[policy name] - procurepoint | one place for all nsw ... · web viewself-service administration...
Post on 25-Apr-2018
218 Views
Preview:
TRANSCRIPT
ITSM Service Design Standard
CONTENTS
1. CONTEXT 3
1.1. Background 3
1.2. Purpose 3
1.3. Scope and application 3
1.4. Policy context 3
1.5. The ICT Services Catalogue 4
2. KEY PRINCIPLES 4
3. REQUIREMENTS 5
3.1. ITSM Service Design 5
3.2. Service level and complexity 5
3.3. Requirements tables 5
3.3.1 ITSM Service Design – Use Cases / Scenarios 6
3.4. Elements of this standard 7
3.4.1 ITSM Service Design requirements 7
3.4.2 Service Management requirements 10
DOCUMENT CONTROL 12
APPENDIX A – ABBREVIATIONS AND DEFINITIONS 13
APPENDIX B – REFERENCES 14
APPENDIX C – STANDARDS 15
Developing technical standards 15
Management and implementation 15
APPENDIX D – SAMPLE KEY PERFORMANCE INDICATORS 16
ITSM Service Design Standard
1. CONTEXT
1.1. Background This is a technical standard developed through the NSW ICT Procurement and Technical Standards Working Group. The standard contains technical and functional requirements that agencies should consider when procuring IT Service Management (ITSM) Service Design solutions.
By defining the necessary and common elements across agencies the standard provides an opportunity to leverage the buying power of Government as a whole, improve procurement efficiency and increase interoperability.
1.2. PurposeThe purpose of this standard is to assist NSW Government agencies to develop, procure and implement ITSM Service Design solutions and tools, as well as take full advantage of their benefits. This standard also helps agencies procure in a strategic manner that reflects the NSW Government’s priorities as outlined in the NSW Government ICT Strategy.
This standard details the issues that need to be considered so each agency can identify the available options that best suit their business requirements, helping agencies achieve value for money through cost savings and improved flexibility of service offerings.
1.3. Scope and applicationThis standard applies to all NSW Government departments, statutory bodies and shared service providers. It does not apply to state owned corporations, but is recommended for their adoption.
For the purposes of this standard, ITSM Service Design is defined as:
The design of new or changed services for introduction into the live environment.
This standard sets out service definitions as minimum requirements that vendors must meet to be able to offer their services through the NSW ICT Services Catalogue. Agencies should consider any specific operational or regulatory factors that impact their requirements, and specific requirements they have in addition to those detailed in this standard.
1.4. Policy contextThe NSW Government ICT Strategy and Digital + 2016 Final Update set out the Government’s plan to: build capability across the NSW public sector to deliver better, more customer-focused services that are available anywhere, anytime; and to derive increased value from the Government’s annual investment in ICT.
Developing whole of NSW Government ICT technical standards is a key initiative of the NSW Government ICT Strategy, driven by the ICT Procurement and Technical Standards Working Group. These standards leverage principles defined in the NSW Government ICT Strategy and the NSW Government Cloud Policy, and they support the NSW ICT Services Catalogue.
The standards set out service definitions as minimum requirements that vendors must meet to be able to offer their services through the NSW Services Catalogue. This helps achieve consistency across service offerings, emphasising a move to as-a-service sourcing strategies in line with the NSW Government ICT Strategy, and it signals government procurement priorities to industry.
ITSM Service Design Standard
Solutions should also assist agencies in their alignment with the NSW Government Enterprise Architecture (NSW GEA), which encompasses all aspects of enterprise architecture activity at the business, information, application and technology infrastructure layers. The NSW GEA is about providing direction and practical guidance to accelerate the development of agency EA capability and enabling a common, intra and inter agency approach to the design of digital government.
This standard should be applied along with existing NSW Government policies and guidance, including the NSW Digital Information Security Policy. More information on the process for the development of standards that populate the ICT Services Catalogue is at Appendix C – Standards.
1.5. The ICT Services CatalogueThis catalogue provides suppliers with a showcase for their products and services, and an opportunity to outline how their offerings meet or exceed standard government requirements. The standards, together with supplier service offerings, help to reduce red tape and duplication of effort by allowing suppliers to submit service details only once against the standards. The offerings are then available to all potential buyers, simplifying procurement processes for government agencies.
Implementing this category management approach will embed common approaches, technologies and systems to maintain currency, improve interoperability and provide better value ICT investment across NSW Government.
2. KEY PRINCIPLESThis standard is informed by the following principles:
End-to-end digital: Service Design solutions should enable end-to-end digital business processes and management.
Control technical diversity: Service Design solutions should help control technical diversity to minimise costs associated with maintaining expertise in and connectivity between multiple processing environments.
Data security: Meet any applicable requirements of the NSW Digital Information Security Policy and ISO 27001.
Technology currency: Solutions should be designed to maintain technology currency for key systems, and to maintain a pace that aligns with business context and risk profile.
Facilitating as a service: Service Design solutions should facilitate the agency transition to as a service, and ensure agency alignment with broader NSW ICT Strategy.
Interoperability: Service Design solutions should meet applicable recognised open standards across the elements of compute, storage, network, and pre-production and testing.
Business continuity: Service Design solutions should meet business continuity requirements, particularly with transition in and out (see the NSW Digital Information Security Policy and ISO 27031-2011 for more guidance).
ITSM Service Design Standard
3. REQUIREMENTS
3.1. ITSM Service DesignWhen considering any aspect of ITSM Service Design (as defined in this standard) an agency must consider the Service Management aspects of the service(s) on offer.
The following ITSM Frameworks can be considered when assessing requirements for ITSM Service Design:
ITIL IT4IT ISO/IEC 20000 Business Process Framework (eTOM) COBIT FitSM Microsoft Operations Framework (MOF)
3.2. Service level and complexityThe following requirements use case tables are separated into three service levels – silver, gold and platinum, reflecting the complexity of the ITSM Service Design solution required:
Silver: Offerings that conform to a minimum number of processes of an identified ITSM methodology.
Gold: Offerings that conform to an identified ITSM framework and updated by the solution provider to reflect changes to the nominated ITSM methodology.
Platinum: Offerings that conform with the NSW Government Standard Business Processes. Solutions to this level must be able to adapt and change at no extra cost to agencies to the evolving requirements defined.
3.3. Requirements tablesThe following tables set out the recommended business and technical requirements for NSW Government. They provide a consistent approach for all NSW Government agencies regardless of their size.
Key to table requirements:
Required Optional, but beneficial
Explanations for each element of the following use cases are provided at section 3.4.
ITSM Service Design Standard
3.3.1 ITSM Service Design – Use Cases / Scenarios
‘Use cases’ for ITSM Service Design that are anticipated in agencies are included in the table below. The corresponding requirement sections of this standard are ticked in the columns.
Use Case / ScenarioITSM Service Operations
ITSM Service Design Service Management
Desig
n Co
ordi
natio
n
Serv
ice
Cata
logu
e M
anag
emen
t
Serv
ice
Leve
l Man
agem
ent
Risk
Man
agem
ent
Capa
city
Man
agem
ent
Avai
labi
lity
Man
agem
ent
IT S
ervi
ce C
ontin
uity
M
anag
emen
t
Info
rmati
on S
ecur
ity
Man
agem
ent
Com
plia
nce
with
NSW
Go
vern
men
t St
anda
rd
Busin
ess p
roce
sses
Self-
serv
ice
adm
inist
ratio
n
Full-
serv
ice
adm
inist
ratio
n
Clou
d co
mpl
iant
hos
ting
faci
lity
NSW
Gov
ernm
ent D
ata
Cent
re
Ons
hore
/offs
hore
m
anag
emen
t
Serv
ice
leve
l man
agem
ent
Mul
ti-se
rvic
e br
oker
pro
visio
n
Silver -
Gold -
Platinum
6
ITSM Service Design Standard
3.4. Elements of this standard
3.4.1 ITSM Service Design requirements
Generic considerations for ITSM Service Design may include the provision of the following components. Solutions that should address the overarching Service Design element are included in the service requirements below:
Generic Service Design Requirements Silver Gold Platinum
Management of service lifecycle stages SLA/OLA contractual and supplier measurement reporting and management
Consolidated views across all processes, systems, technologies and groups
A configuration management system (CMS)
A service knowledge management system (SKMS) Full integration of services across service provider(s) -
Central service design authority -
(a) Design Coordination
Providing and maintaining a single point of coordination and control for all activities and processes within the design stage of the service lifecycle. Solutions that should address the Design Coordination element are included in the service requirements below:
Design Coordination Requirements Silver Gold Platinum
Integration with other ITSM processes
Service Design Packaging -
Standardised design framework -
(b) Service Catalogue Management
Provide and maintain and single source of consistent information on all operational services and those being prepared to run operationally, whilst ensuring it is accessible to authorised users. Solutions that should address the Service Catalogue Management element are included in the service requirements below:
Service Catalogue Requirements Silver Gold PlatinumConfiguration Management System (CMS) Integration
Pre-packaged Standard Catalogue
ERP Integration
Service Lifecycle management and support -
Business agreement management -
Design Service Content Framework -
7
ITSM Service Design Standard
(c) Service Level ManagementTo ensure that all current and planned IT services are delivered to agreed achievable targets. Solutions that should address the Service Level Management element are included in the service requirements below:
Service Level Management Requirements Silver Gold Platinum
Service and SLA Reporting Measuring and monitoring SLAs/OLAs/underpinning contracts
Integration with other ITSM processes
Service Performance Dashboard -
SLA frameworks -
Customer Satisfaction survey management -
(d) Risk Management
Solutions that should address the Risk Management element are included in the service requirements below:
Risk Management Requirements Silver Gold Platinum
Risk Management Framework
Risk management templates -
(e) Capacity Management
Ensure the capacity of IT services and IT infrastructure meets the agreed capacity and performance-related requirements in a cost-effective and timely manner. Solutions that should address the Capacity Management element are included in the service requirements below:
Capacity Management Requirements Silver Gold Platinum
Capacity Management Monitoring and Measuring
Capacity Management Reporting
Capacity Management Trend analysis/Forecasting -
Integration with other ITSM processes -
(f)Availability Management
Ensure that the level of availability delivered in all IT services meets agreed availability needs and/or service level targets in a cost-effective and timely manner. Solutions that should address the Availability Management element are included in the service requirements below:
Availability Management Requirements Silver Gold Platinum
Availability Management Monitoring
Availability Management Reporting
CMS Integration -
Integration with other ITSM processes -
8
ITSM Service Design Standard
Supplier Serviceability assessment -
(g) IT Service Continuity Management
To support the overall business continuity management (BCM) process by ensuring that, high impact risks that could seriously affect IT services are managed, and the IT service provider can always provide minimum agreed business continuity-related service levels. Solutions that should address the IT Service Continuity Management element are included in the service requirements below:
IT Service Continuity Management Requirements Silver Gold Platinum
Recovery capabilities to support continuity plans
Integration across other ITSM processes -
Business Continuity Testing -
Crisis Management -
(h) Information Security Management
To align IT security with business security, ensuring confidentiality, integrity and availability of organisational assets, information, data and IT Services always matches the agreed business needs. Solutions that should address the Information Security Management element are included in the service requirements below:
Information Security Management Requirements Silver Gold PlatinumInformation Security Controls, Monitoring and Measuring
Information Security Reporting
Legislative Compliance
Access Control
Security management information systems
Integration across other ITSM processes -
IT Security Framework -
3.4.2 Service Management requirements
(i) Compliance with NSW Government Standard Business Process
Solutions that wish to comply with this element (for Platinum services) must accept full and ongoing compliance with the current version(s) of the NSW Government Standard Business Processes. To be endorsed against this element, suppliers must meet the following requirements:
Compliance with NSW Government Standard Business Processes
Silver Gold Platinum
The supplier’s solution meet all requirements in the appropriate standard(s), related materials and process artefacts as defined within the NSW Government Standard Government Processes
- -
Sign a legal contract under the ProcureIT framework related to the appropriate standard(s) - -
9
ITSM Service Design Standard
Pay for cost of on-going (annual) certification against the relevant standard(s) - -
(j) Self-service administration
The ability to automatically provision and de-provision for all agency resources within the system, together with other appropriate administration and management tasks that can be delegated from the service provider that do not impinge on the solution being provided to other customers.
(k) Full-service administration
All provisioning, de-provisioning, together with all other administration and management tasks required to operate the environment, are provided as part of the service offering. The only exception will be service management of the provider which remains the sole responsibility of the initiating agency.
(l) Cloud compliant hosting facility
All relevant cloud services for the solution may be provisioned from a compliant hosting facility. A compliant hosting is defined as having the following attributes and/or capabilities:
The location of the hosting facility must be identified either by name and/or location (city and country) in any response.
The hosting location cannot be changed without first informing the agency concerned.
The service provider undertakes, maintains and provides access to SSAE 16 Service Organization Control (SOC) Type II reports (or equivalent) for the services and facilities in scope for the engagement.
The hosting facility must comply with minimum Tier 3, as defined by the Uptime Institute, ANSI TIA-942, or an equivalent industry standard.
The hosting facility must be certified against ISO 27001; compliance with the following international standards is desirable:
o ISO 9001
o ISO 27002
o ISO 20000-1:2011
o ISO 14001
Other desirable certifications may include, but are not limited to:
o PCI-DSS v3.0 or later
o Australian Signals Directorate
o ASIO-T4
o Uptime Institute
o CSA
Also consider contractual obligations relating to the service provider allowing security assessments and treatment of outcomes as agreed with the client.
If the hosting facilities changes to a location that is deemed unacceptable either to NSW Government or to the agency and/or loses attributes and/or capabilities identified above, the agency may need to consider termination of services.
(m) NSW Government Data Centre
10
ITSM Service Design Standard
All relevant services for the solution may be provisioned from one or both NSW Government Data Centre(s) (GovDC). Depending on the service offering and agency requirements, it may be possible to ‘burst’ some elements of services to other location(s), subject to agreement with the commissioning agency.
Burst data centres must be deemed ‘compliant’. If the ‘burst’ data centre facilities change to a location that is deemed unacceptable either to NSW Government or to the agency, the agency may need to re-examine the ‘burst’ service or the full service.
(n) Onshore/offshore management
All solution providers must be able to articulate where their services will be provided from, including any remote support services.
For example, with a ‘follow the sun’ support model: the locations of each of their support sites around the globe need to be identified any changes to these need to be communicated to the customer agency promptly if this causes issues, the agency has the right to cancel the service with appropriate
notification.
(o) Service level management
Agencies will retain ultimate responsibility for service level management in any solutions engagement which would ordinarily be covered by a Service Level Agreement (SLA). Agencies, service-brokers and solution providers need to agree all SLA reporting and other related activities as part of any transition-in process.
(p) Multi-service broker provision
Any solution provider must work within the confines of a multi-service provider environment where either the agency or nominated provider will perform broker service provision. This will be defined as one provider being made accountable for the provision of all associated services, whether these are provided by the provider itself, or other third-party providers.
11
ITSM Service Design Standard
DOCUMENT CONTROL
Document historyStatus: Draft
Version: 1.0
Approved by:
Approved on: ?? 2016
Issued by: IDG Policy and Innovation, ICT & Digital Government Division, Department of Finance, Services & Innovation (DFSI)
Contact: IDG Policy and Innovation, ICT & Digital Government Division, Department of Finance, Services & Innovation (DFSI)
Email: standards@finance.nsw.gov.au
Telephone: (02) 9372 7445
Review This standard will be reviewed as required.
12
ITSM Service Design Standard
APPENDIX A – ABBREVIATIONS AND DEFINITIONS
AIIA Australian Information Industry Association
ASD Australian Security Directorate
ASIO Australian Secret Intelligence Organisation
CSA Canadian Standards Association
GovDC Government Data Centre
ICT Information & Communication Technology
ISO/TC International Organization for Standardization / Technical Committee
IT Information Technology
MAM Mobile Application Management
MDM Mobile Device Management
OS Operating System
PCI-DSS Payment Card Industry – Data Security Standard
PTS Procurement & Technical Standards
RTCE Real Time Collaborative Editing
SLA Service Level Agreement
Term Definition
13
ITSM Service Design Standard
APPENDIX B – REFERENCES Agencies should have regard to the following statutes, NSW Government policies and standards:
AS/NZS ISO 31000 Risk management – Principles and guidelines Electronic Transactions Act 2000 Government Information (Public Access) Act 2009 Health Records and Information Privacy Act 2002 ISO 27031-2011 Information technology – Security techniques – Guidelines for information and
communication technology readiness for business continuity ISO 27001 Information technology – Security techniques – Information security management systems
– Requirements ISO 24762 – IT Security Techniques – Guidelines for ICT Disaster Recovery Services NIST Definition of Cloud Computing SP800-145 NSW Government Digital Information Security Policy NSW Government Open Data Policy NSW Government Cloud Policy NSW Government Standard for Data Quality Reporting NSW Government ICT Strategy NSW Government Digital + 2015 Final Update NSW Government Information Classification, Labelling and Handling Guidelines NSW Procurement: Small and Medium Enterprises Policy Framework Privacy and Personal Information Protection Act 1998 Public Finance and Audit Act 1983 Public Interest Disclosures Act 1994 State Records Act 1998 TPP 09-05 - Internal Audit and Risk Management Policy for the NSW Public Sector
14
ITSM Service Design Standard
APPENDIX C – STANDARDS
Developing technical standardsDevelopment of a standard begins with identifying the need for a new standard, which is followed by the development of the standard in consultation with the industry and experts groups, including the Australian Information Industry Association (AIIA).
The following diagram outlines the process.
The ICT Procurement and Technical Standards Working Group (PTS Working Group) is chaired by the Department of Finance, Services & Innovation and includes senior representation from across NSW Government.
Agencies engage with the PTS Working Group concerning services for inclusion in the ICT Services Catalogue. This drives the development of technical standards, where none exist. The PTS Working Group has the leading role in reviewing and endorsing the technical standards developed in response to agencies’ requirements.
The PTS Working Group is supported by two sub-groups responsible for the areas of Telecommunications and Services and Solutions. The sub-groups are responsible for initial development and review of standards relating to their areas of responsibility.
Management and implementationThere is scope to modify standards through the NSW Government ICT governance arrangements as necessary. Standards are designed to add value, augment and be complementary to, other guidance, and they are continually improved and updated.
This standard does not affect or override the responsibilities of an agency or any employee regarding the management and disposal of information, data, and assets. Standards in ICT procurement must also address business requirements for service delivery.
NSW Procurement facilitates the implementation of the standards by applying them to the goods and services made available through the ICT Services Catalogue.
15
Need for new or amended standard
identified
Standard developed (Industry/agencies
consulted)
Standard approved and released by PTS
Working Group
Market engagement for services which meet the standard
Services added to Catalogue
Business requirements change
ITSM Service Design Standard
APPENDIX D – SAMPLE KEY PERFORMANCE INDICATORS
Key Performance Indicator (KPI) Definition
Service Level Management
Services covered by SLAs # services covered by SLAs
Services covered by OLAs/ UCs # services where SLAs are backed up by corresponding OLAs/ UCs
Monitored SLAs # monitored services/ SLAs, where weak-spots and counter-measures are reported
SLAs under review # services/ SLAs which are regularly reviewed
Fulfilment of service levels # services/ SLAs where the agreed service levels are fulfilled
# service issues # issues in the service provision, identified and addressed in an improvement plan
Capacity Management
Incidents due to capacity shortages
# incidents occurring because of insufficient service or component capacity
Exactness of capacity forecast Deviation of predicted capacity development from actuals
Capacity adjustments # adjustments to service and component capacities due to changing demand
Unplanned capacity adjustments # unplanned increases to service/component capacity due to capacity bottlenecks
Resolution time of capacity shortage Resolution time for identified capacity bottlenecks
Capacity reserves % capacity reserves at times of normal and maximum demand
% capacity monitoring % services and infrastructure components under capacity monitoring
Availability Management
service availability Availability of IT Services relative to agreed SLAs/OLAs
# service interruptions # service interruptions
Duration of service interruptions Average duration of service interruptions
Availability monitoring % services and infrastructure components under availability monitoring
Availability measures # implemented measures with the objective of increasing availability
IT Service Continuity Management
Business processes with continuity agreements % business processes covered by explicit service continuity targets
Gaps in disaster preparation # identified gaps in preparation for disaster events (major threats without any defined counter measures)
Implementation duration Duration from the identification of disaster-related risk – implementation of suitable continuity mechanism
# disaster practices # disaster practices actually carried out
# identified shortcomings during disaster practices
# identified shortcomings in preparation for disaster events identified during practices
16
ITSM Service Design Standard
Key Performance Indicator (KPI) Definition
Information Security Management
# implemented preventive measures
# preventive security measures implemented in response to identified security threats
Implementation duration Duration from identification of security threat to implementation of suitable counter measure
# major security incidents # identified security incidents, classified by severity category
# security-related service downtimes # security incidents causing service interruption/reduced availability
# security tests # security tests and trainings carried out
# identified shortcomings during security tests
# identified shortcomings in security mechanisms identified during tests
Supplier Management
# agreed UCs % contracts underpinned
# contract reviews # conducted contract and supplier reviews
# identified contract breaches # contractual obligations not fulfilled by suppliers (identified during contract reviews)
18
top related