THE FOLLOWING ITIL OPERATIONAL SUPPORT AND ANALYSIS CAPABILITY INTERMEDIATE EXAM OBJECTIVES ARE DISCUSSED IN THIS CHAPTER:
Event management is the process that deals with modern infrastructure management’s requirement for the use of event monitoring tools. These tools are able to monitor large numbers of configuration items simultaneously, identifying any issues as soon as they arise and notifying the appropriate tool or team. The process of event management is responsible for managing events throughout their lifecycle. Event management is one of the main activities of IT operations.
Request fulfillment is the process for handling requests for standard services, equipment, or information. ITIL uses the expression service request to describe all those repeat, low-risk change/information requests that occur in any environment.
Access management is the process of granting authorized users the right to use a service while preventing nonauthorized users from gaining access. It is also sometimes referred to as rights management or identity management. Access requirements can change frequently, and service operation is responsible for granting access quickly, in line with the needs of the business, while ensuring that all requests are properly authorized.
To begin, let’s consider some definitions from the ITIL Service Operation publication. These should be familiar from ITIL Foundation Exam Study Guide (Sybex, 2012).
An event can be defined as any change of state that has significance for the management of a configuration item (CI) or IT service. Remember, an event is not necessarily an indication that something is wrong; it can merely be a confirmation that the system is working correctly. Many events are purely informational. Informational events could include notification of a user logging onto an application (significant because the use of the application may be metered) or a transaction completing successfully (significant because the notification of the successful completion may trigger the start of the next transaction).
An event that notifies staff of a failure or that a threshold has been breached is called an alert. An alert could be, for example, notification that a server has failed or a warning that the memory or disk usage on a device has exceeded 75 percent. If you consider these concepts in a non-IT environment, a car console may issue an event to say that the system has successfully connected to a Bluetooth device, or it might raise an alert (together with a beep or flashing light) to warn that a threshold has been breached and the car is now low on gas.
Effective service operation is dependent on knowing the status of the infrastructure and detecting any deviation from normal or expected operation. Event management monitors services for any occurrences that could affect their performance. It also provides information to other processes, including incident, problem, and change management.
There are two types of event monitoring tools:
The purpose of event management is to detect events, understand what they mean, and take action if necessary.
Many devices are designed to communicate their status, and event monitoring will gather these communications and act on any that need action. Some communications report operational information, such as “backup of file complete,” “print complete,” and so on. These events show that the service is operating correctly. They can be used to automate routine activities such as submitting the next file to be backed up or the next document to be printed. They may also be used to monitor the load across several devices, issuing automated instructions to balance the load depending on the events received. If the event is an alert, such as “backup failed,” “printer jam,” or “disk full,” the necessary corrective steps will be taken. An incident should be logged in the case of a failure.
Event management has the following objectives:
Event management can be applied to any aspects of service management that need to be controlled and that could benefit from being automated. For example, the service management toolset automatically logs incidents in response to emails or events being received, escalates incidents when thresholds have been reached, and notifies staff of certain conditions (for example, a priority one incident being logged).
Configuration items can be monitored by event management tools. This monitoring can be for two different reasons:
Tracking licenses is another possible use for event management tools; licenses can be tracked to make sure there is no illegal use of an application by checking to see that the number of people using the software does not exceed the licenses held. This may also save money; if IT can show that there is less demand for concurrent use than was thought, the number of licenses can be reduced.
Monitoring for and responding to security events, such as detecting intruders, is another use; the tools can also be used to detect a denial-of-service attack or similar event.
Another use is the monitoring of environmental conditions. This might be for detecting a sudden increase in temperature in the server room or for other environmental changes.
Event management offers many benefits to a business:
Next, let’s consider suggested policies for event management.
The first policy states that event notifications should go to only those who have responsibility for acting on them. This means that a target audience must be identified for every event that we have chosen to handle—it is not acceptable to send a notification to everyone and hope that someone will do something.
The second policy relates to the centralization of event management. This ensures that notifications are handled consistently, that none are missed, and that none are handled by more than one person or team. It implies that a single rules engine will be used to process notifications, and of course that set of rules should be subject to change management.
The third policy provides guidance and constraints for the designers of new applications. There should be a common set of standards for events generated by applications. This will ensure consistency across applications and, of course, reduce the time to engineer event handling in new applications.
The fourth policy is that the handling of events should be automated as much as possible. The advantages of automation in general are well known: reduced costs and fewer errors, among others.
The fifth policy mandates the use of a standard classification scheme for events to ensure that similar types of events are handled in a consistent way.
The last policy states that all recognized events should, at the very least, be logged. This will provide a source of valuable information that might have a number of uses, for example, in problem investigation. A more sophisticated analysis of logged events might identify patterns of events that can be used to predict failures before they actually occur.
It is important to understand the difference between the two similar activities of monitoring and managing events. These are similar processes, but with specifically different emphasis.
We need to monitor events, but monitoring covers more than events. Monitoring can be used, for example, to make sure devices are operating correctly, even without any events being generated. Monitoring actually looks for conditions that do not generate events.
Event management is about having useful notifications about the status of the IT infrastructure and services. Event management sets up rules to ensure that events are generated so they can be monitored, captured, and acted on if necessary. Action is the key to event management.
The particular notifications themselves may be vendor specific. However, they are likely to use Simple Network Management Protocol (SNMP), an Internet standard protocol for managing devices on IP networks. Devices that typically support SNMP include routers, switches, servers, workstations, printers, modem racks, and more. Because SNMP is an open standard, it makes interaction between different products simpler. Events must generate useful notifications. The time taken to create meaningful descriptions, with suggested actions, will save effort later.
Event management can be enormously useful in managing large and complex infrastructures. It is often the case, however, that the full value of these tools is not realized. This is usually because there has been insufficient time spent making sure they are configured correctly to only notify staff of events for which they actually need notification. Failing to specify the correct thresholds, for example, will mean that far too many breaches are reported, causing staff to ignore them because they are seldom significant. Of course, this means that significant events may be missed. If events are not filtered properly, the service management tool would be flooded with multiple spurious events, which would make it difficult to use its ability to automatically raise incidents.
Another important definition is that of an alert: An alert is a warning that a threshold has been reached, something has changed, or a failure has occurred. Alerts are often created and managed by system management tools and the event management process. Creating an alert when a disk or mailbox is nearly full is one such example.
Some events indicate a failure that must be fixed, whereas others simply flag that something has happened and should be recorded. These are two types of event: the first is an exception and the second informational. There is a third type—a warning event. A warning event signifies unusual but not necessarily exceptional behavior. Warning events require further analysis to determine whether any action is required. Events will be handled according to their type.
Here are some examples of each type of event:
Notice that not all of these examples relate to a failure. (Failures would be alerts.) Some simply contain information, but information that for some reason it is important to record. For example, the business might want to maintain a record of who is using an application for audit purposes.
There are no definitive criteria for determining the type of an event; it depends very much on the specific situation of the organization. For example, an event might be that a previously unknown device has been detected on the network. Some organizations allow their staff to attach their own laptops to the corporate network, in which case the event would be informational. In a highly secure organization, it would almost certainly be treated as an exception.
The next topic we’ll examine is event filtering. We don’t have complete control over the notifications that are generated by the configuration items. Hardware manufacturers determine which notifications will be generated, and they may not have provided their customers with the ability to switch them off. A common experience when first beginning to monitor networks is that the monitoring tool is swamped by unrecognized and therefore unneeded notifications.
Filtering prevents the event management system from being overwhelmed by discarding notifications of events that have no significance to the organization.
There are four possible approaches to the problem:
These approaches are not mutually exclusive; many organizations will adopt some hybrid of them.
Successful event management in service operation requires analyzing and planning for what will be required. This should happen in the service design phase, although it will continue to be adjusted in service operation. Many organizations attempt and abandon event management, or they fail to achieve real value from it because this crucial design phase has been neglected.
The following questions should be asked when designing a service or planning the introduction of new technology:
Why are we monitoring?
When event management is first established, these questions should be asked about the existing services and infrastructure. Stakeholders who must be consulted include the business, process owners, and operations management staff. Each of these groups will have monitoring requirements, and each could be involved in handling events when they occur.
Instrumentation refers to specific ways to monitor and control the infrastructure and services. A number of practical issues need to be addressed when designing an event management system:
As events are detected, the event management system must interpret and make decisions about how to handle them. This is done by software known as a correlation engine. The correlation engine allows the creation of rule sets that it will use to process events.
Using a correlation engine will enable the system to determine the significance of each event and whether there is any predefined response to an event. Patterns of events are defined and programmed into correlation tools for future recognition. The correlation engine can translate component-level events into service impacts and business impacts, as shown in Figure 3.1.
Next, we’ll take a look at the event management process. The process steps are shown in Figure 3.2.
The initial sequence of activities in the event management process is as follows:
At this point, the event type (exception, warning, or informational) has been identified. No further processing is required for informational events. For exception events, one or more of the service management processes will be triggered. If the event concerns something that has broken and requires restoring to normal service levels, an incident should be raised. A problem record may be updated if another example of a fault under investigation occurs. The automated response to an event may include raising a change. Some events, such as a “toner low” message, may require a service request to be handled by the request fulfillment process.
Warning events will then enter second-level correlation, which identifies how to proceed. In some cases, the event will be treated as informational or as an exception. Other cases will trigger either an automated response or an alert for human intervention, as detailed in the following section.
Let’s look at the initial process activities in a little more detail. Event notification refers to the communication of information about an event. You’ve already seen that some components will generate notifications independently, whereas others have to be prompted by polling.
Some events will be detected directly by the event management tool. Other events will be detected by a software agent running on the device being monitored. This agent then generates a notification that can be detected by the event management tool. All events are logged.
In first-level correlation, a decision about whether any further action is required is made, including whether the event has any significance to the organization. Correlation will determine whether an event is informational, a warning, or an exception. We discussed filtering earlier; this is necessary to stop staff from being overwhelmed with events that do not require any action, or multiple reports of the same fault.
Informational events are closed at this point. Exception events will trigger one of the other service management processes. Warning events will go forward to second-level correlation.
Next, we consider the criteria that might be used by the second-level correlation engine to interpret an event:
The correlation engine determines whether the event requires some action or whether it can be treated as informational and closed.
Response selection covers a number of possible options. These include the following:
Automation Some events indicate conditions that can be resolved automatically without human intervention. For example, if a file server is detected to be nearly full, then a script could be run that would free up space by archiving old data.
Human Intervention Some events will require human intervention—an alert from a smoke detector, for example. It’s important that the alert be directed to the right person and that the individual knows what to do.
Incident Exception events will normally trigger the incident management process. Ideally, the event and incident management systems will be integrated so that an incident record can be raised automatically. A word of warning, however: this should be implemented only when you are happy that the filtering of events is working correctly. If this is not the case, your incident management system will be flooded with thousands of spurious incidents!
Problem The problem management process might be triggered if the organization has a policy of always investigating the root causes of incidents that impact key services. Event management can support such a policy by automatically raising a problem record when it detects such an incident.
Change Change management can be triggered in two circumstances:
Remember, sometimes it will be necessary to trigger a combination of these responses.
There could be thousands of events each day, so it’s unlikely that every one of them could be reviewed. It’s sensible to review only what the service provider considers to be significant events. It is probably unnecessary to review events that have triggered other service management processes except to ensure that the triggers were effective.
Most events are neither opened nor closed but just logged in management systems or system logs. Many others can be closed automatically. For example, when a script is triggered to respond to an issue, the script itself could check that the corrective action has worked and generate an event to that effect.
We’ll now consider the event management process triggers, inputs, outputs, and interfaces.
Any type of change in state can trigger event management, and an organization should define which of these state changes need to be acted on. Some examples are shown here:
Inputs to event management usually come from service design and service transition. They include the examples listed here:
Outputs from event management are usually passed to other service management processes, such as incident management, change management, and request fulfillment. They include the examples listed here:
The most obvious output of the process is the events themselves. These should have been communicated and escalated to the appropriate people. Another output is a chronological event log describing what events took place and any escalation and communication activities taken. This may be useful information if further investigation is required or to spot possible improvement opportunities.
Some events output by event management will indicate that an incident has occurred, and others will warn of the potential breach of an SLA or OLA objective. Of course, as we have said, not all events show that something is wrong, and many events will just indicate successful completion of deployment or operational activities. The data output from event management can be used to populate the SKMS with the event information and history.
Finally, let’s consider the interfaces event management has with the other lifecycle stages and their associated processes. Event management can interface with any process that requires monitoring and control, especially those that don’t require real-time monitoring but do require some form of intervention following an event or group of events. First we’ll consider how the process can even help the business directly.
The information provided by event monitoring may be used to help manage unusual occurrences with business processes.
Event management interfaces with a number of service design processes. Examples include the following:
Event management tools may also be used to support service transition processes:
Event management is a service operation process, and it interfaces with the other processes in that lifecycle stage:
There are several elements that should be considered as key in the management of information for event management:
Messages (Simple Network Management Protocol [SNMP] messages) are a standard way of communicating technical information on the status of an individual component or set of components of IT infrastructure.
Databases that form the basis of information about an IT device (for example, information about the operating system; the basic input/output [BIOS] version; configuration parameters) are useful sources of information for event management. But the systems in place must be able to interrogate these databases and then compare them to a norm, which is crucial to the success of the process in generating events.
Vendors’ own monitoring systems are often key sources for information.
Correlation engines provide considerable information, as described earlier in this chapter.
There is no standard event record for all types of event. It can cover many areas, but there is normally a requirement for the following data sets:
In Chapter 1, “Introduction to Operational Support and Analysis,” we explored the generic roles applicable to all processes throughout the service lifecycle. These are relevant to the event management process, but specific additional requirements also apply. Remember that these are not “job titles”; they are guidance on the roles that may be needed to successfully run the process.
It is unusual to find a specific “event manager” role in an organization, as events are often managed in a number of different areas in the IT environment. But it is important to ensure that there is a consistent approach to the management of events across the organization, as well as coordination of the tools and effort, to avoid duplication.
The event management process owner’s responsibilities may include
The event management process manager’s responsibilities may include
There may not be a specific identification of a “practitioner” role in the event management process, but the activities are carried out by a number of other roles.
The service desk may not be involved unless the event requires action that falls within the scope of service desk duties—for example, notifying the user of a completed action. Event management is normally carried out by the operations bridge, if this exists, but in some organizations the service desk and the operations bridge may have been combined.
If an event has been identified as an incident, then this may be handled through the service desk in the normal course of the process. This will include communication to the user, and support teams, of progress.
Technical and application management may play several important roles, as follows:
If IT operations management is separate from the service desk and technical or application management functions, it is common for event management to be carried out by this group. They will carry out monitoring and first-line support activity for events.
If there is an operations bridge, then this is the area that will carry out the monitoring of the alerts set up by the event management process. The operations bridge can initiate and coordinate, or even perform, the responses required.
The next topics for discussion are critical success factors (CSFs) and key performance indicators (KPIs). Before we look at the CSFs and KPIs relevant to event management, let’s take a minute to understand what these terms mean.
Here are some examples of CSFs and KPIs for event management:
The following KPIs would enable the CSF to be assessed:
The following challenges could be encountered in event management:
The following risks are associated with event management; in many cases the risks are the result of failing to meet the challenges listed earlier.
If any of these risks are not addressed, they could adversely impact the success of event management.
There is no absolute definition as to what will be classed as a request because this may vary from organization to organization. Many may, in fact, be small changes, falling under the definition of standard changes because they require a change to the configuration management system, such as equipment relocation or the installation of additional software. Service requests occur frequently, at a low cost, with an understood and acceptable low risk. Examples of service requests that are not standard changes could include a password reset or information requests. Service requests are usually handled by a service desk, without a requirement for an RFC to be submitted.
The definition used by ITIL is “a formal request from a user for something to be provided—for example, a request for information or advice, to reset a password or to install a workstation for a new user.”
Service requests relate to small-scale, clearly defined, and acceptable low-risk activities, such as the provision of a single workstation or supply of a toner cartridge. An important feature of what ITIL calls service requests is that they represent things that the service provider will be asked for repeatedly. They are all opportunities to provide the user with something they have asked for, and the request fulfillment process is used to handle them.
Many service requests require a change—the installation of a workstation, for example. If you think back to your Foundation studies, you may remember standard changes, which are low-risk, simple, preauthorized changes. The only changes that can be handled by the request fulfillment process are those for which a standard change exists. Be careful here, though—not all standard changes are implemented through request fulfillment, and not all service requests involve standard changes. Requests for information or advice also fall within the scope of request fulfillment.
Request fulfillment is the process responsible for managing the lifecycle of all service requests from the users. The process has five objectives:
Request fulfillment provides an efficient way to supply standard equipment to users once an item has been assessed and accepted as compatible with the infrastructure. The provision of such equipment can be preapproved and handled as a standard change. It can be added as a service within the service catalog, and all future requests of this type can be handled through this process. This encourages users to request the standard equipment and software because it is the easiest and fastest to obtain. This is beneficial to IT because the equipment has been assessed as supportable and compatible with the infrastructure.
The scope of request fulfillment will vary from one organization to another; it can include any requests that can be standardized and used where the organization has agreed to use it. Each request should be broken into agreed activities, each with a documented procedure. The procedures are then used to build the request models.
ITIL calls all these service requests; they are all opportunities to provide the user with something they have asked for, such as information, advice, a standard change, or access to an IT service (such as resetting a password or providing standard IT services for a new user), and as mentioned in the introduction, the request fulfillment process is used to handle them.
The ITIL Service Operation publication suggests that other sorts of requests, such as requests for building maintenance, may be handled together with IT requests. Take a moment to consider the advantages of this approach:
It will be up to each organization to decide and document which service requests it will handle through the request fulfillment process and which will have to go through other processes, such as business relationship management (BRM) processes for dealing with requests for new or changed services.
The request fulfillment process benefits the business in a number of ways.
First, it improves the productivity of the business by giving its staff quick and effective access to the services they need to do their jobs. By providing a straightforward means of having its requests fulfilled, business staff can remain productive. Centralization encourages consistency and efficiency. Bureaucracy and delay is reduced, thus reducing the cost of fulfillment. Second, the process provides an efficient way to handle requests, again reducing bureaucracy. A formal process implies the centralization of sourcing and purchasing, enabling the service provider to standardize the hardware and software used and reducing support costs. Central purchasing through approved suppliers can also reduce costs through economies of scale.
The standardized nature of request fulfillment means that it is an obvious candidate for self-help. Although not essential, automating the process with a self-help front end enables the requester to interface directly with the process and thus speeds up the fulfillment process. Typically, users can access a list of possible requests on a company external website or intranet. This ensures that the user provides all the necessary information and can be informed as to expected lead times (defined in the SLA).
Automation can simplify the logging of requests. It can also automate the fulfillment process, without the intervention of the service desk if there is a direct interface into the necessary systems. An example of such automated fulfillment is when you request and receive a password reset from an Internet shopping site such as Amazon without any human intervention. Financial approval of requests can also be automated, with the request being sent to the appropriate budget holder for approval or rejection before fulfillment.
Next, we consider the policies, principles, and basic concepts of the request fulfillment process. Let’s start with policies.
In this section, we’ll consider some of the policies that support effective request fulfillment.
Policy: Process flows should be defined for each service request. A process flow should be defined for the entire lifecycle of each service request. This will ensure that requests are satisfied effectively, efficiently, and consistently. Service designers should include new requirements for standard services in their design efforts.
Policy: Process should be owned by a centralized function. A centralized function should own all service requests. This does not mean that there should be a single function for fulfilling the requests. Rather, the central function will be a single point of contact to monitor progress of requests and take action should progress be slow. This central function will also provide requesters with updates on progress where appropriate. Often the service desk takes this role.
Policy: A standard change process should be used when a change to a configuration item is involved. If a request involves a change to a configuration item, then it must be implemented by a standard change. In other words, request fulfillment must follow normal change management procedures.
Policy: All service requests should be handled by a single system. Service requests should be handled by a single system. The parallel here is with incident management and the service desk.
Policy: All service requests must be authorized. All requests must be authorized before they are fulfilled. Many requests incur costs, such as the purchase of hardware or a software license, and those costs must be authorized.
Policy: All service requests should be prioritized according to business criteria. The activity needed to fulfill a request must align with the needs and objectives of the business. In other words, each request must be prioritized using business criteria. Here is another parallel with incident management.
Policy: Users must be able to submit requests and obtain updates easily. Users must have a clear means of submitting a request and of getting an update on progress. This could be the single point of contact that is provided by the service desk for incidents. For request fulfillment, the point of contact could be the service desk or the web portal.
Many organizations use their existing incident management process (and tools) to handle service requests because key steps are often the same. In each case, the following questions need to be answered:
Some organizations separate requests from incidents because incidents are unplanned and unwanted; a major aim of service management is to reduce the number of incidents through improved design, problem management, and continual service improvement. In contrast, there may be a policy of increasing the number of items that can be dealt with through the request fulfillment process. The targets for incidents and requests may be very different: requests often have specified lead times, which are dependent on other factors (such as the user not being given access until they have attended a training course), whereas with incidents, the aim is to resolve each one as quickly as possible. Where there are a significant number of requests to be fulfilled, a separate process with a different record type should be used. This allows the service provided to be monitored and reported on in a more appropriate way than using incident reporting. Also, it is likely incidents will be given priority over requests, resulting in requests not meeting SLA targets because fixes take precedence. Similarly, if dealing with requests has an impact on incident resolution, the customer will be dissatisfied.
The process needed to fulfill a request will vary depending on exactly what is being requested, but it can usually be broken down into a set of activities that have to be performed. For each request, these activities should be documented into a request model. In this case, a request model defines how to handle a particular, frequently occurring request.
The model should define the sequence of actions that must be performed, who will perform them, and the required timescales for each of the steps as well as for the fulfillment of the complete request. Any escalation paths that may be required should also be included.
The effectiveness of request fulfillment is hugely enhanced if it is supported by a software tool, and probably a tool that is web based. Such a tool should feature a menu of available services from which the user is able to select. The provision of all the required information can be enforced by using mandatory fields and providing drop-down lists of possible options. In addition, the tool should set the user expectations by showing lead times, costs, and so on.
Where organizations are already offering a self-help IT support capability to the users, it makes sense to combine this with a request fulfillment system as described.
Specialist web tools that offer this type of “shopping basket” experience can be used together with interfaces directly to the back-end integrated ITSM tools used to manage the request fulfillment activities.
The request owner must be able to track requests through their lifecycle and report progress to the requester where appropriate. Each organization will choose the appropriate statuses for its needs, but let’s consider the most common statuses that are used:
The other common statuses—Waiting Authorization, Rejected, Canceled, In Progress, Completed, and Closed—are self-explanatory.
All service requests should be prioritized based on a standard set of criteria. This can be done by considering the impact and urgency of a request, as with incident management. Alternatively, an organization might have set lead times for different request types.
A variety of reasons exist for escalating a request. Perhaps the obvious one is that a request might not be fulfilled within agreed timescales. Escalation might also be required if the process is being misused by the business. For example, the relocation of up to five workstations might be a service request but more than five would require the submission of a change request. Some managers in the business might try to get around this limitation by submitting several requests, each for five workstations but amounting to a large number in total. The request owner should be on the alert for this and escalate in the agreed manner.
As you’ve seen, many requests will incur a cost that must be approved. Some requests will have a standard charge—a software license or a standard workstation, for example. In other cases, the fulfillment group must establish the cost in the context of what exactly has to be done, as with an equipment move, for example. The role within the business responsible for approving the spend should be identified within the request model. Financial approval can be automated, and it may take place before the request is seen by the service desk. Requests for standard cost items may be routed to the approver before arriving at the desk.
Sometimes other types of approval are needed. These may include compliance with the organization’s policies, especially in regard to information security, or technical approval to confirm that the request will work with the infrastructure. Request fulfillment must have the ability to define and check such approvals where needed. Procedures for obtaining required approvals should be included as part of the request fulfillment models to save time in processing the service request.
A request, including fulfillment, can be handled in many ways. Some requests can be automated—password resets, for example. When human intervention is needed, the request can be fulfilled by a dedicated fulfillment group, the technical support teams, suppliers, or a combination of these. Remember, though, that ownership of requests should remain with one team—usually the service desk, unless a dedicated request team exists.
The service desk should monitor and chase progress and keep users informed throughout, regardless of the actual fulfillment source.
When the service request has been fulfilled, it must be referred back to the service desk for closure. The service desk should go through a closure process that checks to see whether the user is satisfied with the outcome.
We are now going to review the process flow shown in Figure 3.3. Although you do not need to know the process flow in detail for the exam, an understanding of what is involved in fulfilling service requests will help you grasp its objectives.
First we will look at the process flow and then discuss the high-level activities.
Figure 3.3 shows the complete request fulfillment process flow. You can see that it includes logging, categorizing, and prioritizing a request as you would an incident. It also includes some activities that are specific to this process. The request is logged and validated, categorized, and prioritized. Any necessary authorizations are then obtained, and the request is reviewed to ascertain who will fulfill it. The appropriate request model is then executed, and finally, the request is closed, with the requester’s agreement. We’ll look at each of these steps in turn.
The first activity is receiving the request. Most service requests are received either from the web portal or at the service desk, but they could come in by other routes, such as email or even as requests for change (RFCs). From the point of view of the service provider, the preferred route is through the web portal because this will reduce the calls to the service desk. Not all incoming requests will be service requests; they could be incidents or change requests, in which case they must be routed to the appropriate process.
When a request is received, it should be logged and allocated a unique reference number, and all necessary information should be recorded. The web portal should be designed to help the requester provide the necessary information. The request record should be updated as necessary as the request proceeds through its lifecycle with date- and time-stamping to maintain a track of what happened and when.
The request is examined to confirm that it is valid; this includes making sure the request is within the scope of the IT services being offered. The web portal may help by restricting what can be logged to the available types of service requests. These tools ensure that the source of the request is valid and that only valid types of request are issued. Any requests that are invalid should be returned to the requester with an explanation; for example, the requested service might not be provided by the service provider.
Categorizing the request will enable future analysis and reporting. As with the categorization of incidents, some thought should be given to the system employed. Requests can be categorized in a number of ways. For example, they can be categorized by activity, such as password reset or software installation. Another example is categorizing by the function that will fulfill the request.
Prioritization will be in line with business need, taking into account the impact and urgency of the request. A model like the one described in Chapter 2, “Incident and Problem Management,” for the prioritization of incidents could also be used here.
We discussed the need for all requests to be authorized as one of the request policies. The degree of rigor needed here depends very much on the type of request. Requests that cannot be authorized should be returned to the requester with an explanation of rejection.
After a request has been authorized, it is reviewed by the service desk and the appropriate fulfillment function is determined. In some cases, this will be the service desk itself; in others it might be a dedicated fulfillment team or even a supplier.
The request is then fulfilled by performing the actions specified in the appropriate request model. The request model can take a number of forms. In many organizations, it will simply be described in a written document; in others, a workflow tool will be used.
When the request has been fulfilled, it can be closed. Usually there will be a two-stage closure. The first stage simply records that, so far as the service provider is concerned, the fulfillment actions are complete. The second stage is the final closure, which should be performed only after consulting the requester.
If the service performed is chargeable, then at this point the appropriate charging mechanism is triggered. This might be sending a bill or registering a recharge. The service desk should check that the request documentation is up-to-date and that it is correctly categorized before final closure. Any updates to the CMS need to have been completed. This is also the time to conduct a satisfaction survey.
ITIL requires that every process should have a trigger and inputs to and outputs from the process activities. Each process will also have interfaces with a number of other processes.
As previously explained, the request fulfillment process is triggered when a user submits a request. As you have seen, this may be delivered directly to the service desk or via the web portal where users can choose from a list of possible requests.
The main input to the process is a request from the user. As you’ve seen, this can come by a variety of routes, each with its own format of information. Another significant input is the authorization form that may be required for some requests. Some requests may be logged as RFCs. Some requests will be for information, whereas others are for standard goods or services to be supplied.
The following list includes examples of outputs from the process:
Examples of primary interfaces with request fulfillment are as follows:
Financial Management for IT Services Some requests may be chargeable, and financial approval may be required.
Service Catalog Management The services that can be requested should be listed in the service catalog.
Release and Deployment Management This will interface with request fulfillment when the request concerns the automatic deployment of new or upgraded components. In such cases, the release is predefined, built, and tested and then deployed on request.
Service Asset and Configuration Management The CMS will need to be updated following any changes that may have been made as part of fulfillment activities. Where appropriate, software license checks and updates will also be necessary.
Change Management When a change is required to fulfill a request, it will need to be logged as an RFC and progressed through change management.
Incident and Problem Management As discussed, requests may be handled using the incident management process. Where appropriate, it will be necessary to relate service requests issued by IT to any incidents or problems that created the need for the requests.
Access Management This process may be involved with request fulfillment activities to ensure that those making requests are authorized to do so in accordance with the information security policy. Request fulfillment can act as the input to the access management process in relation to the creation and deletion of accounts.
The process of request fulfillment is heavily dependent on information from formal service requests, and these can include the following:
Each organization will have to define their own requirements, as the process of request fulfillment will vary from organization to organization.
There are a number of roles that need to be performed in support of the request fulfillment process, which are not job titles, but each organization needs to understand their requirements and allocate roles appropriately.
The request fulfillment process owner’s responsibilities may include
The request fulfillment process manager’s responsibilities may include
This role is responsible for the day-to-day activities and ensures that service requests are completed to a high level of customer satisfaction. The role includes the following:
The initial handling of service requests is commonly carried out at the service desk, but the eventual fulfillment will be undertaken by the appropriate service operational staff, or suppliers, as required. Often there is no need for additional or specific roles to be identified. In certain circumstances, where the workload justifies it, a dedicated team may be created to carry out the process.
There are several possible CSFs for request fulfillment, each of which will have KPIs to show whether the CSF is being achieved. Before we look at the CSFs and KPIs, let’s take a minute to understand what these terms mean:
Here are some examples of CSFs and KPIs for request fulfillment:
Possible associated KPIs for this CSF are as follows:
The number and percentage of service requests completed within agreed target times
The first KPI relates to the requirement to fulfill requests in a timely manner and the second to meeting agreed targets. You may be able to think of other KPIs.
This could be measured by the following KPIs:
The following examples would be relevant KPIs for this CSF:
There are some common challenges encountered when implementing and running a request fulfillment process:
Five common risks are faced by the request fulfillment process:
Access management is the process of granting authorized users the right to use a service while preventing nonauthorized users from gaining access. It is also sometimes referred to as rights management or identity management.
As part of your Foundation training, you will have covered the process of information security management and its role in defining security policies. The process for implementing many of these policies is access management. This process provides users who have the required authorization with the ability to use the services they require. Ensuring that only authorized individuals are given access to data is a concern of every IT service provider; failure to carry this out correctly can be damaging and possibly breach legal or regulatory requirements. Consider the damage that could be done to an organization discovered to have allowed unauthorized access to medical or banking records because of poor access management processes.
Organizations need to ensure that access is managed not only when a new member of staff is appointed and set up with access to the systems and services, but also when the staff member leaves. A challenge many organizations face is keeping up-to-date with changing access requirements as a staff member moves between departments. Often new access rights are requested, but it’s never determined whether the existing access rights are still required in the new position; therefore, the individual may amass significant rights over a period of years if this step is not carried out. It is dependent, in part, on the business informing the IT service provider of staff moving between departments; the IT provider should routinely query whether existing access is still required when additional access is requested.
There may also be occasions when access is restricted—for example, during an investigation into suspected wrongdoing to prevent any evidence from being destroyed. Such requests would normally be made by senior management or human resources department.
The objectives of the access management process are to do the following:
The scope of access management, as we have said, is the efficient execution of information security management policies. Carrying these out ensures that the confidentiality, integrity, and availability (CIA) of the organization’s data and intellectual property are protected. Confidentiality here means that only authorized users are able to see the data. Integrity means that the data is kept safe from corruption or unauthorized change. Access management ensures that users are given the right to use a service. This does not guarantee that it will always be available during service hours, which is the responsibility of availability management.
A request for access will often be made through the request management process. Some organizations will maintain a specialized team to carry out requests, but more commonly they are carried out by other functions. Technical and application management functions are involved, and a significant part of the process may be handled within the service desk. There should be a single coordination point to ensure consistency.
The access management process provides a number of benefits to the business:
The ITIL Service Operation publication describes five useful policies for access management.
We’re now going to examine a number of basic access management concepts.
Access Refers to the level and extent of a service’s functionality or data that a user is entitled to use.
Identity Refers to the information about a user that distinguishes them as an individual, makes them uniquely identifiable, and verifies their status within the organization.
Rights or Privileges Refer to the settings whereby a user is provided access—for example, read, write, execute, change, and delete.
Service Groups Provide a means of simplifying the task of allocating rights. The idea behind service groups is that there are groups of users who will require exactly the same rights to the same set of services. Instead of rights being granted individually, a service group is created that has the required set of rights. Users are linked to the service group and will inherit the rights of the group.
Directory Services Refer to specific types of tools that are used to manage access and rights.
It is important to understand the steps and activities in the process, as shown in Figure 3.4, the access management process flow. We are going to look at each step of the process.
A request for access can be made in a number of ways:
All requests, whether or not they are valid, are logged.
The access request must then be verified. The identity of the requester must be confirmed, and the access requirement must be judged as legitimate.
Usually, an existing user’s username and password are accepted as proof of identity. In more secure environments, biometric data or physical identification devices can be used.
For new users, some physical evidence of identity will be required, such as official proof of identity (such as a passport or driver’s license).
New users include not only new permanent staff members but also temporary and third-party users such as visitors, contract staff, and vendors. The organization will define how a request will be verified.
The second aspect of verification is checking that the request is legitimate—that is, the user is authorized to have the rights requested. This verification must be independent of the requester. A user cannot verify the legitimacy of their own request. Often a request will be verified by a line manager or HR. Requests that come by way of a RFC will have been authorized through the change management process.
Some services will be available for use by anyone who requests them; there should be a policy that defines this. If the request is not valid, then it will be logged and returned to the requester. An incident may be raised to investigate why an invalid request was created, if thought necessary. A valid request will be actioned appropriately.
The task of providing rights is often delegated to a specialist technical or application team that has the necessary knowledge and skills. This task can be automated by using access management tools that interface with multiple applications. This is only possible, of course, if the design of the applications included this as a requirement.
Access rights are associated with a role: a payroll clerk has the right to use the payroll system. Users can occupy multiple roles, each of which brings a set of rights, and sometimes these conflict with some enterprise policy such as the separation of duties. For example, it is usual practice to ensure that a person who places an order with a supplier is not able to authorize payment. Where a role conflict occurs, access management should escalate the issue to the appropriate stakeholder, who will be someone in the business area concerned. (For example, if the roles are within the finance department, the issue would be referred to the appropriate stakeholder in that department; if the roles are within the IT department, the appropriate IT manager would be consulted.)
Once the access has been granted, the status of the user should be monitored to ensure that they still have a valid requirement for the access. In practice, this can be difficult to achieve. Access management should be notified of staff who leave so that their access can be revoked, and many organizations have robust procedures to ensure that this is done. Many organizations encounter difficulty in tracking the changing roles and accompanying access requirements of users, especially those who have been in the organization for many years. In this situation, new access requirements are added to existing rights, with no verification that the existing rights are still required. Consideration should be given to adding questions about existing access requirements to the access request form. The HR department needs to be made aware of the importance of supplying information regarding changing job roles to access management in order to protect the organization’s data. Access management should understand these different types of staff changes and determine how it will become aware of them. Ideally, this will be automated by an interface with the HR system. The failure to respond to changes in status is a common security issue. It leads, for example, to computer accounts remaining available for use even though the users have left the organization.
The tracking access activity might trigger a security incident if, for example, an unsuccessful attempt to access a service is made by a valid user.
The last activity that we’ll look at is removing or restricting a user’s rights. There are a number of circumstances when this might be necessary. Although in many cases the modification is permanent, such as in the case of dismissal or promotion, there may be situations where this is only temporary. For example, in some organizations, a user’s computer account is suspended when they go on leave.
Access should be permanently revoked when a user leaves an organization; again, the HR department needs to understand the importance of informing access management quickly in this situation.
Access management has to ensure that rights are not improperly used, which will require that access is logged and tracked. The degree of oversight required is determined when the service is designed and the appropriate logging mechanisms are provided. Should possible misuse be detected, the process must respond appropriately. This will usually entail raising a security incident and alerting stakeholders. In this situation, access may be temporarily revoked during the investigation, with access being restored if the misuse is deemed to have been an innocent mistake or permanently revoked if it is found to be deliberate. The access management process may be required to provide a record of access, perhaps in the context of the investigation of criminal behavior.
Next let’s consider the triggers for the process, its inputs and outputs, and the interfaces it shares with other processes.
Access management is triggered by a request for a user or users to access a service or group of services. This could originate from a number of circumstances.
The first possible trigger is an RFC, especially where a large number of access changes are required, perhaps as part of a rollout or project.
Another possible trigger is a service request. This is usually initiated through the service desk, or input directly into the request fulfillment system, and executed by the relevant technical or application management teams.
A request from human resources is another possible trigger. In this situation, HR management personnel make the request through the service desk. These requests are usually as a result of hiring, promoting, relocating, termination, or retirement.
The final trigger may be a request from the manager of a department, who could be performing a human resources role or who could have made a decision to start using a service for the first time.
The inputs to the process are those that relate to the triggers, such as these:
Other inputs are the operational and service level requirements for granting access to services, performing access management administrative activities, and responding to events related to access management.
The access management process has the following outputs:
The access management process interfaces with a number of other service management processes.
A key interface is the one with information security management. As already stated, access management acts under the guidance and instruction of information security management and plays an essential part in ensuring that the requirements of the information security policies are met.
Many requests for access will come from the change management process in the form of authorized requests for change or even standard changes.
It is through the service level management process that access requirements and criteria are agreed on with the business on a service-by-service basis.
The relationship of the process with IT service continuity management is interesting. Access requirements may need to be varied should the continuity plan be invoked. Also, there may be a need to grant temporary access when the plan is being tested.
Request fulfillment provides a route for users to submit access requests.
Information is critical to the success of access management and is part of the definition of identity.
Examples of things that may be included in the identity of a user are
Access management should provide access to IT services or organizational information to any legitimate users. These could include permanent employees or contractors temporarily engaged by the organization, vendor personnel such as account managers or support staff, or customers.
It is normally the responsibility of the organization to verify a user’s identity before they join the organization and are granted access to IT systems or services. But IT will need to verify that the correct person is associated with the information provided. The higher the level of organizational security, the more information will be required to verify an individual.
Temporary access is just as important to manage as permanent access. Any identification will be captured and filed as part of an employee record.
It is often helpful to group numbers of users together to make the management of access rights more effective. The term user profile or user template can be used to describe these.
Many organizations have a standard set of services that users can access and may use this for grouping users together. But it must be flexible enough for the individual requirements to be catered for, as well as providing sufficient control. A catalog of user roles may be useful to help the definition of user groups.
However, the data profiles of all groups or users must be subject to the relevant legislation or governance—for example, the Data Protection Act (UK), or state-specific legislation in the US. This should be specified as part of the information security management policy.
These are the roles and responsibilities carried out by the access management process. As with all service management processes, the roles defined for an organization will depend on its needs.
The access management process owner’s responsibilities may include
The access management process manager’s responsibilities may include
Access management is the operational execution of the information security management and availability management processes. As a consequence, the practitioner roles are most likely to be defined by these design processes, based on the content of the information security policy. These roles can be identified as follows.
The service desk will often be the first point of contact to validate a request for access to a service. This may be done using a service request, which may require validation of the correct level of authorization, and also the identity of the user requesting the access.
Once validated, the request may be passed to the appropriate team for action. Depending on the security levels required by the organization, this may be at the service desk or require a higher level of technical access.
Incidents relating to the process of access management will also be handled by the service desk.
Technical and application management may play several important roles:
If there is an operations management function, it is common practice for the access management activities to be delegated to this group. This will include providing or revoking access to services or systems, and there will need to be clear instructions for the management of such access.
If the operations bridge also exists, it may have the responsibility for managing the monitoring for access events.
The ITIL Service Operation publication suggests three CSFs for access management.
The first is “Ensuring that the confidentiality, integrity, and availability of services are protected in accordance with the information security policy.” The KPIs show whether the CSFs are being achieved. The first KPI is the percentage of incidents that involved inappropriate security access or attempts at access to services. You can see that this is measuring actual consequences of poor access management. The second KPI is the number of audit findings that discovered incorrect access settings for users who have changed roles or left the company. This is measuring the potential for security lapses caused by poor access management.
The second CSF for access management is “Provide appropriate access to services in a manner that’s timely enough to meet business needs.” The example KPI for this is the percentage of requests for access that were provided within established SLAs and OLAs.
The last CSF for access management is “Provide timely communications about improper access or abuse of services.” This and the suggested KPI of a reduction in the average duration of access-related incidents (from time of discovery to escalation) are about ensuring that any issues are dealt with expeditiously.
For access management to be successful, it must overcome a number of challenges. It must be able to do the following:
Meeting these challenges requires a considerable effort.
Finally, we consider the risks faced by access management. Failure to meet any of the challenges described in the preceding section is a risk, of course. There are five additional risks:
This chapter explored the next processes in the service operation stage, event management, request fulfillment, and access management.
We covered the use of event monitoring to manage large numbers of items and how automated responses to particular events may improve the delivery of services. We also explained the role of events in automating processes.
We discussed the key ITIL concepts of events and alerts and how event management can improve availability by preempting failures or reducing the time taken to identify them. Finally, for this process, we considered the technical and staff challenges of implementing the event management process, and the roles included in the process.
We also explored the process of request fulfillment. We discussed the key ITIL concepts of service requests and how the request fulfillment process can save time and money in expediting simple user requirements.
We examined the process in depth, covering its purpose, objectives, scope, and value. We considered its policies, principles, activities, and basic concepts and how its success might be measured. We also discussed what factors might work against a successful implementation. The chapter also explored the appropriate roles for the process.
This chapter also covered access management’s purpose, objectives, scope, and value. We discussed policies, principles, and basic concepts; process activities, methods, and techniques; triggers, inputs, outputs, and interfaces; critical success factors and key performance indicators; and challenges and risks.
You learned about the key ITIL concepts of access, identity, rights, and service groups.
We discussed the importance of access management in preventing unauthorized access to data and some of the issues that arise in monitoring access rights. This included exploration of the roles and responsibilities of staff involved in managing this activity.
We examined the following key ITIL concepts:
Understand the purpose, objectives, and scope of event management. Describe events (a change of state that has significance for the management of a CI) and alerts (a failure or breach of a threshold) and the difference between them. Be able to give examples of each.
Understand the role of event management in automation. Describe passive and active monitoring and the difference between them. Be able to give examples of each. Understand the importance of filtering events and explain how effective event management can reduce downtime. Be able to explain automatic responses to certain types of events.
Know how event management benefits the customer and the IT department. Understand the efficiency benefits to be gained by being able to have a small number of staff monitor huge numbers of CIs and services. Understand how improved availability through reduced downtime benefits the business.
Understand how event management can be used to monitor business events and environmental conditions. Be able to explain how the process of event management can be applied beyond the technical IT environment.
Understand the purpose, objectives, and scope of request fulfillment. Request fulfillment provides an efficient means of delivering defined standard services to customers, with low-risk requests and a defined fulfillment process. It can include IT and non-IT requests and be accessed through a self-help web portal.
Know how request fulfillment benefits the customer and the IT department. Request fulfillment provides the customer with an easy, efficient means of requesting defined standard services and enables the requests to be fulfilled by service desk and second-line staff with minimum bureaucracy.
Understand the use of request models. Because requests have a predefined fulfillment process, they are very well suited to the use of request models, which can be programmed into the service management toolset.
Understand the need for technical and financial approval. Although some requests are preauthorized, there may be occasions when authorizations are required. The usual corporate financial controls still apply, so the budget holder may need to approve, for example, the purchase of equipment. Technical authorization may be necessary as a confirmation that the request is compatible with the user’s existing equipment.
Understand the use of a web portal and menu selection in implementing an efficient user interface. Request fulfillment can be greatly enhanced by providing the equivalent of an online shop, complete with “Add to Cart” facility. Users are familiar with this approach through Internet shopping, and it reduces the need for data entry at the service desk.
Understand the purpose, objectives, and scope of access management. Explain the relationship between access management and information security management. Access management is not just granting access—it is also restricting or removing it as required.
Understand the main process activities of access management. Explain the following access management activities: requesting access, validating and verifying a request, providing a request and monitoring how it is used, and finally, where necessary, removing it.
Understand and recognize the roles and responsibilities for each process. This includes not only the generic roles applicable in all cases but also the specific relating to each process.
You can find the answers to the review questions in the appendix.
For which of these situations would implementing automation to support event management by using event management be appropriate?
Event management can be used to monitor which of the following?
Which of the following are types of event monitoring?
The request fulfillment process is suitable for which of the following?
Requests are most likely to be fulfilled by which of the following?
Which of the following statements is incorrect?
Which of the following is the best description of access management?
Why is effective access management important for an organization?
Which of the following is not a challenge for access management?
When might access management reduce or remove access?