USG Information Technology Handbook
Version 2.9.6
6/2/2022
SENSITIVE

Abstract: The USG Information Technology Handbook’s primary purpose is to set forth the essential standard components USG organizations must follow to meet the statutory or regulatory requirements of the federal government, state government, Board of Regents (BOR) policy, and information technology and cybersecurity best practices. Secondly, it is designed to provide new IT professionals within the USG the necessary information and tools to perform effectively. Finally, it serves as a useful reference document for seasoned professionals at USG organizations who need to remain current with changes in federal and state law and BOR policy.


Introduction

The University System of Georgia (USG) comprises public institutions of higher learning, the University System Office, the Georgia Public Library System (GPLS), the Shared Services Center (SSC), the Georgia Archives and the Georgia Film Academy; these are hereinafter referred to as USG organizations. These USG organizations represent the rich diversity of a state system spanning the full spectrum of educational and research offerings. This manual respects the diversity of USG organizations while providing guidance on information technology (IT) operations within the USG.

Version Control

Date Version Description of Change

04/18/2016 1.0 Section 4.

05/02/2016 2.0 PDF, structure and format, initial redesign referenced in a new structure and format.

05/17/2016 2.1 Section 5.12.

05/27/2016 2.2 Section 3.

11/1/2016 2.3 As of Nov. 1, 2016, the department name changed to Cybersecurity; Section 5.13; Section 5.

11/17/2016 2.4 Section 1.3.2; Section 4.

05/15/2017 2.5 Section 1.2, Section 1.3, Section 3.0, Section 3.1, Section 3.2, Section 3.3, Section 5.3, and Section 5..

09/07/2017 2.6 Section 5

09/07/2017 2.7 Section 5

01/02/2019 2.8 Section 5.

03/18/2019 2.9 Migrated to MS Word format, Export to PDF. Relocated Section 9 to the BPM. Value added Appendix: References, Glossary, Acronyms, and Index. Updated BOR policy reference from section 11 to section 10.

02/24/2020 2.9.1 Section 5.3, Section 5.9, Section 5.10, and Section 3.1.2.

04/30/2020 2.9.2 Section 3.1.2, Section 3.3.1, Section 5.1.1, Section 5.1.2, Section 5.3.1, Section 5.5, Section 5.5.2, Section 5.5.5, Section 5.10.1, Section 5.11.7, Section 5.13, Section 5.14, and Section 5.14.5.

07/08/2020 2.9.3 Section 3.1, Section 3.3, Section 5, Section 5.3, and Section 6. Entire Document, Performed a “harmful language” review.

12/18/2020 2.9.4 Entire Document, “Critical Systems” renamed to “Mission-Critical Systems” alignment to BPM, Section 3, Section 4.1.1, Section 5.1, and Section 5.2.

07/15/2021 2.9.5 Entire Document, Updated Index, Section 5.3, Section 5.5, Section 5.7, Section 5.12, Section 5.14, Section 5.15, Section 7.1, and Section 10.

06/02/2022 2.9.6 Section 3.1.2, Section 3.2, Section 3.5, Section 5.1.4, Section 5.5.2, Section 5.8, Section 5.12, Section 5.14.5, and Section 8.

Scope

This standard applies to USG organizations and to suppliers and affiliates under contract with the USG that access, store, or process protected information.

Implementation and Applicability

A system-wide or enterprise approach to IT operations and cybersecurity operations shall be adopted by USG organizations. It is expected that cybersecurity compliance will be embedded into each organization’s cybersecurity plan. All compliance efforts will be focused on supporting the organization’s objectives. Therefore, USG organizations’ executive leaders, or their designees, shall determine the direction of and develop the organization’s cybersecurity plans, standards and guidelines to:

  • Identify and document applicable policies, procedures, laws, and regulations.
  • Establish the roles and responsibilities necessary to manage an information technology and cybersecurity program.
  • Appoint skilled personnel into the identified roles.
  • Communicate the importance of policies, standards and guidelines as defined in the BOR Policy Manual, Section 10.
  • Submit annually the Cybersecurity Program Review and required reporting as defined by the BOR Policy Manual, Section 10.4.

Companion Documentation

USG Cybersecurity shall develop and publish companion documentation to enhance the USG IT

Handbook or provide supporting documentation (e.g., templates, risk registers, system risk assessment tools and project tracking tools) to aid in the development of organizational plans and procedures.

Exceptions

Exceptions to any standard, procedure or guideline set forth in the USG IT Handbook shall be at the discretion of, and approved in writing by, the USG CIO or the USG Chief Information Security Officer (USG CISO), with executive review and approval. In each case, USG organizations or vendors must complete and submit an Exception Request Form (access to the form is restricted to authorized users) stating the need, scope and extent of the exception, the safeguards to be implemented to mitigate risk, the specific timeframe, the requesting organization and management approval. Contact USG Cybersecurity to obtain more information. Denials of exception requests may be appealed.

Definitions

The following definitions of Shall, Will, Must, May, May Not, and Should are used throughout this USG IT Handbook.

  1. Shall, Will and Must indicate a legal, regulatory, standard or policy requirement. Shall and Will are used for persons and organizations. Must is used for inanimate objects.
  2. May indicates an option.
  3. May Not indicates a prohibition.
  4. Should indicates a recommendation that, in the absence of an alternative providing equal or better protection from risk, is an acceptable approach to achieve a requirement.
Table of Contents

  • Introduction
    • Version Control
    • Governance, Compliance and Authority
    • Scope
    • Implementation and Applicability
    • Companion Documentation
    • Exceptions
    • Definitions
    • Table of Contents
    • Table of Figures
  • Section 1 Information Technology (IT) Governance
    • Section 1.0 Introduction
    • Section 1.1 Chief Information Officer Role and Responsibilities
    • Section 1.2 Governance Structure
      • 1.2.1 Shared Governance Framework
      • 1.2.2 Strategic Alignment
    • Section 1.3 IT Organization, Roles, Responsibilities and Processes
      • 1.3.1 Organization
      • 1.3.2 IT System Ownership Roles and Responsibilities
    • Section 1.4 Strategic Planning
      • 1.4.1 Technology Direction Planning
      • 1.4.2 Standards and Quality Practices
      • 1.4.3 Development and Acquisition Standards
    • Section 1.5 Resource Management
  • Section 2 Project and Service Administration
    • Section 2.0 Introduction
    • Section 2.1 Service Administration
      • 2.1.1 Service Level Management Framework
      • 2.1.2 Definition of IT Services
      • 2.1.3 Service Support
    • Section 2.2 Project Administration
      • 2.2.1 Initiation
      • 2.2.2 Planning
      • 2.2.3 Execution
      • 2.2.4 Monitoring and Controlling
      • 2.2.5 Closing
    • Section 2.3 Project Documentation Templates
      • 2.3.1 Project Scope
      • 2.3.2 Change Management Plan
      • 2.3.3 Project Risk Management Plan
  • Section 3 Information Technology Management
    • Section 3.0 Introduction
    • Section 3.1 Information System User Account Management
      • 3.1.1 Information System User Account Management
      • 3.1.2 Managing Multifactor Authentication
    • Section 3.2 Log Management
      • 3.2.1 Purpose
      • 3.2.2 Objective
      • 3.2.3 Requirements
    • Section 3.3 Continuity of Operations Planning
      • 3.3.1 USG Continuity of Operations Planning Standard
    • Section 3.4 Network Services
      • 3.4.0 Purpose
      • 3.4.1 Network Services Standard
    • Section 3.5 Configuration Management
      • 3.5.1 Configuration Management Plan Requirements
  • Section 4 Financial and Human Resource Management
    • Section 4.0 Introduction
    • Section 4.1 Technology Procurement Approval Process
      • 4.1.1 Spending Limits
      • 4.1.2 IT Procurement Policies
      • 4.1.3 Requesting Approval
    • Section 4.2 Financial Management
    • Section 4.3 Human Resource Management
  • Section 5 Cybersecurity
    • Section 5.0 Cybersecurity Charter
    • Section 5.1 Cybersecurity Program
      • 5.1.1 Organizational Responsibilities
      • 5.1.2 Cybersecurity Program Plan Requirements
      • 5.1.3 Policy and Procedure Management Requirements
    • Section 5.2 Appropriate Usage Standard
      • 5.2.1 Appropriate Usage Requirements
      • 5.2.2 Mobile Workforce Requirements
      • 5.2.3 Enforcement
    • Section 5.3 Cybersecurity Incident Management
      • 5.3.1 Cybersecurity Incident Response Plan Requirements
      • 5.3.2 Cybersecurity Incident Reporting Requirements
      • 5.3.3 Cybersecurity Events/Incidents Involving Personal Information
      • 5.3.4 Cybersecurity Events/Incidents Involving Suppliers
    • Section 5.4 Information Asset Management and Protection
      • 5.4.1 Information Asset Management Requirements
      • 5.4.2 Information Asset Protection Requirements
    • Section 5.5 Risk Management
      • 5.5.1 Organizational Responsibilities
      • 5.5.2 Cybersecurity Risk Management Plan Requirements
      • 5.5.3 Defining Risk Tolerance
      • 5.5.4 Risk Assessment and Analysis Requirements
      • 5.5.5 Risk Register
    • Section 5.6 Information System Categorization
      • 5.6.1 Purpose
      • 5.6.2 Requirements
    • Section 5.7 Classification of Information
      • 5.7.1 Classification Structure
      • 5.7.2 Defining Personal Information
    • Section 5.8 Endpoint Management
      • 5.8.1 Purpose
      • 5.8.2 Discovery and Inventory
      • 5.8.3 Vulnerability Scanning
      • 5.8.4 Patch Management
      • 5.8.5 Anti-virus, Malware, and Spyware Controls
      • 5.8.6 Host-Based Firewall/Intrusion Prevention Software
      • 5.8.7 Encrypted Authentication
      • 5.8.8 Unnecessary Services
      • 5.8.9 Network Segmentation
      • 5.8.10 Physical Security
      • 5.8.11 Maintenance
    • Section 5.9 Cybersecurity Awareness, Training and Education
      • 5.9.1 Roles and Responsibilities
      • 5.9.2 Cybersecurity Awareness, Training and Education Requirements
    • Section 5.10 Required Reporting
      • 5.10.1 Required Reporting Activities
      • 5.10.2 Remediation and Mitigation Tracker
    • Section 5.11 Open for Future Use
    • Section 5.12 Password Management
      • 5.12.1 Password Authentication Standard
    • Section 5.13 Domain Name System Management
      • 5.13.1 DNS Security
    • Section 5.14 Information Protection Management
      • 5.14.1 Purpose
      • 5.14.2 Identifying Red Flags
      • 5.14.3 Detecting Red Flags
      • 5.14.4 Responding to Red Flags
      • 5.14.5 Protecting Personal Information
    • Section 5.15 Email Use and Protection
      • 5.15.1 Purpose
      • 5.15.2 Requirements
      • 5.15.3 Retiree Email Account Management
  • Section 6 Data Privacy
    • Section 6.0 Introduction
    • Section 6.1 Data Privacy Standard
      • 6.1.1 Purpose
      • 6.1.2 Standard
      • 6.1.3 Applicability and Compliance
    • Section 6.2 Web Privacy Standard
      • 6.2.1 Information Collection and Use
    • Section 6.3 Data Privacy Risks
      • 6.3.1 IDENTIFY
      • 6.3.2 GOVERN
      • 6.3.3 CONTROL
  • Section 7 Facilities
    • Section 7.0 Introduction
    • Section 7.1 Physical and Environmental Security Requirements
  • Section 8 Mobile Device Management
    • Section 8.0 Introduction
    • Section 8.1 General Requirements to Manage Mobile Devices
    • Section 8.2 Organization-Owned Devices
    • Section 8.3 Personally Owned Devices
    • Section 8.4 Travel
      • 8.4.1 Domestic Travel
      • 8.4.2 International Travel
      • 8.4.3 Export Controls
  • Section 9 Open for Future Use
  • Section 10 Learning Management System (LMS)
    • Section 10.0 Introduction
    • Section 10.1 Service Description
    • Section 10.2 Governance and Institutional Oversight
    • Section 10.3 Resource Model
      • 10.3.1 Licensing and Hosting Costs
    • Section 10.4 Change Management
    • Section 10.5 Supplier Integration
  • Appendix A: References
  • Appendix B: Glossary
  • Appendix C: Acronyms (Common Abbreviations)
  • Index

Table of Figures

  • Figure 1: People, Process and Technology Framework
  • Figure 2: Recommended Process Flow
  • Figure 3: Multi-Factor Authentication
  • Figure 4: Required Reporting Calendar
  • Figure 5: Risk Relationship Diagram – Cybersecurity and Privacy
  • Figure 6: Using NIST Frameworks to Manage Cybersecurity and Privacy Risks

Section 1 Information Technology (IT) Governance

Section Control

Table 1.1: Revision History

Date Description of Change

05/02/2016 Initial redesign referenced in a new structure and format (PDF, structure, and format).

11/17/2016 Section 1.3.2 – added clarification of information system owner roles and responsibilities within the framework of people, process, and technology.

05/15/2017 Section 1.2 – added the correct title to 1.2.1. Revised section for consistency in format and content.

05/15/2017 Section 1.3 – deleted a misplaced word. Revised section for consistency in format and content.

Table 1.2: Compliance

Section Number Section Name Compilation Date Published Date Compliance Date

1.1 Service Administration July 2015 July 2015 December 2015

Section 1.0 Introduction

Achieving strategic alignment between the Information Technology (IT) organizations and the enterprises they serve is an important goal for any organization. This alignment requires a process to assure that investments in IT projects and assets are directed toward achieving the organization’s strategic vision, goals, and objectives. Without alignment of purpose, intent and actions, the IT organization will not contribute purposefully to the overall mission.

Alignment is achieved through a variety of means, but five essential elements should be formally prescribed:

  • A well-defined and understood role for the organization’s Chief Information Officer (CIO).
  • Well-defined and cultivated working relationships between the CIO and the other chief officers (CxOs), also known as a governance structure.
  • Well-defined and adopted organizational roles and responsibilities.
  • A well-defined and implemented strategic planning process.
  • A well-defined and recurring resource management program.

Section 1.1 Chief Information Officer Role and Responsibilities

A CIO in a higher education institution must be operationally sound and a skilled leader of staff, peers, and causes. The CIO position must function as a fundamental partner with the other CxOs of the organization and must anticipate the organization’s needs. Therefore, this position must be a contributing member of the leadership team; understand the organization’s mission, purpose, and intent; and provide a sound operating platform on which to launch new initiatives. The CIO may not be the subject matter expert on all things that the organization requires Information Technology (IT) to

1.2.2 Strategic Alignment

The framework will lead to a collective understanding of how IT resources are deployed, as well as of the potential opportunities for their use. This information can then be used to determine the best use of these resources for maximum institutional benefit. Priorities should be informed not only by operational requisites but also by the organization’s strategic plan and goals, using a disciplined approach to portfolio, program, and project management. The organization must have a methodology and set of practices to demonstrate prioritization of IT services and initiatives.

Section 1.3 IT Organization, Roles, Responsibilities and Processes

The IT organization must be defined by considering the requirements of the primary organization it serves. Its placement within the overall structure should be considered based on the scope and breadth of services it is expected to provide to the organization. The organization should have a reporting structure that incorporates IT into planning and decision making at the leadership level.

The CIO should be a regular contributing member of the executive leadership team to participate in relevant decision processes of the stakeholder groups to anticipate technology resource needs, offer advice on technology enabled opportunities and respond to emergent requirements. Decisions about staffing levels, skills, functions, accountability, authority, and supervision should be derived from these expectations.

1.3.1 Organization

Organizational Placement of the IT Function

The CIO should be placed in the overall organizational structure based on the scope and breadth of services the IT unit is expected to provide to the organization. In complex organizations, a matrix reporting relationship among the most senior executive staff is not unusual. In smaller, less complex organizations, such hierarchies may not be necessary and a direct reporting relationship to the CEO is feasible. The key point is that it should not matter to whom the CIO reports, as long as the position is incorporated into the organization’s leadership team decision-making processes.

It is also important to distinguish between the role of the CIO and the most senior line management position of the centralized IT function (VP, Director, etc.). Regardless of whether IT functions are managed in a highly centralized or decentralized manner, the role of the CIO must be recognized as that of the Chief Information (technology) Officer. The responsibilities and authority of this role should span any direct reporting structures and cross organizational boundaries to encompass all IT functions of the organization. This ensures that the CIO is responsible for the organization’s total IT footprint as it relates to policy, compliance, security, and risk management of IT-enabled functions, regardless of any decentralized line management of departmental IT functions.

Management Structure

Decisions about the appropriate balance between a centralized and a decentralized pool of staffing and budget resources are related to the expectations of the organization. The centralized IT organization structure must be defined by considering the requirements of the primary organization it serves.

IT Continuous Improvement Expectations

As with all administrative and educational support functions in higher education organizations, the Commission on Colleges expects units to engage in systematic planning and assessment processes to assure institutional effectiveness (see SACS Core Requirement 3.3). Processes for planning, assessing, and improving services must be documented. IT processes and services should be periodically and systematically assessed for effectiveness. Opportunities for improvement should be incorporated into the planning process and implemented over time.

1.3.2 IT System Ownership Roles and Responsibilities

Definition of Information System

An information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. (FIPS 199 and 200; SP 800-18; SP 800-37; SP 800-53A; SP 800-60; and 44 U.S.C. Section 3502.)

Selecting, implementing, and maintaining an appropriate set of security controls to protect the information systems, products, or services employed by USG organizations requires strong collaboration between three primary audiences: information system owners, operation and cybersecurity managers, and information system developers. For responsible operation, it is critical each audience understands how evolving mission and business requirements, operational environment and system uses impact system operations.

Information System Ownership Roles

At the highest level, every IT application and service should have an identified information system owner. This individual should be the senior person in the organization responsible for the application or service, and ensures that the application or service renders value to the organization. For most infrastructure services, such as the local area network, the CIO is the information system owner. For most business and educational support systems, the CxO, vice chancellor, or executive director to whom the function reports is normally the information system owner. However, the designation is dependent upon the organizational structure.

Figure 1: People, Process and Technology Framework

Information system owners may appoint a functionally responsible designee as the primary liaison between the IT service unit and the customers served by the system or services IT provides. For example, the VP of Enrollment Management, who is the information system owner for the student information system, might appoint the registrar as the day-to-day liaison between the customers of the enrollment management system and IT for support and service provisioning. Within the USO, for example, the vice chancellor of academic affairs may be the designated system owner of GeorgiaBEST. Information system owners serve as the focal point for the information systems, products, or services. In

Section 1.4 Strategic Planning

Each USG organization should have an IT strategic plan that is integrated with the organization’s strategic plan. The effective management of information technology services should include a strategic planning component to direct IT resources across the organization in line with the business strategy and priorities. This direction should be inclusive of all IT resources, regardless of the departmental structure. Within the planning effort, the CIO and other CxOs of the organization assume shared responsibility for ensuring that IT resources are expended toward a catalog of services and projects that provide the maximum benefit to the organization. Strategic planning efforts and discussions also improve key stakeholders’ understanding of IT opportunities and limitations, provide opportunities to assess current performance, identify resource requirements and clarify the level of investment required.

IT strategic planning should be a documented process, which is considered in business goal setting and results in discernible business value through investments in IT. Risk and value-added considerations should be periodically updated in the IT strategic planning process. Realistic long-range IT plans should be developed and regularly updated to reflect changing technology and business developments. Benchmarking against well-understood and reliable industry norms should take place and be integrated with the strategy formulation process. The strategic plan should include how recent technology developments can drive the creation of new business capabilities and improve the competitive advantage of the organization.

1.4.1 Technology Direction Planning

Existing and emerging technologies should be analyzed to determine which technological direction is appropriate for IT strategy and business systems architecture. The planning should include identification of which technologies have the potential to create business opportunities and should address systems architecture, technological direction, migration strategies and contingency aspects of infrastructure components.

1.4.2 Standards and Quality Practices

Standards, procedures, and practices for key IT processes should be identified and maintained. Industry best practices should be used for reference when improving and tailoring the organization’s quality practices.

1.4.3 Development and Acquisition Standards

Standards for all development and acquisition that follow the life cycle of the ultimate deliverable should be adopted and maintained. This should include sign-off by the CIO and Executive Sponsor, or their designees, at key milestones based on agreed-upon criteria.

Section 1.5 Resource Management

The CIO must establish a process to periodically review current performance and capacity of IT resources, as well as forecast future needs based on workload, storage, and contingency requirements. This process should highlight the adequacy, or lack, of the resources needed to support the organization.

As a goal, performance and capacity plans should be fully synchronized with the business demand forecasts; for example, enrollment growth or a notable change in business process that results in the peak demand for a resource. The IT infrastructure and business demand should be subject to regular reviews to ensure that optimum capacity is achieved at the lowest possible cost.

Trend analysis should be performed to show imminent performance problems caused by increased business volumes to enable planning and avoid unexpected issues. The CIO should adjust the planning for performance and capacity following analysis of these measures.

Section 2 Project and Service Administration

Section Control

Table 2.1: Revision History

Date Description of Change

05/02/2016 Initial redesign referenced in a new structure and format. PDF, structure, and format.

Table 2.2: Compliance

Section Number Section Name Compilation Date Published Date Compliance Date

Section 2.0 Introduction

An IT service can be defined as a set of related functions provided by IT systems, products, or services in support of one or more business areas; it may in turn be made up of software, hardware and communications facilities that the customer perceives as a coherent and self-contained entity. An IT service may range from access to a single application, such as a general ledger system, to a complex set of facilities including many applications, as well as office automation that might be spread across several hardware and software platforms. Effective communication between IT management and its customers regarding the services required is enabled by a documented definition of, and agreement on, IT services and service levels. This process also includes monitoring and timely reporting to stakeholders on service level accomplishments, and it enables alignment between IT services and the related business requirements.

A project, by definition, is a temporary activity with a starting date, specific goals and conditions, defined responsibilities, a budget, a plan, a fixed end date and multiple parties involved. Clear and accurate definition of a project is one of the most important actions you can take to ensure the project’s success. The clearer the target the more likely you are to hit it. Defining a project is a process of selection and reduction of the ideas and perspectives of those involved into a set of clearly defined objectives, key success criteria and evaluated risks. A project management framework will help maintain the organization’s portfolio of projects that support its IT-enabled programs by identifying, defining, evaluating, prioritizing, selecting, initiating, managing and controlling these projects in order to ensure that the projects support the organization’s objectives. The framework will help coordinate the activities and interdependencies of multiple projects, manage the contribution of all the projects within the organization to expected outcomes and resolve resource requirements and conflicts.

A documented definition of, and agreement on, required IT services and service levels must be established between IT management and organization customers. A framework for the management of all IT projects must be established to ensure the correct prioritization and coordination of all projects.

information requests. It should be the single point of contact for all end user issues. Its first function should be to create a ticket in an issue tracking system that will allow logging and tracking of service support requests. Issues must be classified according to type, business, and service priority. There must be monitoring and escalation procedures, based on agreed-upon service levels relative to the appropriate SLA, that allow classification and prioritization of any service support request (e.g., an incident, problem, service request, information request, etc.).

Once an issue has been logged, an attempt should be made to solve the issue at this level. If the issue cannot be resolved at this level, then it should be passed to a second or third level within the issue tracking system and routed to the appropriate personnel for analysis and resolution. The service desk or service request function should work closely with related processes such as change management, release management and configuration management. Customers must be kept informed of the status of their requests. The function must also include a way to measure the end user’s satisfaction with the quality of the service support and IT services. As a goal, the service desk and service request function should be established and well organized and take on a customer service orientation by being knowledgeable, customer-focused, and helpful. Advice should be consistent, and incidents resolved quickly within a structured escalation process. Extensive, comprehensive FAQs should be an integral part of the knowledge base, with tools in place to enable a user to self-diagnose and resolve issues. Metrics must be systematically measured and reported. Management should use an integrated tool for performance statistics of the service desk and service request function. Processes should be refined to the level of best industry practices, based on the results of analyzing performance indicators, continuous improvement, and benchmarking with other organizations.

Classification of Issues

Processes to classify issues that have been identified and reported by end users must be implemented to determine category, impact, urgency, and priority. Issues should be identified as incidents or problems, and be categorized into related groups, such as hardware, software, etc., as appropriate. These groups may match the organizational responsibilities of the end user and customer base and should be the basis for allocating problems to the IT support staff. Note that incident management differs from problem management. The purpose of incident management is to return the service to normal level as soon as possible with the smallest possible business impact. The principal purpose of problem management is to find and resolve the root cause of a problem and prevent further incidents.

Incident Management

An incident is any event that is not part of the standard operation of the service and causes, or may cause, an interruption or a reduction of the quality of the service. Incident Management aims to restore normal service operation as quickly as possible and minimize the adverse effect on business operations. Normal service operation is defined here as service operation within SLA limits.

Problem Management

A problem is a condition often identified because of multiple incidents that exhibit common symptoms. Problems can also be identified from a single significant incident, indicative of a single error, for which the cause is unknown. Problem Management aims to resolve the root causes of incidents to minimize the adverse impact of incidents and problems and to prevent recurrence of incidents. The objective of problem management is to reduce the number and severity of incidents and report findings in documentation that is available for the first line and second line of the service desk and service request function.

Tracking of Issues

The issue management process must provide for adequate audit trail capabilities that allow for tracking, analyzing, and determining the root cause of all reported issues considering:

  • All outstanding issues.
  • All associated configuration items.
  • Known and suspected issues and errors.
  • Tracking of issue trends.

The process should be able to identify and initiate sustainable solutions to reported issues that address the root cause, raising change requests via the established change management process. Throughout the resolution process, regular reports should be made on the progress of resolving reported issues. The continuing impact of reported issues on end user services and against established SLAs should also be monitored.

If this impact becomes severe or reaches established SLA thresholds, the issue management process must escalate the problem.

Escalation of Issues

Service desk and service request function procedures must be established so that issues that cannot be resolved immediately are appropriately escalated according to the guidelines established in the SLAs. Workarounds should be provided if appropriate. These procedures should ensure that issue ownership and life cycle monitoring remain with the service desk for all user issues, regardless of which IT group is working on the resolutions.

Resolution and Closure of Issues

Procedures must be put in place to close issues either after confirmation of successful resolution of the issue or after agreement on how to alternatively manage the issue. When an issue has been resolved, these procedures should ensure that the service desk records the resolution steps and confirms that the customer agrees with the action taken. Unresolved issues should be recorded and reported to provide information for the timely monitoring and clearance of such issues.

Reporting and Analysis

The issue management system must be able to produce reports of service desk activity so that management can measure service performance and service response times, as well as identify trends or recurring issues so that service can be continually improved.

Assessment

An effective service support process requires well-defined monitoring procedures, including self-assessments and third-party reviews. These procedures should allow continuous monitoring and benchmarking to improve the customer service environment and framework. Remedial actions arising from these assessments and reviews should be identified, initiated, implemented, and tracked.

Service Metrics

The need for metrics is driven by the desire to deliver and demonstrate high-quality service. The type of metrics collected is driven by the business and IT requirements for service reporting and Key Performance Indicators (KPIs). Metrics collection and aggregation provide input into key business decisions such as how to equitably allocate costs. Service metrics represent the KPIs of an IT service.
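The following is an added worked example, not code from the handbook or from any USG organization, that ties together the Classification of Issues, Escalation of Issues, Reporting and Analysis, and Service Metrics sections above: a ticket's priority is derived from its impact and urgency, each ticket is checked against per-priority SLA thresholds to decide whether escalation is due, every action is appended to an audit trail, and a small report produces service-desk KPIs (open issues, mean response time, SLA breaches, recurring incident categories that are candidates for problem management). The priority matrix, SLA thresholds, and sample tickets are all constructed for illustration; an organization's own SLAs define the real values.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean

# Assumed priority matrix (impact, urgency) -> priority; 1 is most severe.
PRIORITY_MATRIX = {
    ("high", "high"): 1, ("high", "medium"): 2, ("high", "low"): 3,
    ("medium", "high"): 2, ("medium", "medium"): 3, ("medium", "low"): 4,
    ("low", "high"): 3, ("low", "medium"): 4, ("low", "low"): 4,
}

# Assumed per-priority SLA thresholds: time to first response and to resolution.
SLA = {
    1: {"respond": timedelta(minutes=15), "resolve": timedelta(hours=4)},
    2: {"respond": timedelta(hours=1), "resolve": timedelta(hours=8)},
    3: {"respond": timedelta(hours=4), "resolve": timedelta(days=2)},
    4: {"respond": timedelta(days=1), "resolve": timedelta(days=5)},
}


@dataclass
class Ticket:
    ticket_id: str
    kind: str                      # "incident", "problem", "service request", ...
    category: str                  # "hardware", "software", ...
    impact: str
    urgency: str
    opened: datetime
    first_response: datetime | None = None
    resolved: datetime | None = None
    history: list = field(default_factory=list)   # append-only audit trail

    @property
    def priority(self) -> int:
        """Classification step: priority follows from impact and urgency."""
        return PRIORITY_MATRIX[(self.impact, self.urgency)]

    def log(self, when: datetime, event: str) -> None:
        """Record an audit-trail entry; entries are never edited or removed."""
        self.history.append((when, event))


def escalation_needed(t: Ticket, now: datetime) -> list[str]:
    """Return the SLA thresholds this ticket has breached as of `now`."""
    sla = SLA[t.priority]
    breaches = []
    if t.first_response is None and now - t.opened > sla["respond"]:
        breaches.append("response")
    if t.resolved is None and now - t.opened > sla["resolve"]:
        breaches.append("resolution")
    return breaches


def escalate(t: Ticket, now: datetime, to_level: int) -> None:
    """Route the ticket to the next support level; the service desk keeps ownership."""
    t.log(now, f"escalated to level {to_level}; breached: {escalation_needed(t, now)}")


def service_desk_report(tickets: list[Ticket], now: datetime) -> dict:
    """KPIs for management reporting: open count, mean response time in hours,
    current SLA breaches, and incident categories seen two or more times."""
    responded = [t for t in tickets if t.first_response is not None]
    response_hours = [(t.first_response - t.opened).total_seconds() / 3600 for t in responded]
    incident_categories = Counter(t.category for t in tickets if t.kind == "incident")
    breaches = {t.ticket_id: escalation_needed(t, now) for t in tickets}
    return {
        "open": sum(1 for t in tickets if t.resolved is None),
        "mean_response_hours": mean(response_hours) if response_hours else None,
        "sla_breaches": {k: v for k, v in breaches.items() if v},
        "recurring_incident_categories": {c: n for c, n in incident_categories.items() if n >= 2},
    }


def build_sample_tickets() -> list[Ticket]:
    """Constructed sample data; opened times are relative to a fixed base."""
    base = datetime(2022, 6, 1, 9, 0)
    return [
        Ticket("INC-1001", "incident", "software", "high", "high", base,
               first_response=base + timedelta(minutes=15), resolved=base + timedelta(hours=2)),
        Ticket("INC-1002", "incident", "hardware", "high", "medium", base + timedelta(hours=1)),
        Ticket("INC-1003", "incident", "software", "medium", "low", base,
               first_response=base + timedelta(minutes=30)),
        Ticket("INC-1004", "incident", "software", "low", "high", base,
               first_response=base + timedelta(hours=1), resolved=base + timedelta(hours=2, minutes=30)),
        Ticket("SR-2001", "service request", "access", "medium", "medium", base + timedelta(minutes=30),
               first_response=base + timedelta(hours=1)),
    ]


def run_example() -> dict:
    """Three hours after the base time: escalate whatever breached its SLA, then report."""
    tickets = build_sample_tickets()
    now = datetime(2022, 6, 1, 12, 0)
    for t in tickets:
        if escalation_needed(t, now):
            escalate(t, now, to_level=2)
    return service_desk_report(tickets, now)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

In the sample data the P2 hardware incident has gone two hours without a first response against a one-hour threshold, so it is the only ticket flagged for escalation, and "software" surfaces as a recurring incident category, which is the signal that should hand the pattern to problem management for root-cause analysis rather than leaving it to repeated incident fixes.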