ITGI was established in 1998 to advance international thinking and standards for directing and controlling the use of information technology. Effective IT governance helps ensure that IT supports business goals, optimizes business investment in IT, and appropriately manages IT-related risks and opportunities. The IT Governance Institute offers original research, electronic resources, and case studies to assist organizations in their IT governance responsibilities.

ITGI (the “Owner”) has designed and created the COBIT® 4.0 specification (the “Work”), primarily as an educational resource for senior IT management and control professionals. The Owner makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of any proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, senior IT management and control professionals should apply their own professional judgment to the specific circumstances presented by their particular systems or information technology environment.

1 Planning and Organization

1.1 Executive Overview

Mission statement

The ITSM & ITAM Services Governance Council mission is to provide a highly reliable, scalable, secure, and cost-effective IT Service Management, Asset Management and Customer Relationship Management tool that NC State agencies can leverage for managing tasks and activities associated with the OEP implementations of the processes designed within the ITIL Framework.

Purpose and Role

The purpose of this document is to provide all interested parties with a formal structure that outlines how the ITSM & ITAM Services Group conducts business and responds to business requirements that affect the service as a whole.

This governance mechanism also provides a vehicle for each member to make decisions on behalf of their respective agency and to share in the responsibilities and goals of the ITSM & ITAM Services within the State of NC.

1.1.1 ITSM & ITAM Services Value Management

ITSM & ITAM Services provides State of NC agencies with the ability to access and leverage a “best in class” IT Service Management and Asset Management software solution as a shared service utility without having to fund the significant up-front investment that would normally be associated with the acquisition and deployment of a comparable in-house solution. Other value provided by the service includes:

• Access to the ITS OEP processes, procedures and documents developed in accordance with the ITIL Framework, which is also the basis for the ITSM & ITAM Services implementation.

• Adherence to the ITIL Framework and methodology for the management of IT Services.

• A collection of “Best Practices” for the processes of Incident Management, Problem

• A complete solution of integrated tool and processes which will bring higher levels of efficiency and effectiveness to your Service Management and Asset Management activities.

• Economies of scale from a shared service offering that would offer lower entry costs for using the ITSM & ITAM Services when it would normally be out of reach for most agencies.

1.1.2 ITSM & ITAM Services Business Alignment

The concept of a shared ITSM & ITAM Services hosted under a single agency started several years ago. The current ITSM application is the third application hosted by ITS providing a means of managing and tracking activities related to Incidents, Service Requests, Changes, and root cause analysis functions of Problem Management. Asset Management is a new offering with the latest tool. Several Service Desks / Call Centers have utilized the previous tools offered by ITS to fill their needs for managing Incidents and Service Requests. These Agencies are positioned to move to the new ITSM & ITAM Services as it offers significantly enhanced capabilities over the previous offerings and provides a substantially less expensive alternative than implementing a tool only for their agency’s use.

This new offering has generated a high level of interest from several new state agencies that recognize the strength and cost effectiveness of the offering. As a result the support staff was increased with the goal of shortening the time to market for the ITSM & ITAM Services offering.

These agencies have agreed to participate on the ITSM & ITAM Services Governance Council and to contribute in helping to shape and define how the ITSM & ITAM Services meet the needs of the State of North Carolina, its agencies and its citizens. ITS, in turn, agreed to host and maintain the service including software, hardware, and infrastructure and to offer State agencies the following ITSM & ITAM Services tool options:

IT Service Management

Service Desk tools to manage Incidents, Service Requests, Problems and in some cases Customer Relationship Management:

• An Incident Management Application for managing and tracking Incidents and Service Requests. This Incident Management application allows for management of the entire Incident Management process in order to assist in restoring service as quickly as possible. The ability to prioritize Incidents and Service Requests according to business impact allows staff to focus efforts where it matters most.

• A Problem Management Application for managing and tracking Problem Control, Error Control, and Pro-Active Problem Analysis. Problem Management processes remove defects from the IT infrastructure, eliminate recurring Incidents, and stabilize the environment.

• A Change Management Application for managing and tracking infrastructure changes which includes process management and planning capabilities that help increase the speed and consistency in the way changes are implemented while minimizing risk and errors. This module includes a built-in approval process for Change and Release management. This module is completely integrated with Incident, Problem, Asset and Service Level Management Applications.

• A Service Level Management Application for managing and tracking SLA commitments and breaches, allowing management to pinpoint weaknesses and take corrective action.

IT Asset Management

Asset Management tools to discover and manage assets:

• A Configuration Discovery Application automates collection of hardware, software, and system information, which provides accurate data for reporting and license compliance. This tool can help reduce support costs by providing support staff with details that will allow them to remotely troubleshoot and resolve issues.

• A Topology Discovery Application can provide fast, accurate dependency mapping of components within an IT environment. This application provides an up-to-date view of dependencies and relationships of assets.

• An Asset Management Application gives greater visibility to assets and allows for managing and tracking assets along with their physical and financial attributes and disposition. This module includes a Definitive Software Library (DSL) as well as the ability to manage contracts. This allows automated links between assets and software license, lease, warranty, and support contracts to ensure compliance. Asset Management also allows tracking of total cost of ownership of assets.

Additional information about the service in general and how it aligns itself in regards to the business perspective can be found on the ITS website under ITS Service Catalog, Application Services, ITSM & ITAM Services. Below is a link to access this information directly.

http://www.its.state.nc.us/ServiceCatalog/XXXXXXXXXXXXXXXXXXXX.asp

1.1.3 ITSM & ITAM Services Performance Management

1.1.4 ITSM & ITAM Services Strategic Plan

ITSM & ITAM Services achieved the goal of introducing an enterprise level ITIL compliant IT Asset Management application in June, 2007 and IT Service Management application in October, 2007. This application is available for other State Agencies to utilize for managing their day to day tasks and activities associated with the core ITIL processes of Incident Management, Problem Management, Change Management, Release Management and Configuration Management as well as Asset Management based on the close alignment of the ITSM application with the ITIL Framework. Any agency electing to follow the ITIL Best Practices may do so utilizing the tool.

1.1.5 ITSM & ITAM Services Tactical Plan

1.2 Technological Direction

1.2.1 ITSM & ITAM Services Information Architecture Model

Insert Multi Tenancy Diagram and Concept

1.2.2 Technological Direction Planning

The ITSM & ITAM Services group will provide any new technological, software, or service options and/or recommendations to assist with determining the most appropriate strategy when issues with the current service or Remedy AR System occur. These will be presented to the ITSM & ITAM Services Governance Council for review. ITSM & ITAM Services currently has a multi-year agreement with Column Technologies for the support and maintenance of the Remedy AR System and applications utilized as part of ITSM & ITAM Services.

1.2.3 Technological Infrastructure Plan

Technical Infrastructure plans are handled and developed by the Architecture and Engineering (A&E) group in conjunction with the ITSM & ITAM Services. The service was implemented in June of 2007. The only update currently scheduled is the addition of a test environment for User Acceptance Testing.

1.2.4 Monitoring of Future Trends and Regulations

The ITSM & ITAM Services Governance Council, under the guidance of the ITSM & ITAM Services group, will monitor business sector/industry, technology, infrastructure, legal, and regulatory environment trends.

1.2.5 Technology Practices, Standards and Guidelines

ITSM & ITAM Services will comply with any applicable principles, practices, standards, guidelines, and processes set forth by the State of North Carolina Statewide Technology Architecture (NCSTA) and any state-level information technology strategies, plans, policies, and procedures set forth by Architecture and Engineering (A&E).

Below are links to access this information directly: http://www.ncsta.gov/

1.3 Organizational Roles and Relationships

1.3.1 ITSM & ITAM Services Steering Committee

The ITSM & ITAM Services Steering Committee includes the State CIO, Deputy State CIO (ITS), ES Director, and current members of the TPG. Their primary focus may include all or one of the following:

• Determine prioritization of IT-enabled investment programs in line with the enterprise’s business strategy and priorities

• Track status of projects and resolve resource, software, or hardware conflicts

• Monitor service levels and service improvements

1.3.2 ITSM & ITAM Services Governance Council

The ITSM & ITAM Services Governance Council is comprised of current subscribers of the service. Appendix A provides a current list of agencies and members along with their roles and responsibilities.

1.3.3 Organizational Structure of Application Service

ITSM & ITAM Services is part of the Enterprise Solutions group within ITS and reports to the ES Director. The following sections detail the Organizational Placement and Structure of the service.

1.3.4 Roles and Responsibility of Application Service

The responsibility for ITSM & ITAM Services includes but is not limited to the following:

• Work with agency designees in the initial implementation and deployment activities and tasks providing guidance and leadership in the execution.

• Participate in daily operations, coordination, and support of agency application administrators, users, and customers using the ITSM & ITAM Services.

• Provide support and maintenance of the application to ensure its ongoing availability to the agencies that utilize the service in alignment with the published SLA for the ITSM & ITAM Services.

• Provide and manage functional and performance testing of the ITSM & ITAM Services.

• Serve (as needed) in a subject matter expert (SME) role to support ITSM & ITAM Services for local application administrators using the Remedy AR System tools, forms and application.

• Receive and provide feedback on the product life cycle and Road Map for ITSM & ITAM Services as it pertains to development and maintenance of strategic business/technology plans; logical and physical platform architecture; and configuration, maintenance, and version upgrades of ITSM & ITAM Services infrastructure.

1.3.5 Responsibility for Risk, Security, and Compliance

ITSM & ITAM Services will comply with any applicable policies, standards, and procedures set forth by the Enterprise Security and Risk Management Office as it pertains to potential security risks.

Below is a link to access this information directly: http://www.iso.scio.nc.gov/SecurityFramework.htm

1.3.6 ITSM & ITAM Services Data and System Ownership

1.3.6.1 ITSM & ITAM Services Data

Any data stored within any specific tenancy of the ITSM & ITAM Services database will be fully owned by the agency tenant. With the exception of the ITSM & ITAM Services System Administrators, data within each tenancy is visible and available only to the respective tenant agency unless the tenant agrees to make data visible to other tenancies.

Excluding any activities which must be or can only be carried out by ITS ITSM & ITAM Services System Administrators, the management of all data and records within any specific tenancy shall be the sole responsibility of the tenant agency.

1.3.6.2 System Ownership

1.3.7 ITSM & ITAM Services Personnel

ITSM & ITAM Services will comply with any applicable policies and procedures set forth by ITS and OSP office in regards to the process for hiring and staffing of state employees.

1.3.7.1 Security Clearance Procedures

ITSM & ITAM Services will comply with any applicable policies and procedures set forth by ITS for personnel security clearance. Any adherence to additional security clearance policies required by other State Agencies will be determined as necessary.

1.3.7.2 Contracted Staff Policies and Procedures

ITSM & ITAM Services will comply with any applicable policies and procedures set forth by ITS Statewide Procurement office in regards to the process for hiring and staffing of contracted personnel.

1.3.8 Service Relationships (Operational Level Agreements and Underpinning Contracts)

ITSM & ITAM Services administers, supports, and maintains the Remedy AR System application tool suite and the Atrium CMDB. The hosting of the service is provided by several support groups within ITS. In conjunction with ITSM & ITAM Services, they are responsible for supporting and maintaining the following components that complete the service.

• Computing Services – Server hardware and software platform including OS patches/updates, virus protection, monitoring, and re-imaging

• Telecommunication Services – Network hardware, connectivity, firewalls, VPN profiles, and security

• NCID – Single sign on authentication and identity management

• ITS Enterprise Security and Risk Management Services – oversight and security scanning, user intrusion detection, and security patch enforcement

• Column Technologies support – 24 X 7 support of the Remedy AR System tool suite administered by ITSM & ITAM Services for critical incidents

• NCAS – Fixed Asset System

• Ariba – eProcurement System

• Business Relationship Management – Business relationships between agencies and ITSM & ITAM Services

1.4 Manage Financials

1.4.1 Billing and Cost Recovery Model

Charges for the usage of ITSM & ITAM Services will be invoiced on a monthly basis to each tenant agency in accordance with the approved annual rates and the license counts to which they have committed. General usage of the application, standard application maintenance, application hosting, and infrastructure support for all ITSM & ITAM Services specific hardware, software, and OS are included in the approved annual rates. Any optional work requested by and carried out for a specific agency tenant or group of agency tenants will be charged at the time and material rate set for the current year. Specific rates are available on the rates page at:

http://www.its.state.nc.us/About/Rates/Current/CMRS.asp?printit=no

1.4.2 ITSM & ITAM Services Budget Prioritization

ITSM & ITAM Services Governance Council will review and prioritize any allocation of IT resources, software, hardware, licensing, infrastructure, support maintenance agreements, and other recommendations that may affect changes to the current cost model. Changes to the cost model must be reviewed by the ITSM & ITAM Services Governance Council prior to submission to the State CIO.

1.4.3 ITSM & ITAM Services Budgeting Process

ITSM & ITAM Services will comply with any applicable budgeting policies and procedures set forth by Financial Management and contained in the Financial Management for IT Library within ITS or the ITS Financial Budget office.

The Financial Management for IT documentation was developed to meet the standards of the Information Technology Infrastructure Library (ITIL) methodology as part of the Operational Excellence Program (OEP) in the Office of Information Technology Services.

1.4.4 Cost Management

ITSM & ITAM Services Governance Council, in conjunction with the budgetary recommendations set forth by ITSM & ITAM Services, will review and approve any changes, recommendations, or additional service charges to the cost model on an annual basis.

1.4.5 Benefit Management

1.5 Manage Quality

To ensure ongoing business requirements are properly aligned, ITSM & ITAM Services has established standards and practices to help manage the quality of services provided and delivered to subscribing agencies and customers by continuous measurement of and concentration on the following criteria:

• Customer focus and communication

• Customer feedback and satisfaction

• Continuous improvement of service delivery

• Preventive maintenance and conflict resolution

• Service usage, monitoring, and review

1.6 Assess and Manage Service Risks

1.6.1 Risk Assessment

ITSM & ITAM Services will comply with any applicable policies or procedures set forth and developed by Risk Management Services, part of the Enterprise Security and Risk Management Office, which supports the State CIO. Their performance of duties and responsibilities are directly associated with any involvement as it pertains to information technology risk management, continuity of operations/continuity of government, and audits/assessments as they relate to information technology and include but are not limited to any of the following:

• ITSM & ITAM Services and Business Risk Management Alignment

• Establishment of Risk Context

• Event Identification

Risk Management Services reviews and evaluates State Agency plans including ITSM & ITAM Services on an annual basis against industry standards, State policy, and best practices.

Audits and assessments are conducted as prescribed by legal and regulatory requirements. Any findings and recommendations are reported to applicable ITS management.

1.6.2 Risk Response

Response to any potential risk to service in general will be initially handled by correspondence from ITSM & ITAM Services via email detailing the event. Depending on the level and degree of the risk, an emergency meeting of the ITSM & ITAM Governance Council will be held as deemed necessary.

1.6.3 Maintenance and Monitoring of a Risk Action Plan

The maintenance and monitoring of a Risk Action plan will be developed by the ITSM & ITAM Services Governance Council in 2008 and will be reviewed on a quarterly basis or as

1.7 Manage Projects

2 Acquisition and Implementation

2.1 Acquisition of Resources, Software, Hardware

ITSM & ITAM Services Governance Council will review, decide on [vote], and prioritize the allocation of any additional IT resources, software, hardware, infrastructure, licensing, support maintenance agreements, and any other recommendations that may affect changes to the current cost model during or outside the normal scheduled yearly budget cycle. Any decisions may be based on but not limited to any of the following:

• Major Upgrades and Enhancements to Existing Test Tools and Service

• Feasibility Study and Impact Assessment

• Risk Analysis

• Cost Analysis

• Operational Benefits

• Requirements and Feasibility Decision and Approval

2.2 Maintaining Service and Test Tools

Refer to section 1.3.8

2.3 Enable Operation and Use

2.3.1 Knowledge Transfer to End Users & Train the Trainer

Standard documentation, training materials, and procedures are available from ITSM & ITAM Services to assist training new tenants and users of the service. This material covers basic functionality of the application which is common across all modules as well as material that covers the specific modules available for use by the various state agencies. The documentation covers the following topics:

• Description of Application / Module

• Roles and Responsibilities of Users

• Logins and Passwords

• User and Usage Guidelines

2.3.1.1 Service Orientation

ITSM & ITAM Services schedules and holds a kickoff meeting for any new agency joining the services to address any questions or concerns related to the topics described above in section 2.3.1. ITSM & ITAM Services provides an overview covering such topics as use of the service, accessibility, best practices, procedures, and user guidelines.

2.3.1.2 Vendor Support

Any issues, problems, or general questions relating to the actual usage of the tools which cannot be addressed by local agency application administrators or by ITSM & ITAM Services staff will be escalated to Column Technologies for Support. Column Technologies will act as the escalation point to BMC if this level of escalation is required.

2.3.2 Knowledge Transfer to Operations and Support Staff

All procedures related to the operation of the service are stored in Documentum which is managed by the Electronic Document Management and Project Collaboration service within ITS. The ITSM & ITAM Services Product Manager will handle transfer of knowledge of such procedures.

2.3.3 Remedy Application Training

2.4 Procurement of IT Resources

2.4.1 Procurement Control

ITSM & ITAM Services will comply with any applicable policies and procedures set forth by the ITS Statewide Procurement office including Title 9 of the NC Administrative Code which contains the Information Technology Procurement Rules developed in response to Senate Bill 222. This applies to the following when procuring IT goods and services:

• Supplier Contract Management

• Supplier Selection

• Software Acquisition

2.5 Manage Changes

2.5.1 Change Standards and Procedures

ITSM & ITAM Services will comply with any applicable policies and procedures set forth by Change Management and contained in the Change Management Library within ITS as it pertains to any of the following criteria:

• Impact Assessment, Prioritization, and Authorization

• Emergency Changes

• Change Closure and Documentation

The Change Management documentation was developed to meet the standards of the Information Technology Infrastructure Library (ITIL) methodology as part of the Operational Excellence Program (OEP) in the Office of Information Technology Services.

2.5.2 Change Status Tracking and Reporting

2.6 Manage Releases

2.6.1 ITSM & ITAM Services Implementation Plan

An Implementation plan will be developed by the ITSM & ITAM Services and presented to the ITSM & ITAM Services Governance Council for approval each time any new software or hardware installations, upgrades, patch releases, or other changes to the service are required that directly affect the user community.

ITSM & ITAM Services will comply with any applicable policies and procedures set forth by Change Management or Release Management and contained in the Change Management or Release Management Library within ITS.

The Change Management and Release Management documentation was developed to meet the standards of the Information Technology Infrastructure Library (ITIL) methodology as part of the Operational Excellence Program (OEP) in the Office of Information Technology Services.

2.6.2 ITSM & ITAM Services Test Environment

A plan for a separate environment for User Acceptance Testing is being proposed for the upcoming 08/09 Fiscal Year. This environment will allow agency users to test any new software, updates, or patches before they are implemented in the existing production environment.

2.6.3 Testing of Changes

ITSM & ITAM Services will ensure that changes are tested in accordance with the defined implementation plan and follow the existing Change Management and Release Management processes. A fallback/back out plan will also be developed and tested prior to promotion of the change to production.

3 Service Delivery and Support

3.1 Define and Manage Service Levels

3.1.1 Service Level Management

ITSM & ITAM Services will comply with any applicable policies and procedures set forth by the Service Level Management and contained in the Service Level Management Library within ITS.

The process maintains continuous alignment with business requirements and priorities and facilitates common understanding between the customer and ITSM & ITAM Services. The process includes a mechanism for creating service requirements, service definitions, Service Level Agreements (SLAs), Operating Level Agreements (OLAs), and funding sources. The Service Level attributes are organized and maintained in a service catalog. The process also defines the organizational structure for service level management, covering the roles, tasks, and responsibilities of internal and external service providers and customers.

The Service Level Management documentation was developed to meet the standards of the Information Technology Infrastructure Library (ITIL) methodology as part of the Operational Excellence Program (OEP) in the Office of Information Technology Services.

3.1.2 Definition of Services

3.1.3 Service Level Agreements

ITSM & ITAM Services will comply with the standard Service Level Agreement (SLA) documents provided by ITS to support the service. The ultimate objective of this agreement is to define the support and procedures necessary to ensure high quality and timely delivery of this service. This document clarifies all parties’ responsibilities to ensure customer needs are met in a timely manner. Although the SLA is in the form of a document that defines a level of service, the desired outcome is to represent the result of an agreement between ITS and its customers.

3.1.4 Operating Level Agreements

3.1.5 Review of Service Level Agreements

Service Level Agreement reviews will be conducted at a minimum on a quarterly basis or as needed and are facilitated by ITS Business Relationship Management. A Business Account Manager and the respective subscribing agency of the ITSM & ITAM Services will participate in the reviews.

Service Level Agreements (SLA) will be reviewed and/or renewed at least once per year. A review of Service Level Agreements may be requested at any time in writing to ITS Business Relationship Management by customer management. The SLA will also require review under any of the following conditions:

 Whenever there is a significant and/or sustained change to the delivery of the service.

 Whenever there is a significant change requested to the SLA that supports the ITS service.

As a result of these reviews or as other pertinent information is provided, Service Improvement Programs will be implemented as needed.

3.1.6 Monitoring and Reporting of Service Level Agreements

The Service Management Tool [Remedy] in conjunction with ITS Business Relationship Management provides monitoring activity and reports to ITSM & ITAM Services Product Manager on a monthly basis. ITSM & ITAM Services Product Manager will share these reports with the ITSM & ITAM Services Governance Council monthly.

3.1.7 Service Contract Agreements

3.2 Manage Performance and Capacity

3.2.1 Performance and Capacity Planning

ITSM & ITAM Services will comply with any applicable policies and procedures set forth by Performance and Capacity Management and contained in the Performance and Capacity Management Library within ITS as it pertains to any of the following criteria:

 Current Capacity and Performance

 Future Capacity and Performance

 IT Resources Availability

 Monitoring and Reporting

The Performance Management and Capacity Management documentation was developed to meet the standards of the Information Technology Infrastructure Library (ITIL) methodology as part of the Operational Excellence Program (OEP) in the Office of Information Technology Services.

3.2.2 Service Monitoring

3.3 Ensure Continuous Service

ITSM & ITAM Services will comply with any applicable policies and procedures set forth by IT Service Continuity Management and contained in the Service Continuity Management Library within ITS as it pertains to any of the following criteria:

 IT Continuity Framework

 IT Continuity Plans

 Critical IT Resources

 Maintenance of the IT Continuity Plan

 Testing of the IT Continuity Plan

 IT Continuity Plan Training

 Distribution of the IT Continuity Plan

 IT Services Recovery and Resumption

 Offsite Backup Storage

 Post-resumption Review

The Service Continuity Management documentation was developed to meet the standards of the Information Technology Infrastructure Library (ITIL) methodology as part of the

3.4 Ensure Service Security

3.4.1 IT Security Plan

ITSM & ITAM Services will comply with any applicable policies and procedures set forth by the Information Security Threat Management and Incident Response services. These services are offered and provided to help State agencies safeguard citizens’ data and meet the requirements of the security standards legislation, N.C.G.S. § 147-33.110 through 33.113, and other legal and regulatory requirements including the following:

 User Account Management

 Threat Management

 NC-ISAC

 Security Consulting and Training

 Security Testing and Monitoring

 Security Incident Definition

 Protection of Security Technology

 Cryptographic Key Management

 Malicious Software Prevention, Detection and Correction

 Network Security

 Exchange of Sensitive Data

3.4.2 Management of IT Security

ITSM & ITAM Services will manage and ensure security is at the highest appropriate organizational level, so the management of security actions is in line with business requirements. As part of the security management criteria, ITSM & ITAM Services requires an NCID account to authenticate and access the application. In addition, VPN access will also be required for some reporting tasks associated with the ITSM & ITAM Services.

3.4.3 Identity Management

ITSM & ITAM Services will comply with any applicable policies and procedures set forth and developed by the NCID group within ITS which provides a provisioning environment for managing application access. The service infrastructure provides a unified platform for e-business authentication and authorization. As the standard identity management and access service provided to State, local, business, and citizen users by the Office of Information Technology Services, NCID enables its customers to achieve an elevated degree of security and access control for real-time resources such as customer based applications and

3.4.4 User Intrusion

3.5 Identify and Allocate Costs

3.5.1 Definition of Services

Refer to section 3.1.2 under Define and Manage Service Levels.

3.5.2 IT Accounting

ITSM & ITAM Services will comply with any applicable policies and procedures set forth by Financial Management and contained in the Financial Management for IT Library within ITS. Disclosure of the capture and allocation of actual costs as it pertains to the current cost model is available upon request. Any variances between forecasts and actual costs will be reported to the ITSM & ITAM Services Governance Council for review and evaluation. The Financial Management documentation was developed to meet the standards of the Information Technology Infrastructure Library (ITIL) methodology as part of the Operational Excellence Program (OEP) in the Office of Information Technology Services.

3.5.3 Cost Modeling and Charging

Refer to section 1.4.1 Billing and Cost Recovery Model.

3.5.4 Cost Model Maintenance

3.6 Manage Service Desk and Incident Management

ITSM & ITAM Services will comply with any applicable policies and procedures set forth by Service Desk and Incident Management and contained in the Service Desk and Incident Management Library within ITS.

The Service Desk and Incident Management documentation was developed to meet the standards of the Information Technology Infrastructure Library (ITIL) methodology as part of the Operational Excellence Program (OEP) in the Office of Information Technology Services.

3.6.1 Service Desk

The ITS Service Desk (ITSSD) handles all incidents related to ITSM & ITAM Services. The ITS Service Desk (ITSSD) agents are on duty 24 hours a day, seven days a week and provide business and technical infrastructure analysis, problem solving, and first and second level diagnostics for hardware.

A monitoring and escalation procedure is based upon service levels relative to the appropriate SLA that allows classification and prioritization of any reported issue as an incident, service request or information request. Measurement of end users’ satisfaction with the quality of the service desk and the ITSM & ITAM Services is also provided.

3.6.2 Registration of Customer Queries

ITSM & ITAM Services uses the ITS Remedy help desk application to log and track incidents, service requests, change requests, and other service related information needs. ITS Service Desk (ITSSD) within ITS works closely with such processes as incident management, problem management, change management, release management, capacity management, and availability management. Incidents are classified according to a business and service priority/severity model and are routed to the appropriate problem management team if a solution or workaround cannot be found.

3.6.3 Incident Escalation

The ITS Service Desk (ITSSD) handles incident escalation for all incidents related to the ITSM & ITAM Services. Incidents that cannot be immediately resolved are appropriately escalated according to limits defined in the SLA and, if appropriate, workarounds are provided. Incident ownership and life cycle monitoring remain with the ITS Service Desk (ITSSD) for user-based incidents regardless of which group is working on resolution activities.

ITSM & ITAM Services works in conjunction with the ITS Service Desk (ITSSD) to resolve and provide timely closure to service incidents. When an incident has been resolved, ITS Customer Care Center (CSC) will record the root cause, if known, and confirm that the action taken has been agreed upon with the customer.

3.6.5 Trend Analysis

3.7 Manage the Configuration

3.7.1 Configuration Repository and Baseline

All relevant information regarding configuration items for ITSM & ITAM Services will be collected, stored, and housed in a central repository and handled by the Information Technology Asset Management (ITAM) group within ITS via the asset management function of Remedy. This repository includes hardware, software, documentation, and operating procedures. Relevant information includes naming, version numbers, and licensing details.

3.7.2 Identification and Maintenance of Configuration Items

ITSM & ITAM Services will abide by and comply with any applicable policies and procedures set forth by Configuration Management and contained in the Configuration Management Library within ITS. This may include one or more of the following activities:

 Identify configuration items and their attributes

 Record new, modified, and deleted configuration items

 Identify and maintain the relationships among configuration items in the configuration repository

 Update existing configuration items into the configuration repository

 Prevent the inclusion of unauthorized software

These procedures also provide proper authorization and logging of all actions on the configuration repository, which are then properly integrated with change management and problem management procedures.

The Configuration Management documentation was developed to meet the standards of the Information Technology Infrastructure Library (ITIL) methodology as part of the Operational Excellence Program (OEP) in the Office of Information Technology Services.

3.7.3 Configuration Integrity Review

3.8 Manage Problems

ITSM & ITAM Services will comply with any applicable policies and procedures set forth by Problem Management and contained in the Problem Management Library within ITS which include the following controls:

 Problem Control

o Problem Identification and Recording

o Problem Classification and Resource Allocation

o Problem Investigation and Diagnosis (Root Cause Analysis)

 Error Control

o Error Identification and Recording

o Error Assessment

o Record Error Resolution

o Integration of Change, Configuration, and Problem Management

o Problem Error and Closure

3.9 Manage Data

3.9.1 Storage and Retention Arrangements

Each agency must follow policies and procedures set forth by the Statewide Information Security Manual for handling and storing sensitive data while performing testing of their applications to ensure any sensitive information is secure and encrypted.

3.9.2 Media Library Management System

ITSM & ITAM Services will comply with any applicable policies and procedures set forth by the ITAM group within ITS for maintenance of onsite or electronic software media as it applies to the service [i.e. Remedy AR System Application Software].

3.9.3 Disposal

Each agency must follow policies and procedures set forth by the Statewide Information Security Manual for disposing of sensitive data and software from equipment or media when transferred for the purpose of testing.

3.9.4 Backup and Restoration

Backup and restoration of ITSM & ITAM Services and any associated databases is handled by the Computing Services group within ITS.

3.9.5 Security Requirements for Data Management

ITSM & ITAM Services and subscribers of the service will comply with any applicable policies and procedures set forth by Statewide Information Security Manual when dealing with physical storage and output of data and sensitive messages. This includes physical records, data transmissions, and any data stored offsite. Individual agencies are shielded from one another by means of individually assigned user logins and projects to ensure an agency’s data is isolated from other agencies.

Following is a link to access this information directly:

3.10 Manage the Physical Environment

The physical environment which houses ITSM & ITAM Services is supported and maintained by ITS which is responsible for but not limited to the following:

 Service Hardware Location and Layout

 Physical Security Measures

 Physical Access

3.11 Manage Operations

3.11.1 Operations Procedures and Instructions

ITSM & ITAM Services has a standard procedure in place outlining the IT operations of the service including the following topics:

 Handling of daily operational tasks, activities, and incidents

 Coverage of service

 On call schedule

 Escalation procedure

 Status reporting

3.11.2 Infrastructure Monitoring

All procedures to monitor the IT infrastructure and related events are handled by Computing Services within ITS. Computing Services ensures sufficient chronological information is being stored in operations logs to enable the reconstruction, review, and examination of the time sequences of operations and the other activities surrounding or supporting operations. Infrastructure monitoring will comply with the appropriate ITS procedures (Incident Management, Problem Management and Service Level Management).

3.11.3 Sensitive Documents and Output Devices

ITSM & ITAM Services uses the Documentum application managed by the Electronic Document Management and Project Collaboration service within ITS to protect and store any sensitive documents related to the service.

3.11.4 Preventive Maintenance for Hardware

Preventative maintenance for hardware is handled by Computing Services within ITS. Maintenance windows are used only when needed for planned changes that have gone through the ITS Change Management Process. In addition to the standard ITS maintenance windows, site-specific and service-specific changes may be coordinated with customers at non-standard times.

4 Monitoring and Evaluation

4.1 Monitor and Evaluate Performance

4.1.1 Definition and Collection of Monitoring Data

ITSM & ITAM Services Governance Council will ensure a set of performance objectives, measures, targets, and benchmarks are defined in 2008, agreed upon, and signed off on by subscribing agencies and other relevant stakeholders. Performance indicators should include but are not limited to the following:

 Business contribution including, but not limited to, financials

 Performance against the strategic business and IT plan

 Risk and compliance with regulations

 Internal and external user satisfaction

 Application availability and user response time

 Key ITSM & ITAM Services processes including development and service delivery

 Future-oriented activities; for example, emerging technology, reusable infrastructure, business and ITSM & ITAM Services staff personnel skill sets

4.1.2 Monitoring Methods

ITSM & ITAM Services Governance Council will employ a monitoring process in 2008 that provides a concise, detailed summary of the performance status of ITSM & ITAM Services and will ensure this method is appropriate and measurable within the overall enterprise monitoring system.

4.1.3 Performance Assessment

ITSM & ITAM Services Governance Council will develop a performance assessment strategy in 2008/2009 to monitor performance and quality management goals.

4.1.4 Board and Executive Reporting

ITSM & ITAM Services will provide any applicable status reports requested by the Deputy State CIO and any other executive management for review of the organization’s progress toward identified goals.

A remedial action plan will be developed in 2008 by the ITSM & ITAM Services Governance Council to identify and initiate any action as it relates to performance monitoring, assessment, and reporting. This includes follow-up of all monitoring, assessments, and reporting with:

 Review, negotiation, and establishment of management responses

 Assignment of responsibility for remediation

 Tracking of the results of actions committed

4.2 Ensure Regulatory Compliance

4.2.1 Laws & Regulations w/ Potential Impact on ITSM & ITAM Services

ITSM & ITAM Services will comply with any or all applicable statewide and federal government regulatory requirements, policies, and standards and ensure timely identification of any legal, contractual, policy, and regulatory requirements related to information or

Appendix A – Governance Roles and Responsibilities

ITSM & ITAM Services Governance Committee – Roles and Responsibilities

The ITSM & ITAM Services Governance Council’s primary role is to set and ensure compliance with the policies that govern this service usage statewide. This council must have the authority to make decisions that may impact all units or functional areas of the State.

Tasks include:

 Setting strategic directions

 Determining priorities

 Committing resources

 Planning, acquiring, and allocating funding

 Monitoring and evaluating initiatives

 Communicating status

 Influencing key people

This Council puts principles, policies, and procedures in place to monitor and measure results to ensure that the most beneficial work, from an enterprise perspective, is being performed. Any Service related project requests should be viewed as ways to improve the business, and governance is the process that ensures that these improvements occur.

Council members’ roles and responsibilities:

 Ensure Agencies’ projects align with the long term vision and key business objectives of the State

 Set principles and policies that govern Service use in the State

 Ensure an enterprise-wide “business” perspective in formulating and supporting Service technical initiatives

 Establish priorities of projects

 Monitor and evaluate project deliverables

 Communicate regularly with Service stakeholders

 Ensure that the projects are adhering to the standards of the Service

 Be Service “champions”; remind decision makers and end users of the long-term benefits

 Ensure adherence to the enterprise’s guiding principles

 Manage business and IT expectations

Key Council Roles:

 Council Chairperson

 Customer Business Representative

 ITSM & ITAM Services Product Manager

 Administrative Secretary (optional)

Council Chairperson – This role is a voting member of the council. A person from the business side should fill the chairperson role because strong business knowledge and ownership is what drives ITSM & ITAM Services success. In addition to all the characteristics of the Customer Business Representative role, the chairperson must also possess:

 Sense of ownership of the governance process

 Patience and determination

 Strong business perspective

 Strong meeting management skills (i.e. Robert’s Rules of Order)

 Consensus orientation – Decisions are mediated to reach a consensus on what provides the greatest benefit to the State as a whole

Customer Business Representative – This role is a voting member of the council. This person is an agency representative that has been sanctioned by their agency’s executive leadership to represent the interests of the agency and is delegated decision making authority on their agency’s behalf. They have the following characteristics:

 Good communicator

 Excellent knowledge of their agency’s business processes

 A thought-leader and motivator

 Open to new ideas

 Results-oriented

 Able to separate their functional role from their governance role

 Have the will and passion for governance and see it as an important part of their overall job accountabilities

 Enthusiastic about governance and leadership

 Ability to navigate their organization to achieve consensus on business and technical requirements to drive the strategic direction of the ES Service

 Good understanding of the historical, cultural, and social complexities of the organization

ITSM & ITAM Services Product Manager – This role is a non-voting member of the council. The following responsibilities are owned by this role:

 Facilitates Planning and process

 Provides regular updates and monitors progress

 Implements changes to the service

 Overall responsibility for the success of the service

Administrative Secretary – This role is an optional non-voting member of the council. The responsibilities of this role are:

 Manage communications and meeting minutes

 Support the ITSM & ITAM Services Product Manager with administrative tasks

Agenda and Minutes:

The ITSM & ITAM Services Product Manager will circulate a meeting agenda to council members and to the ITSM & ITAM Services Council Chairperson no less than three working days before the next scheduled ITSM & ITAM Services Governance Council meeting.

Minutes of each meeting should be prepared and circulated within five working days after each ITSM & ITAM Services Governance Council meeting.

ITSM & ITAM Services Governance Council Meetings:

Purpose

The purpose of the ITSM & ITAM Services Governance Council Meeting is to foster dialogue among all of the council members regarding any allocation of IT resources, software, hardware, licensing, infrastructure, support maintenance agreements, and other recommendations that may affect changes to the current cost model. In addition, the Council will resolve any testing or service conflicts and plan for future growth.

Meeting Frequency and Structure

The ITSM & ITAM Services Governance Council Meetings will take place quarterly according to a schedule established by the ITSM & ITAM Services Governance Council Chairperson.

Attendance and Participation

Attendance is mandatory for all scheduled meetings. If for some reason a

Chairperson and ensuring an alternate representative can attend the meeting. Two-thirds of the total membership constitutes a quorum for meetings.

Officers and Meeting Procedures

The ITSM & ITAM Services Governance Council Meetings are facilitated by the ITSM & ITAM Services Product Manager and moderated by the ITSM & ITAM Services Council Chairperson.

The ITSM & ITAM Services Council Chairperson is selected and voted upon by the ITSM & ITAM Services Governance Council members and will serve a term of one year, with consecutive and multiple terms allowed.

The agenda of each ITSM & ITAM Services Governance Council Meeting will be structured to facilitate discussion of issues raised by each subscribing agency. Each meeting will include minutes or a report from the ITSM & ITAM Services Council Chairperson.

The ITSM & ITAM Services Governance Council Meetings will be conducted in accordance with Robert’s Rules of Order or similar structure.

Voting:

 Voting on key issues will be scheduled in advance and members who are unable to attend may vote by proxy.

 Decisions will be based on a 2/3rds majority vote of the members.

Filling Vacancies:

If a vacancy occurs during the ITSM & ITAM Services Council Chairperson’s term of office, the ITSM & ITAM Services Product Manager will arrange for the election of a replacement.

Current ITSM & ITAM Services Governance Council Members

 DENR – David Johnson

 DHHS – Vernon Brown, Larry Forrister

 DOR – Angela Altice

Appendix B – ITSM & ITAM Services Governance Process Diagram

[Diagram: ITSM & ITAM Services Governance Process. Tactical level: the ITSM & ITAM Services Tactical Governance Process, with the agencies, Customer Business Representatives, the Governance Chairperson, the ES Service Product Manager, and the ITS BRM Representative. Strategic level: ITSM & ITAM Services Strategic Governance, with the Deputy State CIO, the ES Director, others as needed, the State CIO decision process, and the Technology Planning Group (TPG) and TPG Workgroups. Labelled flows: Strategic Recommendations; Decisions, Plans and Communications.]

Appendix C – ITIL Mappings for ITS and ITSM & ITAM Services

Service Support | ITS Document Name and Location
Relationship Between Processes | Refer to Actual ITIL Library
The Service Desk | P:\Z_Shared\OEP Finished Document Repository\Service Desk Library
Incident Management | P:\Z_Shared\OEP Finished Document Repository\Incident Management Library
Problem Management | P:\Z_Shared\OEP Finished Document Repository\Problem Management Library
Change Management | P:\Z_Shared\OEP Finished Document Repository\Change Management Library
Release Management | P:\Z_Shared\OEP Finished Document Repository\Release Management Library
Configuration Management | P:\Z_Shared\OEP Finished Document Repository\Configuration Management Library
Service Management Software Tools | P:\Z_Shared\OEP Finished Document Repository\Service Level Management Library
Planning for the Implementation of Service Management | Refer to Actual ITIL Library

Service Delivery | ITS Document Name and Location
Relationship Between Processes | Refer to Actual ITIL Library
Service-level Management | P:\Z_Shared\OEP Finished Document Repository\Service Level Management Library
Availability Management | P:\Z_Shared\OEP Finished Document Repository\Availability Management Library
Capacity Management | P:\Z_Shared\OEP Finished Document Repository\Capacity Management Library
Financial Management for IT Services | P:\Z_Shared\OEP Finished Document Repository\Financial Management for IT Services Library
IT Service Continuity Management | P:\Z_Shared\OEP Finished Document Repository\IT Service Continuity Management Library
Planning for the Implementation of Service
