ITSM Maturity Assessment

2012

Table of Contents
Introduction .................................................................................................................................................. 2 What is ITSM? ........................................................................................................................................... 2 What is ITIL.............................................................................................................................................. 2 Is ITS doing ITSM today? ........................................................................................................................... 3 Where is ITS in relation to ITIL best practices? ....................................................................................... 3 Readiness and Awareness Assessment......................................................................................................... 5 Overall Results .......................................................................................................................................... 5 Detailed Results ........................................................................................................................................ 6 Analysis and Recommendations ............................................................................................................... 7 Process Maturity Assessment ....................................................................................................................... 9 Overall Results ........................................................................................................................................ 10 Detailed Results ...................................................................................................................................... 11 Analysis and Recommendations ............................................................................................................. 20 Incident Management (1.33) .............................................................................................................. 20 Problem Management (0.87) .............................................................................................................. 21 Service Desk (2.04) .............................................................................................................................. 21 Change Management (1.29) ............................................................................................................... 21 Release and Deployment Management (1.29) ................................................................................... 22 IT Asset and Configuration Management (0.58) ................................................................................. 22 Service Portfolio Management (0.64) ................................................................................................. 23 Service Catalog Management (0.60) ................................................................................................... 23 Service Level Management (0.38)....................................................................................................... 24 References .................................................................................................................................................. 24 Author ......................................................................................................................................................... 24

Introduction
In 2011, the Office of the Vice President and Chief Information Officer (VPCIO) launched the Predictability Project, and in support of that project, Information Technology Service (ITS) has engaged in many projects and initiatives. One of ITSs initiatives is to implement Information Technology Service Management (ITSM) improvements based on the Information Technology Infrastructure Library (ITIL).

What is ITSM?
ITSM, or Information Technology Service Management, is a set of specialized organizational capabilities for providing value to customers in the form of services. In ITS, those capabilities are the people, process, and technology we have to deliver services such as network connectivity and email to the University. The value that we provide is in delivering services that do what our users need them to and work the way we say they will. This is also known as utility and warranty, thus: Value = Utility and Warranty A service is a means of delivering value to customers by facilitating outcomes customers want to achieve without the ownership of specific costs and risks. For example, we provide storage solutions for the University because we can do so at a reasonable cost with appropriate security and support. That way, departments can focus on their core competencies such as education and research, while we focus on delivering the technology they need.

What is ITIL
ITIL, or Information Technology Infrastructure Library, is a set of ITSM best practices (like PMP is a set of best practices for project management). In fact, it is the most widely adopted set of best practices for ITSM. It is non-proprietary and is maintained by experts and incorporates the learning experiences and practices of leading organizations. Most major corporations such as IBM, Bank of America, and WalMart have adopted ITIL, and many universities have as wellOhio State, Stanford, BYU and Wake Forest to name a few. The reason that ITIL is so popular is that it provides many benefits such as: Alignment with University priorities and objectives Known and manageable IT costs Negotiated, achievable service levels Predictable, consistent processes Efficiency in service delivery Measurable, improvable services and processes A common set of terminology

ITIL was created in the 1980s by the Office of Government Commerce in the United Kingdom. The current version is ITIL v3 2011, and its basic concept is based on the lifecycle of a service. In total the

current set of best practices is split into five Service Lifecycles that are made up of 24 processes and four functions (see diagram below).

Image: Crown 2007

Is ITS doing ITSM today?

ITS is doing ITSM activities today in some of its groups. For example, there is a Service Desk (the UVa Help Desk), and ITS is doing Release and Deployment Management activities. There are ITSM related projects that are underway such as Portfolio Management and Service Level Agreements. But where are we in relation to best practices? What should we be working to improve? How will we know when we get there?

Where is ITS in relation to ITIL best practices?

The best way to determine where ITS is today is to benchmark ourselves against ITIL best practices. To do this, we conducted two internal assessmentsa Readiness and Awareness Assessment and a Process Maturity Assessment. There were thirty assessment participants that included the ITS Leadership Team, ITS Directors, and other leaders in ITS from: Custom Applications and Consulting Services Enterprise Applications Enterprise Infrastructure User Experience and Engagement

Both assessments were conducted in a single, two-hour session, and participants used clickers to respond to each of the questions and could view the results in real-time.

The objectives of the assessments were to: Provide a baseline assessment of current process maturity Identify key areas of improvement in relation to organizational needs Compare our IT Service Management practices against a set of best practices (ITIL)

Another set of assessments is planned for 2014 so that we can compare results between the two and see where we have matured as an organization. The results of the assessments follow.

Readiness and Awareness Assessment

The Readiness and Awareness Assessment gauged how ready the organization is to take on ITSM implementation activities and how aware it is of core concepts that underlie ITSM. The assessment consisted of nine statements which the participants rated: 1-Strongly Disagree 2-Disagree 3-Agree 4-Strongly Agree

Overall Results

Readiness and Awareness

A customer driven culture exists in our organization. I know where to go to find documentation about how services are supported.

4 2.90 3 2.43 2 2.67

We understand how each of our services add value to the University.

We understand what work is most important to accomplish.

2.67 1

2.27

We are able to measure the services we provide in a relevant manner.

We have clearly defined roles and responsibilities for how we deliver and support our services.

2.47 2.07 2.60

2.60

We have defined service delivery and support processes in our organization.

A culture of continuous service improvement exists in our organization.

We operate with a common set of service support and delivery terminology across our organization.

Detailed Results
A customer driven culture exists in our organization. 1-Strongly Disagree 2-Disagree 3-Agree 4-Strongly Agree Totals 1 4 22 3 30 3.33% 13.33% 73.33% 10.00% 100%
Strongly Disagree Disagree Agree Strongly Agree

We understand how each of our services add value to the University. 1-Strongly Disagree 2-Disagree 3-Agree 4-Strongly Agree Totals 0 10 20 0 30 0.00% 33.33% 66.67% 0.00% 100%

Strongly Disagree Disagree Agree Strongly Agree

We are able to measure the services we provide in a relevant manner. 1-Strongly Disagree 2-Disagree 3-Agree 4-Strongly Agree Totals 3 17 9 1 30 10.00% 56.67% 30.00% 3.33% 100%

Strongly Disagree Disagree Agree Strongly Agree

We have defined service delivery and support processes in our organization. 1-Strongly Disagree 2-Disagree 3-Agree 4-Strongly Agree Totals 1 11 17 1 30 3.33% 36.67% 56.67% 3.33% 100%

Strongly Disagree Disagree Agree Strongly Agree

We operate with a common set of service support and delivery terminology across our organization. 1-Strongly Disagree 2-Disagree 3-Agree 4-Strongly Agree Totals 4 21 4 1 30 13.33% 70.00% 13.33% 3.33% 100%

Strongly Disagree Disagree Agree Strongly Agree

A culture of continuous service improvement exists in our organization. 1-Strongly Disagree 2-Disagree 3-Agree 4-Strongly Agree Totals 1 11 17 1 30 3.33% 36.67% 56.67% 3.33% 100%

Strongly Disagree Disagree Agree Strongly Agree

We have clearly defined roles and responsibilities for how we deliver and support our services. 1-Strongly Disagree 2-Disagree 3-Agree 4-Strongly Agree Totals 2 14 12 2 30 6.67% 46.67% 40.00% 6.67% 100%

Strongly Disagree Disagree Agree Strongly Agree

We understand what work is most important to accomplish. 1-Strongly Disagree 2-Disagree 3-Agree 4-Strongly Agree Totals 3 6 19 2 30 10.00% 20.00% 63.33% 6.67% 100%

Strongly Disagree Disagree Agree Strongly Agree

I know where to go to find documentation about how services are supported. 1-Strongly Disagree 2-Disagree 3-Agree 4-Strongly Agree Totals 1 16 12 1 30 3.33% 53.33% 40.00% 3.33% 100%

Strongly Disagree Disagree Agree Strongly Agree

Analysis and Recommendations

The Readiness and Awareness Assessment showed overall ITS falls slightly above the midpoint (2.50) on the readiness and awareness scale. Five of the responses were above the midpoint and four were below, but none of the responses were at the highest or lowest ends of the scale. Overall the responses were balanced and showed a base upon which we can build our culture and increase maturity. The highest response recorded was the existence of a customer driven culture (2.90). 83.33% of the participants rated this as agree or strongly agree. While a customer focus is generally regarded as a good thing, and understanding customer needs are central to good ITSM practices, there are some 7

notes of caution. Organizations that focus too much externally can risk achieving good customer performance to the detriment of the IT services they provide. It can create a culture where the organization is constantly in reactive mode trying to create custom solutions to meet every customer need. The result is the lack of a comprehensive underlying strategy for the technology itself, creating a patchwork of solutions that are difficult and expensive to support. The lowest response recorded was for the existence of a common set of service delivery and support technology (2.07). 83.33% of the participants rated this as disagree or strongly disagree. This is typical for organizations with low levels of process maturity. Part of the challenge for ITS is that we are a new organization consisting of two groups that operated fairly independently in the past. Introducing common terminology across ITS will improve our efficiency and effectiveness. ITIL will provide the common language and terminology that is needed. The ITS Leadership Team rated readiness and awareness lower than all other participants on each of the questions. Their overall ratings fell closer to disagree, while all others fell closer to agree. This is likely due to the scope of the Leadership Teams responsibilities and their view across the organization as well as their sense of urgency to mature the organizations ITSM practices. All other participants were more focused on their particular areas when answering the questions. Enterprise Applications rated themselves higher than any other group, and this is common for groups the support applications. This is partly due to their very direct relationship with the customers and the integration of the services they provide with business processes. It is also due to audit requirements related to working with human resource, financial, and student applications.

Process Maturity Assessment

The Process Maturity Assessment used ITIL as a benchmark for assessing ITS process maturity, and it consisted of 91 questions. There are many processes and functions with ITIL, so ITS chose to nine of them that represent processes that already exist in ITS, processes that are currently being implemented or processes that may be implemented in the near future. Those that were selected are: Incident Management Problem Management Change Management IT Asset and Configuration Management Service Desk Service Level Management Service Portfolio Management Service Catalog Management Release and Deployment Management

The Assessment responses were based on the ITIL Process Maturity Framework (PMF) which borrows from maturity level concepts developed by the Software Engineering Institute at Carnegie Mellon University. The responses are: 0 - I dont know OR not at all 1 - Initial Loosely defined, undocumented, reactive, unplanned 2 - Repeatable Defined, documented, largely reactive, unplanned, unmeasured 3 - Defined Clearly defined, good documentation, planned, measured, somewhat automated 4 - Managed Well-defined, mainly proactive, continuously improved, automated 5 - Optimizing Well-defined, proactive, business value focus, fully automated Please note that the values represent the level at which a process is executed and are not necessarily a direct measure of performance.

Overall Results

Process Maturity
Incident Mgt 5 Release & Deployment Mgt 4 3 1.29 Service Catalog Mgt 0.60 0.64 0.38 Service Portfolio Mgt Asset & Configuration Mgt 2 1 0 0.58 1.29 1.33 0.87 Change Mgt Problem Mgt

2.04

Service Level Mgt

Service Desk

10

Detailed Results

Incident Management
0
The organization has clearly defined process goals, objectives, policies and procedures for the Incident Management process. A shared repository of Incident Management documentation is in place. Clear roles and responsibilities for the Incident Management process have been identified, defined, documented and appointed. The definition of an Incident is clearly understood and is applied across the organization. An Incident is understood as distinct and separate from a Problem. There are clearly defined policies and procedures for logging all Incidents.

2 1.43 1.38 1.00 1.29 1.38 1.00

3 2.45

2.73

1.00 0.88

2.00 1.50

2.00 1.14 1.63 1.50 0.43 1.64 1.00 1.00 1.36

Enterprise Applications Enterprise Infrastructure

Incidents are categorized using a method that enables meaningful reporting. A measurement framework has been established for Incident Management that identifies, measures and reports on metrics aligned to Key Performance Indicators (KPIs).

0.14 0.25 0.50 0.71 0.63 0.50

1.82

User Experience & Engagement Custom Apps & Consulting Srvcs

All Incidents are assigned a priority based on impact and urgency.

The definition of and procedure for handling a Major Incident based on impact and urgency is clearly documented and understood. Customers are informed of the status of Incidents that affect them in a consistent and defined manner.

1.00 1.00

1.43

2.18

1.00 0.43 0.91

2.09 2.00 1.63

Procedures are in place to assess the user satisfaction levels related to the resolution of the Incident. There is a searchable Knowledge Database that contains workarounds, resolutions, and known-errors, as well as work instructions regarding how to apply these resolutions. Incident Management exists as a standardized and repeatable process across our organization.

1.38 1.50 1.14 0.88 1.00 1.64

0.57 0.88 1.00

1.55

11

Problem Management
0
The organization has clearly defined process goals, objectives, policies and procedures for the Problem Management process. A shared repository of Problem Management documentation is in place. Clear roles and responsibilities for the Problem Management process have been identified, defined, documented and appointed. There is a procedure by which potential problems are classified in terms of category, urgency, priority and impact and assigned for investigation and root cause analysis. A role exists in Problem Management that is responsible for proactive problem management (looking for potential areas of failure before they occur). A role exists in Problem Management that is responsible for analyzing incident information to look for incident trends. Problem records include current status of the problem investigation, categorization of the problem, and any changes in status for the problem. Problem Management ensures (following a Post Implementation Review) that changes have been successfully implemented before closing associated Known Errors and/or Problems and any associated Incidents. All Problems and Known Errors are linked to Configuration Items when relevant. A measurement framework has been established for Problem Management that identifies, measures and reports on metrics aligned to Key Performance Indicators (KPIs).

1 1.27 0.29 0.63 1.00 0.86 0.88 1.00 0.71 0.38 1.00 1.18 0.86 0.75 1.00 0.29 0.73 0.75 1.00

1.55

2.09

Enterprise Applications Enterprise Infrastructure User Experience & Engagement Custom Apps & Consulting Srvcs

0.57 0.50

1.73 1.00 1.64

0.71 0.75 1.00 0.14 0.63 1.00 1.00 1.00

1.27

0.00 0.13

12

Service Desk
0
The Organization has clearly defined process goals, objectives, documented policies and procedures for the Service Desk function.

2 1.91 2.14 1.50

2.88

Clear roles and responsibilities for the Service Desk function have been identified, defined, documented and appointed.

1.50

2.27 2.43 2.75 2.82 3.29 3.50

There is a Service Desk in place which is the known contact point for all IT inquiries and problems.

1.50 1.09 0.71

Enterprise Applications

Calls recorded by the Service Desk are distinguished as Incident, Request for Change, or Service Request.

1.88 Enterprise Infrastructure 2.00

User Experience & Engagement

Reports for Service Desk metrics, such as numbers of calls received, types of calls, etc. are easily accessible.

0.86

1.91 Custom Apps & Consulting Srvcs 1.88 2.00 2.73 2.50 3.00 2.25 2.00 2.73 2.71 2.88

There is a user satisfaction survey system in place.

1.00 1.09

The Service Desk provides trending information and customer satisfaction rating reports to Management.

0.29

There is an escalation process in place for calls that cannot be resolved at first point of contact with the Service Desk.

3.50

There is a regular, reported review of Service Desk performance against expected Key Performance Indicators (KPIs).

0.43

1.09 1.88 2.50

13

Change Management
0
The organization has clearly defined process goals, objectives, policies and procedures for the Change Management process. A shared repository of Change Management documentation is in place. Clear roles and responsibilities for the Change Management Process have been identified, defined, documented and appointed. A role exists within the Change Management process that is responsible for the coordination of each change being built, tested, implemented, and reviewed according to the specification contained within the Request for Change. A change authorization model defines various change categories, and what level of authorization is required for each change category. A Change Advisory Board (CAB) exists as a formal body responsible for reviewing and authorizing changes.

1 1.00 1.13 1.00 0.71 1.25 1.00 0.57 0.88 1.00 0.43 0.50 0.00 0.13 0.50 0.14 0.50 0.50 0.57 0.00 1.09

3 2.64

2.45

2.36

1.82 1.00 2.64

Enterprise Applications Enterprise Infrastructure User Experience & Engagement

An Emergency CAB exists to review and authorize emergency changes. An IT Management Board is responsible for reviewing and authorizing Changes bearing significant risk to the university and/or that impact multiple services or organizational areas. University representatives (from non-IT areas) are involved in the review of major proposed changes.

1.36 1.00 1.00 1.25 1.00 1.00 1.00 1.45

Custom Apps & Consulting Srvcs

3.00

Changes are assessed for potential impacts to existing services as defined in Service Level Agreements. A measurement framework has been established for Change Management that identifies, measures and reports on metrics aligned to Key Performance Indicators (KPIs). A Request for Change (RFC) is used to record and control all information related to Changes and proposed changes.

0.50 0.43 0.13 0.00 0.14 0.50

1.09

2.91 1.00 2.36

The priority for a submitted Change Request is determined through the assessment of the changes impact and urgency.

0.57 0.75 1.00 0.71 0.88 1.00 1.14 1.00 1.00 0.86 1.63 1.00 1.55

A calendar of Change is communicated to all change stakeholders (including the Service Desk).

All Changes (including emergency changes) are tested prior to implementation. The scope of Change Management includes the introduction of new services and changes to existing services in the production environment.

3.73

3.09

14

Release & Deployment Management

0
The Organization has clearly defined process goals, objectives, documented policies, activities and procedures for the Release & Deployment Management process. A shared repository of Release & Deployment Management documentation is in place. A Release & Deployment Management process owner with accountability for the process across the organization has been appointed. The process owner has the authority to ensure compliance to and governance of the process. Release and deployment plans are defined and agreed upon with customers and stakeholders.

1 0.43 0.75 0.50 0.00

3 2.73

1.55 0.63 0.50 0.57 0.88 0.50 1.29 1.38 2.00

Release packages are deployed to the live environment following an agreed plan and schedule.

3.27

0.50

Release packages are tracked, installed, tested, and verified.

1.00 1.25 1.00 0.57 0.63 0.50 0.86 1.13 1.00 1.00 1.00 1.00 0.14 0.13 0.50 0.91 1.64

3.27
Enterprise Applications Enterprise Infrastructure User Experience & Engagement Custom Apps & Consulting Srvcs

There are procedures to ensure that new or changed services are capable of delivering the agreed utility and warranty.

Knowledge and skills are transferred to enable to the customers and users to optimize their use of the service to support their business activities. Knowledge and skills are transferred to service operation and support functions to enable them to effectively and efficiently deliver, support and maintain the service according to required warranties and service levels. There are regular reviews (including testing) on performance of this process area against documented Key Performance Indicators (KPIs).

2.18

2.00

15

IT Asset & Configuration Management

0
The organization has clearly defined process goals, objectives, policies and procedures for the Service Asset & Configuration Management process. A shared repository of Asset & Configuration Management documentation is in place. A Service Asset and Configuration Management process owner with accountability for the process across the organization has been appointed. The process owner has the authority to ensure compliance to and governance of the process. Clear roles and responsibilities for the Asset & Configuration Management process have been identified, defined, documented and appointed. All Configuration Items (CIs), attributes, owners, and relationships are recorded and maintained in a central repository that is subject to rigorous Change Management controls and is maintained only by designated personnel. The Configuration Management System (CMS) provides a logical model of all service assets used in providing services and enables information about service assets to be used in meeting business requirements. Configuration Items (CIs) contained in the CMS include services, systems, hardware and software components, databases, documentation and support staff roles related to the maintenance and support of these CIs. There is a Definitive Software Library (DSL) and a Definitive Hardware Store (DHS) within the organization (physical storage locations for software and hardware). A measurement framework has been established for Service Asset and Configuration Management that identifies, measures, and reports on metrics aligned to Key Performance Indicators (KPIs). Registered Configuration Items are physically identified through labeling according to organizational policy using a standard coding model.

1 1.27 1.29 1.25 1.00 1.09 0.71 0.63 1.00 1.27 1.00 1.00 1.00 1.36 1.00

0.25 0.50

0.82 0.57 0.25 0.50 0.29 0.25 0.00 0.91

Enterprise Applications Enterprise Infrastructure User Experience & Engagement

0.00

0.73 0.43 1.00

Custom Apps & Consulting Srvcs

0.36 0.43 0.25 0.50 0.36 0.57 0.38 0.00 0.18 0.14 0.38 0.00 0.09 0.14 0.25 0.00 0.27 0.29 0.13 0.50

A scheduled and regularly occurring audit is used to verify the accuracy of the Configuration Management System (CMS).

The Configuration Management System (CMS) audit includes a comparison of Configuration Items in the environment with the data contained in the CMS. Service Asset and Configuration Management provides up-to-date information about infrastructure and application configurations to support definition of technical services in the Service Catalog.

16

Service Portfolio
0
The Organization has clearly defined process goals, objectives, documented policies, activities and procedures for the Service Portfolio Management process. A shared repository of Service Portfolio Management documentation is in place. A Service Portfolio Management process owner with accountability for the process across the organization has been appointed. The process owner has the authority to ensure compliance to and governance of the process. There is a process for enabling ITS to investigate and decide on which services to provide based on an analysis of potential return and acceptable level of risk.

1 0.29 0.38 0.82 1.00

0.64 0.14 0.50 0.64 0.57 1.00 0.50 0.82 0.29 0.50 1.00 0.36 0.14 0.50 0.00 1.00 1.14 1.13 1.00 0.00 0.25 0.50 1.09

2.00

Enterprise Applications Enterprise Infrastructure User Experience & Engagement Custom Apps & Consulting Srvcs

There is definitive portfolio of services with the articulated business needs each service meets and the business outcomes it supports.

Investments in services are tracked throughout their lifecycle.

Services are reviewed on a regular basis to determine which are no longer viable and should be retired.

There is a central, documented service pipeline listing all service that are under consideration or development, but are not yet available to customers.

17

Service Catalog
0
The Organization has clearly defined process goals, objectives, documented policies, activities and procedures for the Service Catalog Management process. A shared repository of Service Catalog Management documentation is in place. A Service Catalog Management process owner with accountability for the process across the organization has been appointed. The process owner has the authority to ensure compliance to and governance of the process.

1 0.45 0.71 0.63

0.00

0.36 0.00 0.63 0.50 1.18 0.86 0.88 1.00 0.27 1.43 1.50

There is a generally-accepted definition of what a service is.

Enterprise Applications Enterprise Infrastructure User Experience & Engagement Custom Apps & Consulting Srvcs

There is a Service Catalog that describes the services offered by ITS.

0.50
The Service Catalog is accurate and reflects the current details, status, interfaces and dependencies of all services in the live environment.

0.36 0.57 0.50 0.50 0.36 0.86 1.25 1.00

The Service Catalog is available to those who need access to it.

There are regular reviews (including testing) on performance of this process area against documented Key Performance Indicators (KPIs).

0.18 0.00 0.25 0.00

18

Service Level Management

0
The organization has clearly defined process goals, objectives, policies and procedures for the Service Level Management process. A shared repository of Service Level Management documentation is in place. A Service Level Management process owner with accountability for the process across the organization has been appointed. The process owner has the authority to ensure compliance to and governance of the process.

1 0.14 1.00

0.75 0.50

0.36 0.00 0.75 0.00 0.82 0.14 0.50 0.50 0.45 0.43 0.38 0.50 0.27 0.14 0.25 0.00 0.27 0.29 0.50 0.36 0.00 0.25 0.00 0.36 0.00 0.25

Clear roles and responsibilities for the Service Level Management Process have been identified, defined, documented and appointed.

Service Level Agreements (SLAs) which define the services and levels of services provided by IT for the customers exist for all services. Operational Level Agreements (OLAs) which are aligned with requirements defined in the SLAs have been documented and agreed among individual provider IT groups within the Organization.

Enterprise Applications Enterprise Infrastructure User Experience & Engagement

Service Level Agreements are regularly reviewed to ensure they are current and aligned with customer requirements.

1.00

Custom Apps & Consulting Srvcs

Service levels achieved by all operational services are monitored and measured against targets within SLAs, OLAs, and Contracts.

Regular communications and reports concerning levels of service contained within SLAs occur with IT management, the Service Desk, and all internal functional areas involved in the provision of the service. Service review meetings are held regularly with customers to discuss Service Level achievements and any plans for improvements that may be required.

1.00

0.64 0.14 0.25 1.00 0.45 0.71 0.38 0.50 0.00 0.00 0.00

Service Improvement Programs are used to improve the quality of services and are initiated for services that are underperforming.

SLAs, OLAs, and Underpinning Contracts are stored in a Definitive Document Library and are controlled as Configuration Items in the Configuration Management Database.

0.50

19

Analysis and Recommendations

ITSM is a relatively new concept for ITS, and the results of the Process Maturity Assessment are typical for where we are as an organization. We rated highest for processes such as the Service Desk, Incident Management, Change Management, and Release and Deployment Management. These are processes that tend to mature early because of customer demands and/or audit requirements. Enterprise Applications had the highest ratings for those four processes coming in near or above a Repeatable level for all of them. This is partly due to their very direct relationship with the customers they support and the integration of the services they provide with business processes. It is also due in part to the audit requirements related to working with human resource, financial, and student applications. Generally, the ratings came out as expected across the nine processes. The highest rated process (or function) overall was the Service Desk with rating of 2.04 or Repeatable. The lowest rated was Service Level Management which had a rating of 0.38 putting it closest to a Not at all rating. While many of the process scored low on the maturity scale, some best practices are in place in parts of our organization that provide a great starting point. With the guidance of ITIL, ITS can move up the scale of maturity over future years. Incident Management (1.33) Purpose: To restore normal service operation as quickly as possible and minimize the adverse impact on business operations, thus ensuring that the best possible levels of service quality and availability are maintained. Incident Management rated Initial in the assessment. Part of this is related to the Service Desk function which has driven `the Incident Management process with defined ticketing workflows and a ticketing tool. There is also a Knowledge Base for the Service Desk, but it is limited to information where the Service Desk is the audience. A broader Knowledge Base that is shared across all support areas with different access levels to information such as workarounds and known-errors would be an improvement. Across ITS, participants indicated that customers are kept informed of their issues in a consistent and defined manner. This agrees with the Readiness and Awareness Assessment where customer focus was rated highest. Building on this concept, a standard approach to contacting customers and defined response and resolution times would improve the customer experience. Work is already underway in this area. Generally, a defined and documented Incident Management process would improve how incidents are handled on a daily basis and, in turn, customer satisfaction. Assigning urgency and impact to incidents would drive defined response and resolution times that can be used to set customer expectations and measure performance. In addition, a defined process for identifying and handling Major Incidents would reduce the response and resolution times for larger scale issues and outages lessening their impact on users while improving customer communications during such events. ITS is currently implementing on a new oncall process with the goal of improving Major Incident response. 20

Problem Management (0.87) Purpose: The goal of Problem Management is to minimize the adverse impact of Incidents and Problems on the business that are caused by underlying errors within the IT Infrastructure, and to prevent recurrence of incidents related to these errors. Problem Management was assessed just below Initial. The concepts behind Problem Management are not new to ITS, but talking about a problem as being distinct and different from an incident is new. ITS could begin to use the incident and problem terminology across the organization and take steps to differentiate them. Incident Management is about restoring service as quickly as possible. Problem Management is about doing root cause analysis and implementing permanent fixes. ITS should consider defining and documenting an overall Problem Management process. First steps can be taken in the area of reactive Problem Management, where root cause analysis follows a Major Incident or trend analysis is triggered by a reoccurring incident. Then proactive Problem Management can be introduced where problems are identified and permanent fixes implemented before any incidents occur. Service Desk (2.04) Purpose: (1) To provide a single point of contact for Customers. (2) To facilitate the restoration of normal operational service with minimal business impact on the Customer within agreed service levels and business priorities. The Service Desk rated the highest of any process (or function). The UVa Help Desk plays the role of Service Desk for ITS and this function is outsourced to a vendor. The outsourcing plays a key role in the maturity of the Help Desk because using a vendor requires a contract and Service Level Agreement (SLA). The SLA defines the performance metrics and targets for the Help Desk. The Help Desk is well known as the first point of contact for ITS services and for some other services that are not under ITS. There is a clear process for the escalation of incident tickets with all of the referral support groups which is handled through a ticketing and workflow tool. All tickets that are resolved through the ticketing tool generate a customer satisfaction survey for the user to complete. Based on the assessment results, one area that could improve the Service Desk would be additional management reporting. The SLA metrics are published publicly as of October 2011, but additional awareness about their existence would improve assessment ratings. In addition, more management level reporting regarding incident trends that is easily available to ITS resources would be useful. Change Management (1.29) Purpose: To control the lifecycle of all changes, enabling beneficial changes to be made with minimum disruption to IT services. The assessment results for Change Management show its maturity as Initial, but there are clear differences in the results across ITS. Enterprise Applications rated higher on all questions and overall rated above Repeatable which was nearly one point higher than the next group. It is common for application groups to score higher for Change Management on initial assessments. As mentioned 21

earlier, application groups tend to have more well-defined customers with whom they work closely on projects. In addition, the groups under Enterprise Applications are subject to more and tighter audits due to the types of applications they manage. ITS has taken initial steps in Change Management by requiring that changes be logged after they have been completed. ITS should consider implementing a Change Management process where Requests for Change (RFCs) are reviewed and approved prior to implementation. Reviewing RFCs will give ITS the opportunity assess the impact and urgency of each change, its overall risk, the best date and time for the change, and whether multiple changes will impact each other. A Change Advisory Board (CAB) can be established to review the highest level RFCs. Having changes requested in advance will also allow ITS to ensure the necessary support and communications are in place for a change. A report of future changes, known as a Forward Schedule of Change (FSC), can be generated that will let everyone see what upcoming changes may affect their areas. Release and Deployment Management (1.29) Purpose: To plan, schedule, and control the build, test and deployment of releases, and to deliver new functionality required by the business while protecting the integrity of existing services. Like Change Management, Enterprise Applications rated higher than other groups and had a Repeatable rating. This too is not uncommon for application groups especially those that are supporting vendor software solutions such as Oracle or PeopleSoft. It is likely that Enterprise Applications will receive the greatest benefit from a documented Release and Deployment Management process, but infrastructure and custom development teams can also benefit. Implementing Release and Deployment Management will provide accountability at all stages of the deployment process and ensure that release packages are tracked, installed, tested, and verified prior to implementation. It will also ensure that knowledge is transferred to service operation and support functions as well as customers. The Release and Deployment process that is followed by Enterprise Applications can be compared against ITIL best practices to begin the implementation of an organization-wide process. IT Asset and Configuration Management (0.58) Purpose: To ensure that the assets required to deliver services are properly controlled, and that accurate and reliable information about those assets is available when and where it is needed. IT Asset and Configuration Management rated below Initial. ITS would benefit greatly from documenting its Configuration Items (CIs) and their relationships. CIs are any component that needs to be managed in order to deliver an IT service, including other IT services, hardware, software, documentation, buildings, and people. Having a central repository for CIs, or a Configuration Management System (CMS), would allow the organization to better manage it services and make Change Management, Incident Management, Service Level Management, and other processes more effective. 22

Careful thought should be put in to the approach to IT Asset and Configuration Management. Organizations that attempt to document the smallest details in the CMS sometimes find they cannot complete the scope of their implementation. It is recommended that ITS identify the most critical or important services to start with and drill-down only as far as is deemed useful and practical. Then expand to additional services and details in later phases as needed. Service Portfolio Management (0.64) Purpose: To ensure that the service provider has the right mix of services to balance the investment in IT with the ability to meet business outcomes. Service Portfolio rated below Initial. Service Portfolio Management is about managing all of ITSs services including those that are conceptual, those currently being offered to customers, and those that have been retired. Having a process to manage the portfolio will be critical as emphasis is placed on higher education budgets and UVas new budget model is introduced. The VPCIOs organizations have recently undertaken a project to identify the cost of services. This information will provide a tremendous opportunity for ITS to determine what services it provides, how money is invested in each, and lay the groundwork for Portfolio Management. Portfolio Management is a current, named initiative for ITS. ITS rated above Initial for reviewing and retiring services on a regular basis. There is a crossdepartmental team in ITS that meets on a regular basis to discuss the retirement of services. This team has been effective in proposing the retirement of services and managing a list of services to be retired and their status. Service Catalog Management (0.60) Purpose: To provide and maintain a single source of consistent information on all operational services and those being prepared to be run operationally, and to ensure that it is widely available to those who are authorized to access it. Service Catalog Management rated less than Initial. Service Catalog Management is composed of two types of catalogs: a customer-facing Service Catalog and a Technical Service Catalog. Currently, there is a customer-facing Service Catalog available, but it is not current and does not include all ITS services. Enterprise Infrastructure has an internal list of services they offer that is a good input into a Technical Service Catalog and perhaps even a Service Catalog depending on how services are defined. In addition, with the Cost of Services project to identify the cost of services, there is a great opportunity to use the services delineated as part of that as an input to an updated Service Catalog. It is recommended that ITS start with the most important or critical services when updating the Service Catalog and work from there to expand the list. Keeping the list to a manageable size so that it can be properly maintained is advised.

23

Service Level Management (0.38) Purpose: To ensure that all current and planned IT services are delivered to agreed achievable targets. Service Level Management had the lowest rating of all processes and scored Not at all. The main reason for the low rating is that there are few documented Service Level Agreements (SLAs) for ITSs services. ITS has initiated one project to begin the documenting of SLAs and another to implement a SLA process to keep the SLAs current after the have been negotiated and agreed upon. For some services, ITS has documented Service Level Requirements such as maintenance windows. The challenge will be to negotiate and measure service level metrics such as availability and reliability which have not been done before. These will be important tools for managing ITS services and customer expectations.

References
Executive Briefing: The Benefits of ITIL, Maggie Kneller, The Stationary Office, 2010. ITIL: The Basics, Valerie Arraj, Official Accreditor of the OGC ITIL Portfolio: APM Group Limited, 2010. ITIL v3 Service Strategy, Office of Government and Commerce, London: TSO, 2011. ITIL v3 Service Design, Office of Government and Commerce, London: TSO, 2011. ITIL v3 Service Transition, Office of Government and Commerce, London: TSO, 2011. ITIL v3 Service Operation, Office of Government and Commerce, London: TSO, 2011. ITIL v3 Continual Service Improvement, Office of Government and Commerce, London: TSO, 2011. CMMI for Services, Version 1.2, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, 2009.

Author
This assessment was conducted and prepared by: Dave Strite, ITIL Expert Director, Help Services Information Technology Services University of Virginia drs4h@virginia.edu

24