Free Downloads

ISO 20000: 2011
ITIL 2011 MMap

Request for Change (RFC) Template

Major Incident Report Template

ISO 20000/ITIL Timeline poster


Sponsored Links



Dec 30, 2011

What is Password Reset: Service Request, Incident or Change?

I browsed through a few social networks lately discussing basic Service Support activities like password reset. Interesting to see how even experienced IT professionals have different points of view on elementary procedures like this one.

One of discussions goes on and on about what is a Password Reset procedure: is it a Service Request, Incident or Change?
We can take for granted that these portals consider the simplest case of Password Reset event: the user forgot hers/his password. In a consolidated service desk of 2000s this was the most frequent event, making 50-80% of all calls.

Is it an Incident?
So, could it be an Incident? Obviously NOT. Incident definition requires a service downtime or probability of downtime. No service downtime here, only end user can't log in, by his own fault.
Why then a plenty of Service organizations treat these events as Incidents? Because of the Service Desk TOOL they (miss)use. They have a nice little tool which is ITIL approved by some elephant. It can do all the process, you name it. But implementation of additional modules costs money and time. They already have Incident Management. Their implementer sucks, their ITSM consultant could do better, and they are often the same person. So they created a category "Password reset" in Incident Management module and they treat password reset as an incident. That's why it has to be an incident. If the only tool you have is a hammer, every problem is a nail. Let's move further.

Is it a Service Request?
Is password reset request a Service Request? Of course it is, there it is in the ITIL definition of a Service Request:
  • A request from a User for information or advice, or for a Standard Change or for Access to an IT Service. For example to reset a password, or to provide standard IT Services for a new User. Service requests are usually handled by a Service Desk, and do not require an RFC to be submitted.
So it's a small preapproved standard Change which is processed thru Request Fulfillment process.
Yes, it is a Change, but no need for Change Manager and CAB to get involved since it happens frequently and can be dealt with on the 1st level. And thank you God for technology you provided so that lately any end user password can be reset via a simple self-help portal. User just answers a secret question, puts in his employee ID and receives the new password via text message or such.
What other special flavors of password reset are there?
  • Simple web application user passwords are a mild example of the above described case.
  • Enterprise domain user password is closer to what first comes to our mind when we think about password reset. Now, we said it is a Service Request. In which cases it escalates to a Change Request? Well, if you have a strong security policy, implemented SOX or ISO/IEC 27001 and influential security officer, then it's possible that they require formalized approval cycle and implemented operational Standard Change procedure.
  • VPN account passwords which enable user to connect from the outside of the company to internal network are a very sensitive security case, so all concerns regarding domain user accounts apply to them, and then some. A special case is a VPN account given to a 3rd party employee. Usually such a request has to have defined start and end of usage and approval from a high position (chief security, IT manager or CEO).
  • Application Administrator account passwords enable the user to create a significant amount of damage to a company according to the importance of the application to the business. Examples: Intranet applications, CRM, ERP. Which one contains the most sensitive data for your company? Probably the ERP application.
  • System Administrator Account presents the highest possible level of trust to an employee. Only security officer , Operations or IT Manager should approve these account creations and their password reset requests.
  • Service Accounts under which different IT services are executed. These have to be taken care by the security officers, their catalogue has to point to services they enable (1:M relation) and access to their passwords has to be restricted only to most confidential people. Usually these accounts have broad authorization and they are set to rarely or never expire, so they should be maintained with utmost care, especially in organizations with frequent employee fluctuation. Best practice is to deposit them in a safe box by a single person.
Note: there are significant changes lately in best practices and recommendations with large vendors and consulting companies about the password lockout policy.
Until recently, the recommendation was to lock the user account after three to five unsuccessful attempts. What changed? Implementation of security standards and best practices introduced higher password complexity and more frequent user password changes. Majority of users have some kind of mobile device for connecting to an enterprise mail system. These devices cache user credentials and often lock-out user's accounts after password change. Virtualization also contributed to simplification of lockout policy since various user credentials can be cached on different physical and virtual machines.
Brute force attacks are measured in hundreds if not thousands of attempts in a short period of time, so it is now advised to lift the lockout attempt number to 60-100, or to turn the policy off completely and survey security logs with adequate tools.

Let me just finish here in a nicer tone. ITIL is not too prescriptive in telling you how exactly to do things.
In the above example, if you process Service Requests as a special category Incidents, you are still in the green. Customers get their service, all needed reports can be generated as agreed, KPIs are there, you are good!

We are in business of keeping the customer business going. In the spirit of current holidays, I wish you the very best of luck with it. Because you are going to need it :)

For further reading I recommend 4.2 Incident Management, 4.3 Request Fulfilment and 4.5 Access Management chapters in ITIL Service Operation book.
Also, have a look at articles:

May 25, 2011

ISO/IEC 20000 - A Brief History

From DISC PD 005 over BSI 15000 to ISO/IEC 20000. Specifications, requirements, Code of practice.

History is a myth that men agree to believe.

ISO/IEC 20000 Timeline
ISO/IEC 20000 Timeline

I have been looking around for some brief document with ISO/IEC 20000 history, and I could not find anything useful.
Here are a few major points I have collected from various sources in ISO/IEC 20000 history.

1995: British Standard Institution (BSI) published the first version of DISC PD 0005:1995 - Code of Practice for IT Service Management. It described only four basic ITSM processes.

1998: BSI publishes a revised version of DISC PD 0005:1998 and it already described all five process areas and 13 processes as we know it today.

2000: Published BS 15000:2000 - Specification for IT Service Management which was used together with the code of practice DISC PD 0005.
Also in 2000, the third supplementary document entitled DISC PD 0015:2000 IT Service Management Self-Assessment Workbook was published.  It was a questionnaire that enabled anyone to make an assessment of its compliance degree with BS 15000.
Some serious revisions and rewriting followed, resulting in standard documents very similar to today's norm:

2002: BS 15000-1:2002 IT service management - Specification for Service Management;
PD 0015:2002 - Self-Assessment Workbook

2003: BS 15000-2:2003 IT service management - Code of Practice for Service Management
The same year a new PD 0005:2003 Guide to Management of IT Service Management was published with explanations of the purpose of BS 15000, and also the framework guidance on how to use the standard processes and implement them.
BSI 15000 was adopted by many service companies in UK, and countries worldwide accepted it.

2005: BS-15000 was placed on the “fast track” by the ISO. By the end of the year, with some moderate changes, it was published as ISO/IEC 20000 standard:
  • ISO/IEC 20000-1:2005 Specification  is very formal, it defines processes and provides assessment/ audit criteria.
  • ISO/IEC 20000-2:2005 Code of Practice that gives HOW-TOs and describes best practices for implementation of Part 1.
Standard was unchanged for four years. Adoption was a bit slower due to somewhat lower ISO maturity level of the standard. The norm requirements were very demanding, and supplemental documentation was scarce and sometimes ambiguous. There was a need for some additional documentation:
2009: ISO/IEC TR 20000-3:2009 Guidance on scope definition and applicability  was published. It provided guidance on scope , applicability and of conformance for service providers

  • ISO/IEC TR 20000-4:2010 Process reference model - describes  the service management system processes implied by ISO/IEC 20000-1 at an abstract level.
  • ISO/IEC TR 20000-5:2010 Exemplar implementation plan for ISO/IEC 20000 -1 - provided guidance  to implementation of ISO/IEC 20000 by example and advice.
2011. April:  ISO/IEC 20000-1:2011 - new version of specification is out.

2012. February: ISO/IEC 20000-2:2012 - new Guidance on the application of service management systems published.

If someone has an update or a correction to this, I will be very glad to update the post. Thank you.

Related posts:

ISO/IEC 20000 Essentials
A few more words on ISO/IEC 20000

ISO/IEC 20000 Rediscovered
Describing differencies and similarities of ITIL and ISO/IEC 20000

ITIL and ISO/IEC 20000 Compared
ITIL V2 - ITIL V3 - ISO20000 comparisson table

Hope this helps. Have a nice day!

Mar 24, 2011

ITIL Major Incident - All you want to know

What is a Major Incident in ITIL? What are the roles and responsibilities? How to avoid common mistakes? What to do After the Resolution?

Trust me, I know what I'm doing!
Sledge Hammer

What is a Major Incident?
Definition of a Major Incident has to be clear to every employee in Service Support. Therefore it has to be clearly described in a separate document, Major Incident Procedure.

What makes a Major Incident? It is usually defined by the impact outage has or could have on customer’s business process. Also, it may be determined by priority of the incident or by its urgency.

How come that the impact isn’t allways the only factor in defining the Major incident? For example, an incident of high impact can be resolved by Service Desk thru a simple resolution procedure, like switch resetting after network down event, or connecting a backup provider after internet down event.

Both examples are definitely high impact but we don’t have to recruit a bunch of higher level people on it just yet. We just have to have in mind that they are Priority 1 and they have to be resolved ASAP. In case they can’t be resolved by standard procedure, THEN they can be marked Major and handled with appropriate procedure and policy. That’s why most leading Incident Management tools on the market have a separate checkbox Major or Hot incident.

This was all theory. In practice, to simplify the procedure and make it easier to Service Desk staff, this is what I usually advise: all priority 1 incidents are Major Incidents, if they are not exceptions. Exceptions can be easily defined for particular customers, contracts and incident categories. For example: Major incidents are all Priority 1 incidents except cash register tickets, which are urgent but can be fixed by technicians, no need to involve for more important people. Or: all categories except end user incidents. Simple.

Major Incident Team
OK, now we have determined it’s a Major Incident. What next? We establish a Major Incident Team. Members are:
  • Service Desk Manager – he will be responsible for communication with resolution team and timely reporting to the customer
  • Incident Manager – in reasonable service organizations Incident Manager is usually also the Service Desk Manager. If not, then these two have to work closely together.
  • Major Incident Manager: a frequent mistake is to promote Incident or Service Desk Manager into Major Incident Manager. This doesn’t have to, but can cause some serious conflicts of interests: he has to survive somewhere between Incident Management, Problem Management, Business Management and the customer.
    Major Incident Manager has to be a liaison between all internal parties involved, also acquainted well to technical aspects of the outage. So he will often be recruited between people formerly engaged in a project, or those involved in service catalogue definition.
  • Problem Manager: remember him? He will be most helpful here in investigative phase, towards closure phase, and a life saver in post mortem reporting. Better keep him on our side. Mind you, Major Incident is still an incident, but usually has some underlying cause which will be recognized as a Problem. Hence Incident and Problem Manager have to work closely here, each with his own goal in mind (service restoration vs. underlying cause).
  • Other members of Major Incident Team: representatives of all people involved, impacted users, competent technical staff, vendors... Good practice would be to choose people here the same way you would choose ECAB (Emergency Change Advisory Board) members. There is always a chance that you will be implementing an Emergency Change during a Major Incident resolution process.

Resolution Process
Major Incident resolution works on tight SLA parameters. Service Desk takes care of them. Also, ticket updates and frequent feedback to customers is performed by Service Desk. Remember, customer hates to be kept in the dark, even if news are bad (no progress) they must be updated frequently.

Major Incident Procedure has to define the escalation policy in case of SLA breech. Usually the incident is escalated vertically to higher level IT / Business management and to vendors of services/equipment underpinning the service.

After the battle
Upon the resolution, Incident Management Team stays “on call” and monitors the service for the period defined by Major Incident Manager. He also schedules a short team meeting for the next day.

Incident Review is performed on this meeting, points for improvement and lessons learned are defined and Post Mortem Major Incident Report is created.

Incident Manager sends the report to the customer.

I have prepared for you a template for Major Incident Report, free for download here.

Related posts:

Incident Management Elements
Key elements of Incident management.

Incident Management Mind Map
Download the incident management mind map.

All About Incident Classification
How to deal with incident categories.
Incident prioritization in ITIL.

Hope this helps. Have a nice day!

Jan 7, 2011

Customer Satisfaction Survey: What Methods To Use?

How to gather customer satisfaction data? What methods are there? What ITIL says? What methods will work for you?

USA Today has come out with a new survey - apparently, three out of every four people make up 75% of the population.
David Letterman
In my last post I spoke about Customer Satisfaction. OK, but how to gather data? How to interview customers? How to get the best results in surveys and help educate the customer about the proces?
Here I give you a list of basic ITIL methods for gathering customer satisfaction data and my coments of its worth in my company. Mind you, we are in Managed Service business, so my grades are biased.

If you are a small IT in  government agency or an IT in Airline company, you may look for different values. Still, this will give you an idea.

Customer Satisfaction

After-Call Survey
Callers are asked to remain on the phone after the call and then asked to rate the service they were provided.

This method requires that you have some kind of telephony automation like Interactive Voice Response (IVR). The thing with this method is, however you set the system it will often be despised by the customer. Most of the people don’t like to hear recorded messages and even more people hate moving down the menu tree with phone keyboard. Outcome? Only extremes: customer which are very satisfied and wish to reward an agent by giving him good grades or, more often, a very pissed off customer who will go out of his way to express his low level of satisfaction.

Call Center organizations are doomed to use this technology since phonecalls are the only way of communicating with the customer. In ITSM there are usually more ways to talk to customer.

My worth: 1/5

Mail Surveys
We never considered sending mail interviews to customers as an option. Not in this century at least. What kind od IT-related person would fill the received paper form and send it back to us? Do we need a feedback from this kind of person? No, thanks.

With e-mail it's maybe slightly better. We used to have a ServiceDesk application which would send an automated notification on incident resolve event, asking the customer contact to reply in an email grading their satisfaction with speed and quality of resolution by grades 1 to 5. So lame. Response percentage of 0,05% was enough to pacify our ISO9001 auditor but it was next to worthless to us otherwise. One good thing was that receiving a small number of answers in an unstructured text email made the result processing much easier :-)

My worth: 1.5/5

Group Interviews
In this method, customers should be gathered in small groups and interviewed together. This can maybe be somewhat useful in a group of people working together, even then their answers will be biased and dependent. Possible value I see in this one is that they will help to develop communication between customers of different knowledge levels and enhance collective process knowledge.

In my organization we try to keep different SLA customers as far from each other as possible. We do not conduct group interviews but we do organize ITSM workshops here and there for our customers, feedback is usually very good.

My worth: 2/5

Phone Surveys
Some time after the interaction with Service Desk, an independent agent calls the customer.

You are in the middle of your monthly report, juggling a database and three spreadsheets, and some guy calls you to grade your experience with Service Desk from ten days ago? You will brush him off. OK, maybe not the first time, but the next, for sure.

So, if you want to get the results with this method, you need trained people with strong communication skills and good opening lines. Also, a good idea is not to have surveys for all calls, to let the customer rest from you periodically. If they anticipate your call, they start thinking up good excuses to brush you off. Surprise them periodically.

My worth: 2/5

Personal interviews
Surveying person is usually Incident Manager or Service Desk manager, while the Customer representative is a person responsible for SLA on their side. These can be contact persons on Major incidents after the post mortem reporting, but that’s another story and this should be defined in Major incident procedure.

These interviews are usually periodic and should be conducted at least annually (usually they are, during a contract renewal), but more preferably on quarterly basis. During these, the two parties communicate customer needs and help focusing Service Support towards things important to customer. So the questions in a survey should be aligned with Service Desk and Incident Management KPIs.

These are of great value to us.

My worth: 4/5

Online Surveys
We worked with several Service Desk automation tools, different vendors. In the end, we developed a Web application which enables us to send different surveys to our customers. They can be Ticket related, periodical or Ad Hoc surveys with predefine templates of multiple choice and freeform answers. We like it so much that we host it to other departments of our company. And we do not sell it, it’s that good :-)

Customers fill it in their own convenience (ok, we sometimes call and beg them to fill surveys), and after they submit the form they are automatically in the report.

Web-based surveys are a life-saver to us.
My worth: 5/5

Other Methods
Blogs, tweets, wikis, forum discussions and chats are all nice to have and, if maintained well, they will influence customer experience positively.

However, it is next to impossible to mine a structured measurement of customer satisfaction out of them, and they shouldn’t be used for that purpose.

Additional About Surveys

It will be best to define simple questions with multiple choice number ratings. How many different grades? For fine gradation in longer interviews we use grades 1-10. For faster, ticket-focused surveys we opted for a coarser gradation. We used 1-5 for a long time, but a lot of the grades were distributed to 1, 5 and 3. Eliminating the middle value and shifting to 1-4 made our customers think more. We still use (1-4) system for most surveys and we are satisfied with it.

In addition, it is often nice to put an optional comment field under every question. Doesn’t cost much, and sometimes customers leave very useful info there.

How many questions?
You certainly don’t want to scare of the customer with a bunch of questions. OK, annual interviews can be longer, and internal ITIL/ISO20000 audits and assessments can gave a gazillion questions, but survey on incident performance can have only one (how satisfied are you?), ideally three, or maximum five multiple choice questions. You fish for quantity here.

Anonymous or named?
Some customers will answer an anonymous survey rather then named. Well, their problem. This is one case where customer is not always right. You want to know who is satisfied, who is not, so you can decide on your further actions.

Related posts:

Customer Satisfaction in ITIL Service Management: Do You Get It?
Elementary facts about ITSM Customer Satisfaction - How bad do we need it in IT Service Management? Where is it mentioned and where is it dealt with in ITIL V3? How do we manage it in real life?