NSW Government IT Service Management – Service Transition Standard August 2016


Post on 07-Mar-2018


NSW Government

IT Service Management –

Service Transition Standard

V1.0

August 2016

ITSM Service Transition Standard

CONTENTS

1. CONTEXT

1.1. Background

1.2. Purpose

1.3. Scope and application

1.4. Policy context

1.5. The ICT Services Catalogue

2. KEY PRINCIPLES

3. REQUIREMENTS

3.1. ITSM Service Transition

3.2. Service level and complexity

3.3. Requirements tables

3.3.1 ITSM Service Transition – Use Cases / Scenarios

3.4. Elements of this standard

3.4.1 ITSM Service Transition requirements

4.4.1 Service Management requirements

DOCUMENT CONTROL

APPENDIX A – ABBREVIATIONS AND DEFINITIONS

APPENDIX B – REFERENCES

APPENDIX C – STANDARDS

Developing technical standards

Management and implementation

APPENDIX D – Sample Key Performance Indicators

1. CONTEXT

1.1. Background

This is a technical standard developed through the NSW ICT Procurement and Technical Standards Working Group. The standard contains technical and functional requirements that agencies should consider when procuring IT Service Management (ITSM) Service Transition solutions.

By defining the necessary and common elements across agencies the standard provides an opportunity to leverage the buying power of Government as a whole, improve procurement efficiency and increase interoperability.

1.2. Purpose

The purpose of this standard is to assist NSW Government agencies to develop, procure and implement ITSM Service Transition solutions and tools, as well as take full advantage of their benefits. This standard also helps agencies procure in a strategic manner that reflects the NSW Government’s priorities as outlined in the NSW Government ICT Strategy.

This standard details the issues that need to be considered so each agency can identify the available options that best suit their business requirements, helping agencies achieve value for money through cost savings and improved flexibility of service offerings.

1.3. Scope and application

This standard applies to all NSW Government departments, statutory bodies and shared service providers. It does not apply to state owned corporations, but is recommended for their adoption.

For the purposes of this standard, ITSM Service Transition is defined as:

To ensure new, modified or retired services meet expectations of the business as documented in the service strategy and service design stages of the lifecycle.

This standard sets out service definitions as minimum requirements that vendors must meet to be able to offer their services through the NSW ICT Services Catalogue. Agencies should consider any specific operational or regulatory factors that impact their requirements, and specific requirements they have in addition to those detailed in this standard.

1.4. Policy context

The NSW Government ICT Strategy and Digital + 2016 Final Update set out the Government’s plan to: build capability across the NSW public sector to deliver better, more customer-focused services that are available anywhere, anytime; and to derive increased value from the Government’s annual investment in ICT.

Developing whole of NSW Government ICT technical standards is a key initiative of the NSW Government ICT Strategy, driven by the ICT Procurement and Technical Standards Working Group. These standards leverage principles defined in the NSW Government ICT Strategy and the NSW Government Cloud Policy, and they support the NSW ICT Services Catalogue.

The standards set out service definitions as minimum requirements that vendors must meet to be able to offer their services through the NSW Services Catalogue. This helps achieve consistency across service offerings, emphasising a move to as-a-service sourcing strategies in line with the NSW Government ICT Strategy, and it signals government procurement priorities to industry.

Solutions should also assist agencies in their alignment with the NSW Government Enterprise Architecture (NSW GEA), which encompasses all aspects of enterprise architecture activity at the business, information, application and technology infrastructure layers. The NSW GEA is about providing direction and practical guidance to accelerate the development of agency EA capability and enabling a common, intra- and inter-agency approach to the design of digital government.

This standard should be applied along with existing NSW Government policies and guidance, including the NSW Digital Information Security Policy. More information on the process for the development of standards that populate the ICT Services Catalogue is at Appendix C – Standards.

1.5. The ICT Services Catalogue

This catalogue provides suppliers with a showcase for their products and services, and an opportunity to outline how their offerings meet or exceed standard government requirements. The standards, together with supplier service offerings, help to reduce red tape and duplication of effort by allowing suppliers to submit service details only once against the standards. The offerings are then available to all potential buyers, simplifying procurement processes for government agencies.

Implementing this category management approach will embed common approaches, technologies and systems to maintain currency, improve interoperability and provide better value ICT investment across NSW Government.

2. KEY PRINCIPLES

This standard is informed by the following principles:

End-to-end digital: Service Transition solutions should enable end-to-end digital business processes and management.

Control technical diversity: Service Transition solutions should help control technical diversity to minimise costs associated with maintaining expertise in and connectivity between multiple processing environments.

Data security: Meet any applicable requirements of the NSW Digital Information Security Policy and ISO 27001.

Technology currency: Solutions should be designed to maintain technology currency for key systems, and to maintain a pace that aligns with business context and risk profile.

Facilitating as a service: Service Transition solutions should facilitate the agency transition to as a service, and ensure agency alignment with broader NSW ICT Strategy.

Interoperability: Service Transition solutions should meet applicable recognised open standards across the elements of compute, storage, network, and pre-production and testing.

Business continuity: Service Transition solutions should meet business continuity requirements, particularly with transition in and out (see the NSW Digital Information Security Policy and ISO 27031-2011 for more guidance).


3. REQUIREMENTS

3.1. ITSM Service Transition

When considering any aspect of Platform as a Service (as defined in this standard) an agency must consider the Service Management aspects of the service(s) on offer.

The following ITSM Frameworks can be considered when assessing requirements for ITSM Service Transition:

ITIL

IT for IT

ISO/IEC 20000

Business Process Framework (eTOM)

COBIT

FitSM

DevOps

Microsoft Operations Framework (MOF)

3.2. Service level and complexity

The following requirements use case tables are separated into three service levels – silver, gold and platinum, reflecting the complexity of the ITSM Service Transition solution required:

Silver: Offerings that conform to a minimum number of processes of an identified ITSM methodology.

Gold: Offerings that conform to an identified ITSM framework and updated by the solution provider to reflect changes to the nominated ITSM methodology.

Platinum: Offerings that conform with the NSW Government Corporate Shared Services (CSS) Processes. Solutions at this level must be able to adapt to the evolving requirements defined, at no extra cost to agencies.

3.3. Requirements tables

The following tables set out the recommended business and technical requirements for NSW Government. They provide a consistent approach for all NSW Government agencies regardless of their size.

Key to table requirements:

Required Optional, but beneficial

Explanations for each element of the following use cases are provided at section 3.4.


3.3.1 ITSM Service Transition – Use Cases / Scenarios

‘Use cases’ for ITSM Service Transition that are anticipated in agencies are included in the table below. The corresponding requirement sections of this standard are ticked in the columns.

Use Case / Scenario

ITSM Service Transition: Change Management; Change Evaluation; Project Management (Transition Planning and Support); Release and Deployment Management; Service Validation and Testing; Service Asset and Configuration Management; Knowledge Management

Service Management: Compliance with NSW Government Standard Business processes; Self-service administration; Full-service administration; Cloud compliant hosting facility; NSW Government Data Centre; Onshore/offshore management; Service level management; Multi-service broker provision

Silver -

Gold -

Platinum

3.4. Elements of this standard

3.4.1 ITSM Service Transition requirements

Generic considerations for ITSM Service Transition may include the provision of the following components. Solutions that should address the overarching Service Transition element are included in the service requirements below:

Generic Service Transition Requirements Silver Gold Platinum

Enterprise frameworks with integration capabilities

Workflow management

Collaboration tools -

Integration across all other ITSM processes

Policy development -

Data mining tools -

Measurement and Reporting

Discovery and Audit tools -

(a) Project Management (Transition Planning and Support)

To provide overall planning for service transitions and coordinate the resources they require. Solutions that should address the Project Management (Transition Planning and Support) element are included in the service requirements below:

Project Management (Transition Planning and Support) Requirements Silver Gold Platinum

Integration across all ITSM processes

Performance Monitoring and Reporting

Stakeholder management -

(b) Change Management

To control the lifecycle of all changes, enabling beneficial changes to be made with minimum disruption to IT services. Solutions that should address the Change Management element are included in the service requirements below:

Change Management Requirements Silver Gold Platinum

Integration across all ITSM processes

Change Control and Reporting

Risk management framework -


(c) Service Asset and Configuration Management

To ensure that the assets required to deliver services are properly controlled, and that accurate and reliable information about those assets is available when and where it is needed. Solutions that should address the Service Asset and Configuration Management element are included in the service requirements below:

Service Asset and Configuration Management Requirements Silver Gold Platinum

Service Asset and Configuration Reporting

Integration with other ITSM processes

IT Service and Asset Audit Control

IT Service and Asset Management -

(d) Release and Deployment Management

To plan, schedule and control the build, test and deployment of releases, and deliver new functionality required by the business while protecting the integrity of existing services. Solutions that should address the Release and Deployment Management element are included in the service requirements below:

Release and Deployment Requirements Silver Gold Platinum

Audit Control

Integration with other ITSM processes

Release and Deployment Reporting

Architecture Release design packaging -

Early Life Support -

(e) Service Validation and Testing

To ensure that a new or changed IT service matches its design specification and will meet the needs of the business. Solutions that should address the Service Validation and Testing element are included in the service requirements below:

Service Validation and Testing Requirements Silver Gold Platinum

Validation and Test management

Service Quality and Assurance

Integration with other ITSM processes

Measurements and Monitoring

Validation and Testing Reporting -

(f) Change Evaluation

To provide a consistent and standardised means of determining the performance of a service change in the context of likely impacts on business outcomes, and on existing and proposed services and IT infrastructure. Solutions that should address the Change Evaluation element are included in the service requirements below:

Change Evaluation Requirements Silver Gold Platinum

Change Evaluation governance


Integration with other ITSM processes

Service change performance# -

Service change reporting -

# The term ‘performance’ is used in change evaluation to mean the utilities and warranties of the service, which provide the ability of the service to contribute to the performance of the customer’s assets.

(g) Knowledge Management

To share perspectives, ideas, experience and information, ensuring these are available in the right place at the right time to enable informed decisions, and to improve efficiency by reducing the need to rediscover knowledge. Solutions that should address the Knowledge Management element are included in the service requirements below:

Knowledge Management Requirements Silver Gold Platinum

Service Knowledge Management System (SKMS)

Integration with other ITSM processes

Data protection, controlled access and security

Data structure(s) (Data-to-Information-to-Knowledge-to-Wisdom) (DIKW) -

Knowledge, Information and Data architecture -

Self-Service Knowledge management -


4.4.1 Service Management requirements

(h) Compliance with NSW Government Standard Business Process

Solutions that wish to comply with this element (for Platinum services) must accept full and ongoing compliance with the current version(s) of the NSW Government Standard Business Processes. To be endorsed against this element, suppliers must meet the following requirements:

Compliance with NSW Government Standard Business Processes Silver Gold Platinum

The supplier’s solution meets all requirements in the appropriate standard(s), related materials and process artefacts as defined within the NSW Government Standard Government Processes - -

Sign a legal contract under the ProcureIT framework related to the appropriate standard(s) - -

Pay for cost of on-going (annual) certification against the relevant standard(s) - -

(i) Self-service administration

The ability to automatically provision and de-provision for all agency resources within the system, together with other appropriate administration and management tasks that can be delegated from the service provider that do not impinge on the solution being provided to other customers.

(j) Full-service administration

All provisioning, de-provisioning, together with all other administration and management tasks required to operate the environment, are provided as part of the service offering. The only exception will be service management of the provider which remains the sole responsibility of the initiating agency.

(k) Cloud compliant hosting facility

All relevant cloud services for the solution may be provisioned from a compliant hosting facility. A compliant hosting facility is defined as having the following attributes and/or capabilities:

The location of the hosting facility must be identified either by name and/or location (city and country) in any response.

The hosting location cannot be changed without first informing the agency concerned.

The service provider undertakes, maintains and provides access to SSAE 16 Service Organization Control (SOC) Type II reports (or equivalent) for the services and facilities in scope for the engagement.

The hosting facility must comply with minimum Tier 3, as defined by the Uptime Institute, ANSI TIA-942, or an equivalent industry standard.

The hosting facility must be certified against ISO 27001; compliance with the following international standards is desirable:

o ISO 9001

o ISO 27002

o ISO 20000-1:2011

o ISO 14001

Other desirable certifications may include, but are not limited to:


o PCI-DSS v3.0 or later

o Australian Signals Directorate

o ASIO-T4

o Uptime Institute

o CSA

Also consider contractual obligations relating to the service provider allowing security assessments and treatment of outcomes as agreed with the client.

If the hosting facility changes to a location that is deemed unacceptable either to NSW Government or to the agency and/or loses attributes and/or capabilities identified above, the agency may need to consider termination of services.

(l) NSW Government Data Centre

All relevant services for the solution may be provisioned from one or both NSW Government Data Centre(s) (GovDC). Depending on the service offering and agency requirements, it may be possible to ‘burst’ some elements of services to other location(s), subject to agreement with the commissioning agency.

Burst data centres must be deemed ‘compliant’. If the ‘burst’ data centre facilities change to a location that is deemed unacceptable either to NSW Government or to the agency, the agency may need to re-examine the ‘burst’ service or the full service.

(m) Onshore/offshore management

All solution providers must be able to articulate where their services will be provided from, including any remote support services.

For example, with a ‘follow the sun’ support model:

the locations of each of their support sites around the globe need to be identified

any changes to these need to be communicated to the customer agency promptly

if this causes issues, the agency has the right to cancel the service with appropriate notification.

(n) Service level management

Agencies will retain ultimate responsibility for service level management in any solutions engagement which would ordinarily be covered by a Service Level Agreement (SLA). Agencies, service-brokers and solution providers need to agree all SLA reporting and other related activities as part of any transition-in process.

(o) Multi-service broker provision

Any solution provider must work within the confines of a multi-service provider environment where either the agency or nominated provider will perform broker service provision. This will be defined as one provider being made accountable for the provision of all associated services, whether these are provided by the provider itself, or other third-party providers.


DOCUMENT CONTROL

Document history

Status: Final

Version: 1.0

Approved by:

Approved on: ?? 2016

Issued by: IDG Policy and Innovation, ICT & Digital Government Division, Department of Finance, Services & Innovation (DFSI)

Contact: IDG Policy and Innovation, ICT & Digital Government Division, Department of Finance, Services & Innovation (DFSI)

Email: [email protected]

Telephone: (02) 9372 7445

Review: This standard will be reviewed as required.


APPENDIX A – ABBREVIATIONS AND DEFINITIONS

AIIA Australian Information Industry Association

ASD Australian Security Directorate

ASIO Australian Secret Intelligence Organisation

CSA Canadian Standards Association

GovDC Government Data Centre

ICT Information & Communication Technology

ISO/TC International Organization for Standardization / Technical Committee

IT Information Technology

MAM Mobile Application Management

MDM Mobile Device Management

OS Operating System

PCI-DSS Payment Card Industry – Data Security Standard

PTS Procurement & Technical Standards

RTCE Real Time Collaborative Editing

SLA Service Level Agreement


APPENDIX B – REFERENCES

Agencies should have regard to the following statutes, NSW Government policies and standards:

AS/NZS ISO 31000 Risk management – Principles and guidelines

Electronic Transactions Act 2000

Government Information (Public Access) Act 2009

Health Records and Information Privacy Act 2002

ISO 27031-2011 Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity

ISO 27001 Information technology – Security techniques – Information security management systems – Requirements

ISO 24762 – IT Security Techniques – Guidelines for ICT Disaster Recovery Services

NIST Definition of Cloud Computing SP800-145

NSW Government Digital Information Security Policy

NSW Government Open Data Policy

NSW Government Cloud Policy

NSW Government Standard for Data Quality Reporting

NSW Government ICT Strategy

NSW Government Digital + 2015 Final Update

NSW Government Information Classification, Labelling and Handling Guidelines

NSW Procurement: Small and Medium Enterprises Policy Framework

Privacy and Personal Information Protection Act 1998

Public Finance and Audit Act 1983

Public Interest Disclosures Act 1994

State Records Act 1998

TPP 09-05 - Internal Audit and Risk Management Policy for the NSW Public Sector

APPENDIX C – STANDARDS

Developing technical standards

Development of a standard begins with identifying the need for a new standard, which is followed by the development of the standard in consultation with industry and expert groups, including the Australian Information Industry Association (AIIA).

The following diagram outlines the process.

The ICT Procurement and Technical Standards Working Group (PTS Working Group) is chaired by the Department of Finance, Services & Innovation and includes senior representation from across NSW Government.

Agencies engage with the PTS Working Group concerning services for inclusion in the ICT Services Catalogue. This drives the development of technical standards, where none exist. The PTS Working Group has the leading role in reviewing and endorsing the technical standards developed in response to agencies’ requirements.

The PTS Working Group is supported by two sub-groups responsible for the areas of Telecommunications and Services and Solutions. The sub-groups are responsible for initial development and review of standards relating to their areas of responsibility.

Management and implementation

There is scope to modify standards through the NSW Government ICT governance arrangements as necessary. Standards are designed to add value to, augment and be complementary to other guidance, and they are continually improved and updated.

This standard does not affect or override the responsibilities of an agency or any employee regarding the management and disposal of information, data, and assets. Standards in ICT procurement must also address business requirements for service delivery.

NSW Procurement facilitates the implementation of the standards by applying them to the goods and services made available through the ICT Services Catalogue.

Standards development process diagram:

Need for new or amended standard identified

Standard developed (Industry/agencies consulted)

Standard approved and released by PTS Working Group

Market engagement for services which meet the standard

Services added to Catalogue

Business requirements change

APPENDIX D – Sample Key Performance Indicators

Key Performance Indicator (KPI) | Definition

Project Management (Transition Planning and Support)

# projects | # major release rollouts under the control of project management

% projects with project charters | % projects started with a signed project charter

# changes to project charter | # changes to the project charter after project start

Adherence to project budget | Actual vs. planned consumption of financial and personnel resources

Project delays | Actual vs. planned project completion dates

Change Management

# major changes | # major changes assessed by the CAB (Change Advisory Board)

# CAB Meetings | # CAB (Change Advisory Board) meetings

Time for change approval/rejection | Average time from registering an RFC with Change Management until a decision on the RFC is reached (i.e. until it is either approved or rejected)

Change Acceptance Rate | # accepted vs. rejected RFCs

# emergency changes | # emergency changes assessed by the ECAB (Emergency Change Advisory Board)

Service Asset and Configuration Management

Verification Frequency | Frequency of physical verifications of CMS contents

# incidents owing to inaccurate CMS information | # incidents reported due to inaccurate configuration management information

Effort for CMS Verifications | Average work effort for physical verifications of the CMS contents

CMS Coverage | % configuration components kept in the CMS

Number of unauthorized Changes detected automatically | # unauthorized changes identified as a result of audits performed using automatic configuration update software

Number of CMS Errors | # errors found in the CMS as result of an audit

Release and Deployment Management

# releases | # releases rolled out into production environment. Grouped by major and minor releases

Duration of major deployments | Average duration of major deployments from clearance until completion

# release back-outs | # releases that had to be reversed

Proportion of automatic release distribution | Proportion of new releases distributed automatically

Service Validation and Testing

% failed release component acceptance tests | % release components that fail to pass acceptance tests

# identified errors | # identified errors during release testing per release

Time for error fixing | Time until re-submission of fixed release components

Incidents caused by new releases | # incidents attributable to new releases

% failed service acceptance tests | % service acceptance tests that fail to obtain customer’s sign-off