ITSM Service Operations Standard
CONTENTS
1. CONTEXT
1.1. Background
1.2. Purpose
1.3. Scope and application
1.4. Policy context
1.5. The ICT Services Catalogue
2. KEY PRINCIPLES
3. REQUIREMENTS
3.1. ITSM Service Operations
3.2. Service level and complexity
3.3. Requirements tables
3.3.1 ITSM Service Operations – Use Cases / Scenarios
3.4. Elements of this standard
3.4.1 ITSM Service Operations requirements
3.4.2 Service Management requirements
DOCUMENT CONTROL
APPENDIX A – ABBREVIATIONS AND DEFINITIONS
APPENDIX B – REFERENCES
APPENDIX C – STANDARDS
Developing technical standards
Management and implementation
APPENDIX D – Sample Key Performance Indicators
1. CONTEXT
1.1. Background
This is a technical standard developed through the NSW ICT Procurement and Technical Standards Working Group. The standard contains technical and functional requirements that agencies should consider when procuring IT Service Management (ITSM) Service Operations solutions.
By defining the necessary and common elements across agencies the standard provides an opportunity to leverage the buying power of Government as a whole, improve procurement efficiency and increase interoperability.
1.2. Purpose
The purpose of this standard is to assist NSW Government agencies to develop, procure and implement ITSM Service Operations solutions and tools, as well as take full advantage of their benefits. This standard also helps agencies procure in a strategic manner that reflects the NSW Government’s priorities as outlined in the NSW Government ICT Strategy.
This standard details the issues that need to be considered so each agency can identify the available options that best suit their business requirements, helping agencies achieve value for money through cost savings and improved flexibility of service offerings.
1.3. Scope and application
This standard applies to all NSW Government departments, statutory bodies and shared service providers. It does not apply to state owned corporations, but is recommended for their adoption.
For the purposes of this standard, ITSM Service Operations is defined as:
To execute activities and processes for effective delivery and support of services at agreed levels to business users and customers, whilst managing the technology that supports the services.
This standard sets out service definitions as minimum requirements that vendors must meet to be able to offer their services through the NSW ICT Services Catalogue. Agencies should consider any specific operational or regulatory factors that impact their requirements, and specific requirements they have in addition to those detailed in this standard.
1.4. Policy context
The NSW Government ICT Strategy and Digital + 2016 Final Update set out the Government’s plan to: build capability across the NSW public sector to deliver better, more customer-focused services that are available anywhere, anytime; and to derive increased value from the Government’s annual investment in ICT.
Developing whole of NSW Government ICT technical standards is a key initiative of the NSW Government ICT Strategy, driven by the ICT Procurement and Technical Standards Working Group. These standards leverage principles defined in the NSW Government ICT Strategy and the NSW Government Cloud Policy, and they support the NSW ICT Services Catalogue.
The standards set out service definitions as minimum requirements that vendors must meet to be able to offer their services through the NSW Services Catalogue. This helps achieve consistency across service offerings, emphasising a move to as-a-service sourcing strategies in line with the NSW Government ICT Strategy, and it signals government procurement priorities to industry.
Solutions should also assist agencies in their alignment with the NSW Government Enterprise Architecture (NSW GEA), which encompasses all aspects of enterprise architecture activity at the business, information, application and technology infrastructure layers. The NSW GEA is about providing direction and practical guidance to accelerate the development of agency EA capability and enabling a common, intra and inter agency approach to the design of digital government.
This standard should be applied along with existing NSW Government policies and guidance, including the NSW Digital Information Security Policy. More information on the process for the development of standards that populate the ICT Services Catalogue is at Appendix C – Standards.
1.5. The ICT Services Catalogue
This catalogue provides suppliers with a showcase for their products and services, and an opportunity to outline how their offerings meet or exceed standard government requirements. The standards, together with supplier service offerings, help to reduce red tape and duplication of effort by allowing suppliers to submit service details only once against the standards. The offerings are then available to all potential buyers, simplifying procurement processes for government agencies.
Implementing this category management approach will embed common approaches, technologies and systems to maintain currency, improve interoperability and provide better value ICT investment across NSW Government.
2. KEY PRINCIPLES
This standard is informed by the following principles:
- End-to-end digital: Service Operations solutions should enable end-to-end digital business processes and management.
- Control technical diversity: Service Operations solutions should help control technical diversity to minimise costs associated with maintaining expertise in and connectivity between multiple processing environments.
- Data security: Meet any applicable requirements of the NSW Digital Information Security Policy and ISO 27001.
- Technology currency: Solutions should be designed to maintain technology currency for key systems, and to maintain a pace that aligns with business context and risk profile.
- Facilitating as a service: Service Operations solutions should facilitate the agency transition to as a service, and ensure agency alignment with broader NSW ICT Strategy.
- Interoperability: Service Operations solutions should meet applicable recognised open standards across the elements of compute, storage, network, and pre-production and testing.
- Business continuity: Service Operations solutions should meet business continuity requirements, particularly with transition in and out (see the NSW Digital Information Security Policy and ISO 27031-2011 for more guidance).
3. REQUIREMENTS
3.1. ITSM Service Operations
When considering any aspect of ITSM Service Operations (as defined in this standard) an agency must consider the Service Management aspects of the service(s) on offer.
The following ITSM Frameworks can be considered when assessing requirements for ITSM Service Operations:
- ITIL
- IT4IT
- ISO/IEC 20000
- Business Process Framework (eTOM)
- COBIT
- FitSM
- DevOps
- Microsoft Operations Framework (MOF)
3.2. Service level and complexity
The following requirements use case tables are separated into three service levels – silver, gold and platinum, reflecting the complexity of the ITSM Service Operations solution required:
Silver: Offerings that conform to a minimum number of processes of an identified ITSM methodology.
Gold: Offerings that conform to an identified ITSM framework and are updated by the solution provider to reflect changes to the nominated ITSM methodology.
Platinum: Offerings that conform with the NSW Government Standard Business Processes. Solutions at this level must be able to adapt and change, at no extra cost to agencies, to meet the evolving requirements defined.
3.3. Requirements tables
The following tables set out the recommended business and technical requirements for NSW Government. They provide a consistent approach for all NSW Government agencies regardless of their size.
Key to table requirements:
/ Required / Optional, but beneficial
Explanations for each element of the following use cases are provided at section 3.4.
3.3.1 ITSM Service Operations – Use Cases / Scenarios
‘Use cases’ for ITSM Service Operations that are anticipated in agencies are included in the table below. The corresponding requirement sections of this standard are ticked in the columns.
Use Case / Scenario / ITSM Service Operations / ITSM Service Operations / Service Management
Incident Management / Problem Management / Request Fulfilment / Access Management / Facilities Management / Event Management / IT Operations Control / Application Management / Technical Management / Compliance with NSW Government Standard Business processes / Self-service administration / Full-service administration / Cloud compliant hosting facility / NSW Government Data Centre / Onshore/offshore management / Service level management / Multi-service broker provision
Silver / / / / / / / / / / - / / / / / / /
Gold / / / / / / / / / / - / / / / / / /
Platinum / / / / / / / / / / / / / / / / /
3.4. Elements of this standard
3.4.1 ITSM Service Operations requirements
Generic considerations for ITSM Service operations may include the provision of the following components. Solutions that should address the overarching Service Operations element are included in the service requirements below:
Generic Service Operations Requirements / Silver / Gold / Platinum
Dashboard technology (for Gold and Platinum) / - / /
Remote control / - / /
Workflow or process engine / / /
Integration to Configuration Management System (CMS), incl IT assets (for Gold and Platinum) / - / /
Reporting capabilities / / /
(a) Event Management
Event Management monitors all events that occur throughout the ICT environment, monitoring normal events and detecting and escalating exceptions. Solutions that should address the Event Management element are included in the service requirements below:
Event Management Requirements / Silver / Gold / Platinum
Consolidated view of multi-environments
Support for design/test stages of event configuration / - / /
Centralised routing of events / - / /
Configurable and programmable functionality to correlate similar/identical events / / /
Integration to Incident management system / - / /
Open interfaces to accept standard event input and generation of multiple alerting / - / /
Capability to suppress or flag events during periods of scheduled outages / - / /
Event escalation/notifications / / /
Event reporting / / /
(b) Incident Management
Incident Management is concerned with the restoration of unexpected degraded/disrupted services to customers as quickly as possible to minimise business impacts. Solutions that should address the Incident Management element are included in the service requirements below:
Incident Management Requirements / Silver / Gold / Platinum
Incident creation/re-open, date/time stamp / / /
Incident categorisation, prioritisation, tracking, and resolution / / /
Automated incident population/escalation/notification / / /
Incident and Service Request fragmentation / / /
Predefined Incident workflow / / /
Incident/Problem linking / - / /
Incident parent/child relationship (for major incidents) / / /
Open interfacing to event management tools / - / /
Integration to Known Error Database (KEDB) / - / /
Incident reporting / / /
(c) Problem Management
Problem Management is concerned with root-cause analysis to determine and then resolve the cause of incidents, proactive activities to detect and prevent future problems/incidents, and a known error sub-process that allows improved diagnosis and resolution if further incidents occur. Solutions that should address the Problem Management element are included in the service requirements below:
Problem Management Requirements / Silver / Gold / Platinum
Problem categorisation/prioritisation/tracking/resolution / - / /
Automated Problem escalation/notification / - / /
Predefined Problem workflow / - / /
Problem conversion and integration to Request for Changes (RFCs) / - / /
Multiple incident matching against problem records / - / /
Effective Known Error Database (KEDB) with easy storage and retrieval of data / - / /
Integration of KEDB to incidents and RFC / - / /
Problem reporting / - / /
(d) Request Fulfilment
Request fulfilment deals with service requests (for smaller/low-risk changes) in a similar but different process to Incident/Problem issues. Solutions that should address the Request Fulfilment element are included in the service requirements below:
Request Fulfilment Requirements / Silver / Gold / Platinum
Service Request creation, date/time stamp / / /
Service Request categorisation, prioritisation, tracking, resolution / / /
Automated Service Request population, escalation, notification / / /
Predefined Service Request workflow / / /
Self Help Service Request configuration including access control / - / /
Service Request billing / - / /
Service Request reporting / / /
(e) Access Management
Access (Identity or Rights) management deals with granting authorised users the right to use a service while preventing non-authorised users from gaining access. Solutions that should address the Access Management element are included in the service requirements below:
Access Management Requirements / Silver / Gold / Platinum
Directory services technology / - / /
Access profiles/service group creation and notifications / / /
Access management features in various systems e.g. operating systems, applications etc / / /
Access audit log / / /
Integration to Request Fulfilment and change management (RFCs) / - / /
Access management reporting / / /
(f) Facilities Management
Facilities management is concerned with the physical ICT environment, such as data centres and similar environments. Solutions that should address the Facilities Management element are included in the service requirements below:
Facilities Management Requirements / Silver / Gold / Platinum
Building Management (e.g. upkeep, cleaning, waste disposal, access control) / - / /
Equipment hosting / / /
Power management / - / /
Building management systems (monitoring systems – smoke/fire detection, water, heating/cooling) / / /
Safety requirements – compliance/policies / / /
Physical access control – detect and manage unauthorised access / / /
Shipping and receiving of goods in and out of building / - / /
(g) IT Operations Control
IT operations control deals with the provision of centralised monitoring and control activities to ensure routine operational tasks are performed efficiently. Solutions that should address the IT Operations Control element are included in the service requirements below:
IT Operations Control Requirements / Silver / Gold / Platinum
Desktop and Mobile device support / - / /
Application Operation / / /
Backup and restore / / /
Storage and archive / / /
Directory Services management / - / /
Internet/Web management / - / /
Print and output management / - / /
Database management / - / /
Network management / / /
Middleware management / - / /
Server/mainframe management / - / /
Integration with Service Design/Service Transition/ Continual Service Improvement / - / /
(h) Application Management
Application management is responsible for management of applications throughout their lifecycle.
Solutions that should address the Application Management element are included in the service requirements below:
Application Management Requirements / Silver / Gold / Platinum
Application requirements (functional, manageability, usability, architectural, interface and service level requirements) / / /
Application design/build/testing / / /
Application deployment / / /
Application optimization / - / /
Integration with other ITSM modules (Service Strategy/Design/Transition/Operation and Continual Service Improvement) / - / /
(i) Technical Management
Technical management deals with the detailed technical skills and resources required to support the ongoing operations of the ICT environment. Solutions that should address the Technical Management element are included in the service requirements below:
Technical Management Requirements / Silver / Gold / Platinum
IT Resource management / / /
Technical documentation / / /
Design and delivery of training / / /
Infrastructure maintenance (patch management) / / /
Compliance management / - / /
IT Vendor management / - / /
3.4.2 Service Management requirements
(j) Compliance with NSW Government Standard Business Process
Solutions that wish to comply with this element (for Platinum services) must accept full and ongoing compliance with the current version(s) of the NSW Government Standard Business Processes. To be endorsed against this element, suppliers must meet the following requirements:
Compliance with NSW Government Standard Business Processes / Silver / Gold / Platinum
The supplier’s solution meets all requirements in the appropriate standard(s), related materials and process artefacts as defined within the NSW Government Standard Government Processes / - / - /
Sign a legal contract under the ProcureIT framework related to the appropriate standard(s) / - / - /
Pay for cost of on-going (annual) certification against the relevant standard(s) / - / - /
(k) Self-service administration
The ability to automatically provision and de-provision all agency resources within the system, together with other appropriate administration and management tasks that can be delegated from the service provider and that do not impinge on the solution being provided to other customers.
(l) Full-service administration
All provisioning, de-provisioning, together with all other administration and management tasks required to operate the environment, are provided as part of the service offering. The only exception will be service management of the provider which remains the sole responsibility of the initiating agency.
(m) Cloud compliant hosting facility
All relevant cloud services for the solution may be provisioned from a compliant hosting facility. A compliant hosting facility is defined as having the following attributes and/or capabilities:
- The location of the hosting facility must be identified either by name and/or location (city and country) in any response.
- The hosting location cannot be changed without first informing the agency concerned.
- The service provider undertakes, maintains and provides access to SSAE 16 Service Organization Control (SOC) Type II reports (or equivalent) for the services and facilities in scope for the engagement.
- The hosting facility must comply with minimum Tier 3, as defined by the Uptime Institute, ANSI TIA-942, or an equivalent industry standard.
- The hosting facility must be certified against ISO 27001; compliance with the following international standards is desirable:
- ISO 9001
- ISO 27002
- ISO 20000-1:2011
- ISO 14001
Other desirable certifications may include, but are not limited to:
- PCI-DSS v3.0 or later
- Australian Signals Directorate
- ASIO-T4
- Uptime Institute
- CSA
Also consider contractual obligations relating to the service provider allowing security assessments and treatment of outcomes as agreed with the client.
If the hosting facility changes to a location that is deemed unacceptable either to NSW Government or to the agency, and/or loses the attributes and/or capabilities identified above, the agency may need to consider termination of services.
(n) NSW Government Data Centre
All relevant services for the solution may be provisioned from one or both NSW Government Data Centre(s) (GovDC). Depending on the service offering and agency requirements, it may be possible to ‘burst’ some elements of services to other location(s), subject to agreement with the commissioning agency.