Standardization of IT Processes
Irshadh Rasheed, Ernst & Young, 6-Sep-2013
Uploaded by natrajv, Jan 22, 2015
A world without standards is a road to chaos, and IT processes are no exception. This presentation talks, in a friendly manner, about the IT standards ISO 27001, ISO 20000, CobiT and ISO 38500.

Transcript
1. Standardization of IT Processes
   Irshadh Rasheed, Ernst & Young, 6-Sep-2013

2. Can you imagine a world without standards?

3. A few in our daily life
   - A lot more... in everyday life... we are not conscious of them

4. More important in Technology
   - Monitors
   - Storage devices
   - Processors
   - Hard disks
   - Communication protocols
   - Communication medium
   - You name anything in technology, you will have standards

5. Why Standardization?
   Users / Consumers:
   - Easier life
   - Compatibility & reusability
   - Lower prices
   - Better quality
   - Trust & confidence
   Industry - Products:
   - Larger market with fewer varieties
   - Increased productivity & efficiency
   - Increased competition
   Industry - Processes:
   - Internal benchmarking against best practices
   - Compatibility / compliance
   - Time / effort savings
   - Gaining competitive advantage
   - Assurance of smooth communications
   - Corporate cultures / loyalty

6. IT Standards
   IT Infrastructure: Hardware, Software, Applications, Data
   IT Processes: Software Development, Service Delivery, Information Security, Risk & Governance

7. Standardization Level, Industry & Area

8. IT Processes Pyramid & Standards
   - CobiT, ISO 38500 (IT Governance)
   - ISO 20000, ISO 22301
   - ISO 27001 & many more

9. Who develops IT Standards

10. IT Governance: ISO 38500

11. ISO 20000: IT Service Management
   ISO 20000 is the international standard for IT Service Management (ITSM) published by the International Organization for Standardization (ISO). ISO 20000 consists of two parts: Part 1 (Specification) and Part 2 (Code of Practice). ISO/IEC 20000-1 (Part 1 - Specification) promotes the adoption of an integrated process approach to effectively deliver managed services that meet the business and customer requirements. ISO/IEC 20000-2 (Part 2 - Code of Practice) represents an industry consensus on quality standards for IT service management processes.
   Service Management System (SMS):
   - Management responsibility
   - Establish SMS
   - Governance of processes operated by other parties
   - Documentation management
   - Resource management
   Design and transition of new or changed services
   Service delivery processes:
   - Capacity management
   - Service level management
   - Information security management
   - Service continuity and availability management
   - Service reporting
   - Budgeting and accounting for services
   Relationship processes:
   - Business relationship management
   - Supplier management
   Resolution processes:
   - Incident and service request management
   - Problem management
   Control processes:
   - Configuration management
   - Change management
   - Release and deployment management

12. ISO 27000: Information Security
   ISO 27002 clauses / control objectives (domains addressed):
   - Security policy
   - Organization of information security
   - Asset management
   - Human resources security
   - Physical and environmental security
   - Communications and operations management
   - Access control
   - Information systems acquisition, development and maintenance
   - Information security incident management
   - Business continuity management
   - Compliance
   Other standards in the family:
   - ISO 27001 - System
   - ISO 27003 - Implementation guide
   - ISO 27004 - Security measurements
   - ISO 27005 - Risk management

13. ISO 22301: Business Continuity Management
   - Clause 1 - Scope
   - Clause 2 - Normative references
   - Clause 3 - Terms and definitions
   - Clause 4 - Context of the organization (Plan)
   - Clause 5 - Leadership (Plan)
   - Clause 6 - Planning (Plan)
   - Clause 7 - Support (Plan)
   - Clause 8 - Operation (Do)
   - Clause 9 - Performance evaluation (Check)
   - Clause 10 - Improvement (Act)

14. A Typical ISO 27001 certification roadmap
   (Roadmap diagram; the step labels survive in the transcript, the diagram's step numbering does not.)
   - Management support for information security
   - Develop / update existing IS policies & procedures (ISPP)
   - Develop implementation plan for rollout of ISPP
   - Information security awareness rollout
   - Implement the identified controls as per SOA
   - Develop implementation plan for observations
   - ISO 27001 pre-certification assessment
   - Define ISO 27001 certification scope
   - Perform risk assessment and develop SOA
   - Update ISPP as per Statement of Applicability (if required); develop L1 documentation
   - Set up PMO to manage the roll-out of ISPP
   - Implementation of the ISPP as per implementation plan
   - ISMS effectiveness and implementation check
   - ISO 27001 certification audit
   - KPI and ISMS effectiveness audit
   - Surveillance audit every 6 months

15. Benefits of Implementing IT Standards
   - Improving the quality, responsiveness and reliability
   - Improving the achievability, predictability and repeatability of outcomes
   - Reducing risks, incidents and project failures
   - Increased efficiencies and reduced costs
   - Enhanced compliance and respect from regulators
   - Trust & confidence to all stakeholders

16. Benefits of Implementing - ISO 27001
   An organization's case

17. Benefits of Implementing - ISO 20000
   An organization's case:
   - SLA compliance to resolution: 60% to 92%
   - Customer satisfaction: 74% to 90%
   - Customer calls reduced from 300 to 50

18. ISO 20000 process areas
   1. Incident management
      - Identification and logging of calls
      - Incident classification, categorization and prioritization
      - Incident investigation and diagnosis
      - Resolution and recovery of incidents
      - Incident closure
      - Periodic analysis and reporting of incidents
   2. Problem management
      - Problem detection and logging
      - Problem classification and prioritization
      - Problem investigation and diagnosis
      - Error control
      - Closure of problems
      - Proactive identification and management of problems (proactive problem management)
      - Periodic analysis and reporting of problems
      - Periodic status updates to the relevant stakeholders
   3. Change management
      - Change request initiation, logging, validation and approval
      - Impact assessment, change categorization and prioritization
      - Change Advisory Board (CAB) approvals
      - Change planning and scheduling
      - Change building and testing
      - Post Implementation Review (PIR)
      - Roll-back of changes
      - Change closure, analysis and reporting
   4. Release management
      - Release policy development
      - Release planning and preparation
      - Release building and testing
      - Release transfer, deployment and retirement
      - Release monitoring and verification
      - Release closure

19. ISO 20000 process areas
   5. Configuration management
      - Identification of the configuration items (CI)
      - Managing control of CI
      - Status accounting and reporting of CI
      - Verification and audit of CI
      - Periodic backup and housekeeping of CI
   6. Service level management
      - Design of the service level agreement framework
      - Identification and agreement with business (service beneficiary) on the service requirements and expectations
      - Monitoring and reporting of service performance
      - Periodic review and improvement of agreed service
      - Identification and implementation of the process improvements
      - Periodic review of service level agreement and contract
   7. Business relationship management
      - Service catalogue development
      - Service level agreement (SLA) development facilitation
      - Service review meeting facilitation
      - Customer satisfaction survey
      - Complaint management process
      - Periodic review of the service catalogue
   8. Supplier management
      - Design of the supplier risk management framework
      - Identification and selection of supplier
      - Assessment of the supplier risk, project risk and contract risk
      - Formulation of supplier contracts
      - Management of contractual disputes
      - Periodic review of supplier performance
      - Periodic review of supplier contracts

20. ISO 20000 process areas
   9. Service reporting
      - Defining the service report
      - Periodic analysis of the service data
      - Periodic preparation and circulation of the service report
      - Periodic review and improvement of agreed service
   10. Capacity management
      - Identification of current capacity and performance
      - Capacity plan development
      - Monitoring, forecasting and tuning
      - Assess, agree and document new requirements and capacity
      - Planning new capacity
   11. Service continuity and availability management
      - Perform business impact analysis (BIA)
      - Develop business continuity strategy
      - Develop business continuity plans
      - Develop IT continuity plan(s)
      - Review and testing of IT continuity plan(s)
      - Training for IT continuity
      - Availability monitoring and reporting
   12. Budgeting and accounting of IT services
      - Budgeting and accounting policy
      - IT budgeting
      - IT accounting and costing
      - Financial review
   13. Information security management
      - Information security policy
      - Information security risk management
      - Security controls management
      - Information security incidents management
      - Security audits