IT Best Practices With ITIL

Consultants and contractors with ITIL expertise, as well as nonprofit organizations like itSMF (IT Service Management Forum) and ITPI (Information Technology Process Institute), say the benefits of ITIL include lower IT operating, start-up and resource costs, fewer network and system errors, shorter MTTR (mean time to repair) and longer MTBF (mean time between failures).

Taxing Taxonomy

ITIL has a well-defined but complex taxonomy. This Workshop offers an overview of the ITIL framework--to serve business needs successfully and predictably, you must commit ample time and resources toward studying, implementing and maintaining ITIL.

ITIL's best practices fall into seven groups: service support, service delivery, infrastructure management, planning to implement service management, application management, business perspective and security management. We'll delve deepest into service support and delivery--these offer the best way to begin understanding ITIL.Service support is the set of day-to-day operational tasks needed to keep track of change in an IT organization. It comprises five basic disciplines: configuration management, problem management, change management, helpdesk and software control and distribution.

Configuration management involves placing all IT configuration data in a repository called the CMDB, which may be either a single database or a confederation of databases. This data includes information about an asset's importance, such as whether it's a centralized router, a server in a pool or an edge switch.

Like most inventory systems, the CMDB will typically use "make," "model" and "serial number" fields. Other fields may include "status" and "relationship."

Status describes the procurement life of an asset, using terms like "ordered," "testing," "obsolete" and "stolen." Such classifications help you track whether an asset is doing meaningful work, or whether it requires attention or is no longer involved in production operations.

Relationship mapping defines the asset's importance and impact, telling you, for example, what the asset is connected to, where it's resident and whether it's being used by another device. Often, the knowledge of how network devices are connected, or what server is running which applications, is held only by IT staffers. This CMDB relationship connection at the highest level attempts to map services, such as e-mail, onto a supporting infrastructure like Microsoft Exchange or SMTP. These services are then mapped onto servers, which rely on operating systems, hardware and network connections. Documenting relationships lets senior IT folks devote more time to development, while making it easier for less experienced IT people to handle incidents.Vendors can create and leverage the CMDB database. Opsware and Tripwire, for example, both create asset entries with the CMDB in mind. Asset-management vendors, which scan and inventory desktops, servers and network infrastructures, will use CMDB to create targets for configuration backup and software delivery. Service-management vendors such as Managed Objects already leverage their data integration and collection across third-party vendors to create CMDBs. And service-support products such as FrontRange Solutions' HEAT service-desk package can read an existing CMDB to identify impact, send alerts and track changes.

The second ITIL best-practice task for configuration management is access control. This specifies who can change a record in the CMDB for a device or group of devices. The third task is recording and maintaining the status of every asset in the CMDB, an obvious task and one that should be automated using network- and systems-management software. The final task is auditing and verifying the CMDB to assure its accuracy.

ITIL incident and problem management maps closely to what operators in an NOC do all day--identifying, finding and fixing faults. Remember: Incidents are single events that are indicative of a larger problem. The root cause of an incident is resolved and recorded during the problem-management process, and it can help you sleuth a real underlying problem. The goals of ITIL's problem-management discipline are preventing recurrences and doing preventive maintenance to avoid failures.

Change management, meanwhile, is something many IT organizations currently employ. It involves planning for change and recognizing its impact and benefit. In addition, change management encompasses testing, as well as devising backout plans in case a change fails.

Helpdesk is the front line of IT service, and many organizations already have helpdesks in place. It's part incident coordination and logging, and part diagnostics. This discipline puts a face on IT and gives users a voice.The final ITIL service-support discipline is software control and distribution, aka release management (depending on who you talk to). It involves software-feature development, installation and software-distribution planning. This may sound like a desktop-management suite, but it isn't. Rather, it's about the IT tasks that use desktop management.

The second ITIL core group is service delivery. This encompasses best practices for planning, including service-level management, capacity management, contingency planning, availability management and cost management for IT services.

Service-level management, according to ITIL, is the central purpose of IT. Though it may seem obvious, that philosophy de-emphasizes technology and puts control in the hands of business customers. SLM is sometimes considered synonymous with service-level agreements, but SLAs are basically an outcome of SLM. ITIL further defines service-contract maintenance: for example, outlining for customers what services you'll manage, as well as planning growth and establishing priorities for service delivery and remediation.

Capacity management defines monitoring, forecasting, sizing and modeling so you can determine what resources you need to meet SLM guidelines. Performance monitoring--the collection of statistical usage data--is paramount to this process, requiring instrumentation in the network, systems and applications in order to collect the data. But it's only a piece of the capacity-management puzzle. ITIL also defines how to apply this data to the services being delivered, and helps you project any additional IT resources (people, computers and software) that may be needed to deliver new or altered services.

Contingency planning is designed to help you restore operational services as quickly as possible and to maintain services even during a failure. This disaster-recovery planning attempts to identify all possible failures and then formally define recovery actions.ITIL's availability management, meanwhile, digs into the details of an SLA. This includes uptime percentages and MTTR values, but it also involves things like the number of calls to the helpdesk, the number of supported users, and report creation and distribution to business customers, as well as cost and service violation penalties.

Cost management for IT services is the final broad category of ITIL service delivery. Here, people, hardware and software are figured into the capital and ongoing costs to provide IT services.

Need Help?

With regulatory pressures pushing IT toward ITIL, a standard for ITIL compliance is now available from the OCG: BS 15000 is a set of certified specifications designed along the same lines as ISO 9000, where an enterprise seeks to obtain ITIL certification. It doesn't specify certification for vendor products, however: Vendors selling products such as service-desk and asset-management tools can advertise their wares as having ITIL features, but not that they're ITIL-certified.There are plenty of products and consultancies offering ITIL verification (see "Sites to See," below). This isn't certification, but consulting and training. These organizations can provide audits that conclude whether your organization's IT practices appear to be ITIL-compliant.

Vendors also can get some ITIL peace of mind: Pink Elephant, for example, offers ITIL verification (not certification) to vendors, for a price, and publishes the criteria it uses in PinkVerify, its verification service. The company also offers a do-it-yourself survey that provides a snapshot of ITIL compliance. And the itSMF site has a self-evaluation for both vendors and enterprises that gives some basic verification of ITIL compliance.

But ITIL is no silver bullet. It's more an encyclopedia of all possible best practices, consisting of code books that cost a couple of hundred bucks apiece. You can't use all the ITIL documents as one big cookbook. Instead, think of ITIL as a raw repository of best practices from which you can pick and choose to fit your organization.

Bruce Boardman, executive editor of Network Computing, tests and writes about network management and systems. Write to him at [email protected].

Find the IT Infrastructure Library a bit daunting? For guidance on how to implement its best practices, pick up a copy of The Visible Ops Handbook: Starting ITIL in Four Practical Steps, published by ITPI (Information Technology Process Institute).Step 1 calls for containing firefighting by severely limiting access and change. This reduces the number of unplanned, unknown changes and shortens diagnostic time during failures.

In Step 2, you take inventory. That means finding out what's out there in software, hardware and applications, then determining which of your failed systems will really be a pain to get running again--for example, the server set up two years ago by the consultant who's moved to Bolivia.

Step 3 entails creating a repeatable configuration for all IT assets. It also includes managed change and release management so the repeatable configuration images remain accurate.

In Step 4, you develop a process for continuously refining this change and release management. The object is to get IT planning and designing on the front end of change so you can avoid problems altogether.