What is Availability Management

As you will have learned on your ITIL Managers training course, the most important feature of a quality IT service is availability. Users / customers need the service to be there when they need to use it! Availability Management aims to deliver these levels of availability at the appropriate cost and despite hardware failures and major contingencies.

Availability Management takes into account a number of sub activities, all of which are crucial to the delivery of an I.T. service the organisation can depend on. These are:

Reliability
The ability of a configuration item (usually a hardware or software component) to operate as it is designed, providing it is correctly used.

Maintainability
The ease with which a Configuration Item can be maintained in or restored to its operational state.

Serviceability
Contractually assured (usually with a 3rd party) availability, reliability and maintainability.

Recoverability
The capability to restore normal operation after a failure.

Resilience
Ensuring a single failure will not affect the delivered service.

Getting Priorities Right

Determining Priorities

In 2001 Gartner published research that analysed system downtime - allocating the causes to one of seven categories - thus:

Assessing Risk

Many organisations fail to realise that risk is a combination of threat and vulnerability and that management of risk is about evaluating one risk relative to another and determining which risks need attention more urgently. A methodology for doing just this is the widely used CRAMM (CCTA Risk Analysis Management Methodology). This methodology weighs the value of the asset to the organisation against the threat and the vulnerability - see example below:

Definitions:

Asset
A component of a business process. Assets can include people, accommodation, computer systems, networks, paper records, fax machines, etc. Score from 1-10

Threat
An indication of an unwanted incident which could impinge on the system in some way. Threats may be deliberate (e.g. wilful damage) or accidental (e.g. operator error). Score from 1-3

Vulnerability
A weakness of the system and its assets which could be exploited by threats. Score from 1-3

Example 1

The E-mail service (being a relatively critical business Asset) might be assigned an asset value of 7.

The Threat of (say) a major server hardware failure would render the entire service inoperable and would therefore be assigned a maximum value of 3.

The Vulnerability might also be assigned a maximum value of 3 because the server hardware is known to be ageing and therefore more vulnerable to failure.

When one multiplies Asset x Threat x Vulnerability, in this example, one arrives at a Risk value of 63. This number, on its own, means very little but it serves as a means of assessing this risk relative to another - see example 2.

Example 2

In this example we explore the stereotypical I.T. disaster scenario - a plane crashing onto the data centre.

Here one would assign an Asset value of 10 (the maximum) as the total loss of the data centre would have a catastrophic effect on the business.

The Threat too would be assigned its maximum value 3 as the entire data centre would almost certainly be destroyed.

As the chances of any plane crashing in the UK are low, of it actually landing on this building even more remote, and as the data centre is not situated on any climb-out or approach to an airport - the Vulnerability would be assigned a value of just 1.

So when one multiplies Asset x Threat x Vulnerability, in this example, one arrives at a Risk value of 30. Again, on its own, this number means very little but when assessed relative to another Risk as in example 1, one can see that taking action to reduce the Vulnerability of the E-mail server is a higher priority than dealing with the improbable consequences of a plane crash.

Risk Management Policy

By assessing and ranking the Risks to the business of the various Threats to its Assets one can set a policy to (say) address all risks with a value greater than 60 in year one, progressively reducing the Risk threshold year by year to (say) 50 then 40. The cost of mitigating the Risk weighed against the business benefit will be the determining factor in deciding when it is no longer necessary to lower the threshold.

Using ITIL

Many Risks can be significantly reduced by adopting better procedures and processes. Some Risks are generated from within - consider the DWP premature roll-out of desktop software that brought their systems to a grinding halt. The ITIL service-management disciplines, developed to improve the quality of I.T. services, are now universally accepted as "best practice" by governmental and private sector organisations alike.

ITIL is supported in the worldwide marketplace by three not-for-profit organisations: itSMF, The Institute of Service Management and the Information Systems Examination Board (ISEB), a subsidiary of the British Computer Society (BCS).

itSMF

Formed in the UK in 1991, the IT Service Management Forum (itSMF) is now an internationally recognised organisation dedicated to IT Service Management. It is a not-for-profit organisation, wholly owned, and principally operated, by its membership. The itSMF is a major influence on, and contributor to, industry "best practice" and Standards worldwide, working in partnership with a wide range of governmental and standards bodies.

itSMF aims

- To develop and promote industry best practice in service management
- To engender professionalism within service management personnel
- To provide a vehicle for helping members improve service performance
- To provide members with a relevant forum in which to exchange information and share experiences with their peers on both sides of the industry

The Institute of IT Service Management

The Institute of IT Service Management aims to promote and support the standing of its members by establishing high standards of professional and ethical conduct, ensuring continuing professional development of its members in order to demonstrate their competence and commitment.

The ITIL Managers Certificate

The principal qualification for entry to the Institute of Service Management is the holding of the ITIL Managers Certificate. Qualification is gained only after gaining the ITIL Foundation certificate and attending a further 10 days of accredited training and passing both papers in an exacting 6-hour examination.

In 2003, 1,500 people sat and passed the Manager's certificate examinations. Their training was almost entirely supported by their employers - testimony to the business benefit these organisations have gained from adopting ITIL "best practice" across their I.T. estate.
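
The Asset x Threat x Vulnerability scoring from Examples 1 and 2 and the year-by-year threshold described under Risk Management Policy can be kept as a small risk register. The following is an added example, not part of the original document; the names `Risk`, `rank` and `schedule` are hypothetical, and the third register entry is constructed so that the lower thresholds have something to select.

```python
from dataclasses import dataclass

# Score ranges as defined on the page: Asset 1-10, Threat 1-3, Vulnerability 1-3.
RANGES = {"asset": (1, 10), "threat": (1, 3), "vulnerability": (1, 3)}


@dataclass(frozen=True)
class Risk:
    name: str
    asset: int
    threat: int
    vulnerability: int

    def __post_init__(self):
        # Reject scores outside the defined scales so rankings stay comparable.
        for field, (lo, hi) in RANGES.items():
            value = getattr(self, field)
            if not lo <= value <= hi:
                raise ValueError(f"{self.name}: {field}={value} outside {lo}-{hi}")

    @property
    def score(self) -> int:
        return self.asset * self.threat * self.vulnerability


def rank(risks):
    """Highest relative risk first; a score only has meaning next to others."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def schedule(risks, thresholds):
    """Map each risk to the first policy year whose threshold it exceeds.

    thresholds is the year-by-year list, e.g. [60, 50, 40]; a risk that never
    exceeds a threshold maps to None (not addressed under the current policy).
    """
    plan = {}
    for r in rank(risks):
        plan[r.name] = next(
            (year for year, t in enumerate(thresholds, start=1) if r.score > t),
            None,
        )
    return plan


# The two risks from the page plus one constructed (hypothetical) entry.
REGISTER = [
    Risk("E-mail server hardware failure", 7, 3, 3),
    Risk("Plane crash on data centre", 10, 3, 1),
    Risk("Constructed: file server disk failure", 6, 3, 3),
]
PLAN = schedule(REGISTER, [60, 50, 40])
```
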