AXELOS RESILIA® - Glossary (EN)
RESILIA® is a registered trademark of AXELOS Limited. RESILIA® logo courtesy of the AXELOS Limited. Copyright © AXELOS Limited 2012. All rights reserved. Material is reproduced with the permission of AXELOS
Terms in this set (355)
Formal agreement that an IT service, process, plan or other deliverable is complete, accurate, reliable and meets its specified requirements. Acceptance is usually preceded by change evaluation or testing and is often required before proceeding to the next stage of a project or process.
The ITSM process responsible for allowing users to make use of IT services, data or other assets. Access management helps to protect the confidentiality, integrity and availability of assets by ensuring that only authorized users are able to access or modify them. Access management implements the policies of information security management and is sometimes referred to as rights management or identity management.
A role that is very similar to that of the business relationship manager, but includes more commercial aspects. Most commonly used by external service providers.
A situation where the number of users or privileged accounts has become unmanageable, often due to uncontrolled creation of accounts.
The process responsible for identifying the actual costs of delivering IT services, comparing these with budgeted costs, and managing variance from the budget.
Officially authorized to carry out a role. For example, an accredited body may be authorized to provide training or to conduct audits.
A set of actions designed to achieve a particular result. Activities are usually defined as part of processes or plans, and are documented in procedures.
advanced encryption standard (AES)
A symmetric key encryption standard that was approved by NIST for encrypting information.
advanced persistent threat (APT)
A persistent attack targeted at organizations using generally available or specially developed malware designed to steal valuable information. The attack is stealthy and takes place over a long period of time.
A document that describes a formal understanding between two or more parties. An agreement is not legally binding, unless it forms part of a contract. See also operational level agreement; service level agreement.
A notification that a threshold has been reached, something has changed, or a failure has occurred. Alerts are often created and managed by system management tools and are managed by the event management process.
annual rate of occurrence (ARO)
The probability that a specific risk will occur in a single year.
annualized loss expectancy (ALE)
The expected financial loss due to a risk, averaged over a one-year period. ALE is calculated by multiplying the single loss expectancy (SLE) by the annual rate of occurrence (ARO).
Software that provides functions which are required by an IT service. Each application may be part of more than one IT service. An application runs on one or more servers or clients.
See also application management.
The ITSM function responsible for managing applications throughout their lifecycle.
Architecture Development Method (ADM)
A method for enterprise architecture development defined in TOGAF, which takes an iterative lifecycle approach to architecture development.
The structure of a system or IT service, including the relationships of components to each other and to the environment they are in. Architecture also includes the standards and guidelines that guide the design and evolution of the system.
Inspection and analysis to check whether a standard or set of guidelines is being followed, that records are accurate, or that efficiency and effectiveness targets are being met. See also audit.
Anything that has value to an organization. Assets can be physical things such as servers and buildings or intangible things such as a company's reputation.
A generic activity or process responsible for tracking and reporting the value and ownership of assets throughout their lifecycle. See also service asset and configuration management.
The persons or roles accountable for the assets in an organization. There may be one or many asset owners, depending on the size and nature of the organization. Responsibility for the assets may be delegated to others as appropriate.
A list of assets and the information required to manage them. For information security management this could be a list of information and related assets with owners, value to the business, classification and applicable security controls. For financial management this could be a list of fixed assets with owners, financial value and information about depreciation.
asymmetric key pair
A pair of related encryption keys. Data that is encrypted by one key in the pair can only be decrypted by using the other key. See also public key; private key.
A piece of information about a configuration item (CI). Examples are name, location, version number and cost. Attributes of CIs are recorded in a configuration management database (CMDB) and maintained as part of a configuration management system (CMS). See also relationship; configuration management system.
Formal inspection and verification to check whether a standard or set of guidelines is being followed, that records are accurate, or that efficiency and effectiveness targets are being met. An audit may be carried out by internal or external groups. See also assessment; certification.
Verification that a characteristic or attribute that appears to be true or is claimed to be true is in fact true: for example, that a specific user is who they claim to be.
A characteristic of information that ensures it is able to be used when needed. Confidentiality, integrity and availability are the three core characteristics which confer requirements on information security systems and processes.
availability management (AM)
The ITSM process responsible for ensuring that IT services meet the current and future availability needs of the business in a cost-effective and timely manner. Availability management defines, analyses, plans, measures and improves all aspects of the availability of IT services, and ensures that all IT infrastructures, processes, tools, roles etc. are appropriate for the agreed service level targets for availability.
Copying data to protect against loss of integrity or availability of the original.
Best Management Practice
The Best Management Practice portfolio is jointly owned by the Cabinet Office, part of HM Government, and Capita. Formerly owned by CCTA and then OGC, the Best Management Practice functions moved to the Cabinet Office in June 2010. In July 2013 the Cabinet Office formed a joint venture with Capita called AXELOS. AXELOS now manages the Best Management Practice portfolio which includes guidance on IT service management, project, programme, risk, portfolio and value management, and cyber resilience. There is also a management maturity model as well as related glossaries of terms.
Proven activities or processes that have been successfully used by multiple organizations. Cyber Resilience Best Practices is an example of best practice.
border gateway protocol (BGP)
A routeing protocol used for routeing data between autonomous areas in a network.
A technique that helps a team to generate ideas. Ideas are not reviewed during the brainstorming session, but at a later stage. Brainstorming is often used by problem management to identify possible causes.
An intentional or unintentional incident that results in the loss of confidentiality, integrity or availability of information.
British Standards Institution (BSI)
The UK national standards body, responsible for creating and maintaining British standards. See www.bsi-global.com for more information. See also International Organization for Standardization.
A list of all the money an organization or business unit plans to receive, and plans to pay out, over a specified period of time. See also budgeting.
The activity of predicting and controlling the spending of money. Budgeting consists of a periodic negotiation cycle to set future budgets (usually annual) and the routine monitoring and adjusting of current budgets.
The activity of assembling a number of configuration items to create part of an IT service. The term is also used to refer to a release that is authorized for distribution - for example, server build or laptop build.
business capacity management
The sub-process of capacity management responsible for understanding future business requirements for use in the capacity plan. See also service capacity management.
business continuity management (BCM)
The business process responsible for managing risks that could seriously affect the business. Business continuity management safeguards the interests of key stakeholders, reputation, brand and value-creating activities. The process involves reducing risks to an acceptable level and planning for the recovery of business processes should a disruption to the business occur. Business continuity management sets the objectives, scope and requirements for IT service continuity management.
business impact analysis (BIA)
The activity in business continuity management that identifies vital business functions and their dependencies. These dependencies may include suppliers, people, other business processes, IT services etc. Business impact analysis defines the recovery requirements for IT services. These requirements include recovery time objectives, recovery point objectives and minimum service level targets for each IT service.
The objective of a business process, or of the business as a whole. Business objectives support the business vision, provide guidance for the IT strategy, and are often supported by IT services.
The routine execution, monitoring and management of business processes.
business relationship manager (BRM)
A role responsible for maintaining the relationship with one or more customers. This role is often combined with the service level manager role.
A segment of the business that has its own plans, metrics, income and costs. Each business unit owns assets and uses these to create value for customers in the form of goods and services.
The ability of an organization, person, process, application, IT service or other configuration item to carry out an activity. Capabilities are intangible assets of an organization. See also resource.
Capability Maturity Model Integration (CMMI)
A process improvement approach developed by the Software Engineering Institute (SEI) of Carnegie Mellon University, USA. CMMI provides organizations with the essential elements of effective processes. It can be used to guide process improvement across a project, a division or an entire organization. CMMI helps to integrate traditionally separate organizational functions, set process improvement goals and priorities, provide guidance for quality processes, and provide a point of reference for appraising current processes. See www.sei.cmu.edu/cmmi for more information. See also maturity.
The maximum throughput that a configuration item or IT service can deliver. For some types of CI, capacity may be the size or volume - for example, a disk drive.
The ITSM process responsible for ensuring that the capacity of IT services and the IT infrastructure is able to meet agreed capacity- and performance-related requirements in a cost-effective and timely manner. Capacity management considers all resources required to deliver an IT service, and is concerned with meeting the current and future capacity needs along with the performance requirements of the business. Capacity management includes three sub-processes: business capacity management, service capacity management and component capacity management.
Issuing a certificate to confirm compliance to a standard. Certification includes a formal audit by an independent and accredited body. The term is also used to mean awarding a certificate to provide evidence that a person has achieved a qualification.
The addition, modification or removal of anything that could have an effect on IT services. The scope should include changes to all architectures, processes, tools, metrics and documentation, as well as changes to IT services and other configuration items.
change advisory board (CAB)
A group of people who support the assessment, prioritization, authorization and scheduling of changes. A change advisory board is usually made up of representatives from all areas within the IT service provider; the business; and third parties such as suppliers.
The ITSM process responsible for formal assessment of a new or changed IT service to ensure that risks have been managed and to help determine whether to authorize the change.
The ITSM process responsible for controlling the lifecycle of all changes, enabling beneficial changes to be made with minimum disruption to IT services.
A document that includes a high-level description of a potential service introduction or significant change, along with a corresponding business case and an expected implementation schedule. Change proposals are normally created by the service portfolio management process and are passed to change management for authorization. Change management will review the potential impact on other services, on shared resources, and on the overall change schedule. Once the change proposal has been authorized, service portfolio management will charter the service.
See request for change.
A document that contains details of a new service, a significant change or other significant project. Charters are typically authorized by service portfolio management or by a project management office. The term charter is also used to describe the act of authorizing the work required to complete a service change or project.
The resultant output from an encryption of plain text.
The act of assigning a category to something. Classification is used to ensure consistent management and reporting. Configuration items, incidents, problems, changes etc. are usually classified.
A generic term that means a customer, the business or a business customer. For example, client manager may be used as a synonym for business relationship manager. The term is also used to mean:
• A computer that is used directly by a user - for example, a PC, a handheld computer or a work station.
• The part of a client server application that the user directly interfaces with - for example, an email client.
The final status in the lifecycle of an incident, problem, change etc. When the status is closed, no further action is taken.
Cloud Security Alliance (CSA)
An organization that defines a set of security practices, principally in the form of the cloud control matrix (CCM).
A business framework for the governance and management of enterprise IT. COBIT is published by ISACA.
See www.isaca.org for more information.
code of connection (CoCo)
An agreement between parties to obey a set of rules as a condition for connecting the parties' networks.
commercial off the shelf (COTS)
Pre-existing application software or middleware that can be purchased from a third party.
Ensuring that a standard or set of guidelines is followed, or that proper, consistent accounting or other practices are being employed.
A general term that is used to mean one part of something more complex. For example, a computer system may be a component of an IT service; an application may be a component of a release unit. Components that need to be managed should be configuration items.
computer emergency response team (CERT)
A group of security incident response experts who respond to security incidents and advise an organization on the handling of security incidents.
A characteristic of information that ensures it is not made available or disclosed to unauthorized entities. Confidentiality, integrity and availability are the three core characteristics which confer requirements on information security systems and processes.
A generic term used to describe a group of configuration items that work together to deliver an IT service, or a recognizable part of an IT service. Configuration is also used to describe the parameter settings for one or more configuration items.
configuration item (CI)
Any component or other service asset that needs to be managed in order to deliver an IT service. Information about each configuration item is recorded in a configuration record within the configuration management system and is maintained throughout its lifecycle by service asset and configuration management. Configuration items are under the control of change management. They typically include IT services, hardware, software, buildings, people and formal documentation such as process documentation and service level agreements.
configuration management database (CMDB)
A database used to store configuration records throughout their lifecycle. The configuration management system (CMS) maintains one or more configuration management databases (CMDBs), and each database stores attributes of configuration items, and relationships with other configuration items.
configuration management system (CMS)
A set of tools, data and information that is used to support service asset and configuration management.
The CMS is part of an overall service knowledge management system and includes tools for collecting, storing, managing, updating, analysing and presenting data about all configuration items and their relationships. The CMS may also include information about incidents, problems, known errors, changes and releases. The CMS is maintained by service asset and configuration management and is used by all IT service management processes.
continual service improvement (CSI)
A stage in the lifecycle of a service. Continual service improvement ensures that services are aligned with changing business needs by identifying and implementing improvements to IT services that support business processes. The performance of the IT service provider is continually measured, and improvements are made to processes, IT services and IT infrastructure in order to increase efficiency, effectiveness and cost effectiveness. Continual service improvement includes the seven-step improvement process. Although this process is associated with continual service improvement, most processes have activities that take place across multiple stages of the service lifecycle.
See also Plan-Do-Check-Act.
continual service improvement (CSI) register
A database or structured document used to record and manage improvement opportunities throughout the lifecycle.
A legally binding agreement between two or more parties.
A means of managing a risk, ensuring that a business objective is achieved or that a process is followed. Examples of controls include policies, procedures, roles, RAID, door locks etc. A control is sometimes called a countermeasure or safeguard. Control also means to manage the utilization or behaviour of a configuration item, system or IT service.
A control that is intended to correct the situation after an incident has been detected.
The amount of money spent on a specific activity, IT service or business unit. Costs consist of real cost (money), notional cost (such as people's time) and depreciation.
cost benefit analysis
An activity that analyses and compares the costs and the benefits involved in one or more alternative courses of action.
A business unit or project to which costs are assigned. A cost centre does not charge for services provided. An IT service provider can be run as a cost centre or a profit centre.
A measure of the balance between the effectiveness and cost of a service, process or activity. A cost-effective process is one that achieves its objectives at minimum cost.
Can be used to refer to any type of control. The term is most often used when referring to measures that increase resilience, fault tolerance or reliability of an IT service.
Changes made to a plan or activity which has already started to ensure that it will meet its objectives. Course corrections are made as a result of monitoring progress.
Crisis management is the process responsible for managing the wider implications of business continuity. A crisis management team is responsible for strategic issues such as managing media relations and shareholder confidence, and deciding when to invoke business continuity plans.
critical success factor (CSF)
Something that must happen if an IT service, process, plan, project or other activity is to succeed. Key performance indicators are used to measure the achievement of each critical success factor. For example, a critical success factor of 'protect IT services when making changes' could be measured by key performance indicators such as 'percentage reduction of unsuccessful changes', 'percentage reduction in changes causing incidents' etc.
A set of values that is shared by a group of people, including expectations about how people should behave, their ideas, beliefs and practices.
Someone who buys goods or services. The customer of an IT service provider is the person or group who defines and agrees the service level targets. The term is also sometimes used informally to mean user - for example, 'This is a customer-focused organization.'
The ability to prevent, detect and correct any impact that incidents have on the information required to do business.
A collection of characters, signs and symbols that has to be processed to have relevance, context or value. Data is the lowest level in a hierarchy of increasing value from Data-to-Information-to-Knowledge-to-Wisdom.
Data stored on disk, in memory or being processed as opposed to being in transit or in motion.
Data that is being moved from one place to another, usually across a network.
Using multiple independent security controls to provide redundancy. If one control fails or a vulnerability is exploited, assets will be protected by alternative controls.
The ITSM process responsible for understanding, anticipating and influencing customer demand for services. Demand management works with capacity management to ensure that the service provider has sufficient capacity to meet the required demand. At a strategic level, demand management can involve analysis of patterns of business activity and user profiles, while at a tactical level, it can involve the use of differential charging to encourage customers to use IT services at less busy times, or require short-term activities to respond to unexpected demand or the failure of a configuration item.
demilitarized zone (DMZ)
An area of a network that sits outside the firewall. A DMZ is semi-trusted and is used for hosting services that are accessible from outside the organization.
The activity responsible for movement of new or changed hardware, software, documentation, process etc. to the live environment. Deployment is part of the ITSM release and deployment management process.
An activity or process that identifies requirements and then defines a solution that is able to meet these requirements.
The ITSM process responsible for coordinating all service design activities, processes and resources. Design coordination ensures the consistent and effective design of new or changed IT services, service management information systems, architectures, technology, processes, information and metrics.
A stage in the lifecycle of an incident. Detection results in the incident becoming known to the service provider. Detection can be automatic or the result of a user logging an incident.
A control that is intended to identify when a threat has succeeded, so that the organization can respond appropriately.
A stage in the incident and problem lifecycles. The purpose of diagnosis is to identify a workaround for an incident or establish the root cause of a problem.
A situation where information stored in legacy technology, or media cannot be accessed because the required infrastructure is no longer available.
The product of using the private key of an asymmetric key pair and a hashing algorithm to encrypt information that can act as an electronic signature. Digital signatures can be used to vouch for the authenticity of activities of the private key owner, such as their documents and software.
Information in readable form. A document may be paper or electronic - for example, a policy statement, service level agreement, incident record or diagram of a computer room layout.
See also record.
A measure of whether the objectives of a process, service or activity have been achieved. An effective process or activity is one that achieves its agreed objectives.
See also key performance indicator.
A measure of whether the right amount of resource has been used to deliver a process, service or activity. An efficient process achieves its objectives with the minimum amount of time, money, people or other resources.
See also key performance indicator.
A device that can send and receive data on a network: for example a server, a laptop, a PC, a mobile phone or a tablet.
enterprise financial management
The function and processes responsible for managing the overall organization's budgeting, accounting and charging requirements. Enterprise financial management is sometimes referred to as the 'corporate' financial department. See also financial management for IT services.
enterprise resource planning (ERP)
An enterprise planning tool that comprises a modular suite of applications. Organizations can use ERP for each of their business functions such as accounting, invoicing, production and manufacturing.
A subset of the IT infrastructure that is used for a particular purpose - for example, live environment, test environment, build environment. Also used in the term 'physical environment' to mean the accommodation, air conditioning, power system etc. Environment is used as a generic term to mean the external conditions that influence or affect something.
A design flaw or malfunction that causes a failure of one or more IT services or other configuration items. A mistake made by a person or a faulty process that impacts a configuration item is also an error.
An activity that obtains additional resources when these are needed to meet service level targets or customer expectations. Escalation may be needed within any process, but is most commonly associated with incident management, problem management and the management of customer complaints. There are two types of escalation: functional escalation and hierarchic escalation.
A change of state that has significance for the management of an IT service or other configuration item. The term is also used to mean an alert or notification created by any IT service, configuration item or monitoring tool. Events typically require IT operations personnel to take action, and often lead to incidents being logged.
The ITSM process responsible for managing events throughout their lifecycle. Event management is one of the main activities of IT operations.
external service provider
An IT service provider that is part of a different organization from its customer. An IT service provider may have both internal and external customers.
See also outsourcing.
The function responsible for managing the physical environment where the IT infrastructure is located. Facilities management includes all aspects of managing the physical environment - for example, power and cooling, building access management, and environmental monitoring.
Loss of ability to operate to specification, or to deliver the required output. The term may be used when referring to IT services, processes, activities, configuration items etc. A failure often causes an incident.
failure mode and effects analysis (FMEA)
A method for analysing possible failures in products, processes or services and the consequences of failures.
A generic term used to describe the function and processes responsible for managing an organization's budgeting, accounting and charging requirements. Enterprise financial management is the specific term used to describe the function and processes from the perspective of the overall organization. Financial management for IT services is the specific term used to describe the function and processes from the perspective of the IT service provider.
financial management for IT services
The ITSM function and processes responsible for managing an IT service provider's budgeting, accounting and charging requirements. Financial management for IT services secures an appropriate level of funding to design, develop and deliver services that meet the strategy of the organization in a cost-effective manner.
See also enterprise financial management.
fit for purpose
The ability to meet an agreed level of utility. Fit for purpose is also used informally to describe a process, configuration item, IT service etc. that is capable of meeting its objectives or service levels. Being fit for purpose requires suitable design, implementation, control and maintenance.
fit for use
The ability to meet an agreed level of warranty. Being fit for use requires suitable design, implementation, control and maintenance.
A tangible business asset that has a long-term useful life (for example, a building, a piece of land, a server or a software licence).
See also service asset; configuration item.
Performing activities to meet a need or requirement - for example, by providing a new IT service, or meeting a service request.
A team or group of people and the tools or other resources they use to carry out one or more processes or activities - for example the service desk.
The term also has two other meanings. Firstly, an intended purpose of a configuration item, person, team, process or IT service: for example, one function of an email service may be to store and forward outgoing mails, while the function of a business process may be to despatch goods to customers. The second meaning is to perform the intended purpose correctly, as in 'The computer is functioning.'
An activity that compares two sets of data and identifies the differences. Gap analysis is commonly used to compare a set of requirements with actual delivery.
Ensuring that an organization meets the expectations of its stakeholders. These stakeholders may include legal and regulatory authorities as well as shareholders or citizens. Governance includes defining what management should do and ensuring that this is carried out as intended.
A document describing best practice, which recommends what should be done. Compliance with a guideline is not normally enforced.
A unique name that is used to identify a user, person or role. The identity is used to grant rights to that user, person or role. Example identities might be the username 'SmithJ' or the role 'change manager'.
A measure of the effect of an incident, problem or change on business processes. Impact is often based on how service levels will be affected. Impact and urgency are used to assign priority.
An unplanned interruption to an IT service or reduction in the quality of an IT service. Any breach of confidentiality, integrity or availability should be treated as an information security incident.
The process responsible for managing the lifecycle of all incidents. Incident management ensures that normal service operation is restored as quickly as possible and the business impact is minimized.
A record containing the details of an incident. Each incident record documents the lifecycle of a single incident.
Structured data that is meaningful, relevant and useful and has value in context. Information is the second level in a hierarchy of increasing value from Data-to-Information-to-Knowledge-to-Wisdom.
information security management
The process responsible for ensuring that the confidentiality, integrity and availability of an organization's assets, information, data and IT services match the agreed needs of the business. Note that the information security objectives will now need to deliver cyber resilience, which is a development on past definitions of information security, reflecting the changing nature of the networked environment and the threats that this brings. Information security management supports business security and has a wider scope than that of the IT service provider, including handling of paper, building access, phone calls etc. for the entire organization.
information security management system (ISMS)
The framework of policy, processes, functions, standards, guidelines and tools that ensures an organization can achieve its information security management objectives. Note that the nature of an ISMS depends upon the breadth of security objectives and, for this publication, the ISMS will need to deliver cyber resilience, which is a development on past definitions of information security, reflecting the changing nature of the networked environment and the threats that this brings.
See management information system.
information technology (IT)
The use of technology for the storage, communication or processing of information. The technology typically includes computers, telecommunications, applications and other software. The information may include business data, voice, images, video etc. Information technology is often used to support business processes through IT services.
A characteristic of information that ensures it is only modified by authorized personnel and activities. Confidentiality, integrity and availability are the three core characteristics which confer requirements on information security systems and processes.
internal service provider
An IT service provider that is part of the same organization as its customer. An IT service provider may have both internal and external customers.
International Organization for Standardization (ISO)
The International Organization for Standardization (ISO) is the world's largest developer of standards. ISO is a non-governmental organization that is a network of the national standards institutes of 156 countries.
See www.iso.org for further information about ISO.
International Standards Organization
See International Organization for Standardization.
internet protocol (IP)
One of the protocols in the TCP/IP suite that is used for communicating between networked devices and routeing data over networks.
internet service provider (ISP)
An external service provider that provides access to the internet. Most ISPs also provide other IT services such as web hosting.
intrusion detection system/intrusion prevention system (IDS/IPS)
Network devices used for detecting and preventing intrusions in networks. IDS/IPS sensors are placed at strategic points in the network or on devices to detect malicious activities and to alert or prevent attacks. The IDS detects and raises alerts whereas the IPS tries to prevent attacks.
A generic term that refers to a number of international standards and guidelines for quality management systems.
See www.iso.org for more information.
See also International Organization for Standardization.
An international standard for quality management systems. See also ISO 9000.
An international standard for IT service management.
An international specification for information security management. The corresponding code of practice is ISO/IEC 27002.
All of the hardware, software, networks, facilities etc. that are required to develop, test, deliver, monitor, control or support applications and IT services. The term includes all of the information technology but not the associated people, processes and documentation.
Activities carried out by IT operations control, including console management/operations bridge, job scheduling, backup and restore, and print and output management. IT operations is also used as a synonym for service operation.
IT operations control
The ITSM function responsible for monitoring and control of the IT services and IT infrastructure.
See also operations bridge.
IT operations management
The ITSM function within an IT service provider that performs the daily activities needed to manage IT services and the supporting IT infrastructure. IT operations management includes IT operations control and facilities management.
A service provided by an IT service provider. An IT service is made up of a combination of information technology, people and processes. A customer-facing IT service directly supports the business processes of one or more customers, and its service level targets should be defined in a service level agreement. Other IT services, called supporting services, are not directly used by the business but are required by the service provider to deliver customer-facing services.
IT service continuity management (ITSCM)
The process responsible for managing risks that could seriously affect IT services. IT service continuity management ensures that the IT service provider can always provide minimum agreed service levels, by reducing the risk to an acceptable level and planning for the recovery of IT services. IT service continuity management supports business continuity management.
IT service management (ITSM)
The implementation and management of quality IT services that meet the needs of the business. IT service management is performed by IT service providers through an appropriate mix of people, process and information technology.
See also service management.
IT Service Management Forum (itSMF)
An independent organization dedicated to promoting a professional approach to IT service management. The itSMF is a not-for-profit membership organization with representation in many countries around the world (itSMF chapters). The itSMF and its membership contribute to the development of ITIL and associated IT service management standards.
See www.itsmfi.org for more information.
IT service provider
A service provider that provides IT services to internal or external customers.
IT steering group (ISG)
A formal group that is responsible for ensuring that business and IT service provider strategies and plans are closely aligned. An IT steering group includes senior representatives from the business and the IT service provider. Also known as IT strategy group or IT steering committee.
A set of best-practice publications for IT service management. Owned by AXELOS, ITIL gives guidance on the provision of quality IT services and the processes, functions and other capabilities needed to support them. The ITIL framework is based on a service lifecycle and consists of five lifecycle stages (service strategy, service design, service transition, service operation and continual service improvement), each of which has its own supporting publication. There is also a set of complementary ITIL publications providing guidance specific to industry sectors, organization types, operating models and technology architectures.
See https://www.axelos.com/itil for more information.
A document that defines the roles, responsibilities, skills and knowledge required by a particular person. One job description can include multiple roles - for example, the roles of configuration manager and change manager may be carried out by one person.
joiners, movers and leavers (JML)
A process that includes pre-employment screening, recruitment, onboarding and line management during employment, and exit management of employees. JML is usually managed by an HR organization and it should be closely tied with access management.
Hardware or software that can be used to monitor and capture keystrokes on a keyboard with the purpose of capturing sensitive information such as account information and passwords. Key loggers are sometimes called key stroke loggers.
key performance indicator (KPI)
A metric that is used to help manage an IT service, process, plan, project or other activity. Key performance indicators are used to measure the achievement of critical success factors. Many metrics may be measured, but only the most important of these are defined as key performance indicators and used to actively manage and report on the process, IT service or activity. They should be selected to ensure that efficiency, effectiveness and cost effectiveness are all managed.
A logical database containing data and information used by the service knowledge management system.
The ITSM process responsible for sharing perspectives, ideas, experience and information, and for ensuring that these are available in the right place and at the right time. The knowledge management process enables informed decisions, and improves efficiency by reducing the need to rediscover knowledge.
See also service knowledge management system.
A problem that has a documented root cause and a workaround. Known errors are created and managed throughout their lifecycle by problem management. Known errors may also be identified by development staff or suppliers.
The principle of access control whereby entities are only allocated the minimum access rights or privileges needed to carry out their duties.
The various stages in the life of an IT service, configuration item, incident, problem, change etc. The lifecycle defines the categories for status and the status transitions that are permitted. For example, the lifecycle of an application includes requirements, design, build, deploy, operate, optimize. The expanded incident lifecycle includes detection, diagnosis, repair, recovery and restoration. The lifecycle of a server may include: ordered, received, in test, live, disposed of etc.
Refers to an IT service or other configuration item that is being used to deliver a service to a customer.
A controlled environment containing live configuration items used to deliver IT services to customers.
Interaction with hardware or software via a remote connection. This can be contrasted with physical access where the user needs to be in the same physical environment as the component they are interacting with.
A measure of how quickly and effectively an IT service or other configuration item can be restored to normal working after a failure. Maintainability is often measured and reported as MTRS. Maintainability is also used in the context of software or IT service development to mean ability to be changed or repaired easily.
The highest category of impact for an incident. A major incident results in significant disruption to the business.
An informal measure of how easily and effectively an IT service or other component can be managed.
Information that is used to support decision-making by managers. Management information is often generated automatically by tools supporting the various IT service management processes. Management information often includes the values of key performance indicators, such as 'percentage of changes leading to incidents' or 'first-time fix rate'.
management information system (MIS)
A set of tools, data and information that is used to support a process or function. Examples include the availability management information system and the supplier and contract management information system. See also service knowledge management system.
Management of Risk (M_o_R)
Systemic application of policies, procedures, methods and practices to the tasks of identifying and assessing risks, and then planning and implementing risk responses. This provides a disciplined environment for a proactive decision-making management system.
The framework of policy, processes, functions, standards, guidelines and tools that ensures an organization or part of an organization can achieve its objectives. This term is also used with a smaller scope to support a specific process or activity - for example, an event management system or risk management system.
See also system.
A measure of the reliability, efficiency and effectiveness of a process, function, organization etc. The most mature processes and functions are formally aligned with business objectives and strategy, and are supported by a framework for continual improvement.
A named level in a maturity model, such as the Carnegie Mellon Capability Maturity Model Integration (CMMI).
mean time between failures (MTBF)
A metric for measuring and reporting reliability. MTBF is the average time that a service, system or component can perform its agreed function without interruption. This is measured from when the service, system or component starts working, until it next fails.
mean time to restore service (MTRS)
The average time taken to restore an IT service or other configuration item after a failure. MTRS is measured from when the configuration item fails until it is fully restored and delivering its normal functionality.
Something that is measured and reported to help manage a process, IT service or activity.
See also key performance indicator.
A short but complete description of the overall purpose and intentions of an organization. It states what is to be achieved, but not how this should be done.
mobile device management (MDM)
Remote management of mobile devices such as tablets, smartphones and laptops. MDM can be used to apply and enforce security policies, and to update, lock and wipe mobile devices.
A representation of a system, process, IT service, configuration item etc. that is used to help understand or predict future behaviour.
A technique that is used to predict the future behaviour of a system, process, IT service, configuration item etc. Modelling is commonly used in financial management, capacity management and availability management.
Repeated observation of a configuration item, IT service or process to detect events and to ensure that the current status is known.
The use of more than one form of authentication information required to verify the identity of an entity. The authentication information is usually something one knows (for example, a password), something one possesses (for example, a token) or something one is (for example, a biometric).
need to know
A principle of confidentiality that requires information to be shared with only those who need to know the information to carry out their duties.
network access control (NAC)
A way to control access to networks from endpoints by ensuring that the endpoint devices meet the minimum or baseline configuration requirements, including in the areas of anti-virus software, patches etc. before they are allowed to connect to the network.
Providing undeniable proof that an alleged event actually happened or an alleged action was actually carried out, and that these events and actions were carried out by a particular entity.
The outcomes required from a process, activity or organization in order to ensure that its purpose will be fulfilled. Objectives are usually expressed as measurable targets. The term is also informally used to mean a requirement.
off the shelf
See commercial off the shelf.
open shortest path first (OSPF)
A dynamic IP-based routeing protocol that routers use to work out the shortest path to the target destination network.
Open Web Application Security Project (OWASP)
An online non-profit community dedicated to web application security. The OWASP community includes organizations and individuals from across the globe who publish articles and provide documentation, tools and technologies for application security.
To perform as expected. A process or configuration item is said to operate if it is delivering the required outputs. Operate also means to perform one or more operations. For example, to operate a computer is to do the day-to-day operations needed for it to perform as expected.
Routine management of an IT service, system or other configuration item. Operation is also used to mean any predefined activity or transaction - for example, accepting money at a point of sale, or reading data from a disk drive.
The lowest of three levels of planning and delivery (strategic, tactical, operational). Operational activities include the day-to-day or short-term planning or delivery of a business process or IT service management process. The term is also a synonym for live.
operational level agreement (OLA)
An agreement between an IT service provider and another part of the same organization. It supports the IT service provider's delivery of IT services to customers and defines the goods or services to be provided and the responsibilities of both parties. For example, there could be an operational level agreement:
• Between the IT service provider and a procurement department to obtain hardware in agreed times
• Between the service desk and a support group to provide incident resolution in agreed times.
See also service level agreement.
A physical location where IT services and IT infrastructure are monitored and managed.
See IT operations control.
See IT operations management.
Review, plan and request changes, in order to obtain the maximum efficiency and effectiveness from a process, configuration item, application etc.
A company, legal entity or other institution. The term is sometimes used to refer to any entity that has people, resources and budgets - for example, a project or business unit.
The result of carrying out an activity, following a process, or delivering an IT service etc. The term is used to refer to intended results as well as to actual results.
See also objective.
Using an external service provider to manage IT services.
Installing vendor updates to operating systems, applications or firmware, usually in response to vulnerabilities, to correct errors or to support new hardware.
A measure of what is achieved or delivered by a system, person, team, process or IT service.
Activities to ensure that something achieves its expected outcomes in an efficient and consistent manner.
personal identification number (PIN)
A numeric password that can be used in authentication.
Readable information before it is subjected to encryption.
A detailed proposal that describes the activities and resources needed to achieve an objective - for example, a risk treatment plan.
A four-stage cycle for process management, attributed to Edward Deming. Plan-Do-Check-Act is also called the Deming Cycle. It comprises:
• Plan: Design or revise processes to deliver desired outcomes.
• Do: Implement the plan and manage the processes.
• Check: Measure the processes and the outcomes, compare with objectives and produce reports.
• Act: Plan and implement changes to improve the processes.
Formally documented management expectations and intentions. Policies are used to direct decisions, and to ensure consistent and appropriate development and implementation of processes, standards, roles, activities, IT infrastructure etc.
post-implementation review (PIR)
A review that takes place after a change or a project has been implemented. It determines if the change or project was successful, and identifies opportunities for improvement.
A way of working, or a way in which work must be done. Practices can include activities, processes, functions, standards and guidelines.
See also best practice.
A control that is intended to prevent a threat from succeeding.
See PRojects IN Controlled Environments.
A category used to identify the relative importance of an incident, problem or change. Priority is based on impact and urgency, and is used to identify required times for actions to be taken. For example, the service level agreement may state that Priority 2 incidents must be resolved within 12 hours.
private automatic branch exchange (PABX)
An automatic telephone switch that emulates an internal telephone network and can also act as the gateway to external networks for outgoing calls.
A portion of an asymmetric key pair that is kept confidential or private. A private key can be used to decrypt information that has been encrypted with the corresponding public key. It can also be used to encrypt a message hash to be used as a digital signature.
A cause of one or more incidents. The cause is not usually known at the time a problem record is created, and the problem management process is responsible for further investigation.
The process responsible for managing the lifecycle of all problems. Problem management proactively prevents incidents from happening and minimizes the impact of incidents that cannot be prevented.
The steps that specify how to achieve an activity. Procedures are defined as part of processes.
A structured set of activities designed to accomplish a specific objective. A process takes one or more defined inputs and turns them into defined outputs. It may include any of the roles, responsibilities, tools and management controls required to reliably deliver the outputs. A process may define policies, standards, guidelines, activities and work instructions if they are needed.
The activity of planning and regulating a process, with the objective of performing the process in an effective, efficient and consistent manner.
The person who is held accountable for ensuring that a process is fit for purpose. The process owner's responsibilities include sponsorship, design, change management and continual improvement of the process and its metrics. This role can be assigned to the same person who carries out the process manager role, but the two roles may be separate in larger organizations.
See live environment.
A number of projects and activities that are planned and managed together to achieve an overall set of related objectives and other outcomes.
A temporary organization, with people and other assets, that is required to achieve an objective or other outcome. Each project has a lifecycle that typically includes initiation, planning, execution and closure. Projects are usually managed using a formal methodology such as PRojects IN Controlled Environments (PRINCE2) or the Project Management Body of Knowledge (PMBOK).
Project Management Body of Knowledge (PMBOK)
A project management standard maintained and published by the Project Management Institute.
See www.pmi.org for more information.
See also PRojects IN Controlled Environments (PRINCE2).
PRojects IN Controlled Environments (PRINCE2)
The standard UK government methodology for project management.
See https://www.axelos.com/prince2 for more information.
See also Project Management Body of Knowledge (PMBOK).
A portion of an asymmetric key pair that is generally made available and is used to encrypt data which only the corresponding private key can decrypt. A public key can also be used to decrypt a message hash to verify a digital signature.
public key encryption (PKE)
An encryption system that uses asymmetric key pairs (public and private) to encrypt and decrypt information.
public key infrastructure (PKI)
Infrastructure required to manage digital certificates. PKI provides the ability to create, distribute, use and revoke digital certificates to support authentication and non-repudiation.
An activity that ensures that the IT infrastructure is appropriate and correctly configured to support an application or IT service.
See also validation.
The ability of a product, service or process to provide the intended value. For example, a hardware component can be considered to be of high quality if it performs as expected and delivers the required reliability. Process quality also requires an ability to monitor effectiveness and efficiency, and to improve them if necessary.
See also quality management system.
quality management system (QMS)
The framework of policy, processes, functions, standards, guidelines and tools that ensures an organization is of a suitable quality to reliably meet business objectives or service levels.
See also ISO 9000.
A model used to help define roles and responsibilities. RACI stands for responsible, accountable, consulted and informed.
A document containing the results or other output from a process or activity. Records are evidence of the fact that an activity took place, and they may be paper or electronic - for example, an audit report, an incident record or the minutes of a meeting.
Returning a configuration item or an IT service to a working state. Recovery of an IT service often includes recovering data to a known consistent state. After recovery, further steps may be needed before the IT service can be made available to the users (restoration). Recovery may also include working with regulators, customers or other external stakeholders to remediate the impact of a security incident.
Use of one or more additional configuration items to provide fault tolerance. The term also has a generic meaning of obsolescence, or no longer being needed.
See also defence-in-depth.
A connection or interaction between two people or things. In business relationship management, it is the interaction between the IT service provider and the business. In service asset and configuration management, it is a link between two configuration items that identifies a dependency or connection between them. For example, applications may be linked to the servers they run on, and IT services have many links to all the configuration items that contribute to that IT service.
One or more changes to an IT service that are built, tested and deployed together. A single release may include changes to hardware, software, documentation, processes and other components.
release and deployment management
The ITSM process responsible for planning, scheduling and controlling the build, test and deployment of releases, and for delivering new functionality required by the business while protecting the integrity of existing services.
A set of configuration items that will be built, tested and deployed together as a single release. Each release package will usually include one or more release units.
A measure of how long an IT service or other configuration item can perform its agreed function without interruption. Usually measured as MTBF or MTBSI. The term can also be used to state how likely it is that a process, function etc. will deliver its required outputs.
See also availability.
The act of correcting vulnerabilities, deficiencies, faults or failed changes. This could be by installing a patch, adjusting configuration settings, or installing or uninstalling software applications including undoing changes.
The replacement or correction of a failed configuration item.
request for change (RFC)
A formal proposal for a change to be made. It includes details of the proposed change, and may be recorded on paper or electronically. The term is often misused to mean a change record, or the change itself.
The ITSM process responsible for managing the lifecycle of all service requests.
A formal statement of what is needed - for example, a legal requirement, a service level requirement, a project requirement or the required deliverables for a process.
A set of best-practice publications in cyber resilience. Owned by AXELOS (a joint venture between the Cabinet Office (part of HM Government) and Capita), RESILIA gives guidance on the deployment and management of cyber resilience, including the processes, functions and other capabilities needed to support them. The RESILIA framework is based on a service lifecycle and consists of five lifecycle stages (strategy, design, transition, operation and continual improvement).
See https://www.axelos.com/resilia for more information.
The ability of a system or component to resist an unplanned disturbance or failure, and the ability to recover in a timely manner following any unplanned disturbance or failure. For example, an armoured cable will resist failure when put under stress and therefore demonstrates resilience.
Action taken to repair the root cause of an incident or problem, or to implement a workaround. In ISO/IEC 20000, 'resolution processes' is the process group that includes incident and problem management.
A generic term that includes IT infrastructure, people, money or anything else that might help to deliver an IT service. Resources are considered to be assets of an organization.
See also capability; service asset.
Taking action to return an IT service to the users after repair and recovery from an incident. Restoration is the primary objective of incident management.
Permanently remove an IT service, or other configuration item, from the live environment. Being retired is a stage in the lifecycle of many configuration items.
An evaluation of a change, problem, process, project etc. Reviews are typically carried out at predefined points in the lifecycle, and especially after closure. The purpose of a review is to ensure that all deliverables have been provided, and to identify opportunities for improvement.
See also change evaluation; post-implementation review.
Entitlements, or permissions, granted to a user or role - for example, the right to modify particular data, or to authorize a change.
A possible event that could cause harm or loss, or affect the ability to achieve objectives. A risk is measured by the probability of a threat, the vulnerability of the asset to that threat, and the impact it would have if it occurred. Risk can also be defined as uncertainty of outcome, and can be used in the context of measuring the probability of positive outcomes as well as negative outcomes.
The initial steps of risk management: analysing the value of assets to the business, identifying threats to those assets, and evaluating how vulnerable each asset is to those threats. Risk assessment can be quantitative (based on numerical data) or qualitative.
The process responsible for identifying, assessing and controlling risks. Risk management is also sometimes used to refer to the second part of the overall process after risks have been identified and assessed, as in 'risk assessment and management'.
See also risk assessment.
A set of responsibilities, activities and authorities assigned to a person or team. A role is defined in a process or function. One person or team may have multiple roles - for example, the roles of configuration manager and change manager may be carried out by a single person. Role is also used to describe the purpose of something or what it is used for.
role-based access control (RBAC)
A method of access control that bases access rights on the role of the user.
The underlying or original cause of an incident or problem.
A US federal law for internal control that governs all publicly listed companies. The Sarbanes-Oxley Act requires an organization's board to certify its company's financial records.
The ability of an IT service, process, configuration item etc. to continue to perform its agreed function when the workload or scope changes.
The boundary or extent to which a process, procedure, certification, contract etc. applies. For example, the scope of change management may include all live IT services and related configuration items; the scope of an ISO/IEC 27001 certificate may include all IT services delivered out of a named data centre.
secure sockets layer (SSL)
A session-based encryption methodology that is used to protect internet connections between two points.
See also transport layer security.
security information and event management (SIEM)
An application that monitors and collates information and provides real-time analysis of the security alerts generated by hardware and software.
segregation of duties
An internal control principle of separating roles and privileges to ensure that one entity cannot have enough privileges to abuse its role.
separation of concerns (SoC)
An approach to designing a solution or IT service that divides the problem into parts that can be solved independently. This approach separates what is to be done from how it is to be done.
A computer that is connected to a network and provides software functions that are used by other computers.
A means of delivering value to customers by facilitating outcomes that customers want to achieve without the ownership of specific costs and risks.
Any resource or capability of a service provider.
See also asset.
service asset and configuration management (SACM)
The ITSM process responsible for ensuring that the assets required to deliver services are properly controlled, and that accurate and reliable information about those assets is available when and where it is needed. This information includes details of how the assets have been configured and the relationships between assets.
See also configuration management system.
service capacity management
The sub-process of capacity management responsible for understanding the performance and capacity of IT services. Information on the resources used by each IT service and the pattern of usage over time are collected, recorded and analysed for use in the capacity plan.
See also business capacity management; component capacity management.
A database or structured document with information about all live IT services, including those available for deployment. The service catalogue is part of the service portfolio and contains information about two types of IT service: customer-facing services that are visible to the business, and supporting services required by the service provider to deliver customer-facing services.
service catalogue management
The ITSM process responsible for providing and maintaining the service catalogue and for ensuring that it is available to those who are authorized to access it.
A stage in the lifecycle of a service. Service design includes the design of the services, governing practices, processes and policies required to realize the service provider's strategy and to facilitate the introduction of services into supported environments. Service design includes the following processes: design coordination, service catalogue management, service level management, availability management, capacity management, IT service continuity management, information security management and supplier management. Although these processes are associated with service design, most processes have activities that take place across multiple stages of the service lifecycle.
See also design.
service design package (SDP)
Document(s) defining all aspects of an IT service and its requirements through each stage of its lifecycle. A service design package is produced for each new IT service, major change or IT service retirement.
The single point of contact between the service provider and the users. A typical service desk manages incidents and service requests, and also handles communication with the users.
service knowledge management system (SKMS)
A set of tools and databases that is used to manage knowledge, information and data. The service knowledge management system includes the configuration management system, as well as other databases and information systems. The service knowledge management system includes tools for collecting, storing, managing, updating, analysing and presenting all the knowledge, information and data that an IT service provider will need to manage the full lifecycle of IT services.
See also knowledge management.
service level agreement (SLA)
An agreement between an IT service provider and a customer. A service level agreement describes the IT service, documents service level targets, and specifies the responsibilities of the IT service provider and the customer. A single agreement may cover multiple IT services or multiple customers.
See also operational level agreement.
service level management (SLM)
The ITSM process responsible for negotiating achievable service level agreements and ensuring that these are met. It is responsible for ensuring that all IT service management processes, operational level agreements and underpinning contracts are appropriate for the agreed service level targets. Service level management monitors and reports on service levels, holds regular service reviews with customers, and identifies required improvements.
service level requirement (SLR)
A customer requirement for an aspect of an IT service. Service level requirements are based on business objectives and used to negotiate agreed service level targets.
service level target
A commitment that is documented in a service level agreement. Service level targets are based on service level requirements, and are needed to ensure that the IT service is able to meet business objectives. They should be SMART, and are usually based on key performance indicators.
An approach to IT service management that emphasizes the importance of coordination and control across the various functions, processes and systems necessary to manage the full lifecycle of IT services. The service lifecycle approach considers the strategy, design, transition, operation and continual improvement of IT services. Also known as service management lifecycle.
A set of specialized organizational capabilities for providing value to customers in the form of services.
A stage in the lifecycle of a service. Service operation coordinates and carries out the activities and processes required to deliver and manage services at agreed levels to business users and customers. Service operation also manages the technology that is used to deliver and support services. Service operation includes the following processes: event management, incident management, request fulfilment, problem management and access management. Service operation also includes the following functions: service desk, technical management, IT operations management and application management. Although these processes and functions are associated with service operation, most processes and functions have activities that take place across multiple stages of the service lifecycle.
A role responsible for managing one or more services throughout their entire lifecycle. Service owners are instrumental in the development of service strategy and are responsible for the content of the service portfolio.
A database or structured document listing all IT services that are under consideration or development, but are not yet available to customers. The service pipeline provides a business view of possible future IT services and is part of the service portfolio that is not normally published to customers.
The complete set of services that is managed by a service provider. The service portfolio is used to manage the entire lifecycle of all services, and includes three categories: service pipeline (proposed or in development), service catalogue (live or available for deployment), and retired services.
See also service portfolio management.
service portfolio management
The process responsible for managing the service portfolio. Service portfolio management ensures that the service provider has the right mix of services to meet required business outcomes at an appropriate level of investment. Service portfolio management considers services in terms of the business value that they provide.
An organization supplying services to one or more internal customers or external customers. Service provider is often used as an abbreviation for IT service provider.
A formal request from a user for something to be provided - for example, a request for information or advice, to reset a password, or to install a workstation for a new user. Service requests are managed by the request fulfilment process, usually in conjunction with the service desk. Service requests may be linked to a request for change as part of fulfilling the request.
service set identifier (SSID)
The name of a wireless network that is broadcast to enable endpoints to connect. Wireless endpoints connect to the SSID to form a wireless local area network.
A stage in the lifecycle of a service. Service strategy defines the perspective, position, plans and patterns that a service provider needs to execute to meet an organization's business outcomes. Service strategy includes the following processes: strategy management for IT services, service portfolio management, financial management for IT services, demand management and business relationship management. Although these processes are associated with service strategy, most processes have activities that take place across multiple stages of the service lifecycle.
A stage in the lifecycle of a service. Service transition ensures that new, modified or retired services meet the expectations of the business as documented in the service strategy and service design stages of the lifecycle. Service transition includes the following processes: transition planning and support, change management, service asset and configuration management, release and deployment management, service validation and testing, change evaluation and knowledge management. Although these processes are associated with service transition, most processes have activities that take place across multiple stages of the service lifecycle.
See also transition.
service validation and testing
The ITSM process responsible for validation and testing of a new or changed IT service. Service validation and testing ensures that the IT service matches its design specification and will meet the needs of the business.
The ability of a third-party supplier to meet the terms of its contract. This contract will include agreed levels of reliability, maintainability and availability for a configuration item.
seven-step improvement process
The ITSM process responsible for defining and managing the steps needed to identify, define, gather, process, analyse, present and implement improvements. The performance of the IT service provider is continually measured by this process, and improvements are made to processes, IT services and IT infrastructure in order to increase efficiency, effectiveness and cost effectiveness. Opportunities for improvement are recorded and managed in the CSI register.
simple network management protocol (SNMP)
A protocol from the TCP/IP suite of protocols that is used to monitor, configure and manage network devices.
single loss expectancy (SLE)
The expected financial loss due to a risk, each time that risk occurs.
single point of contact
Providing a single consistent way to communicate with an organization or business unit. For example, a single point of contact for an IT service provider is usually called a service desk.
An authentication method that uses the same logon credentials across multiple systems, so that the user is only required to log on once to be able to access multiple systems.
An acronym for helping to remember that targets in service level agreements and project plans should be specific, measurable, achievable, relevant and time-bound.
software as a service (SaaS)
A model for delivery of software, and software licensing, in which the software is hosted by a service provider, which provides access to the software on a subscription basis.
A formal definition of requirements. A specification may be used to define technical or operational requirements, and may be internal or external. Many public standards consist of a code of practice and a specification. The specification defines the standard against which an organization can be audited.
A person who has an interest in an organization, project, IT service etc. Stakeholders may be interested in the activities, targets, resources or deliverables. Stakeholders may include customers, partners, employees, shareholders, owners etc.
See also RACI.
A mandatory requirement. Examples include ISO/IEC 27001 (an international standard), an internal security standard for UNIX configuration, or a government standard setting out how financial records should be maintained. The term is also used to refer to a code of practice or specification published by a standards organization such as ISO or BSI.
See also guideline.
A pre-authorized change that is low risk, relatively common and follows a procedure or work instruction - for example, a password reset or provision of standard equipment to a new employee. Requests for change are not required to implement a standard change, and they are logged and tracked using a different mechanism, such as a service request.
The name of a required field in many types of record. It shows the current stage in the lifecycle of the associated configuration item, incident, problem etc.
The highest of three levels of planning and delivery (strategic, tactical, operational). Strategic activities include objective-setting and long-term planning to achieve the overall vision.
A strategic plan designed to achieve defined objectives.
strategy management for IT services
The ITSM process responsible for defining and maintaining an organization's perspective, position, plans and patterns with regard to its services and the management of those services. Once the strategy has been defined, strategy management for IT services is also responsible for ensuring that it achieves its intended business outcomes.
A third party responsible for supplying goods or services that are required to manage cyber resilience or to deliver IT services. Examples of suppliers include commodity hardware and software vendors, network and telecom providers, and outsourcing organizations.
See also supply chain; underpinning contract.
The process responsible for obtaining value for money from suppliers, ensuring that all contracts and agreements with suppliers support the needs of the business, and that all suppliers meet their contractual commitments.
The activities in a value chain carried out by suppliers. A supply chain typically involves multiple suppliers, each adding value to the product or service.
See also value network.
An encryption key used to encrypt and also decrypt information. A symmetric key is sometimes called a secret key.
A number of related things that work together to achieve an overall objective. For example:
• A computer system including hardware, software and applications
• A management system, including the framework of policy, processes, functions, standards, guidelines and tools that are planned and managed together - for example, a quality management system
• A database management system or operating system that includes many software modules which are designed to perform a set of related functions.
The middle of three levels of planning and delivery (strategic, tactical, operational). Tactical activities include the medium-term plans required to achieve specific objectives, typically over a period of weeks to months.
The ITSM function responsible for providing technical skills in support of IT services and management of the IT infrastructure. Technical management defines the roles of support groups, as well as the tools, processes and procedures required.
See technical management.
terms of reference
A document specifying the requirements, scope, deliverables, resources and schedule for a project or activity.
An activity that verifies that a cyber resilience control, configuration item, IT service, process etc. meets its specification or agreed requirements.
See also acceptance; service validation and testing.
An enterprise architecture methodology and framework, owned and maintained by The Open Group.
A person, organization or other entity that is not one of the two primarily concerned. In information security this could be an external entity (who is not the organization that owns the information or an internal user). In IT service management it could be a supplier (who is not the IT service provider or their customer).
Anything that might exploit a vulnerability. Any potential cause of an incident can be considered a threat. For example, a fire is a threat that could exploit the vulnerability of flammable floor coverings.
The value of a metric that should cause an alert to be generated or management action to be taken. For example, 'Priority 1 incident not solved within four hours', 'More than five soft disk errors in an hour', or 'More than 10 failed changes in a month'.
A measure of the number of transactions or other operations performed in a fixed time - for example, 5,000 emails sent per hour, or 200 disk I/Os per second.
A discrete function performed by an IT service - for example, transferring money from one bank account to another. A single transaction may involve numerous additions, deletions and modifications of data. Either all of these are completed successfully or none of them is carried out.
A change in state, corresponding to a movement of a cyber resilience control, an IT service or other configuration item from one lifecycle status to the next.
transition planning and support
The ITSM process responsible for planning all service transition processes and coordinating the resources that they require.
transport layer security (TLS)
A security protocol similar to secure sockets layer (SSL) that protects information in transit between two communicating points using strong encryption.
A contract between an IT service provider and a third party. The third party provides goods or services that support delivery of an IT service to a customer. The underpinning contract defines targets and responsibilities that are required to meet agreed service level targets in one or more service level agreements.
A measure of how long it will be until an incident, problem or change has a significant impact on the business. For example, a high-impact incident may have low urgency if the impact will not affect the business until the end of the financial year. Impact and urgency are used to assign priority.
The ease with which an application, product or IT service can be used. Usability requirements are often included in a statement of requirements.
A person who uses an IT service on a day-to-day basis. Users are distinct from customers, as some customers do not use the IT service directly.
The functionality offered by a product or service to meet a particular need. Utility can be summarized as 'what the service does', and can be used to determine whether a service is able to meet its required outcomes, or is 'fit for purpose'. The business value of an IT service is created by the combination of utility and warranty.
See also service validation and testing.
An activity that ensures a new or changed cyber resilience control, IT service, process, plan or other deliverable meets the needs of the business. Validation ensures that business requirements are met even though these may have changed since the original design.
See also acceptance; qualification; service validation and testing; verification.
A sequence of processes that creates a product or service that is of value to a customer. Each step of the sequence builds on the previous steps and contributes to the overall product or service.
See also value network.
A complex set of relationships between two or more groups or organizations. Value is generated through exchange of knowledge, information, goods or services.
See also value chain.
An activity that ensures that a new or changed cyber resilience control, IT service, process, plan or other deliverable is complete, accurate, reliable and matches its design specification.
See also acceptance; validation; service validation and testing.
virtual private network (VPN)
An encrypted connection over a public network that appears to be an extension of a private network, due to the protection of data provided by the encryption.
voice over internet protocol (VoIP)
A method for sending voice traffic using the internet protocol over data networks.
A weakness that could be exploited by a threat - for example, an open firewall port, a password that is never changed, or a flammable carpet. A missing control is also considered to be a vulnerability.
Assurance that a product or service will meet agreed requirements. This may be a formal agreement such as a service level agreement or contract, or it may be a marketing message or brand image. Warranty refers to the ability of a service to be available when needed, to provide the required capacity, and to provide the required reliability in terms of continuity and security. Warranty can be summarized as 'how the service is delivered', and can be used to determine whether a service is 'fit for use'. The business value of an IT service is created by the combination of utility and warranty.
See also service validation and testing.
web application firewall (WAF)
A firewall that is able to protect against web-based attacks such as those listed in the OWASP top 10 risks.
WiFi Protected Access (WPA) and WiFi Protected Access 2 (WPA2)
Wireless security protocols based on the IEEE 802.11i standard defined by the WiFi Alliance that protect the confidentiality of information over wireless connections and support strong encryption and authentication. WPA2 is the more secure version of WPA.
wired equivalent privacy (WEP)
A wireless security protocol that protects the confidentiality of information over wireless connections. WEP has been superseded by WPA and subsequently WPA2. WEP is no longer recommended due to its inherent flaws.
Reducing or eliminating the impact of an incident or problem for which a full resolution is not yet available - for example, by restarting a failed configuration item. Workarounds for problems are documented in known error records. Workarounds for incidents that do not have associated problem records are documented in the incident record.