SMS-DOC-082-4 Configuration Management Process


Configuration Management Process

ISO20000 Toolkit: Version 10 ©CertiKit



Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

This document describes how the service provider will manage configuration items related to the services.

Areas of the standard addressed

The following areas of the ISO/IEC 20000:2018 standard are addressed by this document:

• 8. Operation of the service management system
  o 8.2 Service portfolio
    ▪ 8.2.6 Configuration management

General guidance

This is a document that underpins the whole area of configuration management. Careful thought needs to be given to what will be treated as a configuration item, what information will be recorded about it and how that information will be collected and kept up to date. Location information in particular can be tricky. Another major issue is that of defining relationships between configuration items and with services. Unless you have a reasonably high-end ITSM software tool this can be difficult to achieve, and we would suggest you start with the most important IT services in your landscape.

In a virtual environment (either hosted on premise or in the cloud e.g. AWS or Microsoft Azure), where infrastructure may be represented as code and configurations may be temporary (e.g. to provide elasticity), careful consideration is required regarding the degree of configuration control that will be applied, and a good understanding of the available cloud tools may be needed.

Review frequency

We would recommend that this document is reviewed annually.

Version 1


[Insert date]



Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.

Copyright notice

Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.


Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document.

CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.


Configuration Management Process


DOCUMENT REF: SMS-DOC-082-4
VERSION: 1
DATED: [Insert date]
DOCUMENT AUTHOR: [Insert name]
DOCUMENT OWNER: [Insert name/role]


Revision history

VERSION | DATE | REVISION AUTHOR | SUMMARY OF CHANGES

Distribution

NAME | TITLE

Approval

NAME | POSITION | SIGNATURE | DATE

Contents

1 Introduction
  1.1 Purpose
  1.2 Objectives
  1.3 Scope
2 Configuration management process
  2.1 Process diagram
  2.2 Process triggers
  2.3 Process inputs
  2.4 Process narrative
    2.4.1 Planning
    2.4.2 Identification of Configuration Items
      Services
      Hardware
      Software
      Virtual resources
    2.4.3 Control
    2.4.4 Status accounting and reporting
    2.4.5 Verification and audit
  2.5 Process outputs
  2.6 Roles and responsibilities
    2.6.1 Configuration manager
    2.6.2 Configuration librarian
    2.6.3 Configuration analyst
  2.7 RACI matrix
3 Configuration management tools
  3.1 Configuration management system
  3.2 Automated asset management system
  3.3 Cloud configuration management systems
4 Communication and training
  4.1 Communication with change management
  4.2 Communication with IT teams
  4.3 Communication with projects
  4.4 Process performance
  4.5 Training for configuration management
5 Interfaces and dependencies
  5.1 Interface to financial asset accounting processes
6 Reporting
7 Conclusion

Figures

Figure 1: Configuration management process

Tables

Table 1: Service CI attributes
Table 2: Hardware CI attributes
Table 3: Software CI attributes
Table 4: Virtual resources CI attributes
Table 5: RACI matrix
Table 6: Process interfaces and dependencies
Table 7: Process KPIs

1 Introduction

1.1 Purpose

The purpose of this document is to set out in detail the [Organization Name] process in the area of configuration management. As such, this document will represent an initial design for the enhancement of existing configuration management processes and will be updated on at least an annual basis thereafter as [Organization Name] and its IT service management needs develop.

The overall goal is to define and control the components of services and infrastructure and maintain accurate configuration information on the historical, planned and current state of the services and infrastructure. The achievement of this goal will require the population of a repository of configuration information (the Configuration Management System or CMS) which is verified and kept up to date using an appropriate mix of technical and procedural controls.

1.2 Objectives

The objectives of the configuration management process are to:

• Identify, record and control information about configuration items that have value to the organization
• Create and maintain a configuration management system (CMS) that holds useful information about CIs and their relationships e.g. baselines and snapshots
• Ensure that the CMS stays up to date in the face of change by working closely with the change management process
• Provide useful information about the status, attributes and relationships of CIs to other processes such as release and deployment management, change management and capacity management

1.3 Scope

The scope of this process is defined according to the following parameters:

• Organizational
  o [List organizations and parts of those organizations covered]
• Geographical
  o [List locations from which requests for change will be accepted and managed]
• Services
  o [Define the services covered by the process]
• Technical
  o [If necessary, cover the technology that may give rise to changes managed via this process]

The following areas are specifically excluded from this process:

[Describe any areas that need to be clearly stated as outside the scope]


2 Configuration management process

2.1 Process diagram

In overview the process of implementing configuration management consists of the following steps:

Figure 1: Configuration management process

Each of these steps will be described in the following sections of this document.


2.2 Process triggers

The configuration management process is initiated as a result of one or more of the following triggers:

• Initiation of a project that requires the introduction or changing of CIs
• Requests from change management and release and deployment management
• Significant events such as a service continuity or security incident
• Changes to legal, regulatory or contractual requirements
• In response to audit requirements

2.3 Process inputs

The process of configuration management requires a number of inputs in order to be able to function effectively. These may not always be available but will ideally be:

• Definitions of configuration management requirements from projects
• New configuration item details e.g. hardware manufacturer, model, serial number
• Requests for Change (RFCs)
• Audit records
• Hardware and software disposal records

2.4 Process narrative

2.4.1 Planning

The planning of configuration management within [Organization Name] will establish the following factors:

• The objectives to be achieved
• Resources to be allocated both for initial setup and for on-going operation of the process
• Tools to be used to identify, record, manage and report on configuration items
• Timescales
• Roles and responsibilities in the configuration management process

The plans will be managed via the service improvement process.

2.4.2 Identification of Configuration Items

Configuration Items (CIs) will be identified based on the following general principles:

• The types of CI will be services, hardware, software and virtual resources
• The level of CI will be determined according to the value of the information to the delivery of IT services
• The attributes recorded for each CI type will be determined based on a balance of usefulness and ease of maintenance

The following attributes will be recorded according to the CI type:

Services

All services that are included in the service catalogue will be recorded as CIs in the CMS.

ATTRIBUTE | DESCRIPTION
Service Name | The unique name by which this CI is known
Description | A text description of the CI
Status | Whether the CI is live, disposed etc.
Relationships | How this CI is related to other CIs and service components
Supplier | The supplier’s name
Start Date | The date the CI became live
Support Provider | Which organization provides support services for this CI
Support Contract Number | The contract number under which support is provided
Support Contract Expiry Date | The date the relevant support contract ends
Change Numbers | The numbers of all change records affecting this CI
Problem Numbers | The numbers of all problem and known error records affecting this CI
Incident Numbers | The numbers of all incident records affecting this CI
Comment | A free-format text field for any relevant information

Table 1: Service CI attributes

Hardware

The following types of configuration items will be recorded (this list will be updated as further types of hardware items are implemented):

• Desktop hardware
• Monitors
• Laptops
• Printers
• Servers
• Firewalls
• Routers
• Switches
• Other

The attributes listed below will be recorded.

ATTRIBUTE | DESCRIPTION
Asset Number | The asset number assigned to the CI
Description | A text description of the CI e.g. “Internet Router”
Status | Whether the CI is live, disposed etc.
Relationships | How this CI is related to other CIs and service components
Location/User | The current user or location of the CI
Type | The type of hardware e.g. desktop, router, laptop
Manufacturer | The manufacturer’s name
Serial number | The unique manufacturer’s serial number
Model number | The manufacturer’s assigned full product code
Supply Date | The date the CI was supplied
Supplier | Where the CI was sourced from
Cost | The costs of the CI when sourced
Purchase Order Number | Reference for the PO on which this CI was ordered
PO Date | Date of approval of the PO
Invoice # | If known
Invoice Date | If known
Date of Installation | The date the CI was installed into the live environment
Change Numbers | The numbers of all change records affecting this CI
Problem Numbers | The numbers of all problem and known error records affecting this CI
Incident Numbers | The numbers of all incident records affecting this CI
Comment | A free-format text field for any relevant information

Table 2: Hardware CI attributes

Software

All application software in use will be recorded as CIs in the CMS. This includes server-based systems as well as desktop software such as office suites.

ATTRIBUTE | DESCRIPTION
CI Name | The unique name by which this CI is known
Description | A text description of the CI
Status | Whether the CI is live, disposed etc.
Relationships | How this CI is related to other CIs and service components
Supplier | The supplier’s name
Version number | The manufacturer’s assigned version number e.g. R33
DML Reference/location | The reference of this software item within the Definitive Media Library
Supply Date | The date the CI was supplied
Supplier | Where the CI was sourced from
Cost | The costs of the CI when sourced
Date of Installation | The date the CI was installed into the live environment
Maintenance/Warranty Provider | Which organization provides maintenance/warranty services for this CI
Maintenance/Warranty Contract Number | The contract number under which maintenance/warranty is provided
Maintenance/Warranty Expiry Date | The date the relevant maintenance/warranty ends
Change Numbers | The numbers of all change records affecting this CI
Problem Numbers | The numbers of all problem and known error records affecting this CI
Incident Numbers | The numbers of all incident records affecting this CI
Comment | A free-format text field for any relevant information

Table 3: Software CI attributes

Virtual resources

It is essential that a clear picture is maintained of the virtual resources in use, particularly given the ease with which they may be created and terminated. Appropriate configuration management tools provided by the virtualization software or cloud vendor should be used where available.

ATTRIBUTE | DESCRIPTION
CI Name | The unique name by which this CI is known
Description | A text description of the CI e.g. “Virtual server”
Type | Whether the resource is a virtual server, storage bucket, virtual private cloud etc.
Status | Whether the CI is live, disposed etc.
Relationships | How this CI is related to other CIs and service components
Supplier | The supplier’s name (if in the cloud or internal if not)
Version number | The version number of the CI
Reference/location | The location of this virtual resource e.g. physical server or cloud region
Date of creation | The date the CI was accepted into the live environment
Change Numbers | The numbers of all change records affecting this CI
Problem Numbers | The numbers of all problem and known error records affecting this CI
Incident Numbers | The numbers of all incident records affecting this CI
Comment | A free-format text field for any relevant information

Table 4: Virtual resources CI attributes

2.4.3 Control

On-going control of the configuration items recorded in the CMS will be exercised via the change management process. No CIs will be added, changed or removed unless the appropriate change management documentation has been completed and approved. Part of the change management process will be the updating of the CMS to ensure that it remains current and always reflects a true record of installed items.

Installation of common items such as desktop PCs and laptops will be treated as service requests and there will be an interface between the procurement process and configuration management that ensures that items purchased are created as CIs when installed.

2.4.4 Status accounting and reporting

A set of reports will be regularly generated from the CMS in order to provide management information on the status of configuration items. These reports will include:

• List of all configuration items by site
• Rack listings by server room
• CIs having incidents associated with them
• CIs having problems associated with them
• CIs having changes associated with them
• Discrepancies between the recorded status of CIs and that most recently discovered by the asset management tool

Ad-hoc reports will also be required to satisfy information requirements for support contracts. These may require the creation of new reports. Other reports may be required for:

• Equipment refresh programmes
• Financial or insurance purposes e.g. value of kit at a location

2.4.5 Verification and audit

An automated asset management software tool will be used to verify the hardware, virtual resource and software configurations of all CIs to which it has access. This exercise will be carried out on a monthly basis initially, with the frequency being adjusted according to the number of discrepancies found.

A programme of physical audits will be instituted to verify the data collected via the tool with the intention of visiting all locations within a specified period of time. This approach will be validated in the light of the results obtained – if the tool is found to maintain a very high degree of accuracy and completeness then the number of physical audits may be minimised.

The IT service desk will also be used to verify data on an on-going basis when users report incidents. Verification of CIs not covered by software tools will be performed manually at least every six months.

2.5 Process outputs

The outputs of the configuration management process will be the following:

• New and updated configuration records
• Configuration baselines
• Status and accounting reports
• Relationship information for use in assessing changes
• An accurate CMS that provides input to the wider service knowledge management system (SKMS)

2.6 Roles and responsibilities

The following roles will play a part in the configuration management process.

2.6.1 Configuration manager

The overall responsibilities of this role are:

• Implement the organization’s Configuration Management (CM) process and standards
• Propose and agree scope of the CM processes, function, the items that are to be controlled, and the information that is to be recorded. Develop CM standards, CM plans and procedures
• Arrange recruitment and training of staff. Train CM specialists and other staff in CM principles, processes and procedures
• Create and manage the CM plan, principles and processes and their implementation. This includes CI registration procedures, access controls and privileges. Ensure that the correct roles and responsibilities are defined in the CM plans and procedures
• Propose and agree CIs to be uniquely identified with naming conventions. Ensure that staff comply with identification standards for object types, environments, processes, life cycles, documentation, versions, formats, baselines, releases and templates
• Propose and/or agree interfaces with change management, problem management, network management, release management, computer operations, logistics, finance and administration functions
• Assist auditors to audit the activities of the CM team for compliance with laid-down procedures. Ensure corrective action is carried out

2.6.2 Configuration librarian

The overall responsibilities of this role are:

• Plan and execute population of the CMS
• Manage and maintain the CMS, central libraries, tools, common codes and data
• Ensure regular housekeeping of the CMS
• Provide reports, including management reports (indicating suggested action to deal with current or foreseen shortcomings), impact analysis reports and configuration status reports
• Use or provide the CMS to facilitate impact assessment for change requests and to ensure that implemented changes are as authorised.
• Provide the CMS to help identify other CIs affected by a fault that is affecting a CI
• Perform configuration audits to check that the physical IT inventory is consistent with the CMS and initiate any corrective action

2.6.3 Configuration analyst

The overall responsibilities of this role are:

• Perform configuration audits to check that the physical IT inventory is consistent with the CMS and initiate any corrective action
• Follow documented procedures to ensure that CIs are created, updated and disposed of according to the configuration management process


2.7 RACI matrix

The table below clarifies the responsibilities at each step using the RACI method, i.e.:

• R: Responsible
• A: Accountable
• C: Consulted
• I: Informed

STEP | CONFIG MANAGER | CONFIG LIBRARIAN | CONFIG ANALYST
Planning | A/R | C | I
Identification | A/R | C | I
Control | A | I | R
Status Accounting and Reporting | A | R | I
Verification | A | I | R

Table 5: RACI matrix


3 Configuration management tools

There are a number of key software tools that underpin an effective configuration management process. These are subject to change as requirements and technology are updated and so specific systems are not described here. However the main types of tools that play a significant part in the process within [Organization Name] are as follows.

3.1 Configuration management system

The configuration management system (CMS) provides a way to store configuration records together with the attributes that are defined against them. It also allows relationships between CIs to be reflected so that a more effective impact assessment of changes can be made. The CMS is interfaced with the incident, problem and change management tools so that records in each system can be linked together e.g. changes to a specific CI can be recorded and reported upon.

3.2 Automated asset management system

This system is capable of discovering assets located within the IT estate and automatically capturing key attributes of them such as their type, configuration and software versions. The automated asset management system works with the CMS to provide regular updates without the need to physically visit remote locations.

3.3 Cloud configuration management systems

Software provided by a cloud service provider (CSP) as part of Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) offerings will provide the capability to track and report on the cloud environment, including virtual private clouds, virtual servers, networks and containers. They may also allow for the automation of many aspects of configuration management, such as the creation of virtual environments based on code and the checking and automated correction of configurations that do not meet defined policy.


4 Communication and training

There are various forms of communication that must take place for the configuration management process to be effective. These are described below.

4.1 Communication with change management

Configuration management effectively provides a service to change management so that the potential impacts of changes can be better understood. Configuration management will obtain feedback from change management about the accuracy and usefulness of the information provided so that any required improvements can be identified. Change management also provides updates to the CMS on a regular basis and the smoothness of the interface should be a subject of frequent communication. For both these reasons the configuration management process manager should be a regular attendee at Change Advisory Board (CAB) meetings.

4.2 Communication with IT teams

Configuration management needs to communicate the importance of keeping the CMS up to date to IT support teams so that there is no temptation to bypass change management and avoid updating the CMS. This will be done via awareness sessions delivered during team meetings and via other appropriate methods depending on the need.

4.3 Communication with projects

Project teams may need a significant degree of assistance with assessing and planning their configuration management requirements at the start of a project. This will depend upon the type and scope of the project but the configuration management process manager’s attendance at progress meetings may be useful to all parties involved.

4.4 Process performance

It is important that the performance of the configuration management process is monitored and reported upon on a regular basis in order to assess whether the process is operating as expected. The content of performance reports is set out in section 6 of this document, but it is vital that the reports are not only produced but are also communicated to the appropriate audience. This will include the management of IT concerning resource utilisation and allocation. Depending on the health of the process it may be appropriate to hold regular meetings with IT management to discuss the performance and agree any actions to improve it.

4.5 Training for configuration management In addition to a well-defined process and appropriate software tools it is essential that the people aspects of configuration management are adequately addressed. The process requires that training be provided to all participants in order that it runs as smoothly as possible. The main areas in which training will be required for configuration management are as follows.

• The configuration management process itself, including the activities, roles and responsibilities involved
• Configuration management software tools such as the configuration management system and cloud tools
• The basics of the technology and how it is implemented within [Organization Name]
• The business, its structure, locations, priorities and people

5 Interfaces and dependencies The configuration management process has a number of interfaces and dependencies with other processes within service management and the business. These are outlined here and are described in further detail in the relevant procedural documentation.

| PROCESS | INPUTS TO CM FROM THE NAMED PROCESS | OUTPUTS FROM CM TO THE NAMED PROCESS |
|---|---|---|
| Budgeting and Accounting for IT Services | Requests for inventory and asset information; Procurement information for new CIs | Reports for financial and insurance purposes |
| Information Security Management | Security requirements for access to the CMS; Security policies | Correct (unaltered) configuration information; Reports on detected configuration changes |
| Availability Management | Changes to CIs to improve availability (via change management) | Reports on single points of failure from CI relationship information |
| Capacity Management | Advance notice of required changes to configurations for capacity reasons | Details of installed configurations and capacities |
| IT Service Continuity Management | Requirements for control of key spares and software in a service continuity situation | Provision of key spares and other CIs needed during a service continuity incident |
| Release and Deployment Management | Requirements for baselines and release packages | Tracking of CIs within releases and provision of the right versions of CIs when required |
| Change Management | Information about changes to CIs | Impact assessment of proposed changes |
| Incident Management | Incidents linked to CIs | Information about CIs for use in incident diagnosis |
| Problem Management | Problems linked to CIs | Reports on CIs with many incidents against them; Information about CIs for use in problem investigation |
| Service Request Management | Service requests linked to CIs | Reports of service requests by CI |

Table 6: Process interfaces and dependencies

5.1 Interface to financial asset accounting processes In line with recommendations by [Organization Name] internal and external auditors and with the Asset Management Policy, there is a requirement to be able to provide to the Finance Department a listing of all hardware, software licenses and other assets installed within the organization, together with their locations. This information is provided in spreadsheet form on an annual basis. Purchase order and value information must also be provided for all hardware installed after dd/mm/yyyy. This information is held within the CMS and provided upon request.

6 Reporting The following KPIs will be used on a regular basis to evidence the successful operation of the configuration management process:

| KPI REF | KEY PERFORMANCE INDICATOR |
|---|---|
| KPI1 | Percentage discrepancies found during CMS audits |
| KPI2 | Number of complaints about inaccurate CMS records |
| KPI3 | User satisfaction with the CMS |
| KPI4 | Percentage of incidents for which configuration information was available |
| KPI5 | Number of successful impact analyses carried out for change management |
| KPI6 | Number of accesses of the CMS by problem management |
| KPI7 | Number of configuration errors caused by inadequate protection of CIs |
| KPI8 | Completeness of the definitive media library (DML) |

Table 7: Process KPIs

7 Conclusion Configuration management is a vital underpinning service that provides key information to other processes within IT service management. The mix of physical and virtual infrastructure and other components used to deliver our IT services is complex and it will require strict adherence to this process to ensure that a clear and accurate picture of configurations is maintained at all times. Only by really understanding and documenting our environment can we continue to deliver existing services effectively whilst at the same time planning for the transition of new ones.
