Deliver and Support
This domain is concerned with the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and operational facilities. It typically addresses the following management questions:
• Are IT services being delivered in line with business priorities?
• Are IT costs optimized?
• Is the workforce able to use the IT systems productively and safely?
• Are adequate confidentiality, integrity and availability in place for information security?
Define and Manage Service Levels
Effective communication between IT management and business customers regarding services required is enabled by a documented definition of and agreement on IT services and service levels. This process also includes monitoring and timely reporting to stakeholders on the accomplishment of service levels. This process enables alignment between IT services and the related business requirements.
Service Level Management Framework
Define a framework that provides a formalized service level management process between the customer and service provider. The framework should maintain continuous alignment with business requirements and priorities and facilitate common understanding between the customer and provider(s). The framework should include processes for creating service requirements, service definitions, SLAs, OLAs and funding sources. These attributes should be organized in a service catalogue. The framework should define the organizational structure for service level management, covering the roles, tasks and responsibilities of internal and external service providers and customers.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Definition of Services
Base definitions of IT services on service characteristics and business requirements. Ensure that they are organized and stored centrally via the implementation of a service catalogue portfolio approach.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Service Level Agreements
Define and agree to SLAs for all critical IT services based on customer requirements and IT capabilities. This should cover customer commitments; service support requirements; quantitative and qualitative metrics for measuring the service signed off on by the stakeholders; funding and commercial arrangements, if applicable; and roles and responsibilities, including oversight of the SLA. Consider items such as availability, reliability, performance, capacity for growth, levels of support, continuity planning, security and demand constraints.
Operating Level Agreements
Define OLAs that explain how the services will be technically delivered to support the SLA(s) in an optimal manner. The OLAs should specify the technical processes in terms meaningful to the provider and may support several SLAs.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Monitoring and Reporting of Service Level Achievements
Continuously monitor specified service level performance criteria. Reports on achievement of service levels should be provided in a format that is meaningful to the stakeholders. The monitoring statistics should be analyzed and acted upon to identify negative and positive trends for individual services as well as for services overall.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Review of Service Level Agreements and Contracts
Regularly review SLAs and underpinning contracts (UCs) with internal and external service providers to ensure that they are effective, up to date and that changes in requirements have been taken into account.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Manage Third-Party Services
The need to assure that services provided by third parties (suppliers, vendors and partners) meet business requirements requires an effective third-party management process. This process is accomplished by clearly defining the roles, responsibilities and expectations in third-party agreements as well as reviewing and monitoring such agreements for effectiveness and compliance. Effective management of third-party services minimizes the business risk associated with non-performing suppliers.
Identification of All Supplier Relationships
Identify all supplier services, and categorize them according to supplier type, significance and criticality. Maintain formal documentation of technical and organizational relationships covering the roles and responsibilities, goals, expected deliverables, and credentials of representatives of these suppliers.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Supplier Relationship Management
Formalize the supplier relationship management process for each supplier. The relationship owners should liaise on customer and supplier issues and ensure the quality of the relationship based on trust and transparency (e.g., through SLAs).
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Supplier Risk Management
Identify and mitigate risks relating to suppliers’ ability to continue effective service delivery in a secure and efficient manner on a continual basis. Ensure that contracts conform to universal business standards in accordance with legal and regulatory requirements. Risk management should further consider non-disclosure agreements (NDAs), escrow contracts, continued supplier viability, conformance with security requirements, alternative suppliers, penalties and rewards, etc.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Supplier Performance Monitoring
Establish a process to monitor service delivery to ensure that the supplier is meeting current business requirements and continuing to adhere to the contract agreements and SLAs, and that performance is competitive with alternative suppliers and market conditions.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Manage Performance and Capacity
The need to manage performance and capacity of IT resources requires a process to periodically review current performance and capacity of IT resources. This process includes forecasting future needs based on workload, storage and contingency requirements. This process provides assurance that information resources supporting business requirements are continually available.
Performance and Capacity Planning
Establish a planning process for the review of performance and capacity of IT resources to ensure that cost-justifiable capacity and performance are available to process the agreed-upon workloads as determined by the SLAs. Capacity and performance plans should leverage appropriate modeling techniques to produce a model of the current and forecasted performance, capacity and throughput of the IT resources.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Current Performance and Capacity
Assess current performance and capacity of IT resources to determine if sufficient capacity and performance exist to deliver against agreed-upon service levels.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Future Performance and Capacity
Conduct performance and capacity forecasting of IT resources at regular intervals to minimize the risk of service disruptions due to insufficient capacity or performance degradation, and identify excess capacity for possible redeployment. Identify workload trends and determine forecasts to be input to performance and capacity plans.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
IT Resources Availability
Provide the required capacity and performance, taking into account aspects such as normal workloads, contingencies, storage requirements and IT resource life cycles. Provisions such as prioritizing tasks, fault-tolerance mechanisms and resource allocation practices should be made. Management should ensure that contingency plans properly address availability, capacity and performance of individual IT resources.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Monitoring and Reporting
Continuously monitor the performance and capacity of IT resources. Data gathered should serve two purposes:
- To maintain and tune current performance within IT and address such issues as resilience, contingency, current and projected workloads, storage plans, and resource acquisition
- To report delivered service availability to the business, as required by the SLAs
Accompany all exception reports with recommendations for corrective action.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Ensure Continuous Service
The need for providing continuous IT services requires developing, maintaining and testing IT continuity plans, utilizing offsite backup storage and providing periodic continuity plan training. An effective continuous service process minimizes the probability and impact of a major IT service interruption on key business functions and processes.
IT Continuity Framework
Develop a framework for IT continuity to support enterprise-wide business continuity management using a consistent process. The objective of the framework should be to assist in determining the required resilience of the infrastructure and to drive the development of disaster recovery and IT contingency plans. The framework should address the organizational structure for continuity management, covering the roles, tasks and responsibilities of internal and external service providers, their management and their customers, and the planning processes that create the rules and structures to document, test and execute the disaster recovery and IT contingency plans. The plan should also address items such as the identification of critical resources, noting key dependencies, the monitoring and reporting of the availability of critical resources, alternative processing, and the principles of backup and recovery.
IT Continuity Plans
Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on key business functions and processes. The plans should be based on risk understanding of potential business impacts and address requirements for resilience, alternative processing and recovery capability of all critical IT services. They should also cover usage guidelines, roles and responsibilities, procedures, communication processes, and the testing approach.
Critical IT Resources
Focus attention on items specified as most critical in the IT continuity plan to build in resilience and establish priorities in recovery situations. Avoid the distraction of recovering less-critical items and ensure response and recovery in line with prioritized business needs, while ensuring that costs are kept at an acceptable level and complying with regulatory and contractual requirements. Consider resilience, response and recovery requirements for different tiers, e.g., one to four hours, four to 24 hours, more than 24 hours and critical business operational periods.
Maintenance of the IT Continuity Plan
Encourage IT management to define and execute change control procedures to ensure that the IT continuity plan is kept up to date and continually reflects actual business requirements. Communicate changes in procedures and responsibilities clearly and in a timely manner.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Testing of the IT Continuity Plan
Test the IT continuity plan on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant. This requires careful preparation, documentation, reporting of test results and, according to the results, implementation of an action plan. Consider the extent of testing recovery of single applications to integrated testing scenarios to end-to-end testing and integrated vendor testing.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
IT Continuity Plan Training
Provide all concerned parties with regular training sessions regarding the procedures and their roles and responsibilities in case of an incident or disaster. Verify and enhance training according to the results of the contingency tests.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Distribution of the IT Continuity Plan
Determine that a defined and managed distribution strategy exists to ensure that plans are properly and securely distributed and available to appropriately authorized interested parties when and where needed. Attention should be paid to making the plans accessible under all disaster scenarios.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
IT Services Recovery and Resumption
Plan the actions to be taken for the period when IT is recovering and resuming services. This may include activation of backup sites, initiation of alternative processing, customer and stakeholder communication, and resumption procedures. Ensure that the business understands IT recovery times and the necessary technology investments to support business recovery and resumption needs.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Offsite Backup Storage
Store offsite all critical backup media, documentation and other IT resources necessary for IT recovery and business continuity plans. Determine the content of backup storage in collaboration between business process owners and IT personnel. Management of the offsite storage facility should respond to the data classification policy and the enterprise’s media storage practices. IT management should ensure that offsite arrangements are periodically assessed, at least annually, for content, environmental protection and security. Ensure compatibility of hardware and software to restore archived data, and periodically test and refresh archived data.
Post-resumption Review
Determine whether IT management has established procedures for assessing the adequacy of the plan in regard to the successful resumption of the IT function after a disaster, and update the plan accordingly.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Ensure Systems Security
The need to maintain the integrity of information and protect IT assets requires a security management process. This process includes establishing and maintaining IT security roles and responsibilities, policies, standards, and procedures. Security management also includes performing security monitoring and periodic testing and implementing corrective actions for identified security weaknesses or incidents. Effective security management protects all IT assets to minimize the business impact of security vulnerabilities and incidents.
Management of IT Security
Manage IT security at the highest appropriate organizational level, so the management of security actions is in line with business requirements.
IT Security Plan
Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.
Identity Management
Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository. Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.
User Account Management
Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. Include an approval procedure outlining the data or system owner granting the access privileges. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information should be contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.
Security Testing, Surveillance and Monitoring
Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Security Incident Definition
Clearly define and communicate the characteristics of potential security incidents so they can be properly classified and treated by the incident and problem management process.
Protection of Security Technology
Make security-related technology resistant to tampering, and do not disclose security documentation unnecessarily.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Cryptographic Key Management
Determine that policies and procedures are in place to organize the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorized disclosure.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Malicious Software Prevention, Detection and Correction
Put preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) across the organization to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).
Network Security
Use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorize access and control information flows from and to networks.
Exchange of Sensitive Data
Exchange sensitive transaction data only over a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt and non-repudiation of origin.
Identify and Allocate Costs
The need for a fair and equitable system of allocating IT costs to the business requires accurate measurement of IT costs and agreement with business users on fair allocation. This process includes building and operating a system to capture, allocate and report IT costs to the users of services. A fair system of allocation enables the business to make more informed decisions regarding the use of IT services.
Definition of Services
Identify all IT costs, and map them to IT services to support a transparent cost model. IT services should be linked to business processes such that the business can identify associated service billing levels.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
IT Accounting
Capture and allocate actual costs according to the enterprise cost model. Variances between forecasts and actual costs should be analyzed and reported on, in compliance with the enterprise’s financial measurement systems.
Cost Modeling and Charging
Establish and use an IT costing model based on the service definitions that support the calculation of chargeback rates per service. The IT cost model should ensure that charging for services is identifiable, measurable and predictable by users to encourage proper use of resources.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Cost Model Maintenance
Regularly review and benchmark the appropriateness of the cost/recharge model to maintain its relevance and appropriateness to the evolving business and IT activities.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Educate and Train Users
Effective education of all users of IT systems, including those within IT, requires identifying the training needs of each user group. In addition to identifying needs, this process includes defining and executing a strategy for effective training and measuring the results. An effective training program increases effective use of technology by reducing user errors, increasing productivity and increasing compliance with key controls, such as user security measures.
Identification of Education and Training Needs
Establish and regularly update a curriculum for each target group of employees considering:
• Current and future business needs and strategy
• Value of information as an asset
• Organizational values (ethical values, control and security culture, etc.)
• Implementation of new IT infrastructure and software (i.e., packages, applications)
• Current and future skills, competence profiles, and certification and/or credentialing needs as well as required reaccreditation
• Delivery methods (e.g., classroom, web-based), target group size, accessibility and timing
Delivery of Training and Education
Based on the identified education and training needs, identify target groups and their members, efficient delivery mechanisms, teachers, trainers, and mentors. Appoint trainers and organize timely training sessions. Record registration (including prerequisites), attendance and training session performance evaluations.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Evaluation of Training Received
Evaluate education and training content delivery upon completion for relevance, quality, effectiveness, the retention of knowledge, cost and value. The results of this evaluation should serve as input for future curriculum definition and the delivery of training sessions.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Manage Service Desk and Incidents
Timely and effective response to IT user queries and problems requires a well-designed and well-executed service desk and incident management process. This process includes setting up a service desk function with registration, incident escalation, trend and root cause analysis, and resolution. The business benefits include increased productivity through quick resolution of user queries. In addition, the business can address root causes (such as poor user training) through effective reporting.
Service Desk
Establish a service desk function, which is the user interface with IT, to register, communicate, dispatch and analyze all calls, reported incidents, service requests and information demands. There should be monitoring and escalation procedures based on agreed-upon service levels relative to the appropriate SLA that allow classification and prioritization of any reported issue as an incident, service request or information request. Measure end users’ satisfaction with the quality of the service desk and IT services.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Registration of Customer Queries
Establish a function and system to allow logging and tracking of calls, incidents, service requests and information needs. It should work closely with such processes as incident management, problem management, change management, capacity management and availability management. Incidents should be classified according to a business and service priority and routed to the appropriate problem management team, where necessary. Customers should be kept informed of the status of their queries.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Incident Escalation
Establish service desk procedures, so incidents that cannot be resolved immediately are appropriately escalated according to limits defined in the SLA and, if appropriate, workarounds are provided. Ensure that incident ownership and life cycle monitoring remain with the service desk for user-based incidents, regardless of which IT group is working on resolution activities.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Incident Closure
Establish procedures for the timely monitoring of clearance of customer queries. When the incident has been resolved, ensure that the service desk records the resolution steps, and confirm that the action taken has been agreed to by the customer. Also record and report unresolved incidents (known errors and workarounds) to provide information for proper problem management.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Reporting and Trend Analysis
Produce reports of service desk activity to enable management to measure service performance and service response times and to identify trends or recurring problems, so service can be continually improved.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Manage the Configuration
Ensuring the integrity of hardware and software configurations requires the establishment and maintenance of an accurate and complete configuration repository. This process includes collecting initial configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository as needed. Effective configuration management facilitates greater system availability, minimizes production issues and resolves issues more quickly.
Configuration Repository and Baseline
Establish a supporting tool and a central repository to contain all relevant information on configuration items. Monitor and record all assets and changes to assets. Maintain a baseline of configuration items for every system and service as a checkpoint to which to return after changes.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Identification and Maintenance of Configuration Items
Establish configuration procedures to support management and logging of all changes to the configuration repository. Integrate these procedures with change management, incident management and problem management procedures.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Configuration Integrity Review
Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration. Periodically review installed software against the policy for software usage to identify personal or unlicensed software or any software instances in excess of current license agreements. Report, act on and correct errors and deviations.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Manage Problems
Effective problem management requires the identification and classification of problems, root cause analysis and resolution of problems. The problem management process also includes the formulation of recommendations for improvement, maintenance of problem records and review of the status of corrective actions. An effective problem management process maximizes system availability, improves service levels, reduces costs, and improves customer convenience and satisfaction.
Identification and Classification of Problems
Implement processes to report and classify problems that have been identified as part of incident management. The steps involved in problem classification are similar to the steps in classifying incidents; they are to determine category, impact, urgency and priority. Categorize problems as appropriate into related groups or domains (e.g., hardware, software, support software). These groups may match the organizational responsibilities of the user and customer base, and should be the basis for allocating problems to support staff.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Problem Tracking and Resolution
Ensure that the problem management system provides for adequate audit trail facilities that allow tracking, analyzing and determining the root cause of all reported problems considering:
• All associated configuration items
• Outstanding problems and incidents
• Known and suspected errors
• Tracking of problem trends
Identify and initiate sustainable solutions addressing the root cause, raising change requests via the established change management process. Throughout the resolution process, problem management should obtain regular reports from change management on progress in resolving problems and errors. Problem management should monitor the continuing impact of problems and known errors on user services. In the event that this impact becomes severe, problem management should escalate the problem, perhaps referring it to an appropriate board to increase the priority of the RFC or to implement an urgent change as appropriate. Monitor the progress of problem resolution against SLAs.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Problem Closure
Put in place a procedure to close problem records either after confirmation of successful elimination of the known error or after agreement with the business on how to alternatively handle the problem.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Integration of Configuration, Incident and Problem Management
Integrate the related processes of configuration, incident and problem management to ensure effective management of problems and enable improvements.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Manage Data
Effective data management requires identifying data requirements. The data management process also includes the establishment of effective procedures to manage the media library, backup and recovery of data, and proper disposal of media. Effective data management helps ensure the quality, timeliness and availability of business data.
Business Requirements for Data Management
Verify that all data expected for processing are received and processed completely, accurately and in a timely manner, and all output is delivered in accordance with business requirements. Support restart and reprocessing needs.
Storage and Retention Arrangements
Define and implement procedures for effective and efficient data storage, retention and archiving to meet business objectives, the organization’s security policy and regulatory requirements.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Media Library Management System
Define and implement procedures to maintain an inventory of stored and archived media to ensure their usability and integrity.
Disposal
Define and implement procedures to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed of or transferred.
Backup and Restoration
Define and implement procedures for backup and restoration of systems, applications, data and documentation in line with business requirements and the continuity plan.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Security Requirements for Data Management
Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organization’s security policy and regulatory requirements.
Manage the Physical Environment
Protection for computer equipment and personnel requires well-designed and well-managed physical facilities. The process of managing the physical environment includes defining the physical site requirements, selecting appropriate facilities, and designing effective processes for monitoring environmental factors and managing physical access. Effective management of the physical environment reduces business interruptions from damage to computer equipment and personnel.
Site Selection and Layout
Define and select the physical sites for IT equipment to support the technology strategy linked to the business strategy. The selection and design of the layout of a site should take into account the risk associated with natural and man-made disasters, while considering relevant laws and regulations, such as occupational health and safety regulations.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Physical Security Measures
Define and implement physical security measures in line with business requirements to secure the location and the physical assets. Physical security measures must be capable of effectively preventing, detecting and mitigating risks relating to theft, temperature, fire, smoke, water, vibration, terror, vandalism, power outages, chemicals or explosives.
Physical Access
Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.
Protection against Environment Factors
Design and implement measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Physical Facilities Management
Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Manage Operations
Complete and accurate processing of data requires effective management of data processing procedures and diligent maintenance of hardware. This process includes defining operating policies and procedures for effective management of scheduled processing, protecting sensitive output, monitoring infrastructure performance and ensuring preventive maintenance of hardware. Effective operations management helps maintain data integrity and reduces business delays and IT operating costs.
Operations Procedures and Instructions
Define, implement and maintain procedures for IT operations, ensuring that the operations staff members are familiar with all operations tasks relevant to them. Operational procedures should cover shift handover (formal handover of activity, status updates, operational problems, escalation procedures and reports on current responsibilities) to support agreed-upon service levels and ensure continuous operations.
Job Scheduling
Organize the scheduling of jobs, processes and tasks into the most efficient sequence, maximizing throughput and utilization to meet business requirements.
IT Infrastructure Monitoring
Define and implement procedures to monitor the IT infrastructure and related events. Ensure that sufficient chronological information is being stored in operations logs to enable the reconstruction, review and examination of the time sequences of operations and the other activities surrounding or supporting operations.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Sensitive Documents and Output Devices
Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special purpose printers or security tokens.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Preventive Maintenance for Hardware
Define and implement procedures to ensure timely maintenance of infrastructure to reduce the frequency and impact of failures or performance degradation.