ITSM Gap Analysis - Template

Service Continuity

Upload: anuradha-lipare

Post on 30-Oct-2014


Page 1: ITSM Gap Analysis - Template

Service Continuity

Page 2: ITSM Gap Analysis - Template

IT Service Management - High Level Concerns

S# Concerns Compliance

1

Are there established IT Service Management:

no

2 Are all end-to-end IT services identified?

3

Are the IT services defined in terms of:

5

6

7

8

9 Is there a published policy on service improvement?

10

a)      policies?

b)      objectives?

c)      plans?

a)      Customers / end users?

b)      Suppliers/vendors?

c)      Resources – Hardware

d)      Resources – Software

e)      Resources – Documentation

f)       Resources – People

Is the executive responsibility for the co-ordination and management of all services allocated to an individual or post?

Does a management forum that includes IT service stakeholders operate to give clear direction and visible management support?

Are resources made available to determine and provide planning, implementation, monitoring, reviewing and improvement of service delivery?

Are risks to the service management organisation and to the services identified, considered and managed?

Are roles and responsibilities for service improvement activities clearly defined?

Page 3: ITSM Gap Analysis - Template

11

12

Do current/existing practices define:

13

Do the existing IT service practices clearly identify:

14

15

Are service reports considered in making decisions and taking corrective actions?

a)      objectives and requirements to be achieved from existing processes?

b)      interfaces between activities of each IT service?

c)      dependencies of each IT service?

d)      framework of management roles and responsibilities, including process owners?

e)      key roles and responsibilities of each IT service team member?

f)       required budget, facilities and other resources?

g)      provide an approach to managing, auditing and continuously improving the quality of services delivered?

h)      where appropriate, address the use of third party suppliers within each IT service?

a)      which service reports are needed?

b)      from where the data for these are derived?

Are there procedures and responsibilities for creating and maintaining relevant documents?

Do the existing IT service practices ensure that documents are:

a)      created when required?

b)      actively brought to the attention of all parties who could usefully refer to them?

c)      legible and identifiable?

Page 4: ITSM Gap Analysis - Template

15

16

17

18

19

Are staff and other stakeholders aware of:

20

Are all suggested service improvements:

d)      readily identifiable and available to all relevant parties?

e)      dated and authorized as appropriate?

f)       maintained under version control?

g)      reviewed and updated as required?

h)      promptly withdrawn when obsolete and either retained or disposed of as required?

Are staff competencies and training needs reviewed and managed such that staff can deliver their responsibilities effectively?

For all existing roles and responsibilities are the competencies defined and maintained?

Are proposals for new or significantly changed services considered in terms of:

a)      potential cost?

b)      organisational impact?

c)      technical impact?

d)      commercial impact?

e)      regulatory impact?

f)       security concerns?

a)      the importance of meeting objectives and the need for continual improvement?

b)      relevance and importance of their activities to the delivery of services?

c)      how they contribute to the achievement of service objectives?

a)      assessed?

b)      recorded?

c)      prioritised?

Page 5: ITSM Gap Analysis - Template

20

21 Are customer requirements determined?

22

23

24

25

Are service reports produced with clear description of:

26

Percentage of Compliance

d)      authorized?

Are customer requirements met? If yes, what is the evidence?

Are current service levels recorded for measuring improvements at a later date?

Do the current operational practices demonstrate any evidence of continual improvement in service quality?

a)      identity?

b)      audience?

c)      purpose?

d)      data source details?

e)      communicated to all relevant parties?

Is there a planned audit programme to audit existing processes / practices?

Page 6: ITSM Gap Analysis - Template

IT Service Management - High Level Concerns

Findings

Apex policy needs to be defined

Compliance Level (%)

Page 9: ITSM Gap Analysis - Template

Percentage of Compliance

Page 10: ITSM Gap Analysis - Template

Service Delivery - Service Level Management

S# Concerns Compliance

1

2 Is there an identified process owner?

3

4

5

6

7

8

Is there an agreement on:

9

10

11

12

Does a formal/informal Service Level Management process exist for this service?

Have the aims and objectives of the process been defined and documented?

Have the roles and responsibilities for the process been clearly defined and allocated?

Are there formal agreements, agreed by all parties, for all services that support SLAs and are provided internally within the organisation (OLAs)?

Is there a service catalogue showing the full range of IT services available to customers?

Have all underpinning support services relevant to SLAs/services been identified?

a)      service level targets?

b)      expected service workloads?

Is there a procedure for the agreement of temporary variations to the service?

Are the service level targets expressed in terms of customer’s business?

Are OLAs and underpinning contracts regularly reviewed and renegotiated as part of significant change control?

Are the reasons for non-conformance to targets:

a)      reported?

b)      reviewed?

c)      acted upon?

Page 11: ITSM Gap Analysis - Template

13

14

Percentage of Compliance

Is there monitoring and reporting of current and trend information on:

a)      the service levels achieved?

b)      the resources used?

c)      the cost of the service?

Are there adequate documentary records to enable audit of the existing process?

Page 12: ITSM Gap Analysis - Template

Service Delivery - Service Level Management

Findings

Compliance Level (%)

Page 13: ITSM Gap Analysis - Template

Percentage of Compliance

Page 14: ITSM Gap Analysis - Template

Service Delivery - Financial Management Of IT Services

S# Concerns Compliance

1

2 Is there a clear policy on:

3

4

5

6

7

8

9

Percentage of Compliance

Is budgeting and accounting of IT services done for all IT services?

a)      budgeting and accounting for all components?

b)      apportioning and allocating all indirect costs to relevant services?

c)      effective financial control and authorization?

d)      establishing the anticipated and actual costs of each delivered service?

Is there a process synergy with the organisation’s financial control section?

Is the basis for cost recovery defined and widely understood?

Is IT expenditure budgeted for the future to enable effective control and decision-making?

Are changes to the services costed as part of the change approval process?

Are the main areas of expenditure broken down in cost units?

Are costs monitored and reported against budgets?

Are service cost units and expenditure cost types reviewed at each new costing period, e.g. annually?

Page 15: ITSM Gap Analysis - Template

Service Delivery - Financial Management Of IT Services

Findings

Percentage of Compliance

Compliance Level (%)

Page 16: ITSM Gap Analysis - Template

Service Delivery - Availability Management

S# Concerns Compliance

1

2

3

4

5

6

7

8

9

10

Do availability requirements include:

11 Are there any availability records?

12

Do availability records reflect:

Does a formal/informal Availability Management process exist for IT services?

Is there an identified process owner to ensure availability of the services?

Have the aims and objectives for the availability of the services been defined and documented?

Have the roles and responsibilities for the availability of the services been clearly defined and allocated?

Is there an Availability Plan that reflects the availability requirements of the customer into internal availability targets?

Are business plans and risk assessments used as inputs to establishing availability requirements?

Have the availability requirements, including maintainability and serviceability, been considered during system design and major change?

Are issues that might affect availability predicted and prevented?

Is availability defined, measured, monitored and delivered in terms of the service required for business process?

a)      End-to-end availability from the user perspective?

b)      Access rights?

a)      The organisation’s relative dependence on the IT service?

b)      Identify the relative reliance of the IT service at different periods of time?

Page 17: ITSM Gap Analysis - Template

13

14

15 Is historical availability information maintained?

Percentage of Compliance

Are availability audits carried out to identify weak and potentially weak areas and single points of failure?

Are availability requirements reviewed periodically to ensure that requirements are being met?

Page 18: ITSM Gap Analysis - Template

Service Delivery - Availability Management

Findings

Compliance Level (%)

Page 19: ITSM Gap Analysis - Template

Percentage of Compliance

Page 20: ITSM Gap Analysis - Template

Service Delivery - IT Service Continuity

S# Concerns Compliance

1

2

3

4

5

6

7

8

9

Does the service continuity process address:

Does a formal/informal IT Service Continuity Management process exist for IT services?

Is there an identified process owner to ensure availability of the IT services?

Have the aims and objectives for continuity of the services been defined and documented?

Have the roles and responsibilities for the continuity of the services been clearly defined and allocated?

Is there a DR Plan for the restoration of the services following a failure or a disaster?

Are business plans and risk assessments used as inputs to establishing continuity requirements?

Is management authority for invoking a contingency/DR plan unambiguous and documented?

Does the DR Plan cover all administrative and non-IT processes within the service management function?

a)      the implementation of continuity plans?

b)      the implementation of standby arrangements?

c)      how risk reduction measures are devised and implemented?

Page 21: ITSM Gap Analysis - Template

9

10

11

12

13

Percentage of Compliance

d)      operational management during contingency situations?

e)      the maintenance and testing of continuity plans?

Are all data backed up at intervals appropriate to the business?

Are data backups stored safely away from live data?

Are reports produced on tests of the continuity plans?

Are test reports reviewed with stakeholders and acted upon?

Page 22: ITSM Gap Analysis - Template

Service Delivery - IT Service Continuity

Findings

Compliance Level (%)

Rakesh Gupta

Informal Continuity Plans and processes do exist at individual app level, but such data is not available for review

Business Risk assessment, RTO, RPO are not calculated

Page 23: ITSM Gap Analysis - Template

Percentage of Compliance

Page 24: ITSM Gap Analysis - Template

Service Delivery - Capacity Management

S# Concerns Compliance

1

2 Is there a Capacity Plan?

3

4

5

6

7

8

Do existing practices address:

Percentage of Compliance

Does a Capacity Management process/activity exist in the current scenario?

Are capacity implications considered during system development or modifications?

Are all services assessed for capacity implications at suitable intervals?

Are services assessed for all relevant capacity factors including non-IT resources?

Are there appropriate tools to provide the data required?

Have methods, procedures and techniques been identified and applied in order to:

a)      monitor service capacity?

b)      tune service performance?

c)      provide adequate capacity?

a)      predicted future business requirements?

b)      time-scales, thresholds and cost of service upgrades?

c)      current capacity and performance requirements?

d)      anticipated capacity and performance requirements?

e)      data and process to enable predictive analysis?

f)       the anticipated effect of new technologies, techniques and upgrades?

Page 25: ITSM Gap Analysis - Template

Service Delivery - Capacity Management

Findings

Percentage of Compliance

Compliance Level (%)

Page 26: ITSM Gap Analysis - Template

Service Delivery - Security Management

S# Concerns Compliance

1

2 Is there an identified process owner?

3

4

5

6

7

8

9

10

11 Are security controls documented?

12

Does a formal/informal Security Management process exist for IT Services?

Have the aims and objectives of the process been defined and documented?

Have the roles and responsibilities for the process been clearly defined and allocated?

Are the information security aims and objectives established via risk management considerations?

Are the controls of the Information Security Policy published and communicated as appropriate to all system users including:

a)      service management personnel?

b)      customers?

c)      suppliers?

d)      temporaries?

Are the customer’s specified requirements taken into account in implementing appropriate security controls?

Are arrangements that involve third party access to systems based on formal agreements that define necessary security arrangements?

Are there appropriate security controls to manage the risks associated with access to services and systems?

Are security incidents reported in line with incident management procedure as soon as possible after the incident is discovered?

Is automatic protection in place for business-critical systems (h/w, s/w, documentation, etc.)?

Page 27: ITSM Gap Analysis - Template

13

Percentage of Compliance

Are the types, volumes and impacts of security incidents and malfunctions monitored and quantified?

Page 28: ITSM Gap Analysis - Template

Service Delivery - Security Management

Findings

Compliance Level (%)

Page 29: ITSM Gap Analysis - Template

Percentage of Compliance

Page 30: ITSM Gap Analysis - Template

Relationship Management - Business Relationship Management

S# Concerns Compliance

1

2 Is there an identified process owner?

3

4

5

6

8

9

10

11

12 Are meetings with customers documented?

Is there a complaints procedure?

13

14

Percentage of Compliance

Does a formal/informal Business Relationship Management process exist for this service?

Have the aims and objectives of the process been defined and documented?

Have the roles and responsibilities for the process been clearly defined and allocated?

Is the service provider aware of the business needs and major changes such that they can prepare responses to customer need?

Are the business needs of the customer documented (formally/informally)?

Are stakeholders of services identified and documented?

Are customer satisfaction measurements that cover all customers in place?

Do the customer and service provider attend a service review to discuss changes to scope, SLA/contract, business needs at least annually?

Are interim meetings held to discuss performance, achievements and action plan?

Has it been agreed with the customer what constitutes a formal complaint?

Are all customer complaints recorded, investigated, acted upon and formally closed?

Page 31: ITSM Gap Analysis - Template

Relationship Management - Business Relationship Management

Findings

Percentage of Compliance

Compliance Level (%)

Page 32: ITSM Gap Analysis - Template

Relationship Management - Supplier Management

S# Concerns Compliance

1

2 Is there an identified process owner?

3

4

5

6

7

8

9

10

11

12

13

14

Percentage of Compliance

Does a formal/informal Supplier Management process exist for this service?

Have the aims and objectives of the process been defined and documented?

Have the roles and responsibilities for the process been clearly defined and allocated?

Is a named contract manager responsible for each supplier?

Are customers aware, if necessary, of when and where services are supplied by third parties?

Is there a policy covering the circumstances when services can or must be supplied by a third party?

Are the process scope, level of service and communication processes provided by the supplier documented unambiguously and agreed by all parties?

Are there agreements with internal and external service providers aligned with the SLAs/business needs of the customer?

Is there a process to follow in the event of a contractual dispute?

Is there a change management process to amend the process, scope, level of service or contract?

Are third parties actively encouraged to search for and implement improvements?

Are suppliers notified of change requirements in a timely fashion?

Are roles and relationships between lead and subcontracted suppliers clearly documented?

Page 33: ITSM Gap Analysis - Template

Relationship Management - Supplier Management

Findings

Percentage of Compliance

Compliance Level (%)

Page 34: ITSM Gap Analysis - Template

Resolution Process - Incident Management

S# Concerns Compliance

1

2 Is there an identified process owner?

3

4

5

6

7 Are all incidents recorded?

8 Are all calls logged?

9

10

11

12

13

Does a formal/informal Incident Management process exist for IT services?

Have the roles and responsibilities for the process been clearly defined and allocated?

Are the procedures designed to minimize the impact of service incidents?

Are major incidents defined, classified and managed according to a defined process?

Is the method of contacting IT service support well publicized throughout the organisation?

Are all calls routed via a central point of contact?

Do the staff who receive calls have knowledge/training in the business processes being supported?

Do the staff in the Incident Management process have access to a knowledge base?

Are customers/users kept informed of the progress of incidents they have reported?

For all service incidents do the procedures define:

a)      recording?

b)      prioritisation?

e)      classification?

g)      allocation?

h)      escalation?

i)        resolution?

j)        formal closure?

Page 35: ITSM Gap Analysis - Template

14

15

16

17

Percentage of Compliance

Are appropriate details of each incident recorded?

Does the Incident Management process or a mechanism exist to regularly monitor the status and progress of all open incidents against service levels?

Does the Incident Management process or a mechanism exist to closely monitor incidents that are reassigned between different specialist support groups?

Does the Incident Management process confirm with the originator the satisfactory resolution of the incident?

Page 36: ITSM Gap Analysis - Template

Resolution Process - Incident Management

Findings

Compliance Level (%)

Page 37: ITSM Gap Analysis - Template

Percentage of Compliance

Page 38: ITSM Gap Analysis - Template

Resolution Process - Problem Management

S# Concerns

1

2 Is there an identified process owner?

3

4

5 Are all known errors identified?

6 Are all identified problems recorded?

7

8

9

10

11

12

13

14

15

Does the problem closure process ensure that:

Compliance

Does a formal/informal Problem Management process exist?

Have the aims and objectives of the process been defined and documented?

Have the roles and responsibilities for the process been clearly defined and allocated?

Does a knowledge base of incident information exist, and is it up to date?

Are all problems classified, cross-referenced and related to relevant, previously logged and resolved incidents, problems and known errors?

Is problem prevention considered a fundamental part of managing IT services?

Are there procedures to identify, minimize or avoid the impact of service problems?

Are all suggested changes and improvements that might remove errors and prevent incidents routed via change management?

Are incident records analysed regularly to detect the increase or reduction of incidents and problems?

Are all identified known errors, workarounds and solutions fed back into a service improvement programme?

Are impact and urgency evaluated in respect of the business needs of the organisation?

a)      the details of the problem resolution have been accurately recorded?

Page 39: ITSM Gap Analysis - Template

15

16

17

Percentage of Compliance

b)      the cause of the problem has been categorized to facilitate analysis?

Are problem reviews (post mortems) held following the resolution of a problem?

Are regular management reviews held to highlight problems requiring immediate attention, determine and analyse trends and to provide inputs for other processes, such as customer or service desk education?

Page 40: ITSM Gap Analysis - Template

Resolution Process - Problem Management

Findings

Compliance Level (%)

Page 41: ITSM Gap Analysis - Template

Percentage of Compliance

Page 42: ITSM Gap Analysis - Template

Control Process - Configuration Management

S# Concerns Compliance

1

2 Is there an identified process owner?

3

4

5

7

8

9

10

11

Does the degree of control meet:

12

13

14

Does a formal/informal Configuration Management process exist for this service?

Have the aims and objectives of the process been defined and documented?

Have the roles and responsibilities for the process been clearly defined and allocated?

Is there an integrated change and configuration management plan?

Is there a well understood policy defining what constitutes a configuration item?

Is the information to be recorded for each item defined, including relationships and documentation?

Does the configuration management process/mechanism cover all elements of the infrastructure?

For configurable components of the service and infrastructure, does configuration management provide mechanisms for:

a)      identifying?

b)      controlling?

c)      tracking versions?

a)      business needs?

b)      risk of failure?

c)      service criticality?

Is information on any configuration item available on a need-to-know basis to customer/supplier/service staff?

Is there a defined owner for each configuration item type at each applicable life cycle stage?

Are configurable items (CIs) uniquely identifiable (Item code)?

Page 43: ITSM Gap Analysis - Template

15

16

17 Are critical configuration items (CIs) identified?

18

19 Are appropriate statuses defined for CIs?

20

21

22

23

24 Is there a central data repository (CMDB)?

25

26 Are random checks on CIs carried out (audits)?

Percentage of Compliance

Are there procedures to prevent unauthorised updating of configuration records?

Can configuration baselines, builds and releases be easily and accurately identified?

Are logical and physical relationships between CIs recorded?

Is the inventory actively managed and verified to ensure its reliability and accuracy?

Are master copies of software and documents controlled in a secure physical or electronic library?

Are changes to configuration items traceable and auditable?

Do configuration records include ownership and identification details?

Are regular and accurate reports produced for management?

Page 44: ITSM Gap Analysis - Template

Control Process - Configuration Management

Findings

Compliance Level (%)

Page 45: ITSM Gap Analysis - Template

Percentage of Compliance

Page 46: ITSM Gap Analysis - Template

Control Process - Change Management

S# Concerns Compliance

1

2 Is there an identified process owner?

3

4

5

6

7 Are all changes to CIs recorded?

8

9

Does a formal/informal Change Management process exist for this service?

Have the aims and objectives of the process been defined and documented?

Have the roles and responsibilities for the process been clearly defined and allocated?

Are there formal procedures to ensure that all changes are approved, checked and implemented in a controlled manner?

Are customers aware, if necessary, of when and where services are supplied by third parties?

Is the implementation of new or changed services, including closure of a service, planned and approved through a change management process?

Does the planning for new/changed service address:

a)      all relevant roles and responsibilities?

b)      changes to existing service management framework and services?

c)      communication to relevant parties?

d)      consequential contracts/agreements to align with new/changed business need?

e)      manpower and recruitment requirements?

f)       skills and training requirements?

g)      processes, measures, methods and tools to be used with new/changed services?

h)      budgets and timescales?

i)        service acceptance criteria?

j)        expected outcomes expressed in measurable terms?

Page 47: ITSM Gap Analysis - Template

10

11

12

13

14

Are change requests assessed for:

15

16

17

18

19

20

21

22 Are change records audited and verified?

Does change management cover all elements of the infrastructure?

Are changes initiated through a formal procedure (Request for Change – RFC)?

Are there appropriate authorisation and implementation procedures for each category of change?

Is there a procedure to assess the impact, urgency and consequences of each change?

a)      risks, business benefit and impact?

b)      cost and urgency?

c)      impact on availability and service continuity?

d)      impact on security controls?

e)      impact on incident management process (service desk workload)?

Is a change schedule, taking account of all factors, including scheduled implementation dates, published and accessible to all appropriate parties?

Is a release/implementation plan required for all except the simple changes?

Are back-out plans always produced and checked for practicality?

Is appropriate testing planned and executed, including formal customer acceptance as appropriate?

Are all changes reviewed, results reported to relevant parties and actions taken after implementation?

Is there a formal, documented and well understood emergency change procedure?

Are change records analysed regularly to detect increasing levels of change, frequently recurring types, emerging trends and other relevant information?

Page 48: ITSM Gap Analysis - Template

23

Percentage of Compliance

Are audit trails retained in accordance with regulatory, contractual and business requirements?

Page 49: ITSM Gap Analysis - Template

Control Process - Change Management

Findings

Compliance Level (%)

Page 51: ITSM Gap Analysis - Template

Percentage of Compliance

Page 52: ITSM Gap Analysis - Template

Release Process - Release Management

S# Concerns Compliance

1

2 Is there an identified process owner?

3

4

5

6

7

8

9

10

11

Do release plans:

12

13

Does a formal/informal Release Management process exist for this service?

Have the aims and objectives of the process been defined and documented?

Have the roles and responsibilities for the process been clearly defined and allocated?

Is there an agreed and documented policy stating the frequency and type of release?

Are there appropriate and comprehensive plans on how to roll out a release to each site and user, agreed and signed off by all potentially affected parties?

Are there software libraries and related repositories for managing and controlling software baselines and releases?

Do procedures include the access and update of configuration records and versions of software, hardware and documentation used in the build and release processes?

Does the existing process include the manner in which the release will be backed out or remedied if unsuccessful?

Are release packages formally verified for completeness and accuracy?

a)      record release date and deliverables?

b)      record related RFCs, problems and known errors?

c)      record related incidents, affected users and services?

Does the release procedure include the updating of change and configuration records?

Is there an emergency release procedure that interfaces with the emergency change procedure?

Page 53: ITSM Gap Analysis - Template

14

15

16

17

18

Percentage of Compliance

Are all releases built and tested in a controlled acceptance test environment before release?

Are releases and distribution designed so that the integrity of hardware and software is maintained during installation, handling, packaging and delivery?

Are release plans communicated to incident management?

Are the successes and failures of releases analysed regularly to assess their impact on business, IT operations and support staff resources?

Are incidents related to a release measured for a period following release?

Page 54: ITSM Gap Analysis - Template

Release Process - Release Management

Findings

Compliance Level (%)

Page 55: ITSM Gap Analysis - Template

Percentage of Compliance