Implementing ITIL®V3/2011 Edition Framework
for Japanese Enterprises
Soma, Jerimi (yuko.soma8@gmail.com), Oct. 8, 2023
Abstract
This essay will discuss my own interpretation of ITIL®v3/2011 Edition and ISO/IEC 20000-1:2011 based on the Service
Management Framework Trainings.
ITIL (Information Technology Infrastructure Library) has been in IT service industries since 1989. ITIL V2 was the second
version of this framework, released in 2001. ITIL®V3 was released in 2007 and started to become a standard for Western
enterprises, including their Japan branch offices. ITIL®V3/2011 Edition introduced a service lifecycle approach to IT service
management, consisting of five phases: Service Strategy (SS), Service Design (SD), Service Transition (ST), Service
Operation (SO), and Continual Service Improvement (CSI). Since its release in 2011, ITIL® 2011 Edition has become best
practice even among local Japanese enterprises.
ITIL® V3/2011 also placed greater emphasis on the integration of ITIL® with other frameworks and standards, such as
ISO/IEC 20000-1:2011. Currently both ISO/IEC 20000-1:2018 and ITIL®4 (2019) are not just for IT service management
anymore but for any kind of service management.
ITIL®4 has undergone significant transformation and evolution to align with emerging trends such as AI (Artificial
Intelligence), RPA (Robotic Process Automation), Cybersecurity, ADM (Agile Delivery Model), DevOps, Cloud Technologies,
and SIAM (Service Integration and Management). ITIL®4 no longer emphasizes PDCA due to rapid global environmental
changes. Before studying ITIL®4, let's review the ITIL®v3/2011 Edition to understand the differences between them.
Introduction
First of all, I will describe the ITIL® lifecycle for seeking
"value to the customer" by using 5 stages as follows.
ⅰ) Service Strategy (SS)
As the center or starting point of the service lifecycle, it
provides basic principles that help organizations
understand their achievement goals and customer
needs, as well as develop policies, guidelines, and
processes for service management from both financial
and technical perspectives.
ⅱ) Service Design (SD)
Recognizing achievement goals, covering all
requirements, prioritizing, communicating with all
stakeholders as necessary, and designing and
developing accurate service management.
ⅲ) Service Transition (ST)
In the transition stage of services, which involves risks
and complexity, it manages programs, projects, and
clear cooperative relationships, controls risks associated
with transitions, and ensures that the entire business
organization transitions to the new environment
cost-effectively and reliably.
ⅳ) Service Operation (SO)
By taking over the service design package strategically
designed in Service Design, and taking over the
operation from Service Transition, it supports the
activities of the entire business in a strategic and stable
manner in line with the business goals.
ⅴ) Continual Service Improvement (CSI)
Aim to improve strategies, designs, transitions, and
operations. Specifically, plan and implement
improvement activities throughout the service lifecycle
in line with the overall goals of the business, improving
service quality, promoting operational efficiency, and
maintaining business continuity.
Secondly, the common meanings of the terms used in each
lifecycle stage are as follows:
Service
A service is the act of providing specific value to a
customer. By doing so, the customer does not have to
bear the risk of failure or cost directly, but can instead
delegate them to the service provider, enabling them to
achieve their goals and focus on their business, thereby
improving efficiency. Therefore, service providers
should be experts who have the ability to control risks
and costs appropriately. The value of a service is
determined and defined by the customer, so ultimately,
the customer decides whether or not to receive the
service at the offered price. Additionally, as value
changes, the service must always be adapted
accordingly.
Service Management
Service Management is the series of activities that
provide value to customers through the assurance of
ongoing service delivery of a consistent quality across
the five lifecycle stages of strategy, design, transition,
operation, and continual improvement. This involves
inputting service assets such as personnel and
capabilities, controlling and transforming 26 processes
(such as change management and knowledge
management) through the use of four functions (service
desk, operations management, technical management,
and application management), and outputting results to
customers. The value of these results is defined by
customers and is dependent on the achievement of
desired performance, the absence of constraints, and
the guarantee of adequate availability, capacity,
continuity, and security.
Process
A process is a set of defined activities that are aimed at
achieving a specific purpose. Processes are measurable,
and process managers aim to measure the cost and
quality of processes, while process practitioners focus
on measuring duration and productivity. Processes are
triggered by data and carry out a series of activities,
delivering outputs to customers or stakeholders. The
output data then becomes a trigger, and the process is
repeated, forming a closed loop. This is called a
performance-driven process, and it is characterized by
continuity, repetition, and improvement. Processes are
also quantifiable, as they result in specific outcomes.
Function
Functions use service assets such as personnel, tools,
and accumulated knowledge to execute processes.
Functions are organizational units responsible for a
series of activities that produce specific results, and they
must be staffed with specialized groups that perform at
a high level. Functions are assigned roles and
responsibilities through RACI (Responsible, Accountable,
Consulted, and Informed), and productivity of functions
is improved through the use of appropriate processes.
Next, I will discuss the 26 processes in ITIL®2011, starting
from Chapter 1. Each chapter in this essay carries the name of
one of the core books of ITIL®2011.
Chapter 1:
SOA (Service Offering and Agreement)
The following is a summary of SOA (Service Offering and
Agreement).
Value creation, usefulness, and assurance
While the results of IT services can be qualitatively
defined, quantifying them in monetary terms can be
difficult. If we attempt to quantify the value of IT
services, customers can recognize value through
"Reference value (what the customer can do on their
own) + benefits from using the service - losses from
using the service = economic value of the service,"
and
"Economic value of the service - reference value = the
difference in service."
This difference in service is what the service provider
can offer as "usefulness and assurance" (although it is
important to note that all of
these factors are based on the customer's perception,
preferences, and business outcomes).
Usefulness, which determines the value of the service,
refers to its suitability for the intended purpose
(functionality), such as whether performance is
supported and constraints are eliminated. Assurance
refers to its suitability for use (manageability), such as
whether availability, capacity, continuity, and security
are sufficient. The phase of design that confirms
usefulness, such as application development, should not
be executed independently and is more valuable when
the operational phase that confirms assurance is
involved. If the operational phase is entered after the
design phase is completed, additional costs for rework
may occur, resulting in a lower value. Additionally, when
the level of usefulness and assurance is balanced, a
synergistic effect is created, resulting in value creation.
The roles of Service Catalog Manager and Service Level
Manager
・Develop a strategy that aims to achieve overall goals,
not for organizational politics or self-interest.
・Foster team culture through mentoring and coaching.
・Ensure investments are proportional to the intended
development and growth of the organization.
・Prioritize investments by considering areas that will
have the greatest impact on the business.
・Make decisions based on analysis results.
・Evaluate, direct, and monitor the strategy, policies,
rules, and contracts.
・By investing only in valid businesses, reduce costs and
maximize ROI.
・Increase investment levels for major projects and
service improvements.
・Receive instructions and report to senior
management.
・Understand and support customer needs.
・Involve other managers and provide support.
Risks and challenges faced by service design
Challenge: Managers must address the following challenges:
Services and processes that are not designed will
develop in a chaotic manner. Without proper control,
they will become reactive to the environmental
conditions that have arisen without a clear
understanding of the overall vision and business needs.
An iterative and innovative approach is needed for
service design.
Risk: Without service design, costs become very high
and cost-effectiveness becomes low. Also, there is a
higher likelihood of incidents occurring during service
operation. Resources are wasted and no longer aligned
with business needs. Regardless of the improvement
plan, business goals that should have been achieved will
not be met.
a) Actions in accordance with the position of a manager
・Always act with business objectives, profitability, and
investment priorities in mind.
・Give equal weight to control from above (senior
management), the side (customers and other IT
managers), and below (subordinates, processes,
technology, and tools).
・Prioritize considering what service management is.
b) Actions that are not in line with this
・Engage in internal political activities for self-interest
or self-preservation.
・Micromanaging or conducting subordinates' tasks
without asking them can lower their motivation.
・Assign projects to their subordinates without
conveying business objectives.
Service Portfolio Management
About Portfolio
A portfolio, like an investment portfolio,
should be adjusted based on the characteristics of
customer risk and return to maximize profits at an
acceptable level of risk. Therefore, if conditions change,
the portfolio should be updated accordingly.
IT service portfolios include service portfolios,
application portfolios, customer portfolios, customer
agreement portfolios, and project portfolios. However,
only the service portfolio under portfolio management
is described below.
The service portfolio is a document that describes the operational
or deployed services (=service catalog), services under
preparation or development (=pipeline), and obsolete
services that the provider offers from the perspective of
business value. This serves as a means of comparing the
competitiveness of various providers. The purpose of
creating a portfolio is to ensure that the appropriate
services are prepared to achieve a balance between IT
investment and business results. The value of the
portfolio to the business is that it enables sound
decision-making regarding IT service investments.
"What services are needed to achieve it?
What capabilities and resources (resource assets) does
the organization need to realize those services? How
will the goals be achieved?" Satisfactory answers to
these questions require the participation of senior
leaders and subject matter experts, such as senior
architects. This group is called the Service Architecture
Board (SAB), and they support clear answers to the
aforementioned strategic questions and conduct
analysis of each service to ensure that the service
portfolio brings value to the business in a strategic
manner.
Activities of Service Portfolio Management Process
Activity initiation: Triggered by strategic management,
business relationship management, continuous service
improvement, and other service process management
processes. Here, we use continuous service
improvement as an example. CSI provides inputs such as
performance improvement opportunities, service level
achievement opportunities, gaps in the current service
portfolio, and overall improvement opportunities for
service portfolio management.
Defining: Defining the desired business outcomes,
opportunities, requirements for usefulness and
assurance, and the service itself, as well as predicting
the required investments to achieve these.
Service Catalog Management
Objectives of Catalog Management
By clearly showing business customers what services are
provided, which services have been approved and can
be received in the future, which services have been
discontinued, and which services are lacking, customers
can more easily receive services and understand what
services they want to receive in the future, promoting
business development. In addition, customers can
consider whether services are being provided at an
appropriate price. The catalog must always be
up-to-date.
The content of the service catalog
There are two types
of service catalogs, both of which are included in the
service portfolio.
a) Technical service catalog for support staff
This catalog is not publicly available to the business side. The
contents include services, hardware, software,
networks, applications, data, suppliers, etc. Two types
of services are listed: currently provided services and
approved services that have not yet been provided.
b) Business service catalog
It centrally manages all service information promised to
be supplied to customers and supplies that information
to all authorized stakeholders. The contents include
services, supported product policies, ordering and
request procedures, support conditions, entry points
and escalation, pricing and billing methods. Different
catalogs can be shown to user groups using different
views.
The Goal of Service Level Management (SLM)
The goal of SLM is to ensure that current and planned
services meet agreed achievable targets. To achieve this,
the following objectives are set: define, document,
agree, monitor, measure, report, review, and take
appropriate improvement measures for IT service levels.
Collaborate with business relationship management to
maintain and improve relationships with the business
and customers. Enable IT services to be set with
measurable targets. Monitor and improve customer
satisfaction with service quality. Ensure that quality is
maintained at agreed levels while always being
cost-effective and constantly striving for continuous
improvement.
SLA and OLA
An SLA is a formal agreement between an IT service
provider and a business customer that defines the
objectives of each service and the responsibilities of
both parties. The agreement is not intended for paying
compensation in the event of a breach, but rather
emphasizes the agreement between the two parties.
The SLA defines the useful features and guarantees that
the service should provide. The SLA is planned,
coordinated, drafted, agreed upon, monitored, and
reported by service level management (SLM).
An OLA is a formal agreement between an IT service
provider and another department in the same
organization that supports it, such as procurement or
facilities management. The OLA defines the objectives
that support service activities and ensure that they do
not cause SLA violations.
Types of SLAs:
a) Service-based SLA:
It specifies an SLA for a single service used by all
employees, such as email service. However, even for the
same email service, different conditions may apply, such
as employees using it from home, connecting via VPN
from another site, or accessing it from the company's
internal LAN. Thus, there is a problem of whether the
same SLA can be applied and who will sign the
agreement on behalf of the users. Using multiple service
levels can be considered to improve the effectiveness of
service levels.
b) Customer-based SLA:
It specifies a single SLA for all services used in a single
department, such as financial, payroll, billing, or email
systems. It is often preferred by the customer because
all requirements are met in a single document and only
one person needs to sign the agreement, making it clear.
c) Multi-level SLA:
It may have a hierarchical structure, such as specific
service-level SLAs, customer-level or business unit-level
SLAs, and enterprise-level SLAs. Details are similar to a)
and b). Using a combination of hierarchical SLAs makes
them easier to handle, avoids unnecessary duplication,
and requires less frequent updating. However, it
requires more effort to maintain the necessary
relationships in the service catalog and
CMS (Configuration Management System).
Service Level Management
The main activities are as follows: 1) Evaluation,
negotiation, documentation, agreement, management,
and review of new or changed service requirements in
SLRs, and incorporating these requirements into SLAs
through service lifecycle management. 2) Monitoring
and measuring service performance against SLAs. 3)
Creating service reports. 4) Conducting service reviews,
including identifying opportunities for improvement in
the CSI register and appropriately managing the SIP. 5)
Measuring customer satisfaction in collaboration with
business relationship management and implementing
improvements based on the results. 6) Reviewing and
revising SLAs, service scopes, and OLAs. 7) Recording
and managing complaints and compliments in
collaboration with the business relationship
management process.
Reality of Service Level Management Activities
Step 1 - Availability management measured and
baselined the availability and capacity of the current
ABC phone server, and based on those results, service
level management discussed SLAs with business clients,
including business client management. Service level
management agreed on a service-based SLA for ABC
phone mail service, which includes 24/7 availability,
downtime of no more than 2 hours per incident due to
failures or maintenance, no more than one outage every
four months, and response time of less than three
seconds for initiating email sending and receiving on
ABC phone, with a period of less than 1 hour for periods
of less than that time. The agreement is based on
end-to-end performance, and the customers agreed to it
(without using expressions that customers do not
understand, such as "99.8%"). In addition, service
providers, such as NNN and RIM, that support the
service also signed a separate SLA and a legally binding
external outsourcing contract to achieve that SLA. The
procurement department agreed to an OLA stating that
it would deliver ABC phone to IT within 14 days of a
user's request.
Step 2 - Monitoring and measuring service performance
against SLAs.
Step 3 - Creating service reports, including RAG charts.
Step 4 - Conducting service reviews and adding
consideration of ABC phone OS upgrades to the SIP in
light of the impact of security vulnerabilities on
availability.
Step 5 - Triggered by case closure, a survey was sent out
through an incident management tool for ABC phone
incidents, asking users to rate their satisfaction on a
scale of 1 to 10 and provide honest opinions in a
free-form field.
Demand Management
Demand management is a process of understanding,
predicting, and analyzing the business activity patterns
and user profiles of business customers, and controlling
the capacity and performance of service assets to
ensure that they are provided with sufficient resources
to meet their needs. Along with capacity management,
it involves controlling service assets to ensure that they
are provided with sufficient resources to meet their
needs. Specific processes unique to demand
management include using strategies such as incentives
and penalties to control demand and splitting out peak
hours, as well as finding ways to balance business
objectives and IT investments.
The process most closely related to Demand
Management is Capacity Management:
Both aim to achieve business results and optimize IT
investment, but differ in the following ways. Demand
Management is a somewhat business and user-oriented
process, where business customers adjust product
demand by setting differential pricing or spreading peak
demand, and IT services predict and develop strategies
for managing that demand. In contrast, Capacity
Management is a more IT service and
technology-oriented process, managing service asset capacity and
performance based on the demand information
received from Demand Management. Therefore,
Capacity Management's work is inherited from Demand
Management and the two processes are closely related
because capacity is needed in response to demand.
Core services and support services
Core services are the basic services that customers rely
on, such as the ability to send and receive emails. On the
other hand, support services provide additional value to
customers, such as the ability to choose between
Domino server, Exchange server, or Office 365, and a
guarantee that email sending and receiving is available
24/7. These services are presented to customers as a
service package, and service providers incorporate
them into their service portfolio management to be
considered for purchase and implementation. At the
same time, the combination of these core and support
services is evaluated through demand management to
determine if they fit with the customer's business
activity patterns and user profiles.
Control Demand Management
One way to control demand is through demand
management, which analyzes business activity patterns
and user profiles to determine which users need which
services, at what time (or time of day), and how much in
advance. By knowing this information beforehand,
demand can be controlled by implementing strategies
like penalties (such as withholding expense
reimbursements until a user inputs their expenses by a
certain deadline) to normalize the use of expense
reporting systems. Additionally, capacity management
can control demand by understanding changes in the
business environment and reflecting new technologies
and service requirements in the service portfolio, as well
as accurately forecasting resources to meet demand.
The business activity pattern of the services provided
by XYZ tool services:
XYZ is a powerful ITSM tool that strongly supports the
ITIL® framework. The target users are all business
customers, with 5,000 users, not only IT staff but also
human resources department due to its high frequency
of use for managing employee entry and exit. It is used
for incident management, problem management,
request fulfillment, access management, and other
purposes.
For request fulfillment, users can select the necessary
services from the service catalog on the intranet in a
shopping cart style, and the ticket is automatically
created.
For incidents, users create tickets. The service desk
follows the sun, so XYZ is used 24 hours a day, Monday
to Friday, with peak transaction times being constantly
busy.
In terms of timing, the peaks fall at the end of each month, end of
each quarter, and end of the fiscal year. The number of
users for each time zone (APAC, CEMEA, North America
daytime) is 1,500, and no load-balancing measures are
taken, but demand management will need to be carried
out to avoid imbalanced numbers of employees in each
region, and capacity management will need to be
adjusted if differential internal charging is not applied.
Supplier Management
What are Suppliers?
Suppliers are classified into four categories from top to
bottom: strategic suppliers, tactical suppliers,
operational suppliers, and commodity suppliers. The
term "supplier" often implies working under the service
provider.
Strategic suppliers are partners who make long-term
commitments on an equal footing with service
providers and their business customers, sharing
confidential strategic information, accepting joint
responsibility, and sharing risks and rewards, so they are
managed at the senior management level of the service
provider. Example: Providing network construction
services and operation management on an Asia-wide
scale.
Tactical suppliers are involved in commercial activities
and interactions with business, including regular
contacts and performance reviews, including ongoing
improvement programs, and are managed by middle
management. Example: Maintenance organizations
that provide solutions for server hardware failures.
Operational suppliers provide operational products or
services and are managed by lower-level management,
including occasional contacts and performance reviews.
Example: Hosting service providers.
Commodity suppliers provide low-value, readily
available products and services that are relatively easily
sourced. Example: Providing printer cartridges.
Although managing multiple suppliers can be
cumbersome, it diversifies risks. Using a single supplier
makes management easier, but the risk of dependence
and cost increases. Note that transitioning to alternative
suppliers becomes even more difficult when suppliers
customize services.
Achievement goals for supplier management
The goals of supplier management are to obtain results
that match the value invested by the business customer
or service provider, to manage contract details to fit the
needs of business customers, to work with the service
level management process to determine agreed-upon
SLA targets and SLAs, to fully manage relationships with
suppliers, to review and manage supplier performance,
to negotiate and agree on contracts, and to manage
them throughout their lifecycle, and to maintain and
manage supplier policies and supporting supplier and
contract management information systems (SCMIS).
What is a Supplier Contract Database?
The Supplier and Contract Management Information
System (SCMIS) is created to ensure that service
provider policies for all suppliers are consistent and
effective. SCMIS records the details of the types of
services or products provided by each supplier, other
relevant CI information, and the content of contracts,
which must be integrated into the CMS (Configuration
Management System) or SKMS (Service Knowledge
Management System). This also forms the service
portfolio and service catalog. The following information
in SCMIS provides a reference set of information for
supplier management procedures and activities: ⅰ)
Definition of requirements for new suppliers and
contracts, ⅱ) Evaluation and configuration of new
suppliers and contracts, ⅲ) Categorization of suppliers
and maintenance of SCMIS, ⅳ) Establishment of new
suppliers, ⅴ) Management of supplier performance
and related contracts, and ⅵ) Update or termination of
contracts.
Challenges, Key Success Factors (KSF), and Risks in
Supplier Management
Challenges: The supplier management process manager
must address the following challenges in order to solve
them. Change management due to constantly changing
business and IT needs. Business operations are carried
out based on contracts that do not have sufficient target
values and performance measurement definitions.
Insufficient specialized knowledge within the
organization. Long-term contracts with punitive
penalties for early termination despite no possibility of
improvement, leading to cost increase. Disputes
regarding fees. A reactive approach is taken due to
being overwhelmed with day-to-day firefighting tasks,
and a proactive approach is not taken. Losing the
strategic perspective and only focusing on operational
challenges, resulting in failure to achieve goals and solve
challenges.
Key Success Factors: Suppliers demonstrate sufficient
performance, provide support services that align with
business needs and business goals, and provide
sufficient availability, and providers have clear
ownership of supplier contracts.
Risks: Lack of commitment to the supplier management
process from business and senior management.
Insufficient information regarding future business and
IT policies, plans, and strategies. Lack of resources and
budget. Old contracts that do not support business
needs, SLAs, and SLRs. There are supplier transitions
that result in changes to relationships, resources, and
contracts.
Financial Management
Benefits of Financial Management
First, the financial management process includes the
following three tasks. Monitoring discrepancies
between budget and actual expenses and monitoring
revenue = accounting task. Creating and managing
budgets = budgeting task. Invoicing for payments
received = charging task.
The benefits of financial management are that a healthy
business decision can be made based on appropriate
data in compliance with regulations (such as the SOX
law and US-GAAP accounting and reporting) to avoid
penalties. Additionally, the decision to continue or
withdraw from business can be made based on a service
portfolio that clarifies the relationship between service
and cost, with financial support. Furthermore, financial
management can design billing systems, optimize costs,
and make reasonable investments for IT service
management by considering the relationship between
supply and demand.
Service Assessment: Service assessment refers to two
types of value: (a) the cost of tangible and intangible
elements required to provide IT services, such as
hardware, software licenses, maintenance fees,
personnel expenses, facilities costs, and compliance
costs; and (b) the potential value added to the business
by providing IT services, which cannot be accurately
quantified but is perceived by the business customers.
For example, the value of services includes the
customers' perception of the usefulness and guarantee
of services and the potential value added to the
customer's assets by the services provided.
Return on Investment (ROI): Return on Investment (ROI)
is a concept used to measure the value of IT service
investments. It measures the increase in business
profits resulting from IT service investments relative to
the total investment made by the business customer.
The result is expressed as a percentage and is used to
determine whether IT services are treated as profit
centers or cost centers. However, since many intangible
factors affect the provision of IT services, the ROI
formula may oversimplify the calculation and not
capture all potential benefits, such as improved
customer loyalty.
Chapter 2:
PPO (Planning, Protection & Operation)
PPO, or Planning, Protection & Operation, is a service
management methodology evaluated in terms of its
strengths and weaknesses. PPO has several strengths,
such as comprehensive information management using
XYZ tools, adherence to ITIL® guidelines for roles and
functions, a robust service desk function with 24/7
infrastructure support, effective business continuity
planning, and a balance between management
flexibility and risk aversion. However, PPO also has some
weaknesses, including the lack of a billing model
assessment for demand management, lower customer
satisfaction among Japanese users due to the parent
company's focus on US-based processes, and a lack of
awareness that the company is an internal service
provider that may cause customers to be less patient
with IT service issues.
The benefit of properly implementing service design is
to minimize the necessary improvements in the service
lifecycle. These improvements will inevitably be
required as the direction of the business changes over
time or as domestic infrastructure technology evolves
regardless of the business. It is important to prepare a
service design package, taking into account the impact
on service transition and service operation. For
customers using large-scale cloud technologies such as
Microsoft 365 and CCC's business cloud, which can be a
significant investment, there is the benefit of being able
to confirm cost-effectiveness before introducing the
service. Furthermore, this proper implementation also
contributes to IT governance.
Processes included in PPO that allow for even better
efforts and potential effects
In the case of the above-mentioned business customer,
the information security management process was
appropriately incorporated into the service design
package (SDP) at the introduction stage, passed to
service transition, and appropriately addressed by
service operation. As a result, although a fault occurred
during the AD/Exchange server/file server migration
project, it caused minimal damage to users, and the
project was completed as planned.
Fault details: During the Exchange server migration on a
holiday, some of the data in the distribution list (DL) was
lost. Also, during the file server migration, some of the
folder security settings were lost.
Action taken by IT: The IT department promptly notified
the respective department heads of the customer about
the fault and followed the procedures as stated in the
customer service catalog. They also requested the
customer to call the service desk for assistance if
needed and proceeded to continue with the other tasks
in the project promptly, finishing all migration work by
the start of business the next morning.
Customer behavior: On Monday morning, the
department head who is the DL (Distribution List) owner
came to work and added the correct members to the DL
based on the hardcopy. Similarly, the department
head who is the owner of each department folder added
the correct member access rights to all folders under the
department folder based on the hardcopy of the access
rights. As a result, at 9:15 AM all users were able to
receive group emails with CIA maintained and to access
the folders they needed, returning to BAU (business as
usual).
The benefits of conducting service design appropriately
include minimizing the necessary improvements in the
service lifecycle. These improvements will always be
necessary as business direction changes over time or
domestic infrastructure technology advances, but they
must be smoothly completed. In carrying out this
process, a service design package should be carefully
prepared, taking into account the impact on service
transition and service operation. In particular, for
customers using large-scale cloud technologies such as
Microsoft 365 and CCC Business Cloud, there is a benefit
of being able to confirm cost-effectiveness before
implementation, as it represents a significant
investment. Additionally, conducting service design
appropriately leads to IT governance.
Furthermore, the processes included in a well-executed
PPO and the potential effects can enable superior
initiatives.
In the case of the business customer described above,
the information security management process was
appropriately incorporated into the service design
package (SDP) during the introduction phase, passed to
service transition, and appropriately addressed by
service operation. As a result, despite the incident
during the Active Directory/Exchange server/file server
migration project, the impact on users was minimized,
and the project was completed as planned.
Service catalog notation:
a) DLs are created by IT upon request from department
managers. However, the department manager is
responsible for adding or deleting members to the DL
and managing it.
b) Only IT can create department folders on the file
server. However, the department manager is
responsible for creating, updating, and managing access
rights for the folders under the department folder.
Note: The file server administrator has full access rights
to all folders but does not access them for purposes
other than support.
If an appropriate SDP is not in place, the lack of clarity
regarding who is responsible for restoring access rights,
how to grant access rights, or what the original access
rights were can lead to disputes between IT and users,
causing delays in operations, delays in IT service
operations, and potential loss of business opportunities.
Improvement points: Emails sent to the DL were not
delivered from the time of the incident until Monday
morning. Users who attempted to use the file server via
VPN during the holiday weekend were unable to access
the intended folder until Monday morning. Even on
holidays, it may be advisable to convene an ECAB to
obligate department managers to take emergency
measures. While IT is not involved in these access
controls due to resource constraints and confidentiality
and document security considerations, if a department
manager is unable to respond for some reason, IT may
need to become a backup for each department manager.
IT should have set a baseline and taken a rollback
approach. These points can be recorded in the CSI
management table by the information security
management manager and improved in conjunction
with the availability management manager to achieve
even better PPO and increase availability.
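The baseline-and-rollback approach named in the improvement points can be implemented as a comparison of DL membership and folder access rights captured before the migration with the state read back afterwards. This is an added example, not part of the original essay or of any tool it mentions; the DL names, folder paths, rights, owner names and the `it-backup` role are constructed, and the check also flags entries that were added during migration, which goes beyond the losses described above.

```python
import hashlib
import json

# Constructed baseline captured BEFORE the migration. All names, paths and
# rights are invented for illustration.
BASELINE = {
    "dl": {"sales-all": ["aoki", "baba", "chiba"], "finance-all": ["doi", "endo"]},
    "acl": {
        "/dept/sales/quotes": {"aoki": "modify", "baba": "read"},
        "/dept/finance/closing": {"doi": "modify", "endo": "modify"},
    },
}

# Constructed state read back AFTER the migration: a DL member and a folder
# entry were lost, and one folder gained an entry nobody approved.
AFTER = {
    "dl": {"sales-all": ["chiba", "aoki"], "finance-all": ["doi", "endo"]},
    "acl": {
        "/dept/sales/quotes": {"aoki": "modify"},
        "/dept/finance/closing": {"doi": "modify", "endo": "modify",
                                  "Everyone": "read"},
    },
}

# Responsible owner per object, as a service catalog would assign it
# (department managers; constructed names).
OWNERS = {
    "sales-all": "sales-mgr", "/dept/sales/quotes": "sales-mgr",
    "finance-all": "finance-mgr", "/dept/finance/closing": "finance-mgr",
}


def normalize(state):
    """Sort member lists so that equal states always serialize identically."""
    return {
        "dl": {n: sorted(set(m)) for n, m in state["dl"].items()},
        "acl": {p: dict(e) for p, e in state["acl"].items()},
    }


def digest(state):
    """SHA-256 over canonical JSON. Recording it with the change record lets
    the baseline be shown later to be the one taken before the migration."""
    canonical = json.dumps(normalize(state), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diff_state(baseline, after):
    """Return findings as (kind, object, principal, expected, actual) tuples."""
    base, post = normalize(baseline), normalize(after)
    findings = []
    for name in sorted(set(base["dl"]) | set(post["dl"])):
        want = set(base["dl"].get(name, []))
        have = set(post["dl"].get(name, []))
        for member in sorted(want - have):   # lost: mail no longer delivered
            findings.append(("dl_member_lost", name, member, "member", None))
        for member in sorted(have - want):   # added: unintended recipient
            findings.append(("dl_member_added", name, member, None, "member"))
    for path in sorted(set(base["acl"]) | set(post["acl"])):
        want = base["acl"].get(path, {})
        have = post["acl"].get(path, {})
        for principal in sorted(set(want) | set(have)):
            if principal not in have:
                findings.append(("acl_entry_lost", path, principal,
                                 want[principal], None))
            elif principal not in want:
                findings.append(("acl_entry_added", path, principal,
                                 None, have[principal]))
            elif want[principal] != have[principal]:
                findings.append(("acl_right_changed", path, principal,
                                 want[principal], have[principal]))
    return findings


def gate(findings):
    """Go/no-go for the change: any deviation from the baseline means the
    migrated state is not accepted and the rollback plan is invoked."""
    return "ROLLBACK" if findings else "ACCEPT"


def restore_tasks(findings, owners, unavailable=(), backup="it-backup"):
    """Group findings by the owner who must approve the repair, falling back
    to the named IT backup when that owner cannot respond."""
    tasks = {}
    for finding in findings:
        owner = owners.get(finding[1], backup)
        if owner in unavailable:
            owner = backup
        tasks.setdefault(owner, []).append(finding)
    return tasks


if __name__ == "__main__":
    print("baseline digest:", digest(BASELINE))
    result = diff_state(BASELINE, AFTER)
    print("decision:", gate(result))
    for owner, items in restore_tasks(result, OWNERS, {"sales-mgr"}).items():
        for item in items:
            print(owner, item)
```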
The four process managers listed below have the
responsibility of coordinating with each other due to the
close relationship between their respective processes,
obtaining an understanding of IT financial service
management, and providing material to justify
appropriate investment from business customers.
The common responsibilities shared by the following
four process managers are: a) taking responsibility for
the operation and management of the process; b)
appointing personnel to roles and managing resources;
c) planning and development of the necessary
investment and management procedures with the
process owner; d) monitoring performance and
reporting to the process owner; e) creating and
updating the CSI register; f) monitoring compliance with
agreed SLAs; g) attending necessary CAB meetings; h)
ensuring all of the above is documented and kept
up-to-date.
Responsibility for explaining to the CIO and analyzing
KPIs falls within the remit of the process owner, so it is
not the responsibility of the process manager. However,
if the manager also serves as the process owner, this
does not apply. Additionally, since process managers
may be located in multiple sites, they should coordinate
with each other.
The specific responsibilities of each manager are as
follows:
ⅰ) Availability Manager - responsible for identifying the
reliability, maintainability, and serviceability
requirements of internal and external suppliers'
components. Provides support for related incident and
problem management. Performs risk assessment and
risk management.
ⅱ) ITSCM Manager - responsible for conducting
business impact analysis, risk assessment, and risk
management. In the event of a disaster, directs the
invocation of the service continuity plan for recovery.
Directs testing, post-review, and corrective action.
Manages contracts with recovery service providers.
SLAs are agreed with the business rather than
customers.
ⅲ) Capacity Manager - Responsible for balancing
capacity and demand. Analyzes past, present, and
future usage rates, maximum capacity, performance
thresholds, and tuning methods. Supports incident and
problem management activities.
ⅳ) Information Security Manager - Assists the ITSCM
manager in conducting business impact analyses.
Supports incident and problem management activities.
Conducts security risk assessments and risk
management. Promotes the company's security policies
to customers and users.
Availability-related "Issues, CSFs (Critical Success
Factors), Risks":
ⅰ) Issue: The XYZ service ticketing
system experiences downtime or extremely slow
response times for about 5 hours, twice a week during
business hours. The SLA requires 99.99% availability
during weekdays (excluding Japanese holidays) from
9:30 to 17:30, and a Severity 2 incident ticket should be
resolved within 3 hours after being reported. However,
the system has been in violation of the SLA for almost a
year since its implementation. The XYZ server and its
technical and application management are located in
the United States.
[Current situation] Availability (%) = (Agreed service
hours - downtime) x 100 = (480h / 1920h) x 100 = 25%
To address this issue, it is necessary to reach an
agreement with the business customer to lower the SLA.
However, as the application is only used within the IT
department, it has only an indirect impact on customers
and is not considered a VBF. Therefore, the discussions
have been postponed. However, in reality, even when
incidents are reported by users, the service desk cannot
create tickets, and the workaround for known errors
that have been updated by technical management
cannot be accessed by the service desk, resulting in
significant delays in service response to users and a
major impact on business customers' businesses.
Additionally, the service provider's work efficiency has
significantly decreased, although the impact has not
been measured. As a result of the business customer's
lack of awareness of the need for high availability of XYZ,
appropriate investments and improvement activities
are not being carried out. Information is integrated into
AMIS (Availability Management Information System),
but since AMIS is within XYZ, it cannot be utilized.
ⅱ) CSF (Critical Success Factor)
According to the SLA, XYZ's availability is 98.12%,
reliability (MTBSI) is 160 hours (12 downtimes per year),
and maintainability (MTRS) is 3 hours (12 downtimes
per year with a total downtime of 36 hours), ensuring
that availability and reliability are managed.
Fulfilling business needs for using XYZ.
Providing the service at an optimal cost.
ⅲ) Risk
XYZ is an ITSM tool used only within the IT department,
and it is essential for ensuring business continuity for
business customers. However, senior managers have
not been able to explain to the management that when
individual users or system-wide issues arise, the low
availability of XYZ indirectly affects all users of the
business customers and directly affects all users of the
service provider.
Due to the above reasons, resources and budget for the
availability process of this system are insufficient.
Reporting to seven group companies individually
requires significant effort in the reporting process.
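The CSF figures above (98.12% availability, MTBSI 160 hours, MTRS 3 hours) follow from 1,920 agreed service hours and 12 breaks of 3 hours each. The following added example, which is not from the essay or from XYZ, computes the same three metrics and also shows how raw outage timestamps are restricted to the agreed service hours (weekdays 9:30 to 17:30, holidays excluded) before they count; the outage records and the date range are constructed.

```python
from datetime import date, datetime, time, timedelta

# Agreed service hours as stated in the SLA text: weekdays 9:30 to 17:30.
SERVICE_START, SERVICE_END = time(9, 30), time(17, 30)

# Constructed sample: a two-week measurement period, one public holiday in
# the sample calendar, and three outage records (start, end) from monitoring.
PERIOD = (date(2023, 10, 2), date(2023, 10, 13))
HOLIDAYS = {date(2023, 10, 9)}
OUTAGES = [
    (datetime(2023, 10, 3, 8, 0), datetime(2023, 10, 3, 11, 0)),     # starts early
    (datetime(2023, 10, 7, 10, 0), datetime(2023, 10, 7, 15, 0)),    # Saturday
    (datetime(2023, 10, 12, 16, 0), datetime(2023, 10, 13, 10, 30)), # overnight
]


def service_windows(first_day, last_day, holidays=()):
    """Agreed service time as (start, end) datetimes, one per working day."""
    windows, day = [], first_day
    while day <= last_day:
        if day.weekday() < 5 and day not in holidays:
            windows.append((datetime.combine(day, SERVICE_START),
                            datetime.combine(day, SERVICE_END)))
        day += timedelta(days=1)
    return windows


def downtime_in_service(outage, windows):
    """Hours of one outage that fall inside agreed service time."""
    start, end = outage
    total = timedelta()
    for w_start, w_end in windows:
        overlap = min(end, w_end) - max(start, w_start)
        if overlap > timedelta():
            total += overlap
    return total.total_seconds() / 3600


def summarize(ast_hours, downtimes):
    """Availability (%), MTBSI and MTRS (hours).

    ast_hours: agreed service time; downtimes: per-break downtime already
    restricted to service hours. MTBSI is taken as AST / number of breaks,
    which is how the essay's figures relate (1920 h / 12 = 160 h).
    """
    breaks = [d for d in downtimes if d > 0]
    lost = sum(breaks)
    return {
        "ast_h": ast_hours,
        "downtime_h": lost,
        "breaks": len(breaks),
        "availability_pct": (ast_hours - lost) / ast_hours * 100,
        "mtbsi_h": ast_hours / len(breaks) if breaks else None,
        "mtrs_h": lost / len(breaks) if breaks else None,
    }


def measure(first_day, last_day, outages, holidays=()):
    """Metrics for a period, counting only downtime inside service hours."""
    windows = service_windows(first_day, last_day, holidays)
    ast = sum((end - start).total_seconds() for start, end in windows) / 3600
    return summarize(ast, [downtime_in_service(o, windows) for o in outages])


def sla_met(result, target_pct):
    """True when measured availability reaches the agreed target."""
    return result["availability_pct"] >= target_pct


if __name__ == "__main__":
    print("CSF figures:", summarize(1920, [3] * 12))
    sample = measure(*PERIOD, OUTAGES, HOLIDAYS)
    print("sample period:", sample, "99.99% met:", sla_met(sample, 99.99))
```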
Capacity Management
Objectives of Capacity Management:
The goal of Capacity Management is to ensure that all
services related to capacity and performance are
achieved at the agreed-upon level with business
customers. Expectations for capacity are constantly
changing and new technologies are emerging, so it is
important to regularly measure and be sensitive to new
technology, anticipate future needs, and seek
understanding from business customers for appropriate
budget investments. Resources at the component level,
such as human resources and skill levels for functions
like the Service Desk, as well as network bandwidth and
CPU performance, are also within the scope of Capacity
Management. It must be managed at the optimal
schedule for high cost-effectiveness.
The three levels of Capacity Management:
There are three sub-processes: Business Capacity
Management (BCM), Service Capacity Management
(SCM), and Component Capacity Management (CCM).
All three sub-processes have in common a focus on both
current and future business demands. BCM is focused
on accurately assessing long-term business objectives to
analyze and plan for capacity. SCM involves analyzing
the impact of transactions resulting from timing, time of
day, and updates to business plans, and predicting how
to utilize resources. CCM involves predicting and
managing the performance and capacity of each
component, such as the data center's air conditioning
system, the SECOM entry management system, and
CPUs. These three sub-processes form a hierarchy in the
order of 1→2→3, and if there is a problem with 3, it will
have a negative impact on 2, leading to a review of 1,
which demonstrates a hierarchical relationship.
Challenges, Critical Success Factors (CSF), and Risks of
Capacity Management:
Challenges: Due to the vast
amount of information to handle, tools need to be used
to set appropriate thresholds, and automation needs to
be maximized for efficiency, such as setting alarms and
alerts. Particularly if you are an external service provider,
it can be difficult to know the business plans of business
customers, so you need to work with senior
management to collect information.
Critical Success Factors: Understand the needs that
correspond to the business plan and introduce the
capacity management plan cost-effectively and in a
timely manner. Remove old technologies that cause SLA
failures and consider new technologies, and have a
broad technical knowledge. Reduce incidents caused by
low performance.
Risks: Lack of adequate amounts of people, goods,
money, and information from business customers and
senior management, lack of knowledge of future
business plan information, inability to provide accurate
and prompt information by relying on manual methods
instead of using tools and computer systems, inability to
create reports that can be understood from a business
perspective.
The relationship between business activity patterns and
capacity management in the service delivery
infrastructure and targeted businesses differs by user
profile, because busy periods and usage purposes vary,
as shown in the table below. For example, the capacity
of the internal LAN is particularly important
infrastructure for the technology department, which
supports this business customer's product. This
business customer's VBF is a software development
environment, and the critical service is the performance
of the internal trusted network. However, the capacity
requirements for the internal trusted network for other
users are not as high as those for the technology
department.
The relationship between capacity management and
business activity patterns specific to this business
customer is shown in the table below.
Table columns: User profile / Relevant Business Activity
Pattern (PBA) / Capacity management
Senior Executives (UP1)
PBA: It is essential for maintaining a good relationship
with customers that they are always able to send and
receive emails via ABC phone.
Capacity management: Response time of the internal
trusted network for all applications: within 5 seconds,
within 10 seconds for VPN connections.
Mobile Corporate Sales (UP2)
PBA: High contact with customers. Need to be able to
respond immediately to customers. Expect the network
to be operational from evening to late at night as they
work long hours. They often use the train, so they
require lightweight LAPTOPs, even if processing power
is reduced. It is essential to be able to connect to VPN
with a LAPTOP and send and receive emails via ABC
phone for a quick response to external customers.
Capacity management: Response time of the internal
trusted network for all applications: within 3 seconds,
within 5 seconds for VPN connections. File server usage
space increases by 100MB per month (SLA).
Back Office Staff (UP3)
PBA: Mostly works in the office. Need a stable LAPTOP
with good processing performance, but weight is not a
concern. Requires high productivity during business
hours but does not expect the network to be
operational after hours or on holidays.
Capacity management: Response time of the internal
trusted network for all applications: within 5 seconds.
File server usage space increases by 100MB per month
(SLA).
Non-Mobile Technology Staff (UP4)
PBA: Resident in the office with few travel requirements.
As they are engaged in software development, they
expect high reliability and performance (response time)
of the internal network as they frequently download
large amounts of data.
Capacity management: Response time of the internal
trusted network for all applications: within 2 seconds.
File server usage space increases by 5GB per month
(SLA).
Financial Management System (UP5)
PBA: During the one week prior to the closing date, the
response time is expected to be slow. Network speed is
not a significant concern to ensure stable transactions,
but high network availability is essential.
Capacity management: Response time of the internal
trusted network: within 5 seconds, within 10 seconds for
VPN connections (SLA).
Business Support Process - XYZ (UP6)
PBA: Business process. A system where users themselves
report incidents and manage progress. The service desk
function follows the sun, so both IT and users use it 24/7.
IT also uses XYZ for LAPTOP builds. Also, many
departments share it because the HR department and
each department head use it for New Hire requests.
Capacity management: Response time of the internal
trusted network: within 2 seconds, within 5 seconds for
VPN connections (SLA).
Availability Management
"Objectives" of Availability Management
The objective
of Availability Management is to ensure that all IT
services are available and performing well (without
reliability, maintainability, or serviceability issues), with
adequate capacity and security (without safety issues)
when required. However, service providers should not
set availability levels that are not required by business
customers, and the appropriate availability target
values based on agreement between business
customers and senior managers should be established,
and investment at reasonable prices must be made.
"Two levels of availability"
Availability management is
classified into two levels: service availability and
component availability. Service availability refers to
whether the service is in a service provision state from
the user's perspective (end-to-end). Component
availability, on the other hand, is whether each
component such as network, uninterruptible power
supply (UPS), data center air conditioning, and LAPTOP
is operating or not from the service provider's
perspective, and whether the necessary components
are available or not. If any of the components are not
available, there is a risk that service availability will be
affected. Therefore, these two are interrelated, with
service availability as the upper layer and component
availability as the lower layer.
Challenges, key success factors, and risks of Availability
Management
Challenges: The challenge is to manage
the expected availability of business customers and
senior management, justify the necessary budget, and
manage the changing expected values of availability.
Many customers demand high availability as a matter of
course, influenced by the impact of Microsoft setting
the availability of its Microsoft 365 service at 99.9% and
promising a refund if it is not met. However, extremely
high availability may require unnecessary high costs, so
it is important to note that cost-effectiveness may not
be achieved in some cases. Another challenge is that it
is extremely difficult to manage the availability of what
appears to be a single service when information from
various technologies is managed in different formats by
various tools. For example, the availability of email
communication depends on the availability of server
hardware, ISP, internal network, MS Exchange Server
application, LAPTOP, Outlook installed on the LAPTOP,
and security, all of which are usually managed by
separate functions. Information should be integrated
into AMIS (Availability Management Information
System) to enable consistent analysis.
Key success factors: Availability is properly managed
along with reliability, resulting in improved end-to-end
availability, reduced non-availability, and shorter MTRS.
The business needs are being met, resulting in high
customer satisfaction and high VBF availability.
Appropriate SLAs that are well documented and allow
cost reductions due to non-availability or timely
completion of system reviews exist as critical success
factors of Availability Management.
Risk: Failure in availability management may occur if
there is a lack of understanding from business
customers and senior management, and if appropriate
budget is not secured. The dissemination of vast
amounts of information from numerous components in
an unorganized state can make the reporting process
laborious. There is a tendency to focus on technology
rather than end-to-end availability and business needs,
leading to potential oversight.
How should we decide on indicators of infrastructure
availability?
Decision: The availability management
process manager measures the current availability of
the ABC phone server and reports it to the process
owner. The process owner explains it to the CIO, who
then conducts a meeting with executive management,
taking into account business customer demands, IT staff
resources, and supplier serviceability in the event of
component failure, to determine the SLA with 90.00%
availability, 24/7 uptime, and downtime of no more
than two hours due to faults or maintenance.
Improvement: While the availability of the ABC phone
server has been determined, the Exchange mail server,
ABC phone terminal failures, NNN base station
malfunctions in Japan, and internal network
malfunctions can all affect, in complex ways, the
availability of sending and receiving emails via ABC
phone. If business
customers do not understand this point, they may think
that ABC phone is not usable for a long time, even
though the ABC phone server itself is running normally
at 100%, and the availability of ABC phone may meet the
SLA of 90.00%. To ensure that business customers
understand the availability of sending and receiving
emails via ABC phone, it may be necessary to establish
an SLA. The availability management manager should
record these points in the CSI management table and
work to improve them with capacity management
managers, supplier management managers, and IT
service financial management managers.
IT service continuity management (ITSCM)
The "objective" of IT service continuity management
To support the entire business continuity management
process under the responsibility of executive
management, and to aim to select and introduce
recovery options and formulate risk reduction measures.
This is similar to the availability management process
that deals with availability issues caused by component
failures, but the scope and responsibility differ. The goal
is to resume and continue business at the agreed-upon
level of the SLA in the event of major earthquakes, fires,
criminal incidents, information leaks, and other such
incidents. Therefore, it is necessary to regularly conduct
business impact analyses (BIA) and risk assessments and
reviews to ensure that all continuity plans are
maintained to match changing business requirements.
Relationship with IT Service Continuity Management
(BCP)
If a business cannot continue due to situations
such as prolonged office closures, loss of IT service
continuity, or inability for all staff to return to work
during emergencies or disasters, management is
responsible for the resulting financial losses. Therefore,
business customers should appoint a BCM manager to
establish a business continuity plan (BCP). However,
since much of the BCP is related to IT services and IT
environments, the ITSCM manager must manage how to
restore their IT based on the BCP plan. Therefore, BCP
and ITSCM are closely related.
Challenges, important success factors, and risks of IT
Service Continuity Management
Challenge: The absence
of business continuity management (BCM) is a challenge.
Without the BCM process, the IT side may not
understand the business customers' strategies and may
attempt to restore IT services according to processes
and priorities that are convenient for IT, resulting in the
purchase of expensive IT solutions that do not align with
the business customers' intentions. Alternatively,
assuming that IT will handle everything during disasters
can result in the loss of business continuity and revenue.
Important Success Factors: It is important to recognize
that IT services are supplied to achieve business
customers' objectives and enable recovery efforts
accordingly. Appropriate contracts with suppliers for
recovery options should be in place. Additionally,
awareness of the business continuity plan and IT service
continuity plan among the business customers'
management, IT senior managers, and all employees is
a critical success factor.
Risk: The absence of BCM and the existence of ITSCM
alone. Even with ITSCM in place, the information may be
outdated and not aligned with the needs of the business.
There may not be enough information, such as business
plans and strategies, from the business customers to
establish a BCM-aligned ITSCM, and therefore, the
budget cannot be justified. There may be too much
focus on technical issues and not enough on the needs
and priorities of the business.
Activities of IT Service Continuity Management
Establish an ITSCM policy aligned with BCM and launch
a BCM
project. ITSCM should identify the damage caused by
disasters through a business impact analysis and assess
risks to understand the level of vulnerability in the
organization. Then, decide how much to reduce
strategic risks and which recovery option to use,
followed by an initial test. Then, raise awareness of
business continuity throughout the organization, from
management to users, and educate them on the actual
procedures. Through these activities, conduct reviews
and audits, conduct retests, and if there are no
problems, transfer to change management, and the
ITSCM activities are completed. However, revisions will
be made in response to changes in the business.
What kind of damage occurs in the event of
infrastructure damage and service interruption?
・An IT department member is in a traffic accident
overseas and hospitalized. During that time, the
malfunctioning email server cannot be accessed,
causing a break in communication with the trading
partner for over a month, resulting in the suspension of
transactions.
・Mail information leakage and management
misconduct are publicized in the media, severely
damaging the company's reputation. 40% of employees,
including all IT personnel, resign immediately, causing
the internal IT infrastructure to stop. As a result, all
business operations that depend on IT services are
suspended, leading to bankruptcy.
・A physical injury incident occurs in the company, and
the police come to investigate. While IT was
investigating the entry management history to identify
the culprit, all entry device services stopped for a long
time, causing business disruption and resulting in a halt
in transactions with customers.
・A server installed in the data center was destroyed by
a fire. As a result, access to web business application
services was lost, causing the closing date to expire. The
accounting system of the US headquarters was
automatically closed, making it impossible to correct,
and the department head was held responsible by the
US headquarters.
・Due to a tsunami, access to the external internet
connectivity is lost, and remittances to trading partners
using online banking do not make it in time, resulting in
a loss of trust and causing reputational risk.
・Due to an earthquake, the file server goes down,
making it impossible for sales to download the new
product presentation template created by the US
headquarters. They miss the deadline for the
competition, and a competing company wins.
・Due to an earthquake, the telephone line goes down,
making it impossible to make and receive calls to the
technical support hotline. As a result, customers cannot
obtain technical support, and a low score is
given by many customers in a survey, leading to the
department head being held responsible by the US
headquarters.
・Due to an earthquake, the FAX goes down, and
according to YYY's policy, the HDD unlock master key
can only be sent by FAX from the contract FAX number.
The key cannot be received from YYY, and the material
that only exists on the president's local HDD cannot be
emailed, causing a great deal of trouble for the trading
partner and leading to a suspension of transactions.
・Due to a fire, the entry management system is broken,
and employees cannot enter the office. After a month,
cancellation requests pour in from customers.
・Due to the vibrations of an earthquake, a
development-use Unix server set up in a department is
physically destroyed, causing a delay in the delivery of
the development program. As a result, the contract with
that customer is canceled.
This business client has almost complete "immediate
recovery options" prepared, so the above events will
not occur.
The following is a list of measures taken by a business
customer to prepare for potential infrastructure
damage and service downtime:
IT staff: The company has multiple staff members in
different countries who can perform the same tasks.
This allows for remote support or long-term business
travel to provide support.
Email: Employees can send and receive emails via GGG
Link servers or ABC phone servers installed abroad using
their smartphones. The hardware and carrier of these
smartphones are compatible with communication
methods in any country, making it easy to take them
abroad. The address book is synchronized with AD (+
Exchange server) so it can be searched at any time. In
case of email server downtime, application
management and technical management are available
for 24/7 on-call repair.
LAN: If the local internet infrastructure is down,
employees can switch their LAPTOP to an emergency
outline cable, tether their company-issued smartphone
or connect to the internet using a data card to access
VPN. If the entire region's internet infrastructure is
down, all tasks are shared among employees of other
branches in the APAC time zone, or an employee may
travel to work in the Hong Kong or Taiwan office.
LAPTOP: If all LAPTOPs are destroyed due to a disaster,
the company has an inventory of old model LAPTOPs in
foreign branches, which can be retrieved from the
nearest foreign branch and built by using the XYZ tool,
with data restored immediately via Mozy online backup.
Local data that is locked on the HDD of the damaged
LAPTOP can also be restored to another LAPTOP
through Mozy online backup.
Hotline: If the entire regional phone infrastructure is
down, technical support departments in other countries
can act as substitutes, with language-specific technical
employees.
Server physical damage: If the local IT department is
absent, the damaged server is airlifted to the German
branch for repair under DELL's international warranty.
The data is then migrated by German IT, and the server
can be used in a few days.
Server failure: Almost all shared servers in foreign
branches are centrally managed and duplicated in the
US head office, eliminating the need to synchronize data
in the event of shared server failures outside the US
head office.
"CIA" in Information Security
"C" stands for Confidentiality - maintaining a high level
of confidentiality by making information viewable only
to those with permission. "I" stands for Integrity -
ensuring information is complete, accurate, and
protected from unauthorized modifications. "A" stands
for Availability - ensuring information is available when
needed, with defenses against potential disruptions,
and trustworthy when exchanged with external
organizations. CIA must be protected not only from the
technical aspects of IT, but also from physical aspects
such as unauthorized entry into offices and across the
entire business process.
Challenges, Key Success Factors, and Risks in
Information Security Management
Challenges: The information security committee is not
functioning properly due to lack of support from senior
management and lack of planning. Business customers
believe IT (especially external service providers) will
take care of security and no discussion is being held with
senior management. Even if planning has been done,
the importance of security may not have been
adequately explained to process practitioners, resulting
in users not following security regulations. When
accidents occur, such as a single mis-sent email, all
employees' resources are used for an investigation but
there is no established response procedure, resulting in
lost business continuity. Another challenge is the lack of
alignment between the security awareness of business
customers and that of the IT department.
Key Success Factors:
First, protecting the business from security breaches
and minimizing the number of violations reported to the
service desk. Senior management and business
customers have agreed upon policies that are
integrated with business needs, and users have
internalized these preventive measures. The entire
organization, including process practitioners and users,
receives repeated training. Security procedures are
justified, appropriate, and supported by senior
management. A mechanism for improvement, where
many proposals for improvements to procedures and
controls are presented according to changing
environments, is in place.
Risks:
Risks that must be addressed include the increasing
requirements for availability and robustness. There is a
risk of unintentional disclosure of personal information
due to loss of a user's smartphone, virus infection, or
external intrusion, and a risk of users intentionally taking
internal information outside the organization. There is
also the risk that business customers will not follow ISM.
The lack of recognition of future business strategies and
insufficient budgets pose a risk to the effective
implementation of ISM.
Information Security Policy
a) Purpose of accident response related to admission
and retirement
When a New Hire request is generated on the tool, a
Windows account is created automatically. Configure it
on the AD side so that it cannot be seen from Outlook,
and make it visible only after confirmation of
attendance (in the case of employees in remote offices,
after confirming with the person himself/herself), in
order to protect the personal information of
non-employees.
When a Termination Request is filed on the tool by
HRBP, the Windows account is automatically disabled,
but confirm the final attendance date with the HR
department and the individual and set it so that it
cannot be seen from MS Outlook (in order to protect the
privacy of people who are no longer employees).
Any additional access rights can only be granted upon
request from the user's direct supervisor.
Check that the Windows account of the retiree is
disabled on the AD side, disable the hostname and Unix
account, and remove it from all Distribution Lists and
access groups.
Check if access rights are being managed for each folder
on the file server.
Create a list of assets to be collected from retirees,
collect all assets, and obtain the signature of the
department head.
Burn the retiree's local data to a DVD and give it to the
department head, obtaining their signature.
Format the retiree's HDD at a level that cannot be
recovered within the prescribed time.
Create an access card that restricts the minimum
number of people who can enter the room, and change
the system within the prescribed time when entry is no
longer necessary.
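The account checks in section a) can be run as a recurring audit rather than a one-time manual step. The following is an added example, not part of the original essay: the record fields, user names, and group names are constructed, and the HR and directory exports are assumed to be available as simple records.

```python
"""Audit joiner/leaver account state against the policy in section a).

All field names and sample records are constructed for this example; map
them to whatever the HR tool and the directory export actually provide.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class HrRecord:
    user: str
    attendance_confirmed: bool = False       # new hire has actually started
    final_attendance: Optional[date] = None  # set once a termination is filed


@dataclass
class Account:
    user: str
    enabled: bool                            # Windows account state
    hidden_from_address_list: bool           # not visible from Outlook
    groups: list = field(default_factory=list)  # distribution lists, access groups
    unix_enabled: bool = False


def audit_accounts(hr_records, accounts, today):
    """Return sorted (user, finding) tuples for every policy deviation."""
    by_user = {a.user: a for a in accounts}
    findings = []
    for hr in hr_records:
        acct = by_user.get(hr.user)
        if acct is None:
            continue  # nothing provisioned, nothing to check
        has_left = hr.final_attendance is not None and today > hr.final_attendance
        if has_left:
            # Leaver: everything must be disabled, hidden, and unlinked.
            if acct.enabled:
                findings.append((hr.user, "leaver: Windows account still enabled"))
            if acct.unix_enabled:
                findings.append((hr.user, "leaver: Unix account still enabled"))
            if not acct.hidden_from_address_list:
                findings.append((hr.user, "leaver: still visible in address list"))
            for group in sorted(acct.groups):
                findings.append((hr.user, f"leaver: still member of {group}"))
        elif not hr.attendance_confirmed and not acct.hidden_from_address_list:
            # Joiner: account exists but the person has not been confirmed yet.
            findings.append((hr.user, "new hire: visible before attendance confirmed"))
    return sorted(findings)


# Constructed sample data.
TODAY = date(2023, 10, 8)
HR_RECORDS = [
    HrRecord("asato", attendance_confirmed=True),
    HrRecord("bkato", attendance_confirmed=False),
    HrRecord("cmori", True, date(2023, 9, 29)),
    HrRecord("dabe", True, date(2023, 9, 29)),
]
ACCOUNTS = [
    Account("asato", True, False, ["dl-sales"]),
    Account("bkato", True, False),
    Account("cmori", False, True, []),
    Account("dabe", False, True, ["dl-finance", "fs-finance-rw"], unix_enabled=True),
]

if __name__ == "__main__":
    for user, finding in audit_accounts(HR_RECORDS, ACCOUNTS, TODAY):
        print(f"{user}: {finding}")
```
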
b) Legal security purpose
If requested by the HR department, disclose the user's
personal VPN access history, logon history, internet
access history, etc.
Contribute to the creation of regulations by the
Information Security Committee, conduct investigations,
make proposals, and update documents.
Even for email data from retirees, put it on litigation
hold for a certain period of time.
Accurately grasp the migration status of software
licenses to prevent unauthorized use.
c) Purpose of Information Leakage Protection
LAPTOPs are stored in a locked warehouse and even
temporary removals for about 10 minutes are recorded
on paper.
LAPTOPs are distributed with a unique hard disk
password.
To prevent email misdelivery, the MS Outlook 2010
autocomplete function is turned off before providing
the LAPTOP to the user, and the user is required to
pledge not to turn it on.
Accounts are locked after three incorrect password
attempts.
All passwords are enforced to be complex and changed
after a certain period of time by the system (e.g. group
policy), and writing down passwords on paper is strictly
prohibited.
Giving passwords or PIN codes for RSA tokens to other
users, or allowing someone else to log in on behalf of
oneself, is 100% prohibited even with permission.
Users are required to report immediately to the IT or
information security committee if they realize that their
smartphone, notebook LAPTOP, or RSA token is missing.
Users are required to pledge not to save email
attachments to personal LAPTOPs when accessing the
mail server via MS OWA from their personal LAPTOPs.
Users are required to pledge to use cable locks on all
LAPTOPs at their workstations.
d) Purpose of Virus and External Intrusion Prevention
LAPTOPs are distributed with the Windows Firewall
setting grayed out so that users cannot turn it off.
Viruses are automatically detected and removed on the
server, and infection alerts are automatically reported.
If automatic removal is not successful, the user is
contacted, and the LAPTOP is rebuilt.
If the McAfee EPO Agent on the LAPTOP detects a virus
but cannot remove it automatically, the user is required
to report it immediately to the IT service desk.
Except for IM, installation and use of other software that
cannot be monitored by the IM gateway are strictly
prohibited.
External vendors working within the company are
required to sign an NDA.
LAPTOPs rented to external vendors are configured to
log on locally and cannot log on to the domain (to
prevent using Wireless LAN) and are required to
connect via an outline.
Demand Management
In demand management, the
business activity patterns and user profiles of business
customers are understood, predicted, and analyzed,
and the capacity and performance of service assets are
controlled along with capacity management to ensure
that there is neither shortage nor excess. The specific
process of demand management is to influence demand
through strategies such as incentives and penalties that
spread the busy season of the business and control
access to specific servers, as well as to find a policy that
balances business goals and IT investment in achieving
targeted numbers.
Which process is most closely related to demand
management? It is the capacity management process.
Both aim to achieve business results and optimize IT
investments, but they differ in the following ways.
Demand management is a slightly more business and
user-oriented process, where business customers adjust
product demand by, for example, creating differential
pricing and spreading busy periods, and predict the
demand for IT services and develop strategies based on
that. On the other hand, capacity management is an IT
service and technology-oriented process that manages
service asset capacity and performance to avoid excess
or shortage based on the demand information received
from demand management. As a result, the work of
capacity management is inherited from demand
management, and since capacity is required when there
is demand, these processes can be said to have a close
relationship.
Core Services and Support Services
Core services are
basic services for customers, such as being able to send
and receive emails. In contrast, support services provide
additional value to customers, such as being able to
choose from Domino servers, Exchange servers, or
Microsoft 365 to meet customer demands and
guarantee 24/7 email sending and receiving. These
combinations are presented to customers as service
packages, and service providers incorporate them into
service portfolio management and consider
purchasing/introduction. At the same time, the
combination of core services and support services is
examined in demand management to see if it fits the
customer's business activity pattern and user profile.
Methods to Control Demand management analyzes
business activity patterns and user profiles to determine
which users need which services, when (which time of
day), and how much in advance. Based on this, some
control methods include imposing penalties such as
carrying over expenses to the following month if users
do not input their expenses by the deadline, thereby
evening out the use of the expense settlement system
to control it. In addition, capacity management
understands changes in the business environment,
reflects new technologies and service requirements in
the service portfolio, and accurately predicts resources
to respond to demand, which can also be considered a
method of controlling demand.
Business Activity Patterns
Pattern: The web timesheet
input deadline is every Friday at 22:00, so 7,000 users
access it simultaneously between 17:25-17:35 on
Fridays, causing a drop in user-perceived performance.
There is also a possibility of server downtime.
Background: Many people input their timesheets
together on Fridays, and they do not know their quitting
time until around 17:25 on Fridays. Moreover, because
it is Friday, few people work overtime, so it is difficult to
make them input after 17:35. Even if they input on
Monday morning, they have already missed the
deadline, and they still have to input in the evening on
Fridays even if they input every day.
Countermeasure:
Every Thursday morning, send a mass email to 7,000
people with the subject "Notification of the timesheet
input deadline of Friday at 22:00," and expect users who
have predetermined quitting times, such as part-time
employees, to input from Monday to Friday during their
free time on Thursday. In the future, we plan to take
measures that cannot be decentralized
Chapter 3:
RCV (Release, Control & Verification)
This process is included in the management processes
indicated in ITIL®.
Change Management Process:
Trigger: Change in IT organization from local to
worldwide, for cost reduction (organizational change)
Input: A change request to the service portfolio
management from the US headquarters to change the
operating system language from local to English for
worldwide use (since this is a significant change with a
large impact, a change request to the service portfolio
management is necessary)
Interface: Planning and
support for the migration, change evaluation process
Output: Approved changes are outputted and handed
over to the planning and support management for the
migration.
Roles of managers and staff involved in RCV:
Service validation and testing
ⅰ) Service Test Manager: To maintain the neutrality of
the test, only assign people responsible for resource and
deployment management. Support the design and
planning of test conditions, test scripts, and test data
sets at the SD stage. Assign test resources, adhere to
test policies, verify the tests performed by resource and
deployment management, manage the test
environment, and provide management reports on the
progress of the test, test artifacts, success rates, and
issues and risks.
ⅱ) Release and Asset Management
ⅲ) Release and Deployment Manager: To maintain the
neutrality of the test, only assign people not responsible
for service validation and testing. Plan and coordinate
all resources, including those from functional areas such
as technology and application management. Plan and
manage support for tools and processes. Support the
change permission management process prior to any
activity that requires change permission. Coordinate
change management, service asset and configuration
management, and the interface with validation.
ⅳ) Initial Support Staff: They are personnel from
functional areas such as technology and application
management, and are often assigned as practitioners
for packaging and building, or deployment. Provide
support documents to support IT services and business
functions during the deployment period until final
acceptance. Accept the release. Support service
operation in handling incidents and errors in the initial
stages. Handle the transition to service operation.
Conduct problem management and raise RFC. Conduct
service risk assessments.
Service Knowledge Management
Knowledge Management Process Owner
In many
organizations, this role is combined with the Process
Manager and also the role of Service Asset and
Configuration Management. They create an overall
architecture for identifying, acquiring, and maintaining
knowledge within the organization. They define the
process strategy and support process design. They keep
process documentation up-to-date. They define policies
and standards for the process. They conduct regular
audits for compliance checking. They review and modify
the process strategy as needed. They also handle CSI
management and review.
Release and Deployment Manager Overview:
Release of device drivers, standard software, and
security patches from Windows XP to Windows 7.
Roles:
1) Planning of release and deployment: package the
device drivers to make them compatible with the new
OS for the transition from Windows XP to Windows 7.
The release package includes multiple release units such
as manual installation instructions, documentation of
improvements from the previous version, etc.
Uninstallation is also included in the test items for
rollback in case of issues.
2) Building the release: request package creation from
the package team in Stockholm and Sydney.
3) Validation testing: communicate with the package
team, install the release package on the test laptop via
SCCM on Japanese Windows 7, conduct tests according
to the test procedure, and issue problem tickets to the
development team for reassignment and package
improvement if any issues occur. Confirm that new
functionality can be provided while maintaining
integrity, usefulness, and assurance.
4) Get permission from the Change Management
Process to register with the definitive media library.
Request a change permit from the Change Management
Process when there are no more problem items in the
operating test procedure table.
5) Deployment: deploy to pilot users via SCCM by
conducting testing of the entire new image after
performing the test desktop imaging.
6) Establish service as per SDP.
7) Communicate and transfer predicted problems, etc.
to the Service Operation.
8) Review and close: Confirm with pilot users that there
were no negative impacts, and register with the
definitive media library. Push distribution to all 7,000
users who have been distributed Windows 7 machines
and close the change request ticket.
Advantages of using tools in service management
The Service Design Process functions more efficiently.
Specifically, it identifies efficiency and effectiveness,
weaknesses and opportunities for improvement, and
provides management information. It reduces
management costs and improves IT service productivity.
It improves the quality of IT services. It centralizes
important processes, automates and integrates core
processes in service management. The advantage is that
data becomes information, and that information
becomes knowledge, which clarifies trends.
Challenges, Critical Success Factors, and Risks in
Service Transition
Challenges: Service Transition (ST) can be complex, as it
involves not only the IT organization but also finance,
technology, human resources, and many other people.
It requires managing a diverse range of customers and
interfaces, which can make it difficult to achieve
harmony and integration. Additionally, there may be
unknown dependencies between legacy systems and
new technologies. It is important to balance stable
operation with business needs for service change.
Critical Success Factors (CSF): The ability to continuously
improve service quality cost-effectively while aligning
with business requirements.
Risks: There are risks of demotivation due to
accountability, execution responsibility, and practice
changes. There may be staff turnover during operations.
There is a risk of unexpected additional costs. Overly
avoiding risks can lead to excessive costs for the
business. Inappropriate people may access information
and interfere with knowledge. Insufficient integration
between processes may result in a siloed organization,
leading to business failure.
Case Example of Starting a Business from Scratch:
Transition from RSA Hardware Token to RSA Software
Token
Focus on ensuring that VPN connections can continue to
be used during the migration period, without any
downtime - this resolves availability issues.
Focus on promptly and reliably disabling RSA Hardware
Token accounts for users who have completed the
transition to RSA Software Token - this resolves security
and availability issues.
Focus on securely recovering RSA Hardware Tokens to
maintain accurate data in the Service Asset and
Configuration Management (SACM) database - this
resolves issues related to service asset management
and configuration.
Change Management
Objectives of Change Management
The objective of
Change Management is to minimize the risk of service
disruption and implement beneficial changes to the
business by consistently controlling the change lifecycle.
In order to achieve this goal, it is necessary to respond
to changing business requirements, maximize the value
of services, reduce incidents, service interruptions, and
rework caused by changes. It is desirable to respond to
change requests that align with the needs of IT services
and the business. Change management is a necessary
process for improving the profit and loss of the business
by achieving a) cost reduction, service improvement,
ease and effectiveness of support required by the
business, b) reducing reactive costs and time to resolve
errors and adapt to changing situations, and c) realizing
benefits and eliminating risks early.
"Change Approval Model"
There are various levels of
change approval for change requests, which should be
documented in the CMS. If new risks are discovered
during the process, they should be escalated to the
appropriate level. Change requests that are rejected can
be appealed to a higher level.
Level 1: Business executive approval - high cost,
high-risk changes that require executive decision-making.
Level 2: IT executive approval - changes that affect
multiple services or business units.
Level 3: CAB or ECAB approval - changes that only
affect a group in the field or service.
Level 4: Change manager approval - low-risk changes.
Level 5: Local approval - standard changes.
The 7 Rs of Change Management
Raised, Reason, Return, Risk, Resource, Responsible,
Relationship. These must be reported in order to
properly manage changes. The person who initiated the
change, the reason for the change, the benefits of the
change, the risks associated with the change, whether
to pursue the change despite the risks, the resources
(people, materials, money) needed to make the change,
and the individual responsible for the design, testing,
and implementation of the change, as well as those
impacted by the change, must all be clearly identified.
Change Approval: Level 2: IT Executive Approval -
Changes that affect multiple services or business units.
For changes that only affect the local region and are not
impacting other regions, local IT can approve the
changes as the CIO is located in the overseas
headquarters. Examples of such changes include model
changes to smartphones and feature phones that are
sold only in Japan, and selection of local
telecommunication carriers. If the estimated cost is over
10 million yen, the change request will be escalated to
level 1.
Service Asset and Configuration Management (SACM)
Objectives of SACM
The goal of SACM is to properly
control assets to enable efficient and effective
operation of the business. In order to achieve this,
accurate and reliable information must be available
when and where it is needed. The primary objectives of
SACM are to a) identify, control, record, report, audit,
and inspect services and other configuration items (CIs),
including versions, baselines, configuration components,
their attributes, and relationships with other CIs, b)
create and maintain an accurate and complete CMS and
establish its integrity, and c) provide the ability to make
appropriate judgments in granting permission for
changes and releases, as well as for resolving incidents
and problems.
Value of SACM to the Business
There are two values of
SACM to the business: a) overall improvement of service
performance, such as reducing service downtime, fines,
corrective licensing fees, and audit failures, and b)
providing service level assurance, improving compliance
with legal and regulatory obligations, identifying service
costs, managing fixed assets appropriately, and
visualizing the service release environment by providing
assessment and planning.
SACM Activities
Step 1: Management and Planning (Note: This Step 1
corresponds to the "Plan" phase of PDCA, and governs
Steps 2-5 below.)
Determine the scope: services, environment,
infrastructure, and location
Determine the requirements: requirements related to
policy and strategy, accountability, traceability, and
auditability, and related to requirements of the CMS
Determine applicable policies and standards: industry
initiatives such as ISO 20000 and hardware standards
Establish the SACM organization: roles and
responsibilities, authority to establish CAB, baselines,
changes, and releases
Determine SACM tools and process procedures:
configuration identification, version identification,
supplier management, and change management
Relationship with other processes and groups: fixed
asset management, projects, SPI, and service desk
Step 2: Identification of Configurations
Determine CIs and configuration components according
to documented criteria
Assign identifiers to CIs
Specify attributes of CIs
Specify the time to place CIs under SACM control
Determine the owner of each CI
Step 3: Control of Configurations
License control to minimize unused licenses
Version control of change management and image
builds
Access control to CMS
Control of the integrity of DML (Definitive Media Library)
Step 4: Explanation and Reporting of Status
Status: under development, approved, or retired
Maintain and archive configuration records
Record, search, and manage previous configurations
Record changes to CIs from receipt to disposal
Step 5: Verification and Audit Activities
This step involves ensuring that the documented
baselines match the actual configurations, that the CIs
are present in the organization or in the DML and spare
parts inventory, and that the records in the CMS match
the actual infrastructure. Note that this step builds upon
Step 1.
Configuration Management
The XYZ tool extracts information about servers and
laptops (CIs) connected to the network via network
access. For CIs, DMLs, and image builds that cannot be
automatically recognized, they are managed separately
using tools such as MS Excel, file servers, and cabinets.
The XYZ console allows for checking of the serial number,
model number, hardware specifications, installed OS,
and software information for laptop assets. This
information is used for fixed asset management,
software license number management, and as
reference information for troubleshooting. Since the
history of statuses such as in-use and disposed cannot
be confirmed from XYZ, tickets are created as needed
and the history of configurations is tracked at all times
through management in MS Access. Upon delivery of
assets, the service tag number is reported to the
accounting department, and the fixed asset
management is conducted through physical
confirmation of fixed assets during the annual inventory
with the IT department.
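Step 5 (verification and audit) and the configuration management practice above both come down to comparing what the CMS says with what the discovery tool actually sees. The following is an added example, not part of the original essay or of any tool it mentions: the record layout, serial numbers, status values, and license counts are constructed.

```python
"""Reconcile CMS records with a discovery export (SACM Step 5).

Record layout, status values and sample data are constructed for this
example; the discovery export stands in for what a tool such as the
essay's "XYZ" console reports for network-connected CIs.
"""
from collections import Counter

COMPARED_ATTRIBUTES = ("model", "os")


def reconcile(cms_records, discovered):
    """Classify differences between the CMS and the discovered CIs."""
    cms = {r["serial"]: r for r in cms_records}
    seen = {d["serial"]: d for d in discovered}
    report = {"unrecorded": [], "missing": [], "ghost": [], "drift": []}

    # On the network but never registered: an uncontrolled CI.
    report["unrecorded"] = sorted(seen.keys() - cms.keys())

    for serial, rec in sorted(cms.items()):
        found = seen.get(serial)
        if found is None:
            # Only in-use CIs are expected on the network; stock and
            # disposed items are verified by physical inventory instead.
            if rec["status"] == "in-use":
                report["missing"].append(serial)
            continue
        if rec["status"] == "disposed":
            report["ghost"].append(serial)  # recorded as disposed, still online
        for attr in COMPARED_ATTRIBUTES:
            if rec[attr] != found[attr]:
                report["drift"].append((serial, attr, rec[attr], found[attr]))
    return report


def license_position(discovered, entitlements):
    """Entitled minus installed per product: negative means over-deployed,
    positive means unused licenses."""
    installed = Counter(sw for d in discovered for sw in d["software"])
    products = sorted(set(installed) | set(entitlements))
    return {p: entitlements.get(p, 0) - installed.get(p, 0) for p in products}


# Constructed sample data.
CMS = [
    {"serial": "SVC1001", "model": "LAP-A", "os": "Windows 7", "status": "in-use"},
    {"serial": "SVC1002", "model": "LAP-A", "os": "Windows XP", "status": "in-use"},
    {"serial": "SVC1003", "model": "LAP-B", "os": "Windows 7", "status": "in-use"},
    {"serial": "SVC1004", "model": "LAP-B", "os": "Windows XP", "status": "disposed"},
    {"serial": "SVC1005", "model": "LAP-A", "os": "Windows 7", "status": "in-stock"},
]
DISCOVERED = [
    {"serial": "SVC1001", "model": "LAP-A", "os": "Windows 7", "software": ["Office", "Visio"]},
    {"serial": "SVC1002", "model": "LAP-A", "os": "Windows 7", "software": ["Office"]},
    {"serial": "SVC1004", "model": "LAP-B", "os": "Windows XP", "software": ["Office"]},
    {"serial": "SVC1999", "model": "DESK-C", "os": "Windows 7", "software": ["Visio"]},
]
ENTITLEMENTS = {"Office": 2, "Visio": 5}

if __name__ == "__main__":
    for category, items in reconcile(CMS, DISCOVERED).items():
        print(category, items)
    print(license_position(DISCOVERED, ENTITLEMENTS))
```
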
Validation and Testing of Services
ⅰ) Goals of Validation and Testing of Services:
The goal is to ensure quality assurance of services, with
a focus on achieving newly introduced or modified
services and service offerings through SD and release.
The release should bring about results and value within
the constraints of cost, capacity, and limitations, while
meeting the business needs and requirements of
stakeholders. The service should be useful and available,
and a test process should be planned and implemented
to meet business and stakeholder requirements. Testing
during SD is critical to prevent increases in the following:
a) ineffectiveness of user utilization, b) incidents, c)
confirmation calls to the service desk, and d) increased
costs due to errors.
ⅱ) Related Terms for Validation and Testing of Services:
ⅰ) Test Strategy: Third-party testing by uninvolved
parties is desirable. The criteria for success or failure are
determined after documentation in the SDP. The
approach should be iterative, reusable, and involve a
test model, test case, test script, test data library
creation, cataloging, and maintenance templates, and
integration of testing with the project or service lifecycle.
The approach should also include a risk-based testing
approach and skill improvement in testing.
ⅱ) Test Model: A set of test procedures for obtaining
feedback based on the test strategy described above. It
includes test scripts that define the test plan, test
targets, and test methods. It should be repeatable,
effective, efficient, and consistent.
Perspectives on Validation and Testing of Services
Validation and testing of services focus on whether the
service is being provided as requested, with the
perspectives of the people who use, provide, deploy,
manage, and operate the service as fundamental. The
starting and ending criteria for testing are determined
during the development phase of the Service Design
Package. The perspectives include ⅰ) Service Design
from functional, management, and operational
perspectives, ⅱ) Technical Design, ⅲ) Processes, ⅳ)
Measurement Settings, ⅴ) Documentation, and ⅵ)
Skills and Knowledge. Acceptance testing of services
begins with verification of service requirements.
Customers, customer representatives, and other
stakeholders (users of new or modified services)
conduct a final review of the acceptance criteria and
acceptance test plan.
Validity checks during migration and judgments of
service levels (usefulness and assurance) are made
through an evaluation process.
Content: Validity confirmation of the reporting macro
version upgrade for the accounting system
Method:
Copy last week's data from the production system to the
test system, and run the upgraded reporting macro on
the test system data to confirm that the extracted data
meets customer requirements.
Service level assessment: By confirming whether the
data requested by the customer is extracted correctly
(performance realization) and whether any special
operations are required to extract it (no usage
restrictions), usefulness can be confirmed by checking
four points: whether the report is displayed without
YYYy when the macro button is pressed (capacity
management), whether it always operates correctly in
the same way (availability management), whether an
alternative can be used when the macro is broken (IT
service continuity management), and whether only
appropriate users can access the data (security
management).
Release and deployment management
Goals of Release and Deployment Management
The goal is to plan, schedule, and control the construction,
testing, and deployment of releases and provide new
functionality required by the business while protecting
the integrity of existing services. To achieve this, the
following objectives should be achieved in order:
a) Define and agree on the release and deployment
management plan with customers and stakeholders.
b) Create and test release packages.
c) Ensure integrity is maintained, saved in DML, and
accurately recorded in CMS.
d) Deploy from the DML environment to the
production environment.
e) Ensure that tracking, introduction, testing,
verification, and appropriate removal and rollback are
possible.
f) Record, manage, and take necessary corrective
action for deviations, risks, and issues.
g) Ensure that knowledge and skills are
inherited into service operation functions.
Value of Release and Deployment Management to the
Business
By effectively implementing release and
deployment management, customers and users can use
new or changed services in a way that supports business
goals more quickly, at optimal costs, and with minimized
risk. By taking a more consistent implementation
approach among changes in the business, service team,
supplier, and customer, service transition can be
auditable and traceable, which is valuable to the
business.
Activities of Release and Deployment Management
a) Plan release and deployment – change management
approval → release package creation.
b) Build and test the release – build a baseline release
package → test it and register it to DML through service
asset and configuration management (Note: only occurs
once).
c) Deployment – Deploy the release package in DML to
the production operating environment and hand it over
to service operation and initial support (application
management and technical management) (Note: occurs
multiple times for each release).
d) Review and close – activities to obtain experience and
feedback, review performance and results, and gain
knowledge.
Comparison with ITIL® release management activities
Step 1: Plan release and deployment – change
management approval → release creation. If the
infrastructure for Windows 7, client LAPTOP, service
desk, operational management, technical management,
and application management is not established by the
end of December 2013, users will not be able to receive
IT services safely by the end of support for Windows XP
in April 2014. At the same time, the migration from
Lotus Domino (Notes Mail and Notes Database) to MS
Exchange Server (Outlook Mail) + MS SharePoint
(Database) must be completed, and the impact should
not affect users' client LAPTOP. By using MS Exchange
Server + MS SharePoint, the efficiency of users' work
must also be improved. RFCs were created for these
plans, and change evaluation assessed the risk and
obtained permission to start creating releases from
change management.
Step 2: Build and Test the Release - Activity of Building a
Release Package → Conducting Validity Confirmation
Tests → Registering with DML (Definitive Media Library).
Packagers in Sydney and Stockholm built the release
package, and in Japan, validity confirmation tests were
conducted on those that passed and were registered
with DML sequentially.
Step 3: Deployment Activity - Distributed to pilot users
using the MS SCCM tool and distributed to all users with
permission from change management. Reviews were
conducted by application management and technical
management, and initial support staff took over.
Step 4: Review and Close Activity - Obtain experience
and feedback from application management and
technical management, review performance and results,
and save knowledge to SKMS (Service Knowledge
Management System).
Evaluation:
Evaluation "Objectives"
The activity performed before
change management allows the release, with the goal
of providing a consistent and standardized means of
judging service request performance based on its
potential impact on business outcomes, existing and
proposed services, and IT infrastructure. Performance is
evaluated by comparing it to predicted performance.
Evaluation also sets stakeholder expectations correctly and
provides effective information to change management
to prevent changes from being authorized with risks. It
is desirable to evaluate as many items as possible.
Challenges of Evaluation
The challenges of the
evaluation management process that managers must
address are a) creating standard performance indicators
and measurement methods that are applicable to
various projects and suppliers, b) understanding various
stakeholders' perspectives, c) measuring and
demonstrating the reduction of differences in
predictions during and after migration, d) measuring the
reduction of differences in predictions during and after
migration, e) taking a realistic and cautious approach to
risks, and f) promoting a risk management culture of
sharing information.
Evaluation Process Status:
Step 1: Evaluation Plan
Planning - Develop a plan to ensure that the intended
change is achieved and there are no unintended adverse
effects from the change.
Step 2: Evaluation of Predicted Service Performance
(Utility and Guarantee) - Evaluate whether the planned
performance is achieved to ensure that there are no
issues with migration.
Step 3: Evaluation of Actual Service Performance -
Submit an evaluation report that includes a risk profile,
deviation report, validation report, and
recommendations for the change evaluation. Before
release this is a temporary evaluation report; after
deployment it also includes feedback from initial support.
What is included in the evaluation report: Risk profile,
deviation report, validation report, recommended
actions.
Step 4: Information Management - Register all
evaluation reports with CMS and save them to SKMS.
Knowledge Management
Objectives of Knowledge Management: a) To share
ideas, experiences, information, and perspectives, and
make decisions based on information b) To reduce the
need for discovering new knowledge, and efficiently and
safely use reliable knowledge, information, and data
throughout the service lifecycle to improve the quality
of management decision-making. This will improve
service quality, increase customer satisfaction, reduce
service costs, and ensure that staff have a common
understanding.
DIKW (Data, Information, Knowledge and Wisdom):
Data - a collection of individual facts, such as the date
and time an incident in an Oracle-based business
application was reported by a user.
Information - data that has been given meaning, and is
stored in content, such as the cumulative number of
unclosed issues escalated in Oracle's application
management function.
Knowledge - integrating what has been learned from
personal experience and ideas into new knowledge,
such as discovering that workarounds are found quickly
only when an issue in an Oracle-based business
application is reassigned to John, who seems to be
knowledgeable.
Wisdom - using knowledge to make useful common-
sense judgments based on sufficient information. For
example, the wisdom to propose that the Oracle team
shares information with John for all issues in the
meantime, which led to training by John and smoother
problem-solving.
Value of Knowledge Management to Business: The
following are the benefits of knowledge management
that add value to a business: a) Compliance with legal
requirements, company policies, and professional ethics,
among other requirements. b) Information that is easily
accessible to the organization. c) Up-to-date, complete,
and effective knowledge. d) Access to knowledge by the
necessary people when they need it. e) Disposal of
knowledge as needed.
Additionally, by providing controlled and secure access
to the necessary "knowledge, information, and data" for
managing and providing services, knowledge
management adds value to all stages of the service
lifecycle and to the business.
Knowledge Management in CSI: Knowledge
management plays a vital role in CSI. For example,
during the CSI stage of the service lifecycle, data is
obtained to understand what is happening and to use
wisdom to make effective decisions. This is the structure
of DIKW mentioned above. Multiple types of knowledge
can be gathered and turned into wisdom, leading to
excellent decision-making about improvements.
Knowledge management is the cornerstone of all
process improvements and is related to all relevant
processes throughout the service lifecycle.
Steps for Introducing the Knowledge Management
Process:
Determine policies and obtain agreement from top
management: governance models (such as SOX),
changes related to organizational changes, funding, and
knowledge management policies
Involve PR to identify where necessary data is located:
data from IT staff, users, third parties, HR, finance,
business cases, DML, incidents, AMIS, etc.
Determine procedures, including:
・ Supporting the organization in identifying useful
knowledge
・Classifying and categorizing knowledge
・Creating a systematic process for publication
・Access knowledge through processes and workflows
・ Acquire external knowledge (from suppliers or
partners)
・Review knowledge
・Perform maintenance such as updating, deleting, and
archiving
・Conduct training
・Improve as necessary
Chapter 4:
OSA (Operational Support & Analysis)
Here is a summary of OSA (Operational Support &
Analysis), which focuses on operational support and
analysis:
OSA Functions and Processes
Functions
ⅰ)Service Desk (Role): Improves customer service and
satisfaction by providing a single point of contact and
improving accessibility through a single source of
information. Contributes to increased productivity in
the customer's business by providing high-quality and
prompt responses.
ⅱ) Application Management (Role): (Note: Does not
involve application development.) Manages technical
knowledge and expertise related to application
management. Collaborates with technical management
to ensure that the necessary knowledge for designing,
testing, managing, and improving IT services is
understood. Provides actual human resources to
support the service life cycle for effective training and
deployment of human resources for technical design,
construction, migration, operation, and release.
ⅲ) Technical Management (Role): Manages technical
knowledge and expertise related to IT infrastructure
management. Ensures that the necessary knowledge for
designing, testing, managing, and improving IT services
is understood. Provides actual human resources to
support the service life cycle for effective training and
deployment of human resources for technical design,
construction, migration, operation, and improvement.
Processes:
ⅰ)Incident Management
ⅱ) Problem Management
ⅲ) Access Management
Event Management
"Objectives" of Event Management The objective of
event management is to manage events throughout their
entire lifecycle. The objectives are to detect all changes
in important states for the management of CIs or IT
services; to determine appropriate control measures for
events and ensure that they are communicated to the
appropriate functions; to provide triggers for many service
operation processes and operational management
activities; to provide a means of comparing actual
operational performance and behavior with design
standards or SLAs; and to provide the basis for ensuring
and reporting on services and for service improvement.
Three classifications of events: Events are any changes in
important states for the management of CIs or IT
services, recognized through notifications generated by
IT services, CIs, or monitoring tools. They fall into three
classifications:
a) Information events - events that require no action,
such as scheduled workloads being completed, users
logging on to applications, and emails being received.
b) Warning events - events that indicate anomalies but
do not require immediate action and should be carefully
monitored, such as server memory usage reaching
within 5% of the threshold or transactions taking 20%
longer than the threshold to complete.
c) Exception events - events that require immediate
action because they exceed the level of warning, such as
users attempting to log on with an invalid password,
abnormal situations requiring further investigation, or
unfinished transaction processing.
Challenges, important success factors, and risks of event
management
Challenges: Event management managers must address
the following challenges:
・Procuring the necessary tools to justify costs and bring
in ROI, preparing a compelling business case, and
explaining how the benefits of effective event
management outweigh the costs.
・Setting appropriate filtering levels to prevent the
generation of large numbers of unimportant events or
the detection of important events too late.
CSF: Detect all changes in important states for the
management of CIs or IT services, and ensure that all
events are communicated to the appropriate functions
that require reporting or further control measures.
Risk: Inability to procure sufficient funding, inability to
ensure appropriate filtering levels, and lack of
momentum in deploying necessary monitoring agents
across the IT infrastructure.
Example of the three classifications of events in the
provided infrastructure:
a) Information event - Distribution of Windows security
patches is complete. A user logged on and logged off
from the Hyperion Planning application.
b) Warning event - Server memory usage has reached
within 5% of the threshold. Transactions are taking 20%
longer to complete than last month.
c) Exception event - An unauthorized user attempted to
access the financial application. An unauthorized laptop
attempted to log on to the domain. After investigation,
it was found that the user was a SOHO user who had
been connecting via VPN with a cached Windows logon
and had come to the office for the first time in a long
while, which caused the attempt to log on to the
company's LAN. Hostnames are automatically disabled
if they have not logged on to the domain for more than
a month.
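The three event classifications above can be expressed as a small triage routine. This is an added example, not part of the original essay: the event fields, the routing destinations and the reading of "within 5%" and "20% longer" as relative margins are assumptions, and the sample events are constructed to mirror the examples in the text.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class EventClass(Enum):
    INFORMATION = "information"  # no action required
    WARNING = "warning"          # anomaly: watch closely, no immediate action
    EXCEPTION = "exception"      # immediate action required


# The 5% and 20% figures come from the text; applying them as relative
# margins is an assumption of this example.
NEAR_THRESHOLD = 0.05
SLOWDOWN = 0.20

# Destinations are hypothetical names for the functions that receive events.
ROUTING = {
    EventClass.INFORMATION: "event-log",
    EventClass.WARNING: "operations-watchlist",
    EventClass.EXCEPTION: "incident-management",
}


@dataclass(frozen=True)
class Event:
    ci: str                            # configuration item or service
    kind: str                          # "job", "logon", "utilization", "transaction"
    value: Optional[float] = None      # measured utilization (%) or duration (s)
    reference: Optional[float] = None  # threshold, or baseline duration
    completed: bool = True             # job or transaction ran to completion
    credentials_valid: bool = True     # logon presented a valid password
    authorized: bool = True            # user or device is allowed on this service


def _measured(event: Event) -> tuple:
    """Return (value, reference), rejecting events that lack usable numbers."""
    if event.value is None or event.reference is None or event.reference <= 0:
        raise ValueError(f"{event.ci}: {event.kind} event needs value and reference")
    return event.value, event.reference


def classify(event: Event) -> EventClass:
    if event.kind == "logon":
        ok = event.credentials_valid and event.authorized
        return EventClass.INFORMATION if ok else EventClass.EXCEPTION
    if event.kind in ("job", "transaction") and not event.completed:
        return EventClass.EXCEPTION          # unfinished processing
    if event.kind == "job":
        return EventClass.INFORMATION        # scheduled workload completed
    if event.kind == "utilization":
        value, threshold = _measured(event)
        if value >= threshold:
            return EventClass.EXCEPTION      # beyond the warning level
        if value >= threshold * (1 - NEAR_THRESHOLD):
            return EventClass.WARNING
        return EventClass.INFORMATION
    if event.kind == "transaction":
        value, baseline = _measured(event)
        if value >= baseline * (1 + SLOWDOWN):
            return EventClass.WARNING
        return EventClass.INFORMATION
    # Unknown kinds are not filtered out silently: they need investigation.
    return EventClass.EXCEPTION


def triage(events):
    """Classify and route each event; also return how many fell in each class."""
    routed = [(e.ci, classify(e), ROUTING[classify(e)]) for e in events]
    counts = Counter(cls for _, cls, _ in routed)
    return routed, counts


# Constructed sample events mirroring the examples in the text.
SAMPLE_EVENTS = [
    Event("patch-distribution", "job"),
    Event("hyperion-planning", "logon"),
    Event("app-server-01", "utilization", value=86.0, reference=90.0),
    Event("order-entry", "transaction", value=2.5, reference=2.0),
    Event("financial-app", "logon", authorized=False),
    Event("domain-controller", "logon", authorized=False),
    Event("mail-gateway", "logon", credentials_valid=False),
    Event("batch-billing", "transaction", completed=False),
]

if __name__ == "__main__":
    routed, counts = triage(SAMPLE_EVENTS)
    for ci, cls, destination in routed:
        print(f"{ci:20} {cls.value:12} -> {destination}")
    print({cls.value: n for cls, n in counts.items()})
```

The per-class counts returned by triage() give a quick view of whether the filtering level is producing too many unimportant events.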
Incident Management
"Objectives" of Incident Management The purpose of
incident management is to restore normal service
operation as quickly as possible and minimize the
negative impact on business operations while
maintaining the agreed level of service quality in the SLA.
To achieve this, the following objectives must be met: 1)
Standardized methods and procedures are used for
efficient and rapid response, analysis, documentation,
continuous management, and reporting of incidents. 2)
Resolve incidents quickly when they occur to improve
business perception of IT. 3) Align incident management
activities and priorities with business activities and
priorities.
General examples of incidents
Incidents are interruptions to IT services, a decrease in
the quality of IT services, or a failure of CIs that have not
yet impacted IT services. Examples include slow
network performance, inability to send emails, etc.
These incidents are discovered by users reporting
problems through a web interface or service desk, or by
event management tools detecting events and notifying
technicians, or by technicians discovering and reporting
issues to the service desk. However, incidents ideally
should be proactively prevented through event
monitoring, and not simply waiting for user reports. All
incidents must be categorized correctly and recorded
without fail (maintaining accuracy and completeness),
and should be audited regularly by an independent
information source.
How are measurement criteria used to measure the
effectiveness and efficiency of the incident
management process?
By using the following measurement criteria,
effectiveness and efficiency can be measured, which
leads to improved customer satisfaction:
・Average elapsed time to resolve or circumvent incidents
classified by impact code
・Percentage of incidents closed without escalation by the
single point of contact
・Percentage of incidents closed remotely by phone or
remote control
・Percentage of incidents closed without business impact
・Total number of incidents, percentage of unresolved
incidents, and percentage of major incidents
・Average score of customer survey triggered by incident
closure auto notification
・Percentage of incidents in which SLAs were not met
・Average cost per incident
・Percentage of incidents assigned to the wrong person or
with the wrong category selected
Incidents and Workarounds
Incident: An incident occurred in which nobody could
use the internal network, resulting in no one being able
to access email or business applications.
Priority: 1 (Impact: High, Urgency: High)
SLA: Within 2 hours
Workaround: As always, we instructed them to use the
smartphone we lend them to tether and use a VPN
connection with an RSA software token to access internal
network resources. Thanks to this, the business
downtime was only about 10 minutes. Meanwhile,
technical management contacted the ISP and checked
the switch to restore the internal network. The incident
record was closed within 2 hours.
Root Cause: As stated in KEDB, it was an issue with the
ISP's line. The problem record was a known issue and
was linked to the previous problem record, although a
new incident record was not created for this incident.
Service Request Fulfillment
"Objectives" of Request Fulfillment The goal is to be
responsible for managing the lifecycle of all service
requests from users. The objectives are to maintain
customer satisfaction by handling requests efficiently and
professionally; to provide users with channels to request
and use standard services; to provide information on
service availability and procedures for receiving services;
to source and provide components of requested standard
services, such as software licenses; and to respond to
general information, complaints, or comments.
Service Requests: These are the various types of requests
that users place on the service desk. Some companies
manage them as incidents, while others manage them as
requests. They can be classified into three categories:
a) Simple information provision - when is the service
desk open?
b) Inquiry level - when will the MS Excel mass upgrade
be performed?
c) Low-risk, low-cost minor change requests (=standard
changes) - please install the Adobe software that the
retired user in the same department was using on my
laptop, etc.
Business Value of Request Fulfillment The ability to
provide quick and effective access to standard services
that business staff can use to improve their productivity,
business services, and product quality. Effective
reduction of bureaucratic elements related to access
requests and acceptance for existing or new services,
thereby reducing the costs of providing these services.
The ability to improve the level of control for requested
services by aggregating realization functions. It also has
business value in reducing costs of negotiating with
suppliers and supporting.
Service Requests There are four types of service
requests:
Simple Questions:
・Where should I report that the light bulb is out?
・ Service desk business hours
・When will the MS Excel mass upgrade be performed?
・How do I install BI tool?
High frequency, low-risk, low-cost minor change
requests (=standard changes)
・Additional application installations
・Desktop equipment reconfiguration
・Purchase of software licenses
・Resetting Windows and Unix passwords
Those for which access management processes have
prescribed procedures
・Granting access rights due to a change in user roles
Those that require passing through other processes
such as business relationship management
・Changing smartphone models
Positioning of Request Fulfillment Process for Service
Requests As the number of service requests was large
and the organizational capacity was not high, we initially
placed a specialized request fulfillment group in Tokyo,
but the cost exceeded the budget, so we stopped.
Currently, the request fulfillment process is offshore
outsourced to low-cost regions for labor, and is
relatively stable, so the cost can be justified. Regardless
of which team is responsible for processing service
requests, they must be returned to the service desk
after the service request has been fulfilled to confirm
whether the user is satisfied with the result before
closing it. The service desk must monitor and track
progress and provide information to users.
Problem Management
Goal of Problem Management: The goal of Problem
Management is to manage the lifecycle of all problems,
from identification through further investigation,
documentation, and final removal. It minimizes the
negative impact of incidents and problems on the
business and proactively prevents recurrence by
identifying the root cause of incidents, documenting and
communicating known errors, and initiating corrective
measures to improve the situation. The objective is to
prevent problems and resulting incidents, eliminate
incidents that recur, and minimize the impact of
unavoidable incidents.
Relationship between Problem Management Process
and Incident Management Process Both are closely
related processes. For example, they use the same tools
and select categories, impact, and priority codes based
on the same rules, enabling effective and efficient
communication between them when responding. In
addition, there are cases where multiple incidents are
caused by a single problem, so the Incident
Management process may escalate to the Problem
Management process. Both should proactively act for
customer satisfaction. Also, both have a common goal
of improving the availability and quality of IT services by
coordinating with Change Management to reduce the
impact and duration of incidents that may affect IT
services.
Approach to Problems and Management of Known
Errors
a) Approach to problems: Review incident records
once a month to find patterns and trends that may
indicate problems. Review event logs once a week for
patterns and trends in warning and exception events
that may indicate underlying problems. Collect and
utilize data on operational quality issues that can help
detect underlying problems using a checklist.
b) Management of known errors: If the decisive cause
has not been identified, even if the incident has been
resolved, create a problem record (PR00001) from
multiple incident records (INC00001-INC00006). If a
workaround has been found, create a known error
record and manage it in a Known Error Database (KEDB).
(At this point, keep the problem record open and review
its priority.) The KEDB is made searchable by anyone
within the service provider so that the Service Desk can
immediately resolve similar incidents. If the root cause
of the problem has been resolved or if it has been
determined that it cannot be resolved for cost reasons,
close the problem record.
Access Management
Access management is the process of granting
permissions to authorized users to use specific services
and restricting access to unauthorized users. The
objective is to execute the policies and procedures
defined in information security management to ensure
the confidentiality, integrity, and availability of
information. To achieve this objective, access to services
is managed based on policies and procedures defined by
information security management. Requests for
granting, changing, and restricting access rights are
responded to efficiently. The goal is to manage access
to services and prevent inappropriate use.
Scope of Application of Access Management,
Particularly in Relation to Availability Management and
Information Security Management: Access management
has a deep relationship with availability management
and information security management and applies to
the following areas. Specifically, access management
enables organizations to manage the confidentiality,
availability, and integrity (the CIA) of their data and
intellectual property by effectively executing the policies
of information security management.
Access management only deals with changes in
permissions. It does not ensure that access is always
available within the agreed service hours; that is the
responsibility of availability management. Also, access
management is one of the functions performed by
technical management and application management,
not a separate function. Usually, IT operations
management or the service desk serves as a
coordination point.
Business Value of Access Management a) Controlled
access rights enable organizations to maintain the
confidentiality of information they own. b) Business
customers maintain appropriate levels of access to
effectively perform their work. c) Reduce errors caused
by users with limited knowledge using important
services such as stock trading systems. d) Monitor
service usage and track unauthorized usage. e)
Implement immediate invalidation of access rights that
are critical to security. f) Provide and demonstrate
compliance with regulatory requirements.
Access Management Process
Access Request: The rules for requesting access are
documented as part of the request fulfillment model
and are also described in the service catalog.
Verification: The decision whether a service request is
legitimate is made by the service, not the requester.
Requests are accepted only from appropriate managers,
department managers, application administrators, or HR,
or through RFCs, as defined in the process.
Provision of Authorization: Access management cannot
determine who has access rights. It only has the role of
implementing policies and regulations defined in SS and
SD. Automation is ideal, and in fact, in our company,
requests for joining or leaving the company trigger the
automatic generation and deactivation of Windows
accounts, eliminating human errors.
Recording and Tracking Access
Access management has the responsibility to ensure
that provided authorization is being used appropriately.
Access monitoring must be included in all monitoring
activities for technology management, application
management, and service operations functions. If there
is any exceptional access, it should be processed as an
incident. Access date, time, and content should be
submitted as evidence in legal operations if necessary.
Restriction of Authorization: Restrict authorization by
access level, time, or duration. For example, at Boise
Potato, contractor accounts are automatically
deactivated after 90 days regardless of the contract
period. To reactivate, pre-approval from the
department head is required, and approval must be
applied for again every 90 days, which strengthens the
restrictions.
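The time-based restrictions described in this essay (contractor accounts deactivated after 90 days with department-head re-approval, and hosts disabled after more than a month without a domain logon) can be checked mechanically. The following is an added example, not the organization's own tooling: the record layout, the role name "department_head", the 30-day reading of "a month" and all sample accounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Optional, Tuple

CONTRACTOR_WINDOW = timedelta(days=90)  # from the text
STALE_HOST_AFTER = timedelta(days=30)   # "more than a month", assumed to mean 30 days


@dataclass(frozen=True)
class Account:
    name: str
    kind: str                            # "employee", "contractor" or "computer"
    enabled: bool
    activated_on: date                   # start of the current authorization window
    contract_end: Optional[date] = None  # recorded, but never extends the window
    last_logon: Optional[date] = None    # last successful domain logon


@dataclass(frozen=True)
class Approval:
    account: str
    approver_role: str                   # hypothetical role name, e.g. "department_head"
    approved_on: date


def deactivation_reason(acct: Account, today: date) -> Optional[str]:
    """Return why an enabled account must be disabled today, or None."""
    if not acct.enabled:
        return None
    if acct.kind == "contractor" and today - acct.activated_on >= CONTRACTOR_WINDOW:
        return "contractor authorization older than 90 days"
    if acct.kind == "computer":
        last_seen = acct.last_logon or acct.activated_on
        if today - last_seen > STALE_HOST_AFTER:
            return "no domain logon for more than a month"
    return None


def review(accounts: List[Account], today: date) -> Tuple[List[Account], List[tuple]]:
    """Apply both restrictions; return updated accounts and an audit trail."""
    updated, audit = [], []
    for acct in accounts:
        reason = deactivation_reason(acct, today)
        if reason:
            acct = replace(acct, enabled=False)
            audit.append((today.isoformat(), acct.name, "disabled", reason))
        updated.append(acct)
    return updated, audit


def approval_is_valid(acct: Account, approval: Approval, today: date) -> bool:
    """A pre-approval counts only if it is for this account, from the department
    head, and newer than the window it is meant to replace."""
    return (
        approval.account == acct.name
        and approval.approver_role == "department_head"
        and acct.activated_on < approval.approved_on <= today
    )


def reactivate(acct: Account, approval: Approval, today: date) -> Account:
    """Open a new 90-day window for a disabled contractor account."""
    if acct.kind != "contractor" or acct.enabled:
        raise ValueError(f"{acct.name}: only disabled contractor accounts are reactivated")
    if not approval_is_valid(acct, approval, today):
        raise PermissionError(f"{acct.name}: fresh department-head approval required")
    return replace(acct, enabled=True, activated_on=today)


# Constructed sample data; names and dates are invented for the example.
TODAY = date(2023, 10, 8)
SAMPLE_ACCOUNTS = [
    Account("e.sato", "employee", True, date(2020, 4, 1), last_logon=date(2023, 10, 6)),
    Account("c.tanaka", "contractor", True, date(2023, 6, 1), contract_end=date(2024, 3, 31)),
    Account("c.lee", "contractor", True, date(2023, 8, 1), contract_end=date(2023, 12, 31)),
    Account("LAPTOP-SOHO-01$", "computer", True, date(2022, 1, 10), last_logon=date(2023, 8, 20)),
    Account("DESK-014$", "computer", True, date(2022, 1, 10), last_logon=date(2023, 10, 5)),
]

if __name__ == "__main__":
    accounts, audit = review(SAMPLE_ACCOUNTS, TODAY)
    for entry in audit:
        print(*entry, sep=" | ")
    tanaka = next(a for a in accounts if a.name == "c.tanaka")
    stale = Approval("c.tanaka", "department_head", date(2023, 5, 30))
    fresh = Approval("c.tanaka", "department_head", date(2023, 10, 6))
    print("old approval accepted:", approval_is_valid(tanaka, stale, TODAY))
    renewed = reactivate(tanaka, fresh, TODAY)
    print("next automatic deactivation:", renewed.activated_on + CONTRACTOR_WINDOW)
```

The audit trail returned by review() is the kind of record that supports the "Recording and Tracking Access" step, since every automatic deactivation carries its date and reason.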
Service Desk
What is a service desk? The service desk is a critical
component of the entire IT organization as they directly
communicate with users and serve as the single point of
contact for users. They handle incident response,
problem management escalation, service request
management, answering questions, as well as customer
change requests, maintenance contracts, software
licenses, service level management, service asset and
configuration management, availability management, IT
service financial management, and IT service continuity
management.
Processes closely related to the service desk The service
desk has close relationships with event management,
incident management, access management, and
problem management. The service desk primarily deals
with incidents, which are communicated to them by
users (web, email, phone), warning events or tickets
from event management, or technical staff. If it is
determined to be a change in access, it is processed
through access management, while the service desk
handles incidents directly. If a workaround for a known
issue exists in the Known Error Database (KEDB), the
service desk will provide the user with the workaround.
Incidents requiring investigation of root cause are
handled by problem management.
Measurement criteria for service desk quality
Measurement is important for assessing soundness,
maturity, efficiency, effectiveness, and all opportunities
to improve operations. When measuring the total
number of calls, it is important not to base it on
exceptional periods of organizational busyness. The
total number of calls also increases during periods of
reduced service reliability and increased service desk
reliability, so it should not be used as the sole criterion.
It is important to confirm whether there has been a
change in service reliability or improvement in the
service desk since the last measurement baseline. The
following are examples of 11 measurement criteria:
1. Measure the first-time resolution rate in primary
support.
2. However, also measure the percentage resolved
without using secondary support.
3. Measure the percentage resolved during the initial call.
4. Measure the average time to resolve incidents.
5. Measure the average time to escalate incidents.
6. Measure the average cost of service desk support for
incident response.
7. Measure the total cost of the service desk divided by
the total number of calls.
8. Measure the total cost for the period divided by the
total call time (in minutes).
9. Measure the percentage of customer or user updates
that are performed within the target time defined in the
SLA.
10. Measure the average time to review and close
resolved calls.
11. The breakdown of call volume by time of day and day
of week, combined with the measure of average call time,
is essential for determining staff allocation.
Function of window services
The single window services in Japan and China are
provided in Dalian, China, where they handle all
questions and issues at one place. When calling the
single window services, users are prompted to select
the support language and service type through a voice
guidance system, which streamlines the service desk's
operations. Once an incident is accepted, an incident
record number is issued, which eliminates the need for
users to repeat their information if they make another
inquiry. For password resets, users must provide their
staff ID number, building name, and mobile phone
number, and their identity is verified through a callback
before the reset is performed, ensuring the security of
the information. However, users may become
dissatisfied with the service desk's busyness, which may
require them to wait up to an hour for a callback. Access
requests are carefully checked through an application
database. Because the service costs only about one-tenth
of what it would in Japan, slow callbacks and difficulties
in communicating in Japanese are tolerated. Business
customers believe that these issues can be improved
over time through training.
Common functions
Technical management function a) Manage technical
knowledge and expertise related to IT infrastructure
management. Ensure that the knowledge necessary for
designing, testing, managing, and improving IT services
is captured, nurtured, and refined. b) Provide actual
human resources to support the service lifecycle. Ensure
that human resources are effectively trained and
deployed for technical design, construction, migration,
operation, and improvement. Balance the skill level,
utilization, and cost of human resources as a strategy
and decide whether to outsource tasks or consolidate
internal specialists to increase the utilization of experts.
This is beneficial for project teams and problem-solving.
c) Communicate effectively with IT operations
management and provide IT operations guidance to
ensure stable operation of the technical infrastructure.
Application management function a) As a manager of
technical knowledge and expertise related to
application management, provide application services
that meet the business's required service levels and
support problem management (Note: application
development is not performed). Work with technical
management to ensure that the knowledge necessary
for designing, testing, managing, and improving IT
services is captured, nurtured, and refined. b) Provide
actual human resources to support the service lifecycle.
Ensure that human resources are effectively trained and
deployed for technical design, construction, migration,
operation, and improvement. c) Communicate with IT
operations and provide procedure manuals on the best
methods for continuously managing application
operations within IT operations management. d)
Integrate the application management lifecycle into the
service lifecycle. e) Be responsible for providing
application training.
IT operations management function It is a function that
executes the necessary continuous activities and
procedures on a daily basis to manage and maintain the
IT infrastructure, which is necessary to provide and
support IT services at agreed-upon levels. Specifically,
there are tasks to ensure that devices, systems, and
processes are actually operating or functioning in
accordance with strategies and plans. This is a relatively
long and repeated process that is carried out by
professional technical staff who have received technical
training. It depends on investment in equipment and
human resources. IT operations management is divided
into IT operations control (console management, job
scheduling management) and facility management
(data center, computer room, recovery site
management). Technical management and application
management are part of the IT operations management
function.
Status of functions (technical management, application
management) in an organization
Technical management supports planning, testing,
implementation, and maintenance of IT infrastructure
changes and develops maintenance plans to execute in
IT operations management. Application management is
divided into teams for large products such as Oracle,
Citrix, and XX, which support planning, design, testing,
implementation, and development of maintenance
plans to execute in IT operations management. IT
operations management performs operational activities
of IT infrastructure, monitors networks, and manages
printing and output collection and distribution. They
also conduct maintenance activities based on the
procedures created by the technical management and
application management teams.
Chapter 5:
MALC (Management Across Life Cycle)
This chapter summarizes the lifecycle of IT service
management as follows:
What is the basis for selecting a provider?
・ Performance, capabilities, credit inquiries, credit
ratings, and scale related to the business to be
partnered with.
・Whether to contract with a single supplier or use
multi-sourcing for risk diversification.
・Whether to position suppliers as dependent or form
partner relationships with shared responsibility.
・Whether it is a short-term relationship, such as a
project for introducing an ITSM tool, or a long-term
relationship for operational work.
・Results based on creating a business case and
comparing ROI (return on investment) and VOI (value on
investment).
・Results based on assessing customer satisfaction, brand
image, market share, stock prices, profitability, and the
impact or penalty risk of regulations.
・Whether the supplier can withstand environmental
changes such as business needs and scope.
・Whether the company is certified to ISO20000-1:2018,
ISMS, or PCI DSS for particular scopes (understands
common terms and frameworks).
・What criteria should be used to select a provider
when building a system or procuring IT services, e.g.
NIST-800, FISC?
Selection process:
・Conduct a SWOT analysis regarding supplier selection.
・Submit a business case that clearly states ROI, VOI,
and KPI to service portfolio management.
・The IT service financial management approves and
applies to the CFO.
Selection Criteria:
Hosting Team (Independent outsourcing company A):
・Low service fees
・Compliance with SLA
・A company manager who can manage staff resources,
provide training, and reporting.
ID (IDentity) Management/SACM Team (Independent
outsourcing company B):
・Low service fees
・A company manager who can manage staff resources,
provide training, and reporting.
Desktop Support Team (Independent outsourcing
company C):
・Low service fees
・Healthy financial condition of C company (however,
to prepare for the risk of C company bankruptcy, similar
work may be requested from A and B companies)
・Compliance with SLA
・A company manager who can manage staff resources,
provide training, and reporting
・Ability to speak English as a native Japanese speaker
・Soft skills, service orientation, and understanding of
the importance of achieving service culture. Technical
skills are not required.
Service Desk Team (D company in Dalian, China):
・Compliance with SLA
・Ability to speak Japanese and English as a Chinese
person
・Soft skills, service orientation, and understanding of
the importance of achieving service culture. No
technical skills required.
Business Application Development Team (E company in
India):
・Low service fees
・No requirement for Japanese language ability, but
specialized knowledge of databases and accounting is
required.
・Adherence to deadlines
・Signing of NDA.
Project Management Task (Foreign consulting company
F):
・Trilingual
・Detailed work history matching the needs such as
experience using XYZ development toolkit, Active
Directory, Hyper-V, and accounting system introduction
for at least 5 years.
・Ability to coordinate the entire project.
Technology Management, Application Management,
and Overall Service Management (in-house employees):
・Service management experience
・High expertise in core technology
・Understanding of business strategy
・ Ability to coordinate diverse teams from various
suppliers
・Customer service skills as a liaison with each business
unit of the client.
If appointed as the CIO of an organization, what should be
improved first in IT service management, and how?
・Create a business case for each service change - to
ensure that it aligns with the business strategy and has
a good ROI.
・ Review the business case and prioritize new
investments - for example, to implement a nearshore
outsourcing strategy and move the hosting team to the
Dalian office. Also, invest in temporary staff to reduce
overall labor costs, and use the savings to invest in ITSM
tools to improve efficiency.
・Rebuild the IT organization - transfer non-managerial
employees to other departments, leaving only
managers and their successors in the IT department.
・Provide clear career paths, training opportunities, and
appropriate compensation to improve employee
morale and create a new team that can work in line with
the business strategy.
Strategic change management
"Contract portfolio" The contract portfolio includes
financial information used to analyze investments and
corresponding benefits related to supplier contracts.
Supplier contracts can become complex, especially as a
result of organizational restructuring, mergers, or the
addition of new suppliers. To review these contracts, it
is necessary to revise the contract portfolio. Before
making any changes to supplier contracts, it is
recommended to create a business case for each one
and incorporate it into the contract portfolio, which can
lead to cost savings and increased efficiency through
rationalization of supplier contracts.
Service delivery models
When designing services, it is necessary to consider how
they will be provided, and this is referred to as the
service delivery model, which is divided into seven
categories: insourcing, outsourcing, co-sourcing, multi-
sourcing, BPO, application service provision, and
knowledge process outsourcing. The advantages of
insourcing include expertise in business processes and
lower security risks, but it can be difficult to change
personnel and acquire necessary skills quickly. The
advantage of outsourcing is that necessary skills can be
obtained quickly, but there is a cost associated with
resolving security risks when outsourcing to other
companies. Over-reliance on suppliers for technical
expertise can also lead to hollowing out of the
information systems department, which is a current
problem.
Example of a business case to double profits in 5 years
through IT services:
Priority 1 (Industry): Achieving leadership in the
overseas Japanese company audit market.
A. Introduction: Training of IFRS accountants.
B. Method and assumptions: Target users - all
accountants. Implementation period - from the 2009
fiscal year. Organizational background: In the industry
as a whole, there is a strong trend of enclosing Japanese
customers.
C. Business impact:
Cost of IFRS certification training for existing
accountants, and compensation to headhunting
companies for hiring accountants with IFRS experience:
10 million yen.
Establishment of English and Chinese language training
programs in the Philippines and Beijing in 2005: 10
million yen.
Revenue increase of 10% by acquiring accounting audit
clients for Japanese companies rushing to respond to
globalization and incorporating them as clients faster
than competing companies.
10% increase in the number of existing foreign company
accounting audit clients by 2011.
Introduction of XYZ, Balanced Scorecard, and Enterprise
consolidation accounting tools for those clients as part
of IFRS, resulting in a 50% revenue increase.
Result:
ROI is 1 or higher.
It leads to strengthening marketing capabilities and
improving customer loyalty.
D. Risks and emergencies (external factors):
Risk of postponement of Japan's deregulation of
dismissal regulations (increase in internal
unemployment): Probability of occurrence 10%
Risk of failure of TPP negotiations (free trade in human
resources and services): Probability of occurrence 80%
Risk of failure of the Tokyo Asian headquarters special
zone plan (reducing the need for Japanese companies to
expand overseas): Probability of occurrence 90%
Decreased motivation of existing employees without
English proficiency due to an increase in overseas
projects: Probability of occurrence 99%
E. Recommendations:
Japanese new graduates should have a minimum of
US-CPA, TOEIC 850 points, and HSK Level 4 before entry.
Establish a system to speed up visa support for foreign
accountant hires. (Add immigration lawyers to shorten
visa issuance from 6 months to 2 months by April 2012.)
Recommend that management adjust the hiring and
training of IT engineers to the business client's system.
Fully manage all risks.
Priority 2 (Strategic): Introducing competitive products.
A. Introduction (presentation of business goals):
Revenue increase through the introduction and
development of ITSM tools such as XYZ for Japanese
corporate clients.
B. Method and assumptions (boundary definition of
business cases): Target customers - Japanese large
companies in any industry (excluding small and
medium-sized companies through selection and
concentration). Implementation period - from 2005.
Organizational background: ITSM tools have not yet
penetrated in Japan, so our experienced company has
kept a monopoly in the local foreign market, but the
future market size is uncertain.
C. Business impact (financial and non-financial results):
Compensation to personnel companies for mid-career
hires with ITSM tool development experience: 10
million yen (2 million yen x 5 people).
New external training: 800,000 yen x 5 people
New software license purchase: 100,000 yen x 5 people
Total investment amount: 14.5 million yen
Revenue increase of 30% year-on-year by acquiring
Japanese companies rushing to respond to globalization
as clients.
50% revenue increase year-on-year by introducing
Balanced Scorecard and Enterprise tools for those
clients.
Result:
ROI is 1 or higher.
It leads to strengthening marketing capabilities and
improving customer loyalty.
D. Risks and emergencies (probability of occurrence of
different results):
Emergence of Japanese sales agents around 2012
Risk Management
The risks anticipated when performing a system
migration include:
・ Lack of clarity in ROI and VOI, and ambiguity in
business value due to the absence of SWOT analysis in
all service transition management processes based on
SMART principles.
・Ambiguity in business value due to the absence of
creating a business case for each change during the
system migration, which leads to unclear ROI and VOI.
・Budget overruns due to the lack of involvement of
service strategy in system migration. Insufficient
capacity due to the absence of involvement of service
design. Increased incidents due to the absence of
involvement of service operation. Missed opportunities
for improvement due to the absence of involvement in
continuous service improvement.
Efforts to Reduce Risk in Design Activities
The risks in design activities are performance risks and
demand risks in the service. Customers expect the
service to have a beneficial impact on their assets'
performance (referred to as usefulness from the
customer's perspective). There is always a risk that the
service designed to provide the expected benefits in
terms of usefulness does not deliver them.
Underperformance is a result of inadequate design
activities, which are often due to the inability to
understand and adjust to demand patterns. Risk
reduction in design activities depends on how well the
flexibility to withstand sudden changes in demand
patterns is incorporated.
Job Separation as an Internal Control Function: Practical
Examples from Your Organization's Management
In our organization, we ensure transparency and
accountability for business processes and corporate
accounting by creating financial reports based on the
Sarbanes-Oxley (SOX) Act. External audit agencies
perform audits to confirm the accuracy of the business
processes and whether the appropriate IT service
management processes have been followed, such as
whether accounts have been deleted correctly. We print
and submit account and data records to auditors as
instructed. Moreover, access to data is restricted based
on job roles in our organization. Technical architects
cannot access the incident data managed by the
operations team, and the IT operations team cannot
access the live human resources or accounting
databases. This separation ensures that access to data
is restricted, even within the same company, and that
job roles are separated appropriately.
Planning and implementing IT service management
PDCA in the Continuous Service Improvement (CSI) stage
The Deming cycle leads to the improvement of IT
service quality in all service life cycles, but is particularly
effective in the CSI stage. The cycle of plan, do, check,
and act in the Deming cycle should be used to gradually
raise the maturity level of IT service quality over time
and to move towards alignment between business and
IT, rather than rolling back. The ultimate goal of the
Deming cycle is steady and continuous improvement.
Development procedure:
Step 1. Review the business case created by the service
portfolio management.
Priority 1 (Operation): Improving work efficiency
A. Introduction (Business objectives): The productivity
increases by 80% as a result of the migration to
Windows 7 and hardware improvement.
B. Method and assumptions (boundary definition of the
business case):
Target users: all employees (excluding contract and
dispatched employees).
Implementation cycle: every three years
Start date: January 2013
End date: December 2013
Organizational background: Since staff reduction is
underway, improving productivity is urgent. By investing
in a laptop refresh project for 2,000 people, it is
necessary to increase the productivity of all employees
and link it to business revenue.
C. Impact on business:
ⅰ) Cost: 10 million yen (including hardware purchase,
test environment construction, and project personnel
expenses excluding fixed costs).
ⅱ) Reduce personnel expenses by 30% and raise 10
million yen.
Results:
- ROI is equal to or greater than 1 (1,800/1,450).
- Improved employee satisfaction of 90%.
D. Risks and emergencies:
ⅰ) Information security risk if the project is not
completed as planned (Microsoft ends support for
Windows XP in April 2014).
ⅱ) Since support for Windows Server 2003 also ends in
July 2015, it is necessary to confirm the server-side
version for all servers.
1. If there are issues with specific applications on the
new OS, it may affect business processes, with a 10%
probability.
2. If employees do not understand how to use the new
OS or new hardware, it may cause problems with work
efficiency and reduce business revenue, with a 40%
probability.
3. Follow-up on increased employee stress due to
getting used to the new OS.
E. Recommended actions:
ⅰ) Clarify roles for each process to ensure the success
of the asset refresh plan project by cooperating with all
service life cycles.
ⅱ) Establish a Project Management Office (PMO).
ⅲ) Save all old laptops and environments for at least
three years in preparation for emergencies such as
disasters or trouble.
ⅳ) Focus on risk management to manage all risks.
Step 2: Create a service design package that includes the
following.
・Service charter
・Service specifications
・Service model
・Architecture design (including limitations)
・Definition and design of release and release packages
・Plan for release management and deployment
management
・Service acceptance criteria
Step 3: Submit the service design package to the process
of verifying and testing service validity.
Regarding Communication that CIO should Expand
within the Organization:
・Implement expanded communication for creating a
strategy aimed at achieving overall goals, not for
organizational maneuvering or self-interest.
・Expand communication for developing team culture,
mentoring, and coaching.
・Expand communication to ensure that investments
match the organization's intended development and
growth.
・Expand communication to make all managers aware
of their roles.
・ Expand communication regarding prioritization of
investments.
・ Expand communication about the strengths,
weaknesses, opportunities, and threats of service
providers.
・Expand communication for evaluating, directing, and
monitoring strategies, policies, rules, and contracts.
Challenges for the Organization
CMMI:
Keywords indicating the maturity of the process in the
five stages of maturity:
The CMMI maturity model includes six stages: 0. non-
existent, 1. initial state, 2. repeatable state, 3. defined
state, 4. managed state, and 5. optimizing state. CMMI
(Capability Maturity Model Integration) is a process
improvement approach developed by the Software
Engineering Institute at Carnegie Mellon University.
CMMI is used to guide process improvement or
adjustment for projects, business units, or entire
organizations. For example, if the maturity level of the X
management process is 0 or 1 and the organization
relies heavily on the ○○ management process, there is
considerable risk for the organization. Conversely, even
if the maturity level of the X management process is 5,
if the Y management process contributes very little to
the business, the organization may be investing
resources and funds unnecessarily.
Factors (domains) to consider when assessing process
maturity: International standards such as CMMI and
ISO/IEC 20000-1:2018 can be used to assess the
maturity of an organization's capabilities. This not only
applies to all aspects of the process environment,
including personnel, processes, and technology within
the organization, but also allows for comparison with
industry standards. Through maturity assessment, the
maturity of acceptance culture, process strategy and
vision, process organization, process governance,
business and IT alignment, process reporting, process
measurement criteria, and decision-making can be
evaluated.
Policies necessary for CIO to raise the maturity level of
current IT services by one level:
・Obtain senior management agreement that raising
the maturity level of IT services is essential for the
success of customer business.
・Have service managers create business cases for the
assessment plan.
・Have the IT service financial management manager
secure funds for using external CMMI consultants.
・Have the service level management manager work
with external consultants to objectively assess the
maturity level.
・Report process gaps.
・ Have the CSI manager involve stakeholders in
improving maturity level.
Service Evaluation:
Three types of measurement criteria:
Technical measurement criteria: measure performance
and availability for individual components or
applications.
Process measurement criteria: measure service
management processes using CSFs and KPIs to
determine overall process health. KPIs are metrics that
answer whether a process complies with the four
elements of compliance: 1) service quality, 2)
performance, 3) value, and 4) whether it conforms to
the process. The results of CSF and KPI measurements
are input to the CSI management table to contribute to
the continuous improvement of overall services.
Service measurement criteria: an end-to-end service
performance metric for customer experience. Technical
measurement criteria ⅰ) and process measurement
criteria ⅱ) are used as inputs for calculating service
measurement criteria ⅲ), meaning these three
measurement criteria are related.
Measurement criteria set for IT services: Technical
measurement criteria are responsible for measuring the
performance of Oracle application servers, internal
wired networks, wireless networks, VPN servers,
Exchange servers, file servers, ABC phone servers, and
other speed and capacity metrics. The results are
automatically output to ITSM tools and processed into
tables with the necessary analyses added based on the
requests of multiple recipients of the report. ITIL®
recommends automating operational-level processes as
much as possible. The report is viewed by process
measurement criteria personnel for reference and used
as input for end-to-end measurement by service
measurement criteria personnel.
Additional Service Metrics that CIO Should Introduce to
Further Utilize the Service Quality of "Involved IT
Services"
Our Strategic Business Unit has introduced the Balanced
Scorecard as a service measurement standard that can
be used for management. The Balanced Scorecard
evaluates items from four perspectives: internal
processes, customers, learning and growth, and
finances, and aims to achieve a balanced score as much
as possible. Originally, it was a measure to assess the
management status of business customers, but it has
been used as an indicator of IT service status for the past
10 years. By setting final goals and KPIs for each
perspective and conducting quantitative evaluations,
strengths and weaknesses of the organization can be
recognized from the balanced score, leading to
improvement activities.
Purposes of using strategic frameworks, techniques,
and tools other than ITIL®
COBIT 2019 (Control Objectives for Information and
Related Technology):
Complies with IT governance principles and covers five
aspects: alignment with strategy, value delivery,
resource management, risk management, and
performance measurement. COBIT is a globally
recognized and adopted control-based framework for
value and risk management, used for overall IT
governance support.
Service Management System (ISO/IEC 20000-1:2018):
Defines the requirements for service providers to
provide managed services and is utilized for third-party
review and certification to prove it to external
stakeholders.
CMMI (Capability Maturity Model Integration):
A capability maturity model that provides guidelines for
process improvement in system development. It aims to
ensure that products or services meet customer
expectations. By going through five stages: initial state,
repeatable state, defined state, managed state, and
optimized state, processes mature.
Balanced Scorecard: Developed by Americans in 1992, it
evaluates performance from the perspectives of
customers, finances, learning and growth, and business
processes. It proposes that setting measurement
standards from these four perspectives, collecting data,
and analyzing the data is beneficial.
Quality Management (ISO/IEC 9001:2015):
Utilized to strengthen organizational capabilities. It
includes not only quality management of the company's
own products but also quality management of IT
services and IT service processes. If the organization is
utilizing quality management systems such as ISO 9001,
Six Sigma, and TQM, regular reviews and report creation
can evaluate progress regularly and promote agreed-
upon service improvement initiatives.
OSI framework:
Around the time when ITIL® version 1 was created, the
International Organization for Standardization began an
initiative that would eventually become the Open
Systems Interconnection (OSI) framework.
Since many of the areas that the OSI framework
initiative targeted were the same as those targeted by
the ITIL® team, both dealt with many of the same topics.
It is common for people from different organizations to
use both ITIL® and OSI framework terms, which can
sometimes cause confusion.
Pension:
A pension system is a mechanism that guarantees a
basic part of the living expenses during the elderly years.
The usage method is as follows.
・Using Table A.1, determine the present value of one
pound of future pension payments.
・Identify the column for the corresponding discount
rate (or asset cost) and the row for the corresponding
payment period.
・The intersection of the column and row is the present
value of the pension payment per pound for that year.
・Multiplying this value by the expected amount of
pounds to be received in a single payment gives the
present value of the pension.
From the Service Management Maturity Framework
(quoted from ARC's task response):
・The Process Maturity Framework (PMF) assesses the
maturity of each service management process
individually.
・In process review, assessment is performed for the
following five areas: vision, process, people, technology,
and culture.
・Processes mature through five stages: initial,
repeatable, defined, managed, and optimizing.
Six Sigma:
Developed by Motorola in the 1980s, it is a methodology
based on Japanese manufacturing QC.
Six Sigma is a process improvement methodology
suitable for not only manufacturing, but also IT services
and services in general. The goal is to reduce errors so
that there are fewer than three or four defects for every
one million operations performed. IT managers must
consider the various variations in IT service artifacts,
such as capacity management, as well as the various
roles and tasks in the IT operations environment. Six
Sigma is a data-driven approach that supports
continuous improvement. Six Sigma has the following
methodologies:
DMAIC - Define, Measure, Analyze, Improve, Control
DMADV - Define, Measure, Analyze, Design, Verify
PRINCE2 (PRojects IN Controlled Environments v2):
PMBOK7 revised in 2021:
For IT service improvement, standardized project
management methodologies such as PMBOK
accredited by PMI (created by PMI as well) and PRINCE2
accredited by PeopleCert (created by AXELOS) can be
used. While a standardized project approach is not
necessary for all improvements, it is necessary for many
to fully cover the scope and scale of the improvement.
A project is an activity with a different purpose each
time and with a starting and ending period.
TQM (Total Quality Management): A methodology
developed in the 1980s in the United States that adapts
quality management to business strategy, which later
replaced Japan's bottom-up TQC with top-down TQM.
Total Quality Management (TQM) is a management
strategy aimed at incorporating quality awareness into
all processes within an organization. In TQM efforts, all
individuals within the organization participate in
improving processes, products, services, and the culture
surrounding their respective duties.
ITIL® v3/2011 Edition Training and Exams
The ITIL® v3/2011 Edition Expert certification exam is
overseen by AXELOS and was previously administered
by organizations such as EXIN. However, since 2017,
PeopleCert has been globally contracted to administer
the exam for ITIL® v3/2011 Edition instead of EXIN and
others. Then ITIL®4 Foundation exam become available
since April 2019 by PeopleCert. Then PeopleCert
acquired AXEOS in 2021. Since then, ITIL® v3/2011
Edition and ITIL® v4 training and exam system has
become much more flexible than before.
ITIL® v3/2011 Edition consists of five exams, and
eligibility for taking the exam requires passing ITIL®
v3/2011 Edition Foundation exam and completing
training from a PeopleCert-certified institution after
2017. Only those who have completed the respective
training can take each exam.
ITIL® v3/2011 Edition Master is the top-level
certification above ITIL® Expert and was conducted in
English through presentations and interviews in
countries such as Singapore, Hong Kong, and Malaysia
until 2022. As it is not a written exam, certification as an
ITIL® Expert requires practical experience and
permission from affiliated and customer companies.
ITIL® v3/2011 Edition Foundation: Taking training is not
mandatory. This exam tests a candidate's understanding
of ITIL® terminology, concepts, and basic processes. It
covers the ITIL® v3/2011 Edition framework, service
management as a practice, service lifecycle, key
principles and models, and selected processes. Passing
the Foundation exam is a prerequisite for taking the
higher level ITIL® v3/2011 Edition exams.
SOA (Service Offering and Agreement): This exam
assesses a trainee's ability to design, implement, and
manage service management processes to ensure
service offering and agreement. For more details, refer
to figure#1 in orange section.
PPO (Planning, Protection, and Optimization): This
training & exam assess a trainee's ability to design,
implement, and manage service management processes
to ensure service quality and efficiency. For more details,
refer to figure#1 in orange section.
RCV (Release, Control, and Validation): This training &
exam assess a trainee's practical knowledge of service
transition. For more details, refer to figure#1 in orange
section.
OSA (Operational Support & Analysis): This training &
exam assess a trainee's practical knowledge of
maintaining service operation stability while responding
to changes in design, scope, scale, and service levels. For
more details, refer to figure#1 in orange section.
MALC (Management Across Life Cycle): This training &
exam assess a trainee's ability to build, manage, and
improve the IT service management life cycle. The MALC
exam is in the form of various case studies based on
scenarios of business expansion and IT department
integration due to merger strategy. Only those who
have passed all four of the previous exams (SOA, PPO,
RCV, and OSA) are eligible to take the MALC exam, and
passing it results in becoming an ITIL® EXPERT V3/2011,
but the version ended in 2022.
ITIL®4 Training and Exams
ITIL®4 Managing Professional (MP): This training and
exam evaluate individuals to determine their eligibility
to convert their certification to ITIL®4 without
undergoing ITIL®4 training and exams. Taking the MALC
training and exam isn't mandatory for transitioning to
MP. ITIL®4 MP training & exam in Japanese is available
only until September 30, 2023. The English ITIL®4 MP
training & exam concluded in 2022. After October 1,
2023, those who wish to become ITIL®4 MP must pass
the following five subjects.
・ITIL®4 Foundation (*taking training is an option, not
mandatory) JPN
・ITIL®4 Specialist: Create, Deliver & Support (CDS) JPN
・ITIL®4 Specialist: Drive Stakeholder Value (DSV) JPN
・ITIL®4 Specialist: High Velocity IT (HVIT) JPN
・ITIL®4 Specialist: Direct, Plan & Improve (DPI) JPN
People who seek ITIL®4 Strategic Leader above ITIL®4
MP have to take the following additional training and
exam.
・ITIL®4 Specialist: Digital & IT Strategy (DITS) JPN
People who seek ITIL®4 Master have to take the following
additional training and exam.
・ITIL®4 Practice Manager Course (Only English books
are available as of Oct. 8, 2023.)
Refer to the following URL for further information about
the ITIL®4 Practice Manager Course:
https://www.axelos.com/certifications/itil-service-management/itil-practices-manager/
ISO20000-1:2018 Training & Exam
EXIN IT Service Management Foundation based on
ISO/IEC 20000:2018 training & exam are provided by
EXIN accredited training companies and are still valid.
ISO20000-1:2018 IRCA 3rd party auditor's training &
exam is provided by IRCA accredited training
companies, and the exam can be completed at home.
Training contents are mostly based on ITIL®2011
rather than ITIL®4 so far. After a successful 5-day
training and exam, trainees can register immediately
with IRCA as an Associate 3rd party auditor without any
ISO20000-1 3rd party audit experience. To be promoted
to 3rd party auditor, a person needs at least 15 days of
on-site audit experience. Promotion to IRCA Lead
Auditor requires at least 10 days of on-site audit
experience as a team lead with members working
under the candidate. Promotion to IRCA Principal
Auditor requires 5+ years' experience as either an IRCA
registered auditor or lead auditor, or continuous
employment by an ISO20000-1 accreditation body for
3+ years as an auditor or lead auditor. Conducting an
ISO20000-1 3rd party audit does not require IRCA
certifications, though.
Reference materials
AXELOS Ltd, ITIL® 2011 edition: Planning, Protection &
Operation, TSO, 2011
AXELOS Ltd, ITIL® 2011 edition: Release, Control &
Verification, TSO, 2011
AXELOS Ltd, ITIL® 2011 edition: Operational Support &
Analysis, TSO, 2011
AXELOS Ltd, ITIL® 2011 edition: Service Offering and
Agreement, TSO, 2011
AXELOS Ltd, ITIL® 2011 edition: Managing Across the
Lifecycle, TSO, 2011
ISO, ISO/IEC 20000-1:2018 Information technology —
Service management — Part 1: Service management
system requirements, ISO, 2018

PDF
Laughter Yoga Basic Learning Workshop Manual
PPTX
Probability Distribution, binomial distribution, poisson distribution
PDF
kom-180-proposal-for-a-directive-amending-directive-2014-45-eu-and-directive-...
PPT
Data mining for business intelligence ch04 sharda
PDF
pdfcoffee.com-opt-b1plus-sb-answers.pdfvi
PDF
Business model innovation report 2022.pdf
PPTX
job Avenue by vinith.pptxvnbvnvnvbnvbnbmnbmbh
PPTX
5 Stages of group development guide.pptx
PDF
Power and position in leadershipDOC-20250808-WA0011..pdf
PDF
Roadmap Map-digital Banking feature MB,IB,AB
PDF
MSPs in 10 Words - Created by US MSP Network
Training And Development of Employee .pdf
A Brief Introduction About Julia Allison
IFRS Notes in your pocket for study all the time
Dr. Enrique Segura Ense Group - A Self-Made Entrepreneur And Executive
Stem Cell Market Report | Trends, Growth & Forecast 2025-2034
Chapter 5_Foreign Exchange Market in .pdf
Types of control:Qualitative vs Quantitative
Chapter four Project-Preparation material
20250805_A. Stotz All Weather Strategy - Performance review July 2025.pdf
Laughter Yoga Basic Learning Workshop Manual
Probability Distribution, binomial distribution, poisson distribution
kom-180-proposal-for-a-directive-amending-directive-2014-45-eu-and-directive-...
Data mining for business intelligence ch04 sharda
pdfcoffee.com-opt-b1plus-sb-answers.pdfvi
Business model innovation report 2022.pdf
job Avenue by vinith.pptxvnbvnvnvbnvbnbmnbmbh
5 Stages of group development guide.pptx
Power and position in leadershipDOC-20250808-WA0011..pdf
Roadmap Map-digital Banking feature MB,IB,AB
MSPs in 10 Words - Created by US MSP Network

ITILv3 /2011 Edition Case Study for New Service Managers to Understand Old ITIL.

  • 1. Implementing ITIL®V3/2011 Edition Framework for Japanese Enterprises
Soma, Jerimi (yuko.soma8@gmail.com), Oct. 8, 2023
Abstract
This essay will discuss my own interpretation of ITIL®v3/2011 Edition and ISO/IEC 20000-1:2011 based on the Service Management Framework Trainings.
ITIL (Information Technology Infrastructure Library) has been in IT service industries since 1989. ITIL V2 was the second version of this framework, released in 2001. ITIL®V3 was released in 2007 and it started to become a Western enterprise standard, including their Japan branch offices. ITIL V3®/2011 Edition introduced a service lifecycle approach to IT service management, consisting of five phases: Service Strategy (SS), Service Design (SD), Service Transition (ST), Service Operation (SO), and Continual Service Improvement (CSI). ITIL® 2011 Edition became best practice even among Japan local enterprises, since its release in 2011.
ITIL® V3/2011 also placed greater emphasis on the integration of ITIL® with other frameworks and standards, such as ISO/IEC 20000-1:2011. Currently both ISO/IEC 20000-1:2018 and ITIL®4 (2019) are not just for IT service management anymore but for any kind of service management.
ITIL®4 has undergone significant transformation and evolution to align with emerging trends such as AI (Artificial Intelligence), RPA (Robotic Process Automation), Cybersecurity, ADM (Agile Delivery Model), DevOps, Cloud Technologies, and SIAM (Service Integration and Management). ITIL®4 no longer emphasizes PDCA due to rapid global environmental changes. Before studying ITIL®4, let's review the ITIL®v3/2011 Edition to understand the differences between them.
Introduction
First of all, I will describe the ITIL® lifecycle for seeking "value to the customer" by using 5 stages as follows.
ⅰ) Service Strategy (SS)
As the center or starting point of the service lifecycle, it provides basic principles that help organizations understand their achievement goals and customer needs, as well as develop policies, guidelines, and processes for service management from both financial and technical perspectives.
ⅱ) Service Design (SD)
Recognizing achievement goals, covering all requirements, prioritizing, communicating with all stakeholders as necessary, and designing and developing accurate service management.
ⅲ) Service Transition (ST)
In the transition stage of services, which involves risks and complexity, it manages programs, projects, and clear cooperative relationships, controls risks associated with transitions, and ensures that the entire business organization transitions to the new environment cost-effectively and reliably.
ⅳ) Service Operation (SO)
By taking over the service design package strategically designed in Service Design, and taking over the operation from Service Transition, it supports the activities of the entire business in a strategic and stable manner in line with the business goals.
ⅴ) Continual Service Improvement (CSI)
Aim to improve strategies, designs, transitions, and operations. Specifically, plan and implement improvement activities throughout the service lifecycle in line with the overall goals of the business, improving service quality, promoting operational efficiency, and maintaining business continuity.
Secondly, the common meanings of the terms in each lifecycle are as follows:
Service
A service is the act of providing specific value to a customer. By doing so, the customer does not have to
  • 2. bear the risk of failure or cost directly, but can instead delegate them to the service provider, enabling them to achieve their goals and focus on their business, thereby improving efficiency. Therefore, service providers should be experts who have the ability to control risks and costs appropriately. The value of a service is determined and defined by the customer, so ultimately, the customer decides whether or not to receive the service at the offered price. Additionally, as value changes, the service must always be adapted accordingly.
Service Management
Service Management is the series of activities that provide value to customers through the assurance of ongoing service delivery of a consistent quality across the five lifecycle stages of strategy, design, transition, operation, and continual improvement. This involves inputting service assets such as personnel and capabilities, controlling and transforming 26 processes (such as change management and knowledge management) through the use of four functions (service desk, operations management, technical management, and application management), and outputting results to customers. The value of these results is defined by customers and is dependent on the achievement of desired performance, the absence of constraints, and the guarantee of adequate availability, capacity, continuity, and security.
Process
A process is a set of defined activities that are aimed at achieving a specific purpose. Processes are measurable, and process managers aim to measure the cost and quality of processes, while process practitioners focus on measuring duration and productivity. Processes are triggered by data and carry out a series of activities, delivering outputs to customers or stakeholders. The output data then becomes a trigger, and the process is repeated, forming a closed loop. This is called a performance-driven process, and it is characterized by continuity, repetition, and improvement.
Processes are also quantifiable, as they result in specific outcomes.
Function
Functions use service assets such as personnel, tools, and accumulated knowledge to execute processes. Functions are organizational units responsible for a series of activities that produce specific results, and they must be staffed with specialized groups that perform at a high level. Functions are assigned roles and responsibilities through RACI (Responsible, Accountable, Consulted, and Informed), and productivity of functions is improved through the use of appropriate processes.
Next, let us discuss the 26 processes in ITIL®2011, starting from Chapter 1. Each chapter in this essay bears the name of one of the core books of ITIL®2011.
Chapter 1: SOA (Service Offering and Agreement)
The following is a summary of SOA (Service Offering and Agreement).
Value creation, usefulness, and assurance
While the results of IT services can be qualitatively defined, quantifying them in monetary terms can be difficult. If we attempt to quantify the value of IT services, customers can recognize value through "Reference value (what the customer can do on their own) + benefits from using the service - losses from using the service = economic value of the service," and "Economic value of the service - reference value = the difference in service." This difference in service is what the service provider can offer as "usefulness and assurance" (although it is important to note that all of these factors are based on the customer's perception, preferences, and business outcomes). Usefulness, which determines the value of the service, refers to its suitability for the intended purpose (functionality), such as whether performance is supported and constraints are eliminated. Assurance refers to its suitability for use (manageability), such as whether availability, capacity, continuity, and security are sufficient.
The phase of design that confirms usefulness, such as application development, should not be executed independently and is more valuable when
  • 3. the operational phase that confirms assurance is involved. If the operational phase is entered after the design phase is completed, additional costs for rework may occur, resulting in a lower value. Additionally, when the level of usefulness and assurance is balanced, a synergistic effect is created, resulting in value creation.
The roles of Service Catalog Manager and Service Level Manager
・Develop a strategy that aims to achieve overall goals, not for organizational politics or self-interest.
・Foster team culture through mentoring and coaching.
・Ensure investments are proportional to the intended development and growth of the organization.
・Prioritize investments by considering areas that will have the greatest impact on the business.
・Make decisions based on analysis results.
・Evaluate, direct, and monitor the strategy, policies, rules, and contracts.
・By investing only in valid businesses, reduce costs and maximize ROI.
・Increase investment levels for major projects and service improvements.
・Receive instructions and report to senior management.
・Understand and support customer needs.
・Involve other managers and provide support.
Risks and challenges faced by service design
Challenge: a) Managers must address the following challenges: Services and processes that are not designed will develop in a chaotic manner. Without proper control, they will become reactive to the environmental conditions that have arisen without a clear understanding of the overall vision and business needs. An iterative and innovative approach is needed for service design.
Risk: Without service design, costs become very high and cost-effectiveness becomes low. Also, there is a higher likelihood of incidents occurring during service operation. Resources are wasted and no longer aligned with business needs. Regardless of the improvement plan, business goals that should have been achieved will not be met.
a) Actions in accordance with the position of a manager
・Always act with business objectives, profitability, and investment priorities in mind.
・Give equal weight to control from above (senior management), the side (customers and other IT managers), and below (subordinates, processes, technology, and tools).
・Prioritize considering what service management is.
b) Actions that are not in line with this
・Engage in internal political activities for self-interest or self-preservation.
・Micromanaging or conducting subordinates' tasks without asking them can lower their motivation.
・Assign projects to their subordinates without conveying business objectives.
Service Portfolio Management
About Portfolio
A portfolio, like an investment portfolio, should be adjusted based on the characteristics of customer risk and return to maximize profits at an acceptable level of risk. Therefore, if conditions change, the portfolio should be updated accordingly. IT service portfolios include service portfolios, application portfolios, customer portfolios, customer agreement portfolios, and project portfolios. However, only the service portfolio under portfolio management is described below. This is documentation that describes the operational or deployed services (=service catalog), services under preparation or development (=pipeline), and obsolete services that the provider offers from the perspective of business value. This serves as a means of comparing the competitiveness of various providers. The purpose of creating a portfolio is to ensure that the appropriate services are prepared to achieve a balance between IT investment and business results. The value of the
  • 4. portfolio to the business is that it enables sound decision-making regarding IT service investments. "What services are needed to achieve it? What capabilities and resources (resource assets) does the organization need to realize those services? How will the goals be achieved?" Satisfactory answers to these questions require the participation of senior leaders and subject matter experts, such as senior architects. This group is called the Service Architecture Board (SAB), and they support clear answers to the aforementioned strategic questions and conduct analysis of each service to ensure that the service portfolio brings value to the business in a strategic manner.
Activities of Service Portfolio Management Process
Activity initiation: Triggered by strategic management, business relationship management, continuous service improvement, and other service process management processes. Here, we use continuous service improvement as an example. CSI provides inputs such as performance improvement opportunities, service level achievement opportunities, gaps in the current service portfolio, and overall improvement opportunities for service portfolio management.
Defining: Defining the desired business outcomes, opportunities, requirements for usefulness and assurance, and the service itself, as well as predicting the required investments to achieve these.
Service Catalog Management
Objectives of Catalog Management
By clearly showing business customers what services are provided, which services have been approved and can be received in the future, which services have been discontinued, and which services are lacking, customers can more easily receive services and understand what services they want to receive in the future, promoting business development. In addition, customers can consider whether services are being provided at an appropriate price. The catalog must always be up-to-date.
The content of the service catalog
There are two types of service catalogs, both of which are included in the service portfolio.
a) Technical service catalog for support staff
This catalog is not publicly available to the business side. The contents include services, hardware, software, networks, applications, data, suppliers, etc. Two types of services are listed: currently provided services and approved services that have not yet been provided.
b) Business service catalog
It centrally manages all service information promised to be supplied to customers and supplies that information to all authorized stakeholders. The contents include services, supported product policies, ordering and request procedures, support conditions, entry points and escalation, pricing and billing methods. Different catalogs can be shown to user groups using different views.
The Goal of Service Level Management (SLM)
The goal of SLM is to ensure that current and planned services meet agreed achievable targets. To achieve this, the following objectives are set: define, document, agree, monitor, measure, report, review, and take appropriate improvement measures for IT service levels. Collaborate with business relationship management to maintain and improve relationships with the business and customers. Enable IT services to be set with measurable targets. Monitor and improve customer satisfaction with service quality. Ensure that quality is maintained at agreed levels while always being cost-effective and constantly striving for continuous improvement.
SLA and OLA
An SLA is a formal agreement between an IT service provider and a business customer that defines the objectives of each service and the responsibilities of both parties. The agreement is not intended for paying compensation in the event of a breach, but rather emphasizes the agreement between the two parties. The SLA defines the useful features and guarantees that the service should provide. The SLA is planned,
  • 5. coordinated, drafted, agreed upon, monitored, and reported by service level management (SLM). An OLA is a formal agreement between an IT service provider and another department in the same organization that supports it, such as procurement or facilities management. The OLA defines the objectives that support service activities and ensure that they do not cause SLA violations.
Types of SLAs:
a) Service-based SLA: It specifies an SLA for a single service used by all employees, such as email service. However, even for the same email service, different conditions may apply, such as employees using it from home, connecting via VPN from another site, or accessing it from the company's internal LAN. Thus, there is a problem of whether the same SLA can be applied and who will sign the agreement on behalf of the users. Using multiple service levels can be considered to improve the effectiveness of service levels.
b) Customer-based SLA: It specifies a single SLA for all services used in a single department, such as financial, payroll, billing, or email systems. It is often preferred by the customer because all requirements are met in a single document and only one person needs to sign the agreement, making it clear.
c) Multi-level SLA: It may have a hierarchical structure, such as specific service-level SLAs, customer-level or business unit-level SLAs, and enterprise-level SLAs. Details are similar to a) and b). Using a combination of hierarchical SLAs makes them easier to handle, avoids unnecessary duplication, and requires less frequent updating. However, it requires more effort to maintain the necessary relationships in the service catalog and CMS (Configuration Management System).
Service Level Management
The main activities are as follows:
1) Evaluation, negotiation, documentation, agreement, management, and review of new or changed service requirements in SLRs, and incorporating these requirements into SLAs through service lifecycle management.
2) Monitoring and measuring service performance against SLAs.
3) Creating service reports.
4) Conducting service reviews, including identifying opportunities for improvement in the CSI register and appropriately managing the SIP.
5) Measuring customer satisfaction in collaboration with business relationship management and implementing improvements based on the results.
6) Reviewing and revising SLAs, service scopes, and OLAs.
7) Recording and managing complaints and compliments in collaboration with the business relationship management process.
Reality of Service Level Management Activities
Step 1 - Availability management measured and baselined the availability and capacity of the current ABC phone server, and based on those results, service level management discussed SLAs with business clients, including business client management. Service level management agreed on a service-based SLA for ABC phone mail service, which includes 24/7 availability, downtime of no more than 2 hours per incident due to failures or maintenance, no more than one outage every four months, and response time of less than three seconds for initiating email sending and receiving on ABC phone, with a period of less than 1 hour for periods of less than that time. The agreement is based on end-to-end performance, and the customers agreed to it (without using expressions that customers do not understand, such as "99.8%"). In addition, service providers, such as NNN and RIM, that support the service also signed a separate SLA and a legally binding external outsourcing contract to achieve that SLA. The procurement department agreed to an OLA stating that it would deliver ABC phone to IT within 14 days of a user's request.
Step 2 - Monitoring and measuring service performance against SLAs.
Step 3 - Creating service reports, including RAG charts.
Step 4 - Conducting service reviews and adding consideration of ABC phone OS upgrades to the SIP in light of the impact of security vulnerabilities on availability.
  • 6. Step 5 - Triggered by case closure, a survey was sent out through an incident management tool for ABC phone incidents, asking users to rate their satisfaction on a scale of 1 to 10 and provide honest opinions in a free-form field.
Demand Management
Demand management is a process of understanding, predicting, and analyzing the business activity patterns and user profiles of business customers, and controlling the capacity and performance of service assets to ensure that they are provided with sufficient resources to meet their needs. Along with capacity management, it involves controlling service assets to ensure that they are provided with sufficient resources to meet their needs. Specific processes unique to demand management include using strategies such as incentives and penalties to control demand and splitting out peak hours, as well as finding ways to balance business objectives and IT investments.
The process most closely related to Demand Management is Capacity Management: Both aim to achieve business results and optimize IT investment, but differ in the following ways. Demand Management is a somewhat business and user-oriented process, where business customers adjust product demand by setting differential pricing or spreading peak demand, and IT services predict and develop strategies for managing that demand. In contrast, Capacity Management is a more IT service and technology-oriented process, managing service asset capacity and performance based on the demand information received from Demand Management. Therefore, Capacity Management's work is inherited from Demand Management and the two processes are closely related because capacity is needed in response to demand.
Core services and support services
Core services are the basic services that customers rely on, such as the ability to send and receive emails.
On the other hand, support services provide additional value to customers, such as the ability to choose between Domino server, Exchange server, or Office 365, and a guarantee that email sending and receiving is available 24/7. These services are presented to customers as a service package, and service providers incorporate them into their service portfolio management to be considered for purchase and implementation. At the same time, the combination of these core and support services is evaluated through demand management to determine if they fit with the customer's business activity patterns and user profiles.
Control Demand Management
One way to control demand is through demand management, which analyzes business activity patterns and user profiles to determine which users need which services, at what time (or time of day), and how much in advance. By knowing this information beforehand, demand can be controlled by implementing strategies like penalties (such as withholding expense reimbursements until a user inputs their expenses by a certain deadline) to normalize the use of expense reporting systems. Additionally, capacity management can control demand by understanding changes in the business environment and reflecting new technologies and service requirements in the service portfolio, as well as accurately forecasting resources to meet demand.
The business activity pattern of the services provided by XYZ tool services:
XYZ is a powerful ITSM tool that strongly supports the ITIL® framework. The target users are all business customers, with 5,000 users, not only IT staff but also human resources department due to its high frequency of use for managing employee entry and exit. It is used for incident management, problem management, request fulfillment, access management, and other purposes. For request fulfillment, users can select the necessary services from the service catalog on the intranet in a shopping cart style, and the ticket is automatically created.
For incidents, users create tickets. The service desk follows the sun, so XYZ is used 24 hours a day, Monday to Friday, with peak transaction times being constantly busy. In terms of timing, it is at the end of each month, end of each quarter, and end of the fiscal year. The number of users for each time zone (APAC, CEMEA, North America daytime) is 1,500, and no load-balancing measures are
  • 7. taken, but demand management will need to be carried out to avoid imbalanced numbers of employees in each region, and capacity management will need to be adjusted if differential internal charging is not applied.
Supplier Management
What are Suppliers?
Suppliers are classified into four categories from top to bottom: strategic suppliers, tactical suppliers, operational suppliers, and commodity suppliers. The term "supplier" often implies working under the service provider.
Strategic suppliers are partners who make long-term commitments on an equal footing with service providers and their business customers, sharing confidential strategic information, accepting joint responsibility, and sharing risks and rewards, so they are managed at the senior management level of the service provider. Example: Providing network construction services and operation management on an Asia-wide scale.
Tactical suppliers are involved in commercial activities and interactions with business, including regular contacts and performance reviews, including ongoing improvement programs, and are managed by middle management. Example: Maintenance organizations that provide solutions for server hardware failures.
Operational suppliers provide operational products or services and are managed by lower-level management, including occasional contacts and performance reviews. Example: Hosting service providers.
Commodity suppliers provide low-value, readily available products and services that are relatively easily sourced. Example: Providing printer cartridges.
Although managing multiple suppliers can be cumbersome, it diversifies risks. Using a single supplier makes management easier, but the risk of dependence and cost increases. Note that transitioning to alternative suppliers becomes even more difficult when suppliers customize services.
Achievement goals for supplier management
The goals of supplier management are to obtain results that match the value invested by the business customer or service provider, to manage contract details to fit the needs of business customers, to work with the service level management process to determine agreed-upon SLA targets and SLAs, to fully manage relationships with suppliers, to review and manage supplier performance, to negotiate and agree on contracts, and to manage them throughout their lifecycle, and to maintain and manage supplier policies and supporting supplier and contract management information systems (SCMIS).
What is a Supplier Contract Database?
The Supplier and Contract Management Information System (SCMIS) is created to ensure that service provider policies for all suppliers are consistent and effective. SCMIS records the details of the types of services or products provided by each supplier, other relevant CI information, and the content of contracts, which must be integrated into the CMS (Configuration Management System) or SKMS (Service Knowledge Management System). This also forms the service portfolio and service catalog. The following information in SCMIS provides a reference set of information for supplier management procedures and activities: ⅰ) Definition of requirements for new suppliers and contracts, ⅱ) Evaluation and configuration of new suppliers and contracts, ⅲ) Categorization of suppliers and maintenance of SCMIS, ⅳ) Establishment of new suppliers, ⅴ) Management of supplier performance and related contracts, and ⅵ) Update or termination of contracts.
Challenges, Key Success Factors (KSF), and Risks in Supplier Management
Challenges: The supplier management process manager must address the following challenges in order to solve them. Change management due to constantly changing business and IT needs.
Business operations are carried out based on contracts that do not have sufficient target values and performance measurement definitions. Insufficient specialized knowledge within the organization. Long-term contracts with punitive penalties for early termination despite no possibility of improvement, leading to cost increase. Disputes regarding fees. A reactive approach is taken due to being overwhelmed with day-to-day firefighting tasks, and a proactive approach is not taken. Losing the
  • 8. strategic perspective and only focusing on operational challenges, resulting in failure to achieve goals and solve challenges.
Key Success Factors: Suppliers demonstrate sufficient performance, provide support services that align with business needs and business goals, and provide sufficient availability, and providers have clear ownership of supplier contracts.
Risks: Lack of commitment to the supplier management process from business and senior management. Insufficient information regarding future business and IT policies, plans, and strategies. Lack of resources and budget. Old contracts that do not support business needs, SLAs, and SLRs. There are supplier transitions that result in changes to relationships, resources, and contracts.
Financial Management
Benefits of Financial Management
First, the financial management process includes the following three tasks. Monitoring discrepancies between budget and actual expenses and monitoring revenue = accounting task. Creating and managing budgets = budgeting task. Invoicing for payments received = charging task.
The benefits of financial management are that a healthy business decision can be made based on appropriate data in compliance with regulations (such as the SOX law and US-GAAP accounting and reporting) to avoid penalties. Additionally, the decision to continue or withdraw from business can be made based on a service portfolio that clarifies the relationship between service and cost, with financial support. Furthermore, financial management can design billing systems, optimize costs, and make reasonable investments for IT service management by considering the relationship between supply and demand.
Service Assessment: Service assessment refers to two types of value: (a) the cost of tangible and intangible elements required to provide IT services, such as hardware, software licenses, maintenance fees, personnel expenses, facilities costs, and compliance costs; and (b) the potential value added to the business by providing IT services, which cannot be accurately quantified but is perceived by the business customers. For example, the value of services includes the customers' perception of the usefulness and guarantee of services and the potential value added to the customer's assets by the services provided.

Return on Investment (ROI): Return on Investment (ROI) is a concept used to measure the value of IT service investments. It measures the increase in business profits resulting from IT service investments relative to the total investment made by the business customer. The result is expressed as a percentage and is used to determine whether IT services are treated as profit centers or cost centers. However, since many intangible factors affect the provision of IT services, the ROI formula may oversimplify the calculation and not capture all potential benefits, such as improved customer loyalty.

Chapter 2: PPO (Planning, Protection & Operation)

PPO, or Planning, Protection & Operation, is a service management methodology evaluated in terms of its strengths and weaknesses. PPO has several strengths, such as comprehensive information management using XYZ tools, adherence to ITIL® guidelines for roles and functions, a robust service desk function with 24/7 infrastructure support, effective business continuity planning, and a balance between management flexibility and risk aversion.
However, PPO also has some weaknesses, including the lack of a billing model assessment for demand management, lower customer satisfaction among Japanese users due to the parent company's focus on US-based processes, and a lack of awareness that the company is an internal service provider that may cause customers to be less patient with IT service issues.

The benefit of properly implementing service design is to minimize the necessary improvements in the service lifecycle. These improvements will inevitably be required as the direction of the business changes over time or as domestic infrastructure technology evolves regardless of the business. It is important to prepare a service design package, taking into account the impact
on service transition and service operation. For customers using large-scale cloud technologies such as Microsoft 365 and CCC's business cloud, which can be a significant investment, there is the benefit of being able to confirm cost-effectiveness before introducing the service. Furthermore, this proper implementation also contributes to IT governance.

Processes included in PPO that allow for even better efforts and potential effects

In the case of the above-mentioned business customer, the information security management process was appropriately incorporated into the service design package (SDP) at the introduction stage, passed to service transition, and appropriately addressed by service operation. As a result, there was a fault during the AD/Exchange server/file server migration project, but it caused minimal damage to the user, and the project was completed as planned.

Fault details: During the Exchange server migration on a holiday, some of the data in the distribution list (DL) was lost. Also, during the file server migration, some of the folder security settings were lost.

Action taken by IT: The IT department promptly notified the respective department heads of the customer about the fault and followed the procedures as stated in the customer service catalog. They also requested the customer to call the service desk for assistance if needed and proceeded to continue with the other tasks in the project promptly, finishing all migration work by the start of business the next morning.

Customer behavior: On Monday morning, the department head who is the DL (Distribution List) owner came to work and added the correct members to the DL based on the hardcopy. Similarly, the department head who is the owner of each department folder added the correct member access rights to all folders under the department folder based on the hardcopy of the access rights.
As a result, at 9:15 AM all users were able to receive group emails with CIA maintained and to access the folders they needed, returning to BAU (Business as usual).

The benefits of conducting service design appropriately include minimizing the necessary improvements in the service lifecycle. These improvements will always be necessary as business direction changes over time or domestic infrastructure technology advances, but they must be smoothly completed. In carrying out this process, a service design package should be carefully prepared, taking into account the impact on service transition and service operation. In particular, for customers using large-scale cloud technologies such as Microsoft 365 and CCC Business Cloud, there is a benefit of being able to confirm cost-effectiveness before implementation, as it represents a significant investment. Additionally, conducting service design appropriately leads to IT governance.

Furthermore, the processes included in a well-executed PPO and the potential effects can enable superior initiatives. In the case of the business customer described above, the information security management process was appropriately incorporated into the service design package (SDP) during the introduction phase, passed to service transition, and appropriately addressed by service operation. As a result, despite the incident during the Active Directory/Exchange server/file server migration project, the impact on users was minimized, and the project was completed as planned.

Service catalog notation:
a) DLs are created by IT upon request from department managers. However, the department manager is responsible for adding or deleting members to the DL and managing it.
b) Only IT can create department folders on the file server. However, the department manager is responsible for creating, updating, and managing access rights for the folders under the department folder.
Note: The file server administrator has full access rights to all folders but does not access them for purposes other than support.

If an appropriate SDP is not in place, the lack of clarity regarding who is responsible for restoring access rights, how to grant access rights, or what the original access rights were can lead to disputes between IT and users, causing delays in operations, delays in IT service operations, and potential loss of business opportunities.

Improvement points:
・Emails sent to the DL were not delivered from the time of the incident until Monday morning.
・Users who attempted to use the file server via VPN during the holiday weekend were unable to access the intended folder until Monday morning.
・Even on holidays, it may be advisable to convene an ECAB to obligate department managers to take emergency measures.
・While IT is not involved in these access controls due to resource constraints and confidentiality and document security considerations, if a department manager is unable to respond for some reason, IT may need to become a backup for each department manager.
・IT should have set a baseline and taken a rollback approach.

These points can be recorded in the CSI management table by the information security management manager and improved in conjunction with the availability management manager to achieve even better PPO and increase availability.

The four process managers listed below have the responsibility of coordinating with each other due to the close relationship between their respective processes, obtaining an understanding of IT financial service management, and providing material to justify appropriate investment from business customers. The common responsibilities shared by the following four process managers are:
a) taking responsibility for the operation and management of the process, appointing personnel to roles and managing resources;
c) planning and development of the necessary investment and management procedures with the process owner;
d) monitoring performance and reporting to the process owner;
e) creating and updating the CSI register;
f) monitoring compliance with agreed SLAs;
g) attending necessary CAB meetings;
h) ensuring all of the above is documented and kept up-to-date.

Responsibility for explaining to the CIO and analyzing KPIs falls within the remit of the process owner, so it is not the responsibility of the process manager. However, if the manager also serves as the process owner, this does not apply.
Additionally, since process managers may be located in multiple sites, they should coordinate with each other. The specific responsibilities of each manager are as follows:

ⅰ) Availability Manager - Responsible for identifying the reliability, maintainability, and serviceability requirements of internal and external suppliers' components. Provides support for related incident and problem management. Performs risk assessment and risk management.

ⅱ) ITSCM Manager - Responsible for conducting business impact analysis, risk assessment, and risk management. In the event of a disaster, directs the invocation of the service continuity plan for recovery. Directs testing, post-review, and corrective action. Manages contracts with recovery service providers. SLAs are agreed with the business rather than customers.

ⅲ) Capacity Manager - Responsible for balancing capacity and demand. Analyzes past, present, and future usage rates, maximum capacity, performance thresholds, and tuning methods. Supports incident and problem management activities.

ⅳ) Information Security Manager - Assists the ITSCM manager in conducting business impact analyses. Supports incident and problem management activities. Conducts security risk assessments and risk management. Promotes the company's security policies to customers and users.

Availability-related "Issues, CSFs (Critical Success Factors), Risks":

ⅰ) Issue: The XYZ service ticketing system experiences downtime or extremely slow response times for about 5 hours, twice a week during business hours. The SLA requires 99.99% availability during weekdays (excluding Japanese holidays) from 9:30 to 17:30, and a Severity 2 incident ticket should be resolved within 3 hours after being reported. However, the system has been in violation of the SLA for almost a year since its implementation. The XYZ server and its technical and application management are located in the United States.
[Current situation]
Availability (%) = (Agreed service hours - downtime) x 100 = (480h / 1920h) x 100 = 25%

To address this issue, it is necessary to reach an agreement with the business customer to lower the SLA. However, as the application is only used within the IT department, it has only an indirect impact on customers and is not considered a VBF. Therefore, the discussions have been postponed. However, in reality, even when incidents are reported by users, the service desk cannot
create tickets, and the workaround for known errors that have been updated by technical management cannot be accessed by the service desk, resulting in significant delays in service response to users and a major impact on business customers' businesses. Additionally, the service provider's work efficiency has significantly decreased, although the impact has not been measured. As a result of the business customer's lack of awareness of the need for high availability of XYZ, appropriate investments and improvement activities are not being carried out. Information is integrated into AMIS (Availability Management Information System), but since AMIS is within XYZ, it cannot be utilized.

ⅱ) CSF (Critical Success Factor): According to the SLA, XYZ's availability is 98.12%, reliability (MTBSI) is 160 hours (12 downtimes per year), and maintainability (MTRS) is 3 hours (12 downtimes per year with a total downtime of 36 hours), ensuring that availability and reliability are managed. Fulfilling business needs for using XYZ. Providing the service at an optimal cost.

ⅲ) Risk: XYZ is an ITSM tool used only within the IT department, and it is essential for ensuring business continuity for business customers. However, senior managers have not been able to explain to the management that when individual users or system-wide issues arise, the low availability of XYZ indirectly affects all users of the business customers and directly affects all users of the service provider. Due to the above reasons, resources and budget for the availability process of this system are insufficient. Reporting to seven group companies individually requires significant effort in the reporting process.

Capacity Management

Objectives of Capacity Management: The goal of Capacity Management is to ensure that all services related to capacity and performance are achieved at the agreed-upon level with business customers.
Expectations for capacity are constantly changing and new technologies are emerging, so it is important to regularly measure and be sensitive to new technology, anticipate future needs, and seek understanding from business customers for appropriate budget investments. Resources at the component level, such as human resources and skill levels for functions like the Service Desk, as well as network bandwidth and CPU performance, are also within the scope of Capacity Management. It must be managed at the optimal schedule for high cost-effectiveness.

The three levels of Capacity Management: There are three sub-processes: Business Capacity Management (BCM), Service Capacity Management (SCM), and Component Capacity Management (CCM). All three sub-processes have in common a focus on both current and future business demands. BCM is focused on accurately assessing long-term business objectives to analyze and plan for capacity. SCM involves analyzing the impact of transactions resulting from timing, time of day, and updates to business plans, and predicting how to utilize resources. CCM involves predicting and managing the performance and capacity of each component, such as the data center's air conditioning system, the SECOM entry management system, and CPUs. These three sub-processes form a hierarchy in the order of 1→2→3, and if there is a problem with 3, it will have a negative impact on 2, leading to a review of 1, which demonstrates a hierarchical relationship.

Challenges, Critical Success Factors (CSF), and Risks of Capacity Management:

Challenges: Due to the vast amount of information to handle, tools need to be used to set appropriate thresholds, and automation needs to be maximized for efficiency, such as setting alarms and alerts. Particularly if you are an external service provider, it can be difficult to know the business plans of business customers, so you need to work with senior management to collect information.
Critical Success Factors: Understand the needs that correspond to the business plan and introduce the capacity management plan cost-effectively and in a timely manner. Remove old technologies that cause SLA failures and consider new technologies, and have a broad technical knowledge. Reduce incidents caused by low performance.
Risks: Lack of adequate amounts of people, goods, money, and information from business customers and senior management, lack of knowledge of future business plan information, inability to provide accurate and prompt information by relying on manual methods instead of using tools and computer systems, inability to create reports that can be understood from a business perspective.

The relationship between business activity patterns and capacity management in the service delivery infrastructure and targeted businesses is different depending on the user profile due to variations in busy periods and usage purposes, as shown in the table below. For example, as shown in the table below, the capacity of the internal LAN is particularly important infrastructure for the technology department, which supports this business customer's product. This business customer's VBF is a software development environment, and the critical service is the performance of the internal trusted network. However, the capacity requirements for the internal trusted network for other users are not as high as those for the technology department. The relationship between capacity management and business activity patterns specific to this business customer is shown in the table below.

| User profile | Relevant Business Activity Pattern (PBA) | Capacity management |
|---|---|---|
| Senior Executives (UP1) | It is essential for maintaining a good relationship with customers that they are always able to send and receive emails via ABC phone. | Response time of the internal trusted network for all applications: within 5 seconds, within 10 seconds for VPN connections. |
| Mobile Corporate Sales (UP2) | High contact with customers. Need to be able to respond immediately to customers. Expect the network to be operational from evening to late at night as they work long hours. They often use the train, so they require lightweight LAPTOPs, even if processing power is reduced. It is essential to be able to connect to VPN with a LAPTOP and send and receive emails via ABC phone for a quick response to external customers. | Response time of the internal trusted network for all applications: within 3 seconds, within 5 seconds for VPN connections. File server usage space increases by 100MB per month (SLA). |
| Back Office Staff (UP3) | Mostly works in the office. Need a stable LAPTOP with good processing performance, but weight is not a concern. Requires high productivity during business hours but does not expect the network to be operational after hours or on holidays. | Response time of the internal trusted network for all applications: within 5 seconds. File server usage space increases by 100MB per month (SLA). |
| Non-Mobile Technology Staff (UP4) | Resident in the office with few travel requirements. As they are engaged in software development, they expect high reliability and performance (response time) of the internal network as they frequently download large amounts of data. | Response time of the internal trusted network for all applications: within 2 seconds. File server usage space increases by 5GB per month (SLA). |
| Financial Management System (UP5) | During the one week prior to the closing date, the response time is expected to be slow. Network speed is not a significant concern to ensure stable transactions, but high network availability is essential. | Response time of the internal trusted network: within 5 seconds, within 10 seconds for VPN connections (SLA). |
| Business Support Process - XYZ (UP6) | Business process. A system where users themselves report incidents and manage progress. The service desk function follows the sun, so both IT and users use it 24/7. IT also uses XYZ for LAPTOP builds. Also, many departments share it because the HR department and each department head use it for New Hire requests. | Response time of the internal trusted network: within 2 seconds, within 5 seconds for VPN connections (SLA). |
Availability Management

"Objectives" of Availability Management

The objective of Availability Management is to ensure that all IT services are available and performing well (without reliability, maintainability, or serviceability issues), with
adequate capacity and security (without safety issues) when required. However, service providers should not set availability levels that are not required by business customers, and the appropriate availability target values based on agreement between business customers and senior managers should be established, and investment at reasonable prices must be made.

"Two levels of availability"

Availability management is classified into two levels: service availability and component availability. Service availability refers to whether the service is in a service provision state from the user's perspective (end-to-end). Component availability, on the other hand, is whether each component such as network, uninterruptible power supply (UPS), data center air conditioning, and LAPTOP is operating or not from the service provider's perspective, and whether the necessary components are available or not. If any of the components are not available, there is a risk that service availability will be affected. Therefore, these two are interrelated, with service availability as the upper layer and component availability as the lower layer.

Challenges, key success factors, and risks of Availability Management

Challenges: The challenge is to manage the expected availability of business customers and senior management, justify the necessary budget, and manage the changing expected values of availability. Many customers demand high availability as a matter of course, influenced by the impact of Microsoft setting the availability of its Microsoft 365 service at 99.9% and promising a refund if it is not met. However, extremely high availability may require unnecessary high costs, so it is important to note that cost-effectiveness may not be achieved in some cases. Another challenge is that it is extremely difficult to manage the availability of what appears to be a single service when information from various technologies is managed in different formats by various tools.
For example, the availability of email communication depends on the availability of server hardware, ISP, internal network, MS Exchange Server application, LAPTOP, Outlook installed on the LAPTOP, and security, all of which are usually managed by separate functions. Information should be integrated into AMIS (Availability Management Information System) to enable consistent analysis.

Key success factors: Availability is properly managed along with reliability, resulting in improved end-to-end availability, reduced non-availability, and shorter MTRS. The business needs are being met, resulting in high customer satisfaction and high VBF availability. Appropriate SLAs that are well documented and allow cost reductions due to non-availability or timely completion of system reviews exist as critical success factors of Availability Management.

Risk: Failure in availability management may occur if there is a lack of understanding from business customers and senior management, and if appropriate budget is not secured. The dissemination of vast amounts of information from numerous components in an unorganized state can make the reporting process laborious. There is a tendency to focus on technology rather than end-to-end availability and business needs, leading to potential oversight.

How should we decide on indicators of infrastructure availability?

Decision: The availability management process manager measures the current availability of the ABC phone server and reports it to the process owner. The process owner explains it to the CIO, who then conducts a meeting with executive management, taking into account business customer demands, IT staff resources, and supplier serviceability in the event of component failure, to determine the SLA with 90.00% availability, 24/7 uptime, and downtime of no more than two hours due to faults or maintenance.
Improvement: While the SLA is determined on the availability of the ABC phone server, various services such as the Exchange mail server, ABC phone terminal failures, NNN base station malfunctions in Japan, and internal network malfunctions can affect, in complex ways, the availability of sending and receiving emails via ABC phone. If business customers do not understand this point, they may think that ABC phone is not usable for a long time, even though the ABC phone server itself is running normally at 100%, and the availability of ABC phone may meet the SLA of 90.00%. To ensure that business customers understand the availability of sending and receiving emails via ABC phone, it may be necessary to establish an SLA. The availability management manager should record these points in the CSI management table and work to improve them with capacity management managers, supplier management managers, and IT service financial management managers.
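The point made above, that the ABC phone server can run at 100% while sending and receiving email via ABC phone still misses the 90.00% target, worked through as an added example that is not part of the original essay. The outage records are constructed, the component names follow the essay, and the calculation assumes the standard ratio (agreed service hours - downtime) / agreed service hours x 100 over a 30-day, 24/7 period.

```python
from datetime import datetime

# Agreed service time: 24/7 over a 30-day month (720 h). The 90.00% target is the
# essay's figure; every outage record below is constructed for illustration.
PERIOD = (datetime(2023, 9, 1), datetime(2023, 10, 1))
SLA_TARGET_PCT = 90.00
COMPONENTS = ["abc_phone_server", "exchange_mail_server",
              "internal_network", "nnn_base_station"]
OUTAGES = [  # (component, outage start, outage end)
    ("exchange_mail_server", datetime(2023, 9, 5, 2), datetime(2023, 9, 5, 14)),
    ("internal_network", datetime(2023, 9, 5, 10), datetime(2023, 9, 5, 22)),
    ("internal_network", datetime(2023, 9, 12), datetime(2023, 9, 13)),
    ("exchange_mail_server", datetime(2023, 9, 20, 8), datetime(2023, 9, 20, 20)),
    ("nnn_base_station", datetime(2023, 9, 25), datetime(2023, 9, 26, 6)),
    # This outage runs past the end of the period and must be clipped.
    ("nnn_base_station", datetime(2023, 9, 30, 12), datetime(2023, 10, 1, 12)),
]


def hours(start, end):
    return (end - start).total_seconds() / 3600.0


def clip(intervals, period):
    """Keep only the part of each outage that falls inside the agreed period."""
    lo, hi = period
    clipped = []
    for start, end in intervals:
        s, e = max(start, lo), min(end, hi)
        if s < e:
            clipped.append((s, e))
    return clipped


def merge(intervals):
    """Union of intervals, so overlapping outages are not counted twice."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def availability_pct(agreed_hours, downtime_hours):
    return (agreed_hours - downtime_hours) / agreed_hours * 100.0


def report(outages, period, components):
    """Availability figures for a service that is down when ANY listed component is down."""
    selected = [(s, e) for name, s, e in outages if name in components]
    breaks = merge(clip(selected, period))
    agreed = hours(*period)
    down = sum(hours(s, e) for s, e in breaks)
    n = len(breaks)
    return {
        "agreed_hours": agreed,
        "downtime_hours": down,
        "interruptions": n,
        "availability_pct": availability_pct(agreed, down),
        # MTRS and MTBSI computed the way the essay's XYZ figures imply
        # (36 h / 12 = 3 h and 1920 h / 12 = 160 h).
        "mtrs_hours": down / n if n else 0.0,
        "mtbsi_hours": agreed / n if n else None,
    }


def component_view(outages, period, components):
    """Component availability: each component judged on its own outages."""
    return {c: report(outages, period, {c}) for c in components}


def end_to_end_view(outages, period, components):
    """Service availability: email via ABC phone needs every component up."""
    return report(outages, period, set(components))


if __name__ == "__main__":
    for name, r in component_view(OUTAGES, PERIOD, COMPONENTS).items():
        print(f"{name:22s} {r['availability_pct']:6.2f}%  down {r['downtime_hours']:.0f} h")
    e2e = end_to_end_view(OUTAGES, PERIOD, COMPONENTS)
    verdict = "meets" if e2e["availability_pct"] >= SLA_TARGET_PCT else "misses"
    print(f"{'end-to-end email':22s} {e2e['availability_pct']:6.2f}%  "
          f"down {e2e['downtime_hours']:.0f} h, {verdict} the {SLA_TARGET_PCT:.2f}% target")
```

Every component in the constructed log stays above 90.00% on its own, while the end-to-end service falls below it; that gap is what an SLA defined only on the server hides.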
IT service continuity management (ITSCM)

The "objective" of IT service continuity management

To support the entire business continuity management process under the responsibility of executive management, and to aim to select and introduce recovery options and formulate risk reduction measures. This is similar to the availability management process that deals with availability issues caused by component failures, but the scope and responsibility differ. The goal is to resume and continue business at the agreed-upon level of the SLA in the event of major earthquakes, fires, criminal incidents, information leaks, and other such incidents. Therefore, it is necessary to regularly conduct business impact analyses (BIA) and risk assessments and reviews to ensure that all continuity plans are maintained to match changing business requirements.

Relationship with IT Service Continuity Management (BCP)

If a business cannot continue due to situations such as prolonged office closures, loss of IT service continuity, or inability for all staff to return to work during emergencies or disasters, management is responsible for the resulting financial losses. Therefore, business customers should appoint a BCM manager to establish a business continuity plan (BCP). However, since much of the BCP is related to IT services and IT environments, the ITSCM manager must manage how to restore their IT based on the BCP plan. Therefore, BCP and ITSCM are closely related.

Challenges, important success factors, and risks of IT Service Continuity Management

Challenge: The absence of business continuity management (BCM) is a challenge. Without the BCM process, the IT side may not understand the business customers' strategies and may attempt to restore IT services according to processes and priorities that are convenient for IT, resulting in the purchase of expensive IT solutions that do not align with the business customers' intentions.
Alternatively, assuming that IT will handle everything during disasters can result in the loss of business continuity and revenue.

Important Success Factors: It is important to recognize that IT services are supplied to achieve business customers' objectives and enable recovery efforts accordingly. Appropriate contracts with suppliers for recovery options should be in place. Additionally, awareness of the business continuity plan and IT service continuity plan among the business customers' management, IT senior managers, and all employees is a critical success factor.

Risk: The absence of BCM and the existence of ITSCM alone. Even with ITSCM in place, the information may be outdated and not aligned with the needs of the business. There may not be enough information, such as business plans and strategies, from the business customers to establish a BCM-aligned ITSCM, and therefore, the budget cannot be justified. There may be too much focus on technical issues and not enough on the needs and priorities of the business.

Activities of IT Service Continuity Management

Establish an ITSCM policy aligned with BCM and launch a BCM project. ITSCM should identify the damage caused by disasters through a business impact analysis and assess risks to understand the level of vulnerability in the organization. Then, decide how much to reduce strategic risks and which recovery option to use, followed by an initial test. Then, raise awareness of business continuity throughout the organization, from management to users, and educate them on the actual procedures. Through these activities, conduct reviews and audits, conduct retests, and if there are no problems, transfer to change management, and the ITSCM activities are completed. However, revisions will be made in response to changes in the business.

What kind of damage occurs in the event of infrastructure damage and service interruption?

・IT department member is in a traffic accident overseas and hospitalized.
During that time, access to the email server with a malfunction cannot be obtained, causing a break in communication with the trading partner for over a month, resulting in the suspension of transactions.
・Mail information leakage and management misconduct are publicized in the media, severely damaging the company's reputation. 40% of employees, including all IT personnel, resign immediately, causing the internal IT infrastructure to stop. As a result, all business operations that depend on IT services are suspended, leading to bankruptcy.
・A physical injury incident occurs in the company, and the police come to investigate. While IT was investigating the entry management history to identify
the culprit, all entry device services stopped for a long time, causing business disruption and resulting in a halt in transactions with customers.
・A server installed in the data center was destroyed by a fire. As a result, access to web business application services was lost, causing the closing date to expire. The accounting system of the US headquarters was automatically closed, making it impossible to correct, and the department head was held responsible by the US headquarters.
・Due to a tsunami, access to the external internet connectivity is lost, and remittances to trading partners using online banking do not make it in time, resulting in a loss of trust, and cause a reputation risk.
・Due to an earthquake, the file server goes down, making it impossible for sales to download the new product presentation template created by the US headquarters. They miss the deadline for the competition, and a competing company wins.
・Due to an earthquake, the telephone line goes down, making it impossible to make and receive calls to the technical support hotline. As a result, technical support cannot be obtained from customers, and a low score is given by many customers in a survey, leading to the department head being held responsible by the US headquarters.
・Due to an earthquake, the FAX goes down, and according to YYY's policy, the HDD unlock master key can only be sent by FAX from the contract FAX number. The key cannot be received from YYY, and the material that only exists on the president's local HDD cannot be emailed, causing a great deal of trouble for the trading partner and leading to a suspension of transactions.
・Due to a fire, the entry management system is broken, and employees cannot enter the office. After a month, cancellation requests pour in from customers.
・Due to the vibrations of an earthquake, a development-use Unix server set up in a department is physically destroyed, causing a delay in the delivery of the development program.
As a result, the contract with that customer is canceled.

This business client has almost complete "immediate recovery options" prepared, so the above events will not occur. The following is a list of measures taken by a business customer to prepare for potential infrastructure damage and service downtime:

IT staff: The company has multiple staff members in different countries who can perform the same tasks. This allows for remote support or long-term business travel to provide support.

Email: Employees can send and receive emails via GGG Link servers or ABC phone servers installed abroad using their smartphones. The hardware and carrier of these smartphones are compatible with communication methods in any country, making it easy to take them abroad. The address book is synchronized with AD (+ Exchange server) so it can be searched at any time. In case of email server downtime, application management and technical management are available for 24/7 on-call repair.

LAN: If the local internet infrastructure is down, employees can switch their LAPTOP to an emergency outline cable, tether their company-issued smartphone or connect to the internet using a data card to access VPN. If the entire region's internet infrastructure is down, all tasks are shared among employees of other branches in the APAC time zone, or an employee may travel to work in the Hong Kong or Taiwan office.

LAPTOP: If all LAPTOPs are destroyed due to a disaster, the company has an inventory of old model LAPTOPs in foreign branches, which can be retrieved from the nearest foreign branch and built by using the XYZ tool, with data restored immediately via Mozy online backup. Local data that is locked on the HDD of the damaged LAPTOP can also be restored to another LAPTOP through Mozy online backup.

Hotline: If the entire regional phone infrastructure is down, technical support departments in other countries can act as substitutes, with language-specific technical employees.
Server physical damage: If the local IT department is absent, the damaged server is airlifted to the German branch for repair under DELL's international warranty. The data is then migrated by German IT, and the server can be used in a few days.
Server failure: Almost all shared servers in foreign branches are centrally managed and duplicated in the US head office, eliminating the need to synchronize data in the event of shared server failures outside the US head office.

"CIA" in Information Security
"C" stands for Confidentiality - maintaining a high level of confidentiality by making information viewable only to those with permission.
"I" stands for Integrity - ensuring information is complete, accurate, and protected from unauthorized modifications.
"A" stands for Availability - ensuring information is available when needed, with defenses against potential disruptions, and trustworthy when exchanged with external organizations.
CIA must be protected not only from the technical aspects of IT, but also from physical aspects such as unauthorized entry into offices and across the entire business process.

Challenges, Key Success Factors, and Risks in Information Security Management
Challenges: The information security committee is not functioning properly due to lack of support from senior management and lack of planning. Business customers believe IT (especially external service providers) will take care of security and no discussion is being held with senior management. Even if planning has been done, the importance of security may not have been adequately explained to process practitioners, resulting in users not following security regulations. When accidents occur, such as a single mis-sent email, all employees' resources are used for an investigation but there is no established response procedure, resulting in lost business continuity. Another challenge is the lack of alignment between the security awareness of business customers and that of the IT department.
Key Success Factors: First, protecting the business from security breaches and minimizing the number of violations reported to the service desk.
Senior management and business customers have agreed upon policies that are integrated with business needs, and users have internalized these preventive measures. The entire organization, including process practitioners and users, receives repeated training. Security procedures are justified, appropriate, and supported by senior management. A mechanism for improvement, where many proposals for improvements to procedures and controls are presented according to changing environments, is in place.
Risks: Risks that must be addressed include the increasing requirements for availability and robustness. There is a risk of unintentional disclosure of personal information due to the loss of a user's smartphone, virus infection, or external intrusion, and the risk of users intentionally taking internal information outside the organization. There is also the risk that business customers will not follow ISM. The lack of recognition of future business strategies and insufficient budgets pose a risk to the effective implementation of ISM.

Information Security Policy
a) Purpose of accident response related to admission and retirement
・When a New Hire request is generated on the tool, a Windows account is automatically generated, but set it so that it cannot be seen from Outlook on the AD side and set it to be visible only after confirmation of attendance (in the case of employees in remote offices, after confirming with the person himself/herself), in order to protect the personal information of non-employees.
・When a Termination Request is filed on the tool by HRBP, the Windows account is automatically disabled, but confirm the final attendance date with the HR department and the individual and set it so that it cannot be seen from MS Outlook (in order to protect the privacy of people who are no longer employees).
・Any additional access rights can only be granted upon request from the user's direct supervisor.
・Check that the Windows account of the retiree is disabled on the AD side, disable the hostname and Unix account, and remove it from all Distribution Lists and access groups.
・Check if access rights are being managed for each folder on the file server.
・Create a list of assets to be collected from retirees, collect all assets, and obtain the signature of the department head.
・Burn the retiree's local data to a DVD and give it to the department head, obtaining their signature.
・Within the prescribed time, format the retiree's HDD to a level at which the data cannot be recovered.
・Create access cards that restrict room entry to the minimum number of people, and change the system within the prescribed time when entry is no longer necessary.
b) Legal security purpose
・If requested by the HR department, disclose the user's personal VPN access history, logon history, internet access history, etc.
・Contribute to the creation of regulations by the Information Security Committee, conduct investigations, make proposals, and update documents.
・Even for email data from retirees, put it on litigation hold for a certain period of time.
・Accurately grasp the migration status of software licenses to prevent unauthorized use.
c) Purpose of Information Leakage Protection
・LAPTOPs are stored in a locked warehouse and even temporary removals for about 10 minutes are recorded on paper.
・LAPTOPs are distributed with a unique hard disk password.
・To prevent email misdelivery, the MS Outlook 2010 autocomplete function is turned off before providing the LAPTOP to the user, and the user is required to pledge not to turn it on.
・Accounts are locked after three incorrect password attempts.
・All passwords are enforced to be complex and changed after a certain period of time by the system (e.g. group policy), and writing down passwords on paper is strictly prohibited.
・Giving passwords or PIN codes for RSA tokens to other users, or allowing someone else to log in on behalf of oneself, is 100% prohibited even with permission.
・Users are required to report immediately to the IT or information security committee if they realize that their smartphone, notebook LAPTOP, or RSA token is missing.
・Users are required to pledge not to save email attachments to personal LAPTOPs when accessing the mail server via MS OWA from their personal LAPTOPs.
・Users are required to pledge to use cable locks on all LAPTOPs at their workstations.
Purpose of Virus and External Intrusion Prevention
・LAPTOPs are distributed with the Windows Firewall setting grayed out so that users cannot turn it off.
・Viruses are automatically detected and removed on the server, and infection alerts are automatically reported. If automatic removal is not successful, the user is contacted, and the LAPTOP is rebuilt.
・If the McAfee EPO Agent on the LAPTOP detects a virus but cannot remove it automatically, the user is required to report it immediately to the IT service desk.
・Except for IM, installation and use of other software that cannot be monitored by the IM gateway are strictly prohibited.
・External vendors working within the company are required to sign an NDA.
・LAPTOPs rented to external vendors are configured to log on locally and cannot log on to the domain (to prevent using Wireless LAN) and are required to connect via an outline.

Demand Management
In demand management, the business activity patterns and user profiles of business customers are understood, predicted, and analyzed, and the capacity and performance of service assets are controlled along with capacity management to ensure that there is neither shortage nor excess. The specific process of demand management is to influence demand through strategies such as incentives and penalties that spread the busy season of the business and control access to specific servers, as well as to find a policy that balances business goals and IT investment in achieving targeted numbers.

Which process is most closely related to demand management? It is the capacity management process. Both aim to achieve business results and optimize IT investments, but they differ in the following ways. Demand management is a slightly more business and user-oriented process, where business customers adjust product demand by, for example, creating differential pricing and spreading busy periods, and predict the demand for IT services and develop strategies based on that. On the other hand, capacity management is an IT service and technology-oriented process that manages service asset capacity and performance to avoid excess or shortage based on the demand information received from demand management. As a result, the work of capacity management is inherited from demand management, and since capacity is required when there is demand, these processes can be said to have a close relationship.

Core Services and Support Services
Core services are basic services for customers, such as being able to send and receive emails. In contrast, support services provide additional value to customers, such as being able to choose from Domino servers, Exchange servers, or Microsoft 365 to meet customer demands and guarantee 24/7 email sending and receiving. These combinations are presented to customers as service packages, and service providers incorporate them into service portfolio management and consider purchasing/introduction. At the same time, the combination of core services and support services is examined in demand management to see if it fits the customer's business activity pattern and user profile.
Methods to Control
Demand management analyzes business activity patterns and user profiles to determine which users need which services, when (which time of day), and how much in advance. Based on this, some control methods include imposing penalties such as carrying over expenses to the following month if users do not input their expenses by the deadline, thereby evening out the use of the expense settlement system to control it. In addition, capacity management understands changes in the business environment, reflects new technologies and service requirements in the service portfolio, and accurately predicts resources to respond to demand, which can also be considered a method of controlling demand.

Business Activity Patterns
Pattern: The web timesheet input deadline is every Friday at 22:00, so 7,000 users access it simultaneously between 17:25-17:35 on Fridays, causing a drop in user-perceived performance. There is also a possibility of server downtime.
Background: Many people input their timesheets together on Fridays, and they do not know their quitting time until around 17:25 on Fridays. Moreover, because it is Friday, few people work overtime, so it is difficult to make them input after 17:35. Even if they input on Monday morning, they have already missed the deadline, and they still have to input in the evening on Fridays even if they input every day.
Countermeasure: Every Thursday morning, send a mass email to 7,000 people with the subject "Notification of the timesheet input deadline of Friday at 22:00," and expect users who have predetermined quitting times, such as part-time employees, to input from Monday to Friday during their free time on Thursday. In the future, we plan to take measures that cannot be decentralized.

Chapter 3: RCV (Release, Control & Verification)
This process is included in the management processes indicated in ITIL®.

Change Management Process:
Trigger: Change in IT organization from local to worldwide, for cost reduction (organizational change)
Input: A change request to the service portfolio management from the US headquarters to change the operating system language from local to English for worldwide use (since this is a significant change with a large impact, a change request to the service portfolio management is necessary)
Interface: Planning and support for the migration, change evaluation process
Output: Approved changes are outputted and handed over to the planning and support management for the migration.
Roles of managers and staff involved in RCV:
Service validation and testing
ⅰ) Service Test Manager: To maintain the neutrality of the test, only assign people responsible for resource and deployment management. Support the design and planning of test conditions, test scripts, and test data sets at the SD stage. Assign test resources, adhere to test policies, verify the tests performed by resource and deployment management, manage the test environment, and provide management reports on the progress of the test, test artifacts, success rates, and issues and risks.
ⅱ) Release and Asset Management
ⅲ) Release and Deployment Manager: To maintain the neutrality of the test, only assign people not responsible for service validation and testing. Plan and coordinate all resources, including those from functional areas such as technology and application management. Plan and manage support for tools and processes. Support the change permission management process prior to any activity that requires change permission. Coordinate change management, service asset and configuration management, and the interface with validation.
ⅳ) Initial Support Staff: They are personnel from functional areas such as technology and application management, and are often assigned as practitioners for packaging and building, or deployment. Provide support documents to support IT services and business functions during the deployment period until final acceptance. Accept the release. Support service operation in handling incidents and errors in the initial stages. Handle the transition to service operation. Conduct problem management and raise RFC. Conduct service risk assessments.

Service Knowledge Management
Knowledge Management Process Owner
In many organizations, this role is combined with the Process Manager and also the role of Service Asset and Configuration Management. They create an overall architecture for identifying, acquiring, and maintaining knowledge within the organization. They define the process strategy and support process design. They keep process documentation up-to-date. They define policies and standards for the process. They conduct regular audits for compliance checking. They review and modify the process strategy as needed. They also handle CSI management and review.

Release and Deployment Manager
Overview: Release of device drivers, standard software, and security patches from Windows XP to Windows 7.
Roles:
1) Planning of release and deployment: package the device drivers to make them compatible with the new OS for the transition from Windows XP to Windows 7. The release package includes multiple release units such as manual installation instructions, documentation of improvements from the previous version, etc. Uninstallation is also included in the test items for rollback in case of issues.
2) Building the release: request package creation from the package team in Stockholm and Sydney.
3) Validation testing: communicate with the package team, install the release package on the test laptop via SCCM on Japanese Windows 7, conduct tests according to the test procedure, and issue problem tickets to the development team for reassignment and package improvement if any issues occur. Confirm that new functionality can be provided while maintaining integrity, usefulness, and assurance.
4) Get permission from the Change Management Process to register with the definitive media library. Request a change permit from the Change Management Process when there are no more problem items in the operating test procedure table.
5) Deployment: deploy to pilot users via SCCM by conducting testing of the entire new image after performing the test desktop imaging.
6) Establish service as per SDP.
7) Communicate and transfer predicted problems, etc. to the Service Operation.
8) Review and close: Confirm with pilot users that there were no negative impacts, and register with the definitive media library. Push distribution to all 7,000 users who have been distributed Windows 7 machines and close the change request ticket.

Advantages of using tools in service management
The Service Design Process functions more efficiently. Specifically, it identifies efficiency and effectiveness, weaknesses and opportunities for improvement, and provides management information. It reduces management costs and improves IT service productivity. It improves the quality of IT services. It centralizes important processes, automates and integrates core processes in service management. The advantage is that data becomes information, and that information becomes knowledge, which clarifies trends.

Challenges, Critical Success Factors, and Risks in Service Transition
Challenges: Service Transition (ST) can be complex, as it involves not only the IT organization but also finance, technology, human resources, and many other people. It requires managing a diverse range of customers and interfaces, which can make it difficult to achieve harmony and integration. Additionally, there may be unknown dependencies between legacy systems and new technologies. It is important to balance stable operation with business needs for service change.
Critical Success Factors (CSF): The ability to continuously improve service quality cost-effectively while aligning with business requirements.
Risks: There are risks of demotivation due to accountability, execution responsibility, and practice changes. There may be staff turnover during operations. There is a risk of unexpected additional costs. Overly avoiding risks can lead to excessive costs for the business. Inappropriate people may access information and interfere with knowledge. Insufficient integration between processes may result in a siloed organization, leading to business failure.

Case Example of Starting a Business from Scratch: Transition from RSA Hardware Token to RSA Software Token
・Focus on ensuring that VPN connections can continue to be used during the migration period, without any downtime - this resolves availability issues.
・Focus on promptly and reliably disabling RSA Hardware Token accounts for users who have completed the transition to RSA Software Token - this resolves security and availability issues.
・Focus on securely recovering RSA Hardware Tokens to maintain accurate data in the Service Asset and Configuration Management (SACM) database - this resolves issues related to service asset management and configuration.

Change Management
Objectives of Change Management
The objective of Change Management is to minimize the risk of service disruption and implement beneficial changes to the business by consistently controlling the change lifecycle. In order to achieve this goal, it is necessary to respond to changing business requirements, maximize the value of services, reduce incidents, service interruptions, and rework caused by changes. It is desirable to respond to change requests that align with the needs of IT services and the business. Change management is a necessary process for improving the profit and loss of the business by achieving a) cost reduction, service improvement, ease and effectiveness of support required by the business, b) reducing reactive costs and time to resolve errors and adapt to changing situations, and c) realizing benefits and eliminating risks early.

"Change Approval Model"
There are various levels of change approval for change requests, which should be documented in the CMS. If new risks are discovered during the process, they should be escalated to the appropriate level. Change requests that are rejected can be appealed to a higher level.
Level 1: Business executive approval - high cost, high-risk changes that require executive decision-making.
Level 2: IT executive approval - changes that affect multiple services or business units.
Level 3: CAB or ECAB approval - changes that only affect a group in the field or service.
Level 4: Change manager approval - low-risk changes.
Level 5: Local approval - standard changes.

The 7 Rs of Change Management
Raised, Reason, Return, Risk, Resource, Responsible, Relationship. These must be reported in order to properly manage changes. The person who initiated the change, the reason for the change, the benefits of the change, the risks associated with the change, whether to pursue the change despite the risks, the resources (people, materials, money) needed to make the change, and the individual responsible for the design, testing, and implementation of the change, as well as those impacted by the change, must all be clearly identified.
Change Approval:
Level 2: IT Executive Approval - Changes that affect multiple services or business units. For changes that only affect the local region and are not impacting other regions, local IT can approve the changes as the CIO is located in the overseas headquarters. Examples of such changes include model changes to smartphones and feature phones that are sold only in Japan, and selection of local telecommunication carriers. If the estimated cost is over 10 million yen, the change request will be escalated to level 1.

Service Asset and Configuration Management (SACM)
Objectives of SACM
The goal of SACM is to properly control assets to enable efficient and effective operation of the business. In order to achieve this, accurate and reliable information must be available when and where it is needed. The primary objectives of SACM are to a) identify, control, record, report, audit, and inspect services and other configuration items (CIs), including versions, baselines, configuration components, their attributes, and relationships with other CIs, b) create and maintain an accurate and complete CMS and establish its integrity, and c) provide the ability to make appropriate judgments in granting permission for changes and releases, as well as for resolving incidents and problems.

Value of SACM to the Business
There are two values of SACM to the business: a) overall improvement of service performance, such as reducing service downtime, fines, corrective licensing fees, and audit failures, and b) providing service level assurance, improving compliance with legal and regulatory obligations, identifying service costs, managing fixed assets appropriately, and visualizing the service release environment by providing assessment and planning.

SACM Activities
Step 1: Management and Planning (Note: This Step 1 corresponds to the "Plan" phase of PDCA, and governs Steps 2-5 below.)
・Determine the scope: services, environment, infrastructure, and location
・Determine the requirements: requirements related to policy and strategy, accountability, traceability, and auditability, and related to requirements of the CMS
・Determine applicable policies and standards: industry initiatives such as ISO 20000 and hardware standards
・Establish the SACM organization: roles and responsibilities, authority to establish CAB, baselines, changes, and releases
・Determine SACM tools and process procedures: configuration identification, version identification, supplier management, and change management
・Relationship with other processes and groups: fixed asset management, projects, SPI, and service desk
Step 2: Identification of Configurations
・Determine CIs and configuration components according to documented criteria
・Assign identifiers to CIs
・Specify attributes of CIs
・Specify the time to place CIs under SACM control
・Determine the owner of each CI
Step 3: Control of Configurations
・License control to minimize unused licenses
・Version control of change management and image builds
・Access control to CMS
・Control of the integrity of DML (Definitive Media Library)
Step 4: Explanation and Reporting of Status
・Status: under development, approved, or retired
・Maintain and archive configuration records
・Record, search, and manage previous configurations
・Record changes to CIs from receipt to disposal
Step 5: Verification and Audit Activities
This step involves ensuring that the documented baselines match the actual configurations, that the CIs are present in the organization or in the DML and spare parts inventory, and that the records in the CMS match the actual infrastructure. Note that this step builds upon Step 1.

Configuration Management
The XYZ tool extracts information about servers and laptops (CIs) connected to the network via network access. For CIs, DMLs, and image builds that cannot be automatically recognized, they are managed separately using tools such as MS Excel, file servers, and cabinets. The XYZ console allows for checking of the serial number, model number, hardware specifications, installed OS, and software information for laptop assets. This information is used for fixed asset management, software license number management, and as reference information for troubleshooting. Since the history of statuses such as in-use and disposed cannot be confirmed from XYZ, tickets are created as needed and the history of configurations is tracked at all times through management in MS Access. Upon delivery of assets, the service tag number is reported to the accounting department, and the fixed asset management is conducted through physical confirmation of fixed assets during the annual inventory with the IT department.

Validation and Testing of Services
ⅰ) Goals of Validation and Testing of Services: The goal is to ensure quality assurance of services, with a focus on achieving newly introduced or modified services and service offerings through SD and release. The release should bring about results and value within the constraints of cost, capacity, and limitations, while meeting the business needs and requirements of stakeholders. The service should be useful and available, and a test process should be planned and implemented to meet business and stakeholder requirements.
Testing during SD is critical to prevent increases in the following: a) ineffectiveness of user utilization, b) incidents, c) confirmation calls to the service desk, and d) increased costs due to errors.
ⅱ) Related Terms for Validation and Testing of Services:
ⅰ) Test Strategy: Third-party testing by uninvolved parties is desirable. The criteria for success or failure are determined after documentation in the SDP. The approach should be iterative, reusable, and involve a test model, test case, test script, test data library creation, cataloging, and maintenance templates, and integration of testing with the project or service lifecycle. The approach should also include a risk-based testing approach and skill improvement in testing.
ⅱ) Test Model: A set of test procedures for obtaining feedback based on the test strategy described above. It includes test scripts that define the test plan, test targets, and test methods. It should be repeatable, effective, efficient, and consistent.

Perspectives on Validation and Testing of Services
Validation and testing of services focus on whether the service is being provided as requested, with the perspectives of the people who use, provide, deploy, manage, and operate the service as fundamental. The starting and ending criteria for testing are determined during the development phase of the Service Design Package. The perspectives include ⅰ) Service Design from functional, management, and operational perspectives, ⅱ) Technical Design, ⅲ) Processes, ⅳ) Measurement Settings, ⅴ) Documentation, and ⅵ) Skills and Knowledge.

Acceptance testing of services begins with verification of service requirements. Customers, customer representatives, and other stakeholders (users of new or modified services) conduct a final review of the acceptance criteria and acceptance test plan. Validity checks during migration and judgments of service levels (usefulness and assurance) are made through an evaluation process.
Content: Validity confirmation of the reporting macro version upgrade for the accounting system
Method: Copy last week's data from the production system to the test system, and run the upgraded reporting macro on the test system data to confirm that the extracted data meets customer requirements.
Service level assessment: By confirming whether the data requested by the customer is extracted correctly (performance realization) and whether any special operations are required to extract it (no usage restrictions), usefulness can be confirmed by checking four points: whether the report is displayed without YYYy when the macro button is pressed (capacity management), whether it always operates correctly in the same way (availability management), whether an alternative can be used when the macro is broken (IT service continuity management), and whether only appropriate users can access the data (security management).

Release and deployment management
Goals of Release and Deployment Management
The goal is to plan, schedule, and control the construction, testing, and deployment of releases and provide new functionality required by the business while protecting the integrity of existing services. To achieve this, the following objectives should be achieved in order:
a) Define and agree on the release and deployment management plan with customers and stakeholders.
b) Create and test release packages.
c) Ensure integrity is maintained, saved in DML, and accurately recorded in CMS.
d) Deploy from the DML environment to the production environment.
e) Ensure that tracking, introduction, testing, verification, and appropriate removal and rollback are possible.
f) Record, manage, and take necessary corrective action for deviations, risks, and issues.
g) Ensure that knowledge and skills are inherited into service operation functions.

Value of Release and Deployment Management to the Business
By effectively implementing release and deployment management, customers and users can use new or changed services in a way that supports business goals more quickly, at optimal costs, and with minimized risk. By taking a more consistent implementation approach among changes in the business, service team, supplier, and customer, service transition can be auditable and traceable, which is valuable to the business.
Activities of Release and Deployment Management
a) Plan release and deployment – change management approval → release package creation.
b) Build and test the release – build a baseline release package → test it and register it to DML through service asset and configuration management (Note: only occurs once).
c) Deployment – Deploy the release package in DML to the production operating environment and hand it over to service operation and initial support (application management and technical management) (Note: occurs multiple times for each release).
d) Review and close – activities to obtain experience and feedback, review performance and results, and gain knowledge.

Comparison with ITIL® release management activities
Step 1: Plan release and deployment – change management approval → release creation. If the infrastructure for Windows 7, client LAPTOP, service desk, operational management, technical management, and application management is not established by the end of December 2013, users will not be able to receive IT services safely by the end of support for Windows XP in April 2014. At the same time, the migration from Lotus Domino (Notes Mail and Notes Database) to MS Exchange Server (Outlook Mail) + MS SharePoint (Database) must be completed, and the impact should not affect users' client LAPTOP. By using MS Exchange Server + MS SharePoint, the efficiency of users' work must also be improved. RFCs were created for these plans, and change evaluation assessed the risk and obtained permission to start creating releases from change management.
Step 2: Build and Test the Release - Activity of Building a Release Package → Conducting Validity Confirmation Tests → Registering with DML (Definitive Media Library). Packagers in Sydney and Stockholm built the release package, and in Japan, validity confirmation tests were conducted on those that passed and were registered with DML sequentially.
Step 3: Deployment Activity - Distributed to pilot users using the MS SCCM tool and distributed to all users with permission from change management. Reviews were conducted by application management and technical management, and initial support staff took over.
Step 4: Review and Close Activity - Obtain experience and feedback from application management and technical management, review performance and results, and save knowledge to SKMS (Service Knowledge Management System).
Evaluation "Objectives"
Evaluation is the activity performed before change management allows the release. Its goal is to provide a consistent and standardized means of judging service request performance based on its potential impact on business outcomes, existing and proposed services, and IT infrastructure. Performance is evaluated by comparing it to predicted performance. Further objectives are to set stakeholder expectations correctly and to provide effective information to change management so that changes are not authorized with risks. It is desirable to evaluate as many items as possible.

Challenges of Evaluation
The challenges of the evaluation management process that managers must address are:
a) creating standard performance indicators and measurement methods that are applicable to various projects and suppliers,
b) understanding various stakeholders' perspectives,
c) measuring and demonstrating the reduction of differences in predictions during and after migration,
d) measuring the reduction of differences in predictions during and after migration,
e) taking a realistic and cautious approach to risks, and
f) promoting a risk management culture of sharing information.

Evaluation Process Status:
Step 1: Evaluation planning - Develop a plan to ensure that the intended change is achieved and there are no unintended adverse effects from the change.
Step 2: Evaluation of predicted service performance (utility and guarantee) - Evaluate whether the planned performance is achieved to ensure that there are no issues with migration.
Step 3: Evaluation of actual service performance - Submit an evaluation report that includes a risk profile, deviation report, validation report, and recommendations for the change evaluation (a temporary evaluation report if before release), and feedback from initial support if after deployment.
What is included in the evaluation report: risk profile, deviation report, validation report, recommended actions.
Step 4: Information management - Register all evaluation reports with the CMS and save them to the SKMS.

Knowledge Management

Objectives of Knowledge Management:
a) To share ideas, experiences, information, and perspectives, and make decisions based on information.
b) To reduce the need for discovering new knowledge, and efficiently and safely use reliable knowledge, information, and data throughout the service lifecycle to improve the quality of management decision-making.
This will improve service quality, increase customer satisfaction, reduce service costs, and ensure that staff have a common understanding.

DIKW (Data, Information, Knowledge and Wisdom):
Data - a collection of individual facts, such as the date and time an incident in an Oracle-based business application was reported by a user.
Information - data that has been given meaning and is stored in content, such as the cumulative number of unclosed issues escalated in Oracle's application management function.
Knowledge - integrating what has been learned from personal experience and ideas into new knowledge, such as discovering that workarounds are found quickly only when an issue in an Oracle-based business application is reassigned to John, who seems to be knowledgeable.
Wisdom - using knowledge to make useful common-sense judgments based on sufficient information. For example, the wisdom to propose that the Oracle team shares information with John for all issues in the meantime, which led to training by John and smoother problem-solving.

Value of Knowledge Management to Business:
The following are the benefits of knowledge management that add value to a business:
a) Compliance with legal requirements, company policies, and professional ethics, among other requirements.
b) Information that is easily accessible to the organization.
c) Up-to-date, complete, and effective knowledge.
d) Access to knowledge by the necessary people when they need it.
e) Disposal of knowledge as needed.
Additionally, by providing controlled and secure access to the necessary "knowledge, information, and data" for managing and providing services, knowledge management adds value to all stages of the service lifecycle and to the business.

Knowledge Management in CSI:
Knowledge management plays a vital role in CSI. For example, during the CSI stage of the service lifecycle, data is obtained to understand what is happening and to use wisdom to make effective decisions. This is the structure of DIKW mentioned above. Multiple types of knowledge can be gathered and turned into wisdom, leading to excellent decision-making about improvements. Knowledge management is the cornerstone of all process improvements and is related to all relevant processes throughout the service lifecycle.

Steps for Introducing the Knowledge Management Process:
Determine policies and obtain agreement from top management
  Governance models (such as SOX), changes related to organizational changes, funding, and knowledge management policies
Involve PR to identify where necessary data is located
  Data from IT staff, users, third parties, HR, finance, business cases, DML, incidents, AMIS, etc.
Determine procedures, including:
  ・Supporting the organization in identifying useful knowledge
  ・Classifying and categorizing knowledge
  ・Creating a systematic process for publication
  ・Accessing knowledge through processes and workflows
  ・Acquiring external knowledge (from suppliers or partners)
  ・Reviewing knowledge
  ・Performing maintenance such as updating, deleting, and archiving
  ・Conducting training
  ・Improving as necessary

Chapter 4: OSA (Operational Support & Analysis)
Here is a summary of OSA (Operational Support & Analysis), which focuses on operational support and analysis:

OSA Functions and Processes
Functions
ⅰ) Service Desk (Role): Improves customer service and satisfaction by providing a single point of contact and improving accessibility through a single source of information. Contributes to increased productivity in the customer's business by providing high-quality and prompt responses.
ⅱ) Application Management (Role): (Note: Does not involve application development.) Manages technical knowledge and expertise related to application management. Collaborates with technical management to ensure that the necessary knowledge for designing, testing, managing, and improving IT services is understood. Provides actual human resources to support the service life cycle, with human resources effectively trained and deployed for technical design, construction, migration, operation, and release.
ⅲ) Technical Management (Role): Manages technical knowledge and expertise related to IT infrastructure management. Ensures that the necessary knowledge for designing, testing, managing, and improving IT services is understood. Provides actual human resources to support the service life cycle, with human resources effectively trained and deployed for technical design, construction, migration, operation, and improvement.
Processes:
ⅰ) Incident Management
ⅱ) Problem Management
ⅲ) Access Management

Event Management

"Objectives" of Event Management
The objective of event management is to manage events throughout the entire lifecycle. The objectives are to:
・detect all changes in important states for the management of CIs or IT services,
・determine appropriate control measures for events and ensure that they are communicated to the appropriate functions,
・provide triggers for many service operation processes and operational management activities,
・provide a means of comparing actual operational performance and behavior with design standards or SLAs, and
・provide the basis for ensuring and reporting on services and for service improvement.

Three classifications of events
An event is any change in an important state for the management of CIs or IT services, recognized through notifications generated by IT services, CIs, or monitoring tools.
a) Information events - events that require no action, such as scheduled workloads being completed, users logging on to applications, and emails being received.
b) Warning events - events that indicate anomalies but do not require immediate action and should be carefully monitored, such as server memory usage reaching within 5% of the threshold or transactions taking 20% longer than the threshold to complete.
c) Exception events - events that require immediate action because they exceed the level of warning, such as users attempting to log on with an invalid password, abnormal situations requiring further investigation, or unfinished transaction processing.

Challenges, important success factors, and risks of event management
Challenges: Event management managers must address the following challenges:
・Procuring the necessary tools: to justify costs and bring in ROI, prepare a compelling business case and explain how the benefits of effective event management outweigh the costs.
・Setting appropriate filtering levels to prevent the generation of large numbers of unimportant events or the detection of important events too late.
CSF: Detect all changes in important states for the management of CIs or IT services, and ensure that all events are communicated to the appropriate functions that require reporting or further control measures.
Risk: Inability to procure sufficient funding, inability to ensure appropriate filtering levels, and lack of momentum in deploying necessary monitoring agents across the IT infrastructure.

Example of the three classifications of events in the provided infrastructure:
a) Information event - Distribution of Windows security patches is complete. A user logged on and logged off from the Hyperion Planning application.
b) Warning event - Server memory usage has reached within 5% of the threshold. Transactions are taking 20% longer to complete than last month.
c) Exception event - An unauthorized user attempted to access the financial application. An unauthorized laptop attempted to log on to the domain. After investigation, it was found that the user was a SOHO user who had been connecting via VPN with a cached Windows logon and had come to the office after a long absence, which caused the attempt to log on to the company's LAN. Hostnames are automatically disabled if they have not logged on to the domain for more than a month.

Incident Management

"Objectives" of Incident Management
The purpose of incident management is to restore normal service operation as quickly as possible and minimize the negative impact on business operations while maintaining the agreed level of service quality in the SLA. To achieve this, the following objectives must be met:
1) Standardized methods and procedures are used for efficient and rapid response, analysis, documentation, continuous management, and reporting of incidents.
2) Resolve incidents quickly when they occur to improve business perception of IT.
3) Align incident management activities and priorities with business activities and priorities.

General examples of incidents
Incidents are interruptions to IT services, a decrease in the quality of IT services, or a failure of CIs that have not yet impacted IT services. Examples include slow network performance, inability to send emails, etc.
These incidents are discovered by users reporting problems through a web interface or the service desk, by event management tools detecting events and notifying technicians, or by technicians discovering and reporting issues to the service desk. However, incidents should ideally be prevented proactively through event monitoring rather than by simply waiting for user reports. All incidents must be categorized correctly and recorded without fail (maintaining accuracy and completeness), and should be audited regularly by an independent information source.

How are measurement criteria used to measure the effectiveness and efficiency of the incident management process?
By using the following measurement criteria, effectiveness and efficiency can be measured, which leads to improved customer satisfaction:
・Average elapsed time to resolve or circumvent incidents, classified by impact code
・Percentage of incidents closed without escalation by the single point of contact
・Percentage of incidents closed remotely by phone or remote control
・Percentage of incidents closed without business impact
・Total number of incidents, percentage of unresolved incidents, and percentage of major incidents
・Average score of the customer survey triggered by the incident closure auto notification
・Percentage of incidents in which SLAs were not met
・Average cost per incident
・Percentage of incidents assigned to the wrong person or with the wrong category selected

Incidents and Workarounds
Incident: An incident occurred in which nobody could use the internal network, resulting in no one being able to access email or business applications.
Priority: 1 (Impact: High, Urgency: High)
SLA: Within 2 hours
Workaround: As always, we instructed them to use the smartphone we lend them to tether and use a VPN connection with an RSA software token to access internal network resources. Thanks to this, the business downtime was only about 10 minutes. Meanwhile, technical management contacted the ISP and checked the switch to restore the internal network. The incident record was closed within 2 hours.
Root Cause: As stated in the KEDB, it was an issue with the ISP's line. The problem record was a known issue and was linked to the previous problem record, although a new incident record was not created for this incident.

Service Request Fulfillment

"Objectives" of Request Fulfillment
The goal is to be responsible for managing the lifecycle of all service requests from users.
・Maintain customer satisfaction by handling requests efficiently and professionally.
・Provide users with channels to request and use standard services.
・Provide information on service availability and procedures for receiving services.
・Source and provide components of requested standard services, such as software licenses.
・Respond to general information, complaints, or comments.

Service Requests
Service requests are the various types of requests that users place on the service desk. Some companies manage them as incidents, while others manage them as requests. They can be classified into three categories:
a) Simple information provision - when is the service desk open?
b) Inquiry level - when will the MS Excel mass upgrade be performed?
c) Low-risk, low-cost minor change requests (=standard changes) - please install the Adobe software that the retired user in the same department was using on my laptop, etc.

Business Value of Request Fulfillment
・The ability to provide quick and effective access to standard services that business staff can use to improve their productivity, business services, and product quality.
・Effective reduction of bureaucratic elements related to access requests and acceptance for existing or new services, thereby reducing the costs of providing these services.
・The ability to improve the level of control for requested services by aggregating realization functions.
・It also has business value in reducing the costs of negotiating with suppliers and of support.

Service Requests
There are four types of service requests:
Simple questions:
・Where should I report that the light bulb is out?
・Service desk business hours
・When will the MS Excel mass upgrade be performed?
・How do I install the BI tool?
High-frequency, low-risk, low-cost minor change requests (=standard changes):
・Additional application installations
・Desktop equipment reconfiguration
・Purchase of software licenses
・Resetting Windows and Unix passwords
Those for which access management processes have prescribed procedures:
・Granting access rights due to a change in user roles
Those that require passing through other processes such as business relationship management:
・Changing smartphone models

Positioning of Request Fulfillment Process for Service Requests
As the number of service requests was large and the organizational capacity was not high, we initially placed a specialized request fulfillment group in Tokyo, but the cost exceeded the budget, so we stopped. Currently, the request fulfillment process is outsourced offshore to regions with low labor costs and is relatively stable, so the cost can be justified. Regardless of which team is responsible for processing service requests, they must be returned to the service desk after the service request has been fulfilled to confirm whether the user is satisfied with the result before closing it. The service desk must monitor and track progress and provide information to users.

Problem Management

Goal of Problem Management
The goal of Problem Management is to manage the lifecycle of all problems, from identification through further investigation and documentation to final removal. It minimizes the negative impact of incidents and problems on the business and proactively prevents recurrence by identifying the root cause of incidents, documenting and communicating known errors, and initiating corrective measures to improve the situation. The objective is to prevent problems and resulting incidents, eliminate incidents that recur, and minimize the impact of unavoidable incidents.

Relationship between Problem Management Process and Incident Management Process
Both are closely related processes.
For example, they use the same tools and select categories, impact, and priority codes based on the same rules, enabling effective and efficient communication between them when responding. In addition, there are cases where multiple incidents are caused by a single problem, so the Incident Management process may escalate to the Problem Management process. Both should proactively act for customer satisfaction. Both also have a common goal of improving the availability and quality of IT services by coordinating with Change Management to reduce the impact and duration of incidents that may affect IT services.

Approach to Problems and Management of Known Errors
a) Approach to problems
・Review incident records once a month to find patterns and trends that may indicate problems.
・Review event logs once a week for patterns and trends in warning and exception events that may indicate underlying problems.
・Collect and utilize data on operational quality issues that can help detect underlying problems using a checklist.
b) Management of known errors
・If the decisive cause has not been identified, even if the incident has been resolved, create a problem record (PR00001) from multiple incident records (INC00001-INC00006).
・If a workaround has been found, create a known error record and manage it in a Known Error Database (KEDB). (At this point, keep the problem record open and review its priority.)
・The KEDB is made searchable by anyone within the service provider so that the Service Desk can immediately resolve similar incidents.
・If the root cause of the problem has been resolved or if it has been determined that it cannot be resolved for cost reasons, close the problem record.

Access Management
Access management is the process of granting permissions to authorized users to use specific services and restricting access to unauthorized users. The objective is to execute the policies and procedures defined in information security management to ensure the confidentiality, integrity, and availability of information. To achieve this objective, access to services is managed based on policies and procedures defined by information security management. Requests for granting, changing, and restricting access rights are responded to efficiently. The goal is to manage access to services and prevent inappropriate use.

Scope of Application of Access Management, Particularly in Relation to Availability Management and Information Security Management
Access management has a deep relationship with availability management and information security management and applies to the following areas. Specifically, access management enables organizations to manage the confidentiality, availability, and integrity of their data and intellectual property by effectively executing the policies of information security management. This is the CIA triad. Access management only deals with changes in permissions. It does not ensure that access is always available within the agreed service hours; that is the responsibility of availability management. Also, access management is one of the functions performed by technical management and application management, not a separate function. Usually, IT operations management or the service desk serves as a coordination point.

Business Value of Access Management
a) Controlled access rights enable organizations to maintain the confidentiality of information they own.
b) Business customers maintain appropriate levels of access to effectively perform their work.
c) Reduce errors caused by users with limited knowledge using important services such as stock trading systems.
d) Monitor service usage and track unauthorized usage.
e) Implement immediate invalidation of access rights that are critical to security.
f) Provide and demonstrate compliance with regulatory requirements.
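Items d) and e) can be exercised as a periodic access review that applies the rules this essay states: hosts disabled after more than a month without a domain logon, contractor accounts deactivated after 90 days unless a department head re-approves, leavers deactivated on the HR trigger, and exceptional access raised as an incident. The Python below is an added example, not code from the essay or from any ITIL publication; the record fields, the 30-day reading of "a month", the role name `department_head`, and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Essay: hosts are disabled after more than a month without a domain logon.
# Assumption: "a month" is read as 30 days.
HOST_IDLE_LIMIT = timedelta(days=30)
# Essay: contractor accounts are deactivated after 90 days, whatever the contract period.
CONTRACTOR_APPROVAL_TTL = timedelta(days=90)


@dataclass
class Account:
    name: str
    kind: str                            # "employee", "contractor" or "host"
    enabled: bool = True
    last_logon: Optional[date] = None    # last successful domain logon
    approved_on: Optional[date] = None   # latest department-head approval (contractors)
    left_on: Optional[date] = None       # leaving date reported by HR, if any


def review(accounts, today):
    """Return {name: reason} for each enabled account the policies say to disable."""
    actions = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.left_on is not None and acct.left_on <= today:
            actions[acct.name] = "leaver"
        elif acct.kind == "contractor" and (
            acct.approved_on is None
            or today - acct.approved_on >= CONTRACTOR_APPROVAL_TTL
        ):
            actions[acct.name] = "contractor approval expired"
        elif acct.kind == "host" and (
            acct.last_logon is None or today - acct.last_logon > HOST_IDLE_LIMIT
        ):
            actions[acct.name] = "host idle"
    return actions


def apply_review(accounts, today):
    """Disable every account flagged by review() and return the same action map."""
    actions = review(accounts, today)
    for acct in accounts:
        if acct.name in actions:
            acct.enabled = False
    return actions


def reactivate_contractor(acct, approver_role, today):
    """Re-enable a contractor only on department-head approval; restarts the 90 days."""
    if acct.kind != "contractor":
        raise ValueError("only contractor accounts use the 90-day approval cycle")
    if approver_role != "department_head":   # hypothetical role label
        return False
    acct.enabled = True
    acct.approved_on = today
    return True


def exceptional_access(attempts, accounts):
    """Turn logon attempts by disabled or unknown accounts into incident records."""
    by_name = {a.name: a for a in accounts}
    incidents = []
    for name, when, source in attempts:
        acct = by_name.get(name)
        if acct is None:
            reason = "unknown account"
        elif not acct.enabled:
            reason = "disabled account"
        else:
            continue
        incidents.append({"account": name, "when": when, "source": source,
                          "classification": "exception event", "reason": reason})
    return incidents


TODAY = date(2024, 3, 1)  # constructed review date


def sample_accounts():
    """Constructed sample directory; none of these names come from the essay."""
    return [
        Account("alice", "employee", last_logon=date(2024, 2, 28)),
        Account("bob", "employee", last_logon=date(2024, 2, 27), left_on=date(2024, 2, 29)),
        Account("c-tanaka", "contractor", approved_on=date(2023, 12, 2)),  # exactly 90 days
        Account("c-sato", "contractor", approved_on=date(2024, 1, 15)),
        Account("LAPTOP-SOHO01", "host", last_logon=date(2024, 1, 20)),    # 41 days idle
        Account("LAPTOP-HQ07", "host", last_logon=date(2024, 2, 25)),
    ]


# Constructed logon attempts: (account, date, source)
SAMPLE_ATTEMPTS = [
    ("LAPTOP-SOHO01", date(2024, 3, 4), "office-lan"),
    ("alice", date(2024, 3, 4), "office-lan"),
    ("LAPTOP-UNKNOWN", date(2024, 3, 4), "office-lan"),
]

if __name__ == "__main__":
    accounts = sample_accounts()
    for name, reason in apply_review(accounts, TODAY).items():
        print(f"disable {name}: {reason}")
    for incident in exceptional_access(SAMPLE_ATTEMPTS, accounts):
        print("incident:", incident)
```

The idle-host case reproduces the exception event described earlier in the essay: a laptop that was away from the domain for more than a month is disabled, and its next logon attempt on the office LAN surfaces as an incident rather than passing silently.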
Access Management Process
Access Request
The rules for requesting access are documented as part of the request fulfillment model and are also described in the service catalog.
Verification
The decision whether a service request is legitimate is made by the service, not the requester. It is only accepted from appropriate managers, department managers, application administrators, HR, or requests from RFCs as defined in the process.
Provision of Authorization
Access management does not decide who has access rights. It only has the role of implementing policies and regulations defined in SS and SD. Automation is ideal, and in fact, in our company, requests for joining or leaving the company trigger the automatic generation and deactivation of Windows accounts, eliminating human errors.
Recording and Tracking Access
Access management has the responsibility to ensure that provided authorization is being used appropriately. Access monitoring must be included in all monitoring activities for the technical management, application management, and service operations functions. If there is any exceptional access, it should be processed as an incident. Access date, time, and content should be submitted as evidence in legal operations if necessary.
Restriction of Authorization
Restrict authorization by access level, time, or duration. For example, at Boise Potato, contractor accounts are automatically deactivated after 90 days regardless of the contract period. To reactivate, pre-approval from the department head is required, and approval must be applied for again every 90 days, which strengthens the restriction.

Service Desk

What is a service desk?
The service desk is a critical component of the entire IT organization, as it communicates directly with users and serves as their single point of contact. It handles incident response, problem management escalation, service request management, and answering questions, as well as customer change requests, maintenance contracts, software licenses, service level management, service asset and configuration management, availability management, IT service financial management, and IT service continuity management.
Processes closely related to the service desk
The service desk has close relationships with event management, incident management, access management, and problem management. The service desk primarily deals with incidents, which are communicated to it by users (web, email, phone), by warning events or tickets from event management, or by technical staff. If a request is determined to be a change in access, it is processed through access management, while the service desk handles incidents directly. If a workaround for a known issue exists in the Known Error Database (KEDB), the service desk will provide the user with the workaround. Incidents requiring investigation of root cause are handled by problem management.

Measurement criteria for service desk quality
Measurement is important for assessing soundness, maturity, efficiency, effectiveness, and all opportunities to improve operations. When measuring the total number of calls, it is important not to base it on exceptional periods of organizational busyness. The total number of calls also increases during periods of reduced service reliability and increased service desk reliability, so it should not be used as the sole criterion. It is important to confirm whether there has been a change in service reliability or improvement in the service desk since the last measurement baseline. The following are examples of 11 measurement criteria:
1. Measure the first-time resolution rate in primary support.
2. However, also measure the percentage resolved without using secondary support.
3. Measure the percentage resolved during the initial call.
4. Measure the average time to resolve incidents.
5. Measure the average time to escalate incidents.
6. Measure the average cost of service desk support for incident response.
7. Measure the total cost of the service desk divided by the total number of calls.
8. Measure the total cost for the period divided by the total call time (in minutes).
9. Measure the percentage of customer or user updates that are performed within the target time defined in the SLA.
10. Measure the average time to review and close resolved calls.
11. The breakdown of call volume by time of day and day of week, combined with the measure of average call time, is essential for determining staff allocation.

Function of window services
The single window services in Japan and China are provided in Dalian, China, where all questions and issues are handled in one place. When calling the single window services, users are prompted to select the support language and service type through a voice guidance system, which streamlines the service desk's operations. Once an incident is accepted, an incident record number is issued, which eliminates the need for users to repeat their information if they make another inquiry. For password resets, users must provide their staff ID number, building name, and mobile phone number, and their identity is verified through a callback before the reset is performed, ensuring the security of the information. However, users may become dissatisfied when the service desk is busy, which may require them to wait up to an hour for a callback. Access requests are carefully checked through an application database. Because the service costs only about one-tenth of what it would in Japan, its cost-effectiveness makes slow callbacks and difficulties in communicating in Japanese tolerable. Business customers believe that these issues can be improved over time through training.

Common functions

Technical management function
a) Manage technical knowledge and expertise related to IT infrastructure management. Ensure that the knowledge necessary for designing, testing, managing, and improving IT services is captured, nurtured, and refined.
b) Provide actual human resources to support the service lifecycle.
Ensure that human resources are effectively trained and deployed for technical design, construction, migration, operation, and improvement. Balance the skill level, utilization, and cost of human resources as a strategy and decide whether to outsource tasks or consolidate internal specialists to increase the utilization of experts. This is beneficial for project teams and problem-solving.
c) Communicate effectively with IT operations management and provide IT operations guidance to ensure stable operation of the technical infrastructure.

Application management function
a) As a manager of technical knowledge and expertise related to application management, provide application services that meet the business's required service levels and support problem management (Note: application development is not performed). Work with technical management to ensure that the knowledge necessary for designing, testing, managing, and improving IT services is captured, nurtured, and refined.
b) Provide actual human resources to support the service lifecycle. Ensure that human resources are effectively trained and deployed for technical design, construction, migration, operation, and improvement.
c) Communicate with IT operations and provide procedure manuals on the best methods for continuously managing application operations within IT operations management.
d) Integrate the application management lifecycle into the service lifecycle.
e) Be responsible for providing application training.

IT operations management function
This function executes, on a daily basis, the continuous activities and procedures needed to manage and maintain the IT infrastructure, which is necessary to provide and support IT services at agreed-upon levels. Specifically, there are tasks to ensure that devices, systems, and processes are actually operating or functioning in accordance with strategies and plans. This is a relatively long and repeated process that is carried out by professional technical staff who have received technical training. It depends on investment in equipment and human resources. IT operations management is divided into IT operations control (console management, job scheduling management) and facility management (data center, computer room, recovery site management). Technical management and application management are part of the IT operations management function.

Status of functions (technical management, application management) in an organization
Technical management supports planning, testing, implementation, and maintenance of IT infrastructure changes and develops maintenance plans to execute in IT operations management. Application management is divided into teams for large products such as Oracle, Citrix, and XX, which support planning, design, testing, implementation, and development of maintenance plans to execute in IT operations management.
IT operations management performs operational activities of IT infrastructure, monitors networks, and manages printing and output collection and distribution. They also conduct maintenance activities based on the procedures created by the technical management and application management teams. Chapter 5: MALC (Management Across Life Cycle) It summarizes the lifecycle of IT service management as follows: What is the basis for selecting a provider? ・ Performance, capabilities, credit inquiries, credit ratings, and scale related to the business to be partnered with. ・Whether to contract with a single supplier or use multi-sourcing for risk diversification. ・Whether to position suppliers as dependent or form partner relationships with shared responsibility. ・Whether it is a short-term relationship, such as a project for introducing an ITSM tool, or a long-term relationship for operational work. Results based on creating a business case and comparing ROI (return on investment) and VOI (value on investment). Results based on assessing customer satisfaction, brand image, market share, stock prices, profitability, and the impact or penalty risk of regulations. ・Whether the supplier can withstand environmental changes such as business needs and scope. ・Whether the company is ISO20000-1:2018, ISMS, PCI DSS for particular scopes certified (understands common terms and frameworks). ・What criteria should be used to select a provider when building a system or procuring IT services, e.g. NIST-800, FISC? Selection process: ・Conduct a SWOT analysis regarding supplier selection. ・Submit a business case that clearly states ROI, VOI, and KPI to service portfolio management. ・The IT service financial management approves and applies to the CFO. Selection Criteria:
Hosting Team (Independent outsourcing company A):
・Low service fees
・Compliance with SLA
・A company manager who can manage staff resources, provide training, and reporting.
ID (IDentity) Management/SACM Team (Independent outsourcing company B):
・Low service fees
・A company manager who can manage staff resources, provide training, and reporting.
Desktop Support Team (Independent outsourcing company C):
・Low service fees
・Healthy financial condition of C company (however, to prepare for the risk of C company bankruptcy, similar work may be requested from A and B companies)
・Compliance with SLA
・A company manager who can manage staff resources, provide training, and reporting
・Ability to speak English as a native Japanese speaker
・Soft skills, service orientation, and understanding of the importance of achieving service culture. Technical skills are not required.
Service Desk Team (D company in Dalian, China):
・Compliance with SLA
・Ability to speak Japanese and English as a Chinese person
・Soft skills, service orientation, and understanding of the importance of achieving service culture. No technical skills required.
Business Application Development Team (E company in India):
・Low service fees
・No requirement for Japanese language ability, but specialized knowledge of databases and accounting is required.
・Adherence to deadlines
・Signing of NDA.
Project Management Task (Foreign consulting company F):
・Trilingual
・Detailed work history matching the needs such as experience using XYZ development toolkit, Active Directory, Hyper-V, and accounting system introduction for at least 5 years.
・Ability to coordinate the entire project.
Technology Management, Application Management, and Overall Service Management (in-house employees):
・Service management experience
・High expertise in core technology
・Understanding of business strategy
・Ability to coordinate diverse teams from various suppliers
・Customer service skills as a liaison with each business unit of the client.
If appointed as the CIO of an organization, what and how to improve IT service management initially?
・Create a business case for each service change - to ensure that it aligns with the business strategy and has a good ROI.
・Review the business case and prioritize new investments - for example, to implement a nearshore outsourcing strategy and move the hosting team to the Dalian office. Also, invest in temporary staff to reduce overall labor costs, and use the savings to invest in ITSM tools to improve efficiency.
・Rebuild the IT organization - transfer non-managerial employees to other departments, leaving only managers and their successors in the IT department.
・Provide clear career paths, training opportunities, and appropriate compensation to improve employee morale and create a new team that can work in line with the business strategy.
Strategic change management "Contract portfolio"
The contract portfolio includes financial information used to analyze investments and corresponding benefits related to supplier contracts. Supplier contracts can become complex, especially as a result of organizational restructuring, mergers, or the addition of new suppliers. To review these contracts, it is necessary to revise the contract portfolio. Before making any changes to supplier contracts, it is recommended to create a business case for each one and incorporate it into the contract portfolio, which can lead to cost savings and increased efficiency through rationalization of supplier contracts.
Service delivery models
When designing services, it is necessary to consider how they will be provided, and this is referred to as the service delivery model, which is divided into seven categories: insourcing, outsourcing, co-sourcing, multi-sourcing, BPO, application service provision, and knowledge process outsourcing. The advantages of insourcing include expertise in business processes and lower security risks, but it can be difficult to change personnel and acquire necessary skills quickly. The advantage of outsourcing is that necessary skills can be obtained quickly, but there is a cost associated with resolving security risks when outsourcing to other companies. Over-reliance on suppliers for technical expertise can also lead to hollowing out of the information systems department, which is a current problem.
Example of a business case to double profits in 5 years through IT services:
Priority 1 (Industry): Achieving leadership in the overseas Japanese company audit market.
A. Introduction: Training of IFRS accountants.
B. Method and assumptions:
Target users - all accountants.
Implementation period - from the 2009 fiscal year.
Organizational background: In the industry as a whole, there is a strong trend of enclosing Japanese customers.
C. Business impact:
・Cost of IFRS certification training for existing accountants, and compensation to headhunting companies for hiring accountants with IFRS experience: 10 million yen.
・Establishment of English and Chinese language training programs in the Philippines and Beijing in 2005: 10 million yen.
・Revenue increase of 10% by acquiring accounting audit clients for Japanese companies rushing to respond to globalization and incorporating them as clients faster than competing companies.
・10% increase in the number of existing foreign company accounting audit clients by 2011.
・Introduction of XYZ, Balanced Scorecard, and Enterprise consolidation accounting tools for those clients as part of IFRS, resulting in a 50% revenue increase.
Result: ROI is 1 or higher. It leads to strengthening marketing capabilities and improving customer loyalty.
D. Risks and emergencies (external factors):
・Risk of postponement of Japan's deregulation of dismissal regulations (increase in internal unemployment): Probability of occurrence 10%
・Risk of failure of TPP negotiations (free trade in human resources and services): Probability of occurrence 80%
・Risk of failure of the Tokyo Asian headquarters special zone plan (reducing the need for Japanese companies to expand overseas): Probability of occurrence 90%
・Decreased motivation of existing employees without English proficiency due to an increase in overseas projects: Probability of occurrence 99%
E. Recommendations:
Japanese new graduates should have a minimum of US-CPA, TOEIC 850 points, and HSK Level 4 before entry.
Establish a system to speed up visa support for foreign accountant hires. (Add immigration lawyers to shorten visa issuance from 6 months to 2 months by April 2012.)
Recommend that the management adjust the hiring and training of IT engineers to the business client's system.
Fully manage all risks.
Priority 2 (Strategic): Introducing competitive products.
A. Introduction (presentation of business goals): Revenue increase through the introduction and development of ITSM tools such as XYZ for Japanese corporate clients.
B. Method and assumptions (boundary definition of business cases):
Target customers - Japanese large companies in any industry (excluding small and medium-sized companies through selection and concentration).
Implementation period - from 2005.
Organizational background: ITSM tools have not yet penetrated in Japan, so our experienced company has kept a monopoly in the local foreign market, but the future market size is uncertain.
C. Business impact (financial and non-financial results):
・Compensation to personnel companies for mid-career hires with ITSM tool development experience: 10 million yen (2 million yen x 5 people).
・New external training: 800,000 yen x 5 people
・New software license purchase: 100,000 yen x 5 people
・Total investment amount: 14.5 million yen
・Revenue increase of 30% year-on-year by acquiring Japanese companies rushing to respond to globalization as clients.
・50% revenue increase year-on-year by introducing Balanced Scorecard and Enterprise tools for those clients.
Result: ROI is 1 or higher. It leads to strengthening marketing capabilities and improving customer loyalty.
D. Risks and emergencies (probability of occurrence of different results): Emergence of Japanese sales agents around 2012
Risk Management
The risks anticipated when performing a system migration include:
・Lack of clarity in ROI and VOI, and ambiguity in business value due to the absence of SWOT analysis in all service transition management processes based on SMART principles.
・Ambiguity in business value due to the absence of creating a business case for each change during the system migration, which leads to unclear ROI and VOI.
・Budget overruns due to the lack of involvement of service strategy in system migration. Insufficient capacity due to the absence of involvement of service design. Increased incidents due to the absence of involvement of service operation. Missed opportunities for improvement due to the absence of involvement in continuous service improvement.
Efforts to Reduce Risk in Design Activities
The risks in design activities are performance risks and demand risks in the service. Customers expect the service to have a beneficial impact on their assets' performance (referred to as usefulness from the customer's perspective). There is always a risk that the service designed to provide the expected benefits in terms of usefulness does not deliver them. Underperformance is a result of inadequate design activities, which are often due to the inability to understand and adjust to demand patterns. Risk reduction in design activities depends on how well the flexibility to withstand sudden changes in demand patterns is incorporated.
Job Separation as an Internal Control Function: Practical Examples from Your Organization's Management
In our organization, we ensure transparency and accountability for business processes and corporate accounting by creating financial reports based on the Sarbanes-Oxley (SOX) Act.
External audit agencies perform audits to confirm the accuracy of the business processes and whether the appropriate IT service management processes have been followed, such as whether accounts have been deleted correctly. We print and submit account and data records to auditors as instructed. Moreover, access to data is restricted based on job roles in our organization. Technical architects cannot access the incident data managed by the operations team, and the IT operations team cannot access the live human resources or accounting databases. This separation ensures that access to data is restricted, even within the same company, and that job roles are separated appropriately.
Planning and implementing IT service management
PDCA in the Continuous Service Improvement (CSI) stage
The Deming cycle leads to the improvement of IT service quality in all service life cycles, but is particularly effective in the CSI stage. The cycle of plan, do, check, and act in the Deming cycle should be used to gradually raise the maturity level of IT service quality over time and to move towards alignment between business and IT, rather than rolling back. The ultimate goal of the Deming cycle is steady and continuous improvement.
Development procedure:
Step 1. Review the business case created by the service portfolio management.
Priority 1 (Operation): Improving work efficiency
A. Introduction (Business objectives): The productivity increases by 80% as a result of the migration to Windows 7 and hardware improvement.
B. Method and assumptions (boundary definition of the business case):
Target users: all employees (excluding contract and dispatched employees).
Implementation cycle: every three years
Start date: January 2013
End date: December 2013
Organizational background: Since staff reduction is underway, improving productivity is urgent. By investing in a laptop refresh project for 2,000 people, it is necessary to increase the productivity of all employees and link it to business revenue.
C. Impact on business:
ⅰ) Cost: 10 million yen (including hardware purchase, test environment construction, and project personnel expenses excluding fixed costs).
ⅱ) Reduce personnel expenses by 30% and raise 10 million yen.
Results:
- ROI is equal to or greater than 1 (1,800/1,450).
- Improved employee satisfaction of 90%.
D. Risks and emergencies:
ⅰ) Information security risk if the project is not completed as planned (Microsoft ends support for Windows XP in April 2014).
ⅱ) Since support for Windows Server 2003 also ends in July 2015, it is necessary to confirm the server-side version for all servers.
1. If there are issues with specific applications on the new OS, it may affect business processes, with a 10% probability.
2. If employees do not understand how to use the new OS or new hardware, it may cause problems with work efficiency and reduce business revenue, with a 40% probability.
3. Follow-up on increased employee stress due to getting used to the new OS.
E. Recommended actions:
ⅰ) Clarify roles for each process to ensure the success of the asset refresh plan project by cooperating with all service life cycles.
ⅱ) Establish a Project Management Office (PMO).
ⅲ) Save all old laptops and environments for at least three years in preparation for emergencies such as disasters or trouble.
ⅳ) Focus on risk management to manage all risks.
Step 2: Create a service design package that includes the following.
・Service charter
・Service specifications
・Service model
・Architecture design (including limitations)
・Definition and design of release and release packages
・Plan for release management and deployment management
・Service acceptance criteria
Step 3: Submit the service design package to the process of verifying and testing service validity.
Regarding Communication that CIO should Expand within the Organization:
・Implement expanded communication for creating a strategy aimed at achieving overall goals, not for organizational maneuvering or self-interest.
・Expand communication for developing team culture, mentoring, and coaching.
・Expand communication to ensure that investments match the organization's intended development and growth.
・Expand communication to make all managers aware of their roles.
・Expand communication regarding prioritization of investments.
・Expand communication about the strengths, weaknesses, opportunities, and threats of service providers.
・Expand communication for evaluating, directing, and monitoring strategies, policies, rules, and contracts.
Challenges for the Organization
CMMI: Keywords indicating the maturity of the process in the five stages of maturity:
The CMMI maturity model includes six stages: 0. non-existent, 1. initial state, 2. repeatable state, 3. defined state, 4. managed state, and 5. optimizing state. CMMI (Capability Maturity Model Integration) is a process improvement approach developed by the Software Engineering Institute at Carnegie Mellon University. CMMI is used to guide process improvement or adjustment for projects, business units, or entire organizations. For example, if the maturity level of the X management process is 0 or 1 and the organization relies heavily on the ○○ management process, there is considerable risk for the organization. Conversely, even if the maturity level of the X management process is 5, if the Y management process contributes very little to the business, the organization may be investing resources and funds unnecessarily.
Factors (domains) to consider when assessing process maturity:
International standards such as CMMI and ISO/IEC 20000-1:2018 can be used to assess the maturity of an organization's capabilities. This not only applies to all aspects of the process environment, including personnel, processes, and technology within the organization, but also allows for comparison with industry standards. Through maturity assessment, the maturity of acceptance culture, process strategy and vision, process organization, process governance, business and IT alignment, process reporting, process measurement criteria, and decision-making can be evaluated.
Policies necessary for CIO to raise the maturity level of current IT services by one level:
・Obtain senior management agreement that raising the maturity level of IT services is essential for the success of customer business.
・Have service managers create business cases for the assessment plan.
・Have the IT service financial management manager secure funds for using external CMMI consultants.
・Have the service level management manager work with external consultants to objectively assess the maturity level.
・Report process gaps.
・Have the CSI manager involve stakeholders in improving maturity level.
Service Evaluation: Three types of measurement criteria:
ⅰ) Technical measurement criteria: measure performance and availability for individual components or applications.
ⅱ) Process measurement criteria: measure service management processes using CSFs and KPIs to determine overall process health. KPIs are metrics that answer whether a process complies with the four elements of compliance: 1) service quality, 2) performance, 3) value, and 4) whether it conforms to the process. The results of CSF and KPI measurements are input to the CSI management table to contribute to the continuous improvement of overall services.
ⅲ) Service measurement criteria: an end-to-end service performance metric for customer experience.
Technical measurement criteria ⅰ) and process measurement criteria ⅱ) are used as inputs for calculating service measurement criteria ⅲ), meaning these three measurement criteria are related.
Measurement criteria set for IT services:
Technical measurement criteria are responsible for measuring the performance of Oracle application servers, internal wired networks, wireless networks, VPN servers, Exchange servers, file servers, ABC phone servers, and other speed and capacity metrics. The results are automatically output to ITSM tools and processed into tables with the necessary analyses added based on the requests of multiple recipients of the report. ITIL® recommends automating operational-level processes as much as possible. The report is viewed by process measurement criteria personnel for reference and used as input for end-to-end measurement by service measurement criteria personnel.
Additional Service Metrics that CIO Should Introduce to Further Utilize the Service Quality of "Involved IT Services"
Our Strategic Business Unit has introduced the Balanced Scorecard as a service measurement standard that can be used for management. The Balanced Scorecard evaluates items from four perspectives: internal processes, customers, learning and growth, and finances, and aims to achieve a balanced score as much as possible. Originally, it was a measure to assess the management status of business customers, but it has been used as an indicator of IT service status for the past 10 years. By setting final goals and KPIs for each perspective and conducting quantitative evaluations, strengths and weaknesses of the organization can be recognized from the balanced score, leading to improvement activities.
Purposes of using strategic frameworks, techniques, and tools other than ITIL®
COBIT 2019 (Control Objectives for Information and Related Technology): Complies with IT governance principles and covers five aspects: alignment with strategy, value delivery, resource management, risk management, and performance measurement. COBIT is a globally recognized and adopted control-based framework for value and risk management, used for overall IT governance support.
Service Management System (ISO/IEC 20000-1:2018): Defines the requirements for service providers to provide managed services and is utilized for third-party review and certification to prove it to external stakeholders.
CMMI (Capability Maturity Model Integration): A capability maturity model that provides guidelines for process improvement in system development. It aims to ensure that products or services meet customer expectations. By going through five stages: initial state, repeatable state, defined state, managed state, and optimized state, processes mature.
Balanced Scorecard: Developed by Americans in 1992, it evaluates performance from the perspectives of customers, finances, learning and growth, and business processes. It proposes that setting measurement standards from these four perspectives, collecting data, and analyzing the data is beneficial.
Quality Management (ISO/IEC 9001:2015): Utilized to strengthen organizational capabilities. It includes not only quality management of the company's own products but also quality management of IT services and IT service processes. If the organization is utilizing quality management systems such as ISO 9001, Six Sigma, and TQM, regular reviews and report creation can evaluate progress regularly and promote agreed-upon service improvement initiatives.
OSI framework: Around the time when ITIL® version 1 was created, the International Organization for Standardization began an initiative that would eventually become the Open Systems Interconnection (OSI) framework. Since many of the areas that the OSI framework initiative targeted were the same as those targeted by the ITIL® team, both dealt with many of the same topics. It is common for people from different organizations to use both ITIL® and OSI framework terms, which can sometimes cause confusion.
Pension: A pension system is a mechanism that guarantees a basic part of the living expenses during the elderly years. The usage method is as follows.
・Using Table A.1, determine the present value of one pound of future pension payments.
・Identify the column for the corresponding discount rate (or asset cost) and the row for the corresponding payment period.
・The intersection of the column and row is the present value of the pension payment per pound for that year.
・Multiplying this value by the expected amount of pounds to be received in a single payment gives the present value of the pension.
From the Service Management Maturity Framework (quoted from ARC's task response):
・The Process Maturity Framework (PMF) assesses the maturity of each service management process individually.
・In process review, assessment is performed for the following five areas: vision, process, people, technology, and culture.
・Processes mature through five stages: initial, repeatable, defined, managed, and optimizing.
Six Sigma: Developed by Motorola in the 1980s, it is a methodology based on Japanese manufacturing QC. Six Sigma is a process improvement methodology suitable for not only manufacturing, but also IT services and services in general. The goal is to reduce errors so that there are fewer than three or four defects for every one million operations performed. IT managers must consider the various variations in IT service artifacts, such as capacity management, as well as the various roles and tasks in the IT operations environment. Six Sigma is a data-driven approach that supports continuous improvement. Six Sigma has the following methodologies:
DMAIC - Define, Measure, Analyze, Improve, Control
DMADV - Define, Measure, Analyze, Design, Verify
PRINCE2 (PRojects IN Controlled Environments v2): PMBOK7 revised in 2021: For IT service improvement, standardized project management methodologies such as PMBOK accredited by PMI (created by PMI as well), PRINCE2 accredited by PeopleCert (created by AXELOS) can be used. While a standardized project approach is not necessary for all improvements, it is necessary for many to fully cover the scope and scale of the improvement. An activity with a different purpose each time and with a starting and ending period.
TQM (Total Quality Management): A methodology developed in the 1980s in the United States that adapts quality management to business strategy, which later replaced Japan's bottom-up TQC with top-down TQM. Total Quality Management (TQM) is a management strategy aimed at incorporating quality awareness into all processes within an organization. In TQM efforts, all individuals within the organization participate in improving processes, products, services, and the culture surrounding their respective duties.
ITIL® v3/2011 Edition Training and Exams
The ITIL® v3/2011 Edition Expert certification exam is overseen by AXELOS and was previously administered by organizations such as EXIN. However, since 2017, PeopleCert has been globally contracted to administer the exam for ITIL® v3/2011 Edition instead of EXIN and others. The ITIL®4 Foundation exam has been available from PeopleCert since April 2019. PeopleCert then acquired AXELOS in 2021. Since then, the ITIL® v3/2011 Edition and ITIL® v4 training and exam system has become much more flexible than before. ITIL® v3/2011 Edition consists of five exams, and eligibility for taking the exam requires passing the ITIL® v3/2011 Edition Foundation exam and completing training from a PeopleCert-certified institution after 2017. Only those who have completed the training can take the respective exam. ITIL® v3/2011 Edition Master is the top-level certification above ITIL® Expert and is conducted in English through presentations and interviews in countries such as Singapore, Hong Kong, and Malaysia until 2022. As it is not a written exam, certification as an ITIL® Expert requires practical experience and permission from affiliated and customer companies.
ITIL® v3/2011 Edition Foundation: Taking training is not mandatory. This exam tests a candidate's understanding of ITIL® terminology, concepts, and basic processes.
It covers the ITIL® v3/2011 Edition framework, service management as a practice, service lifecycle, key principles and models, and selected processes. Passing the Foundation exam is a prerequisite for taking the higher level ITIL® v3/2011 Edition exams.
SOA (Service Offering and Agreement): This exam assesses a trainee's ability to design, implement, and manage service management processes to ensure service offering and agreement. For more details, refer to figure #1 in the orange section.
PPO (Planning, Protection, and Optimization): This training and exam assess a trainee's ability to design, implement, and manage service management processes to ensure service quality and efficiency. For more details, refer to figure #1 in the orange section.
RCV (Release, Control, and Validation): This training and exam assess a trainee's practical knowledge of service transition. For more details, refer to figure #1 in the orange section.
OSA (Operational Support & Analysis): This training and exam assess a trainee's practical knowledge of maintaining service operation stability while responding to changes in design, scope, scale, and service levels. For more details, refer to figure #1 in the orange section.
MALC (Management Across Life Cycle): This training and exam assess a trainee's ability to build, manage, and improve the IT service management life cycle. The MALC exam is in the form of various case studies based on scenarios of business expansion and IT department integration due to merger strategy. Only those who have passed all four of the previous exams (SOA, PPO, RCV, and OSA) are eligible to take the MALC exam, and passing it results in becoming an ITIL® EXPERT V3/2011, but the version ended in 2022.
ITIL®4 Training and Exams
ITIL®4 Managing Professional (MP): This training and exam evaluate individuals to determine their eligibility to convert their certification to ITIL®4 without undergoing ITIL®4 training and exams. Taking the MALC training and exam isn't mandatory for transitioning to MP. ITIL®4 MP training and exam in Japanese is available only until September 30, 2023. The English ITIL®4 MP training and exam concluded in 2022. After October 1, 2023, those who wish to become ITIL®4 MP must pass the following five subjects.
・ITIL®4 foundation (*taking training is an option, not mandatory) JPN
・ITIL®4 Specialist: create, deliver & support (CDS) JPN
・ITIL®4 Specialist: drive stakeholder value (DSV) JPN
・ITIL®4 Specialist: high velocity IT (HVIT) JPN
・ITIL®4 Specialist: direct, plan & improve (DPI) JPN
People who seek ITIL®4 Strategic Leader above ITIL®4 MP have to take the following additional training and the exam.
・ITIL®4 Specialist: Digital & IT Strategy (DITS) JPN
People who seek ITIL®4 Master have to take the following additional training and the exam.
・ITIL®4 Practice Manager Course (Only English books are available as of Oct. 8, 2023.)
Refer to the following URL for further information about the ITIL®4 Practice Manager Course:
https://www.axelos.com/certifications/itil-service-management/itil-practices-manager/
ISO20000-1:2018 Training & Exam
EXIN IT Service Management Foundation based on ISO/IEC 20000:2018 training & exam are provided by EXIN accredited training companies and it's still valid.
ISO20000-1:2018 IRCA 3rd party auditor's training & exam is provided by IRCA accredited training companies, and the exam can be completed at home. Training contents are mostly based on ITIL®2011 rather than ITIL®4 so far. After successfully completing the 5-day training and exam, trainees can register immediately with IRCA as an Associate 3rd party auditor without any ISO20000-1 3rd party audit experience. To be promoted to 3rd party auditor, the person needs at least 15 days of on-site audit experience. Promotion to IRCA Lead Auditor requires at least 10 days of on-site audit experience as a team lead with members working under the candidate. Promotion to IRCA Principal Auditor requires 5+ years' experience as either an IRCA registered auditor or lead auditor. Alternatively, the candidate must have been continuously employed by a certain ISO20000-1 accreditation body for 3+ years as an auditor or lead auditor. Conducting an ISO20000-1 3rd party audit does not require IRCA certifications though.
Reference materials
AXELOS Ltd, ITIL® 2011 edition: Planning, Protection & Operation, TSO, 2011
AXELOS Ltd, ITIL® 2011 edition: Release, Control & Verification, TSO, 2011
AXELOS Ltd, ITIL® 2011 edition: Operational Support & Analysis, TSO, 2011
AXELOS Ltd, ITIL® 2011 edition: Service Offering and Agreement, TSO, 2011
AXELOS Ltd, ITIL® 2011 edition: Managing Across the Lifecycle, TSO, 2011
ISO, ISO/IEC 20000-1:2018 Information technology — Service management — Part 1: Service management system requirements, ISO, 2018