1.0 MOF Overview

8/7/2019 1.0 MOF Overview

1/29

Microsoft Operations Framework

Version 4.0

MOF Overview

Published: April 2008

For the latest information, please seemicrosoft.com/technet/SolutionAccelerators
http://technet.microsoft.com/en-us/solutionaccelerators/default.aspxhttp://technet.microsoft.com/en-us/solutionaccelerators/default.aspxhttp://technet.microsoft.com/en-us/solutionaccelerators/default.aspxhttp://technet.microsoft.com/en-us/solutionaccelerators/default.aspxhttp://technet.microsoft.com/en-us/solutionaccelerators/default.aspx


2/29

ii Microsoft Operations Framework 4.0

Copyright 2008 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws isyour responsibility. By using or providing feedback on this documentation, you agree to the license agreementbelow.

If you are using this documentation solely for non-commercial purposes internally within YOUR company ororganization, then this documentation is licensed to you under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ orsend a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS".Your use of the documentation cannot be understood as substituting for customized service and informationthat might be developed by Microsoft Corporation for a particular user based upon that users particularenvironment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND,DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TOYOU FOR ANY DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANYINTELLECTUAL PROPERTY IN THEM.

Microsoft may have patents, patent applications, trademarks, or other intellectual property rights coveringsubject matter within this documentation. Except as provided in a separate agreement from Microsoft, your useof this document does not give you any license to these patents, trademarks or other intellectual property.

Information in this document, including URL and other Internet Web site references, is subject to changewithout notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mailaddresses, logos, people, places and events depicted herein are fictitious.

Microsoft, Excel, and Visio are registered trademarks of Microsoft Corporation in the United States and/or othercountries.

The names of actual companies and products mentioned herein may be the trademarks of their respectiveowners.

You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating tothe documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft, withoutcharge, the right to use, share and commercialize your Feedback in any way and for any purpose. You alsogive to third parties, without charge, any patent rights needed for their products, technologies and services touse or interface with any specific parts of a Microsoft software or service that includes the Feedback. You willnot give Feedback that is subject to a license that requires Microsoft to license its software or documentation tothird parties because we include your Feedback in them.

Solution Accelerators microsoft.com/technet/SolutionAccelerators


3/29

Contents

Introduction to MOF ..........................................................................1

Goal of MOF ..............................................................................1How to Use MOF ........................................................................1

The IT Service Lifecycle ...............................................................2

The Lifecycle Phases .............................................................2

Service Management Functions Within the Phases ...................... 3

Management Reviews .............................................................4

Goals and Functions of the IT Service Lifecycle Phases ............... 7

Plan Phase ............................................................................7

Deliver Phase ........................................................................9

Goals of the Deliver Phase ............................................................9Operate Phase .....................................................................12

Manage Layer ......................................................................14

Objectives, Risks, and Controls ..............................................16

MOF Applied ...................................................................................17

Governance, Risk, and Compliance SMF ..................................17

Policy SMF ..........................................................................18

Reliability SMF .....................................................................18

Financial Management SMF ...................................................19

Business/IT Alignment SMF ...................................................19Change and Configuration SMF ..............................................19

Portfolio Management Review ................................................19

Team SMF ..........................................................................19

Envision SMF .......................................................................20

Project Planning SMF ............................................................20

Project Plan Approved Management Review ............................. 20

Build SMF ...........................................................................20

Stabilize SMF .......................................................................21

Release Readiness Management Review ..................................21Deploy SMF .........................................................................21

Service Monitoring and Control SMF ........................................22

Operations SMF ...................................................................22

Operational Health Management Review ..................................22

Customer Service SMF ..........................................................22

Problem Management SMF ....................................................22



4/29

iv Microsoft Operations Framework 4.0

Service Alignment Management Review ...................................23

Policy and Control Management Review ...................................23

Conclusion ...............................................................................23

Next Steps .....................................................................................23

Feedback .................................................................................23

Attributions ....................................................................................24



5/29

Introduction to MOF

Microsoft Operations Framework (MOF) consists of integrated best practices,principles, and activities that provide comprehensive guidelines for achieving reliability forIT solutions and services. MOF provides question-based guidance that allows you todetermine what is needed for your organization now, as well as activities that will keepthe IT organization running efficiently and effectively in the future.

The guidance in the Microsoft Operations Framework encompasses all of the activitiesand processes involved in managing an IT service: its conception, development,operation, maintenance, andultimatelyits retirement. MOF organizes these activitiesand processes into Service Management Functions (SMFs), which are grouped togetherin phases that mirror the IT service lifecycle. Each SMF is anchored within a lifecyclephase and contains a unique set of goals and outcomes supporting the objectives of thatphase. An IT services readiness to move from one phase to the next is confirmed bymanagement reviews, which ensure that goals are achieved in an appropriate fashionand that ITs goals are aligned with the goals of the organization.

Goal of MOFThe goal of MOF is to provide guidance to IT organizations to help them create, operate,and support IT services while ensuring that the investment in IT delivers expectedbusiness value at an acceptable level of risk.

MOFs purpose is to create an environment where business and IT can work togethertoward operational maturity, using a proactive model that defines processes and standardprocedures to gain efficiency and effectiveness. MOF promotes a logical approach todecision-making and communication and to the planning, deployment, and support of ITservices.

How to Use MOF

The MOF guidance consists of a series of phase overviews and SMF guides. Thesedescribe the activities that need to occur for successful IT service managementfromthe assessment that launches a new or improved service, through the process ofoptimizing an existing service, all the way to the retirement of an outdated service.

The guidance is written for a number of audiencesCorporate Information Officers(CIOs), IT managers, and IT professionals:

Overview guides are directed toward CIOs who need to see the big picture.

Overview and workflow information in function-specific guides is geared toward ITmanagers who need to understand the IT service strategies.

Activities in function-specific guides are meant for the IT professionals whoimplement MOF within their work.

The MOF guidance is available on Microsoft TechNet athttp://www.microsoft.com/technet/solutionaccelerators/cits/mo/mof/default.mspx.

http://www.microsoft.com/technet/solutionaccelerators/cits/mo/mof/default.mspxhttp://www.microsoft.com/technet/solutionaccelerators/cits/mo/mof/default.mspxhttp://www.microsoft.com/technet/solutionaccelerators/cits/mo/mof/default.mspx


6/29


7/29

MOF Overview

Next is the Operate Phase. The goal of this phase is to ensure that IT services areoperated, maintained, and supported in a way that meets business needs andexpectations.

The Manage Layer is the foundation of the IT service lifecycle. Its goal is to provideoperating principles and best practices to ensure that the investment in IT deliversexpected business value at an acceptable level of risk. This phase is concerned with

IT governance, risk, compliance, roles and responsibilities, change management, andconfiguration. Processes in this phase take place during all phases of the lifecycle.

Following the guidelines contained in MOF can help:

Decrease risks through better coordination between teams.

Recognize compliance implications when policies are reviewed.

Anticipate and mitigate reliability impacts.

Discover possible integration issues prior to production.

Prevent performance issues by anticipating thresholds.

Effectively adapt to new business needs.

When an IT service is first released, it is generally the result of a new initiative: IT-drivenor business-driven. Throughout the lifecycle of the service, whenever changesminor,major, and significantare made, the MOF IT service lifecycle phases should be applied.

Use the MOF IT service lifecycle phases regardless of the size or impact of achange. The formality with which you apply the lifecycle is proportionate to the risk of thechange. You need to do just what is requiredno more and no less. For example, amajor new initiative, such as a new service on which a business function depends, shouldgo through in-depth analysis and review in the Plan Phase, a formal project plan in theDeliver Phase, and preparation for and review of how IT will implement, support, andmonitor this service in the Operate Phase.

A smaller change that does not have as much risk should also go through the lifecyclephases, but can do so in a more nimble way. For example, a change to a Web site is

requested. It is not defined as a standard change, so the MOF IT service lifecycle needsto be applied. In the Plan Phase, the requirements are defined with the business, policiesare checked, and reliability tradeoffs are made. In the Deliver Phase, the change isdesigned and tested. In the Operate Phase, the change is made in the productionenvironment, the service is then monitored and adjustments are made as needed, andcustomer support is provided to assist users with issues that may arise from the change.All of this can be done very quickly for this lower-risk change by using a minimum set ofMOF processes.

Service Management Functions Within the Phases

Each phase of the IT service lifecycle contains service management functions (SMFs)that define the processes, people, and activities required to align IT services to therequirements of the business. Each SMF has its own guide that explains the flow of theSMF and details the processes and activities within it.

Figure 2 shows the IT service lifecycle phases and the SMFs within each phase.


3


8/29

4 Microsoft Operations Framework 4.0

Figure 2. The IT service lifecycle phases and SMFs

Although each SMF can be thought of as a stand-alone set of processes, it is importantto understand how the SMFs in all of the phases work to ensure that service delivery is atthe desired quality and risk level. In some phases (such as Deliver), the SMFs areperformed sequentially, while in other phases (such as Operate), the SMFs may beperformed simultaneously to create the outputs for the phase.

Management Reviews

For each phase in the lifecycle, management reviews (MRs) serve to bring togetherinformation and people to determine the status of IT services and to establish readinessto move forward in the lifecycle. MRs are internal controls that provide managementvalidation checks, ensuring that goals are being achieved in an appropriate fashion, andthat business value is considered throughout the IT service lifecycle. The goals ofmanagement reviews, no matter where they happen in the lifecycle, are straightforward:

Provide management oversight and guidance.

Act as internal controls at the phase level of the IT lifecycle.

Assess the state of activities and prevent premature advancement into the nextphases.

Capture organizational learning.

Improve processes.



9/29

MOF Overview

During a management review, the criteria that a service must meet to move through thelifecycle are reviewed against actual progress. The MRs make sure that businessobjectives are being met, and that IT services are on track to deliver expected value.

The MRs, their locations in the IT service lifecycle, and their inputs and outputs areshown in the following table.

Table 1. MOF Management ReviewsMR Owned by Phase Inputs Outputs

Service Alignment Plan Results of theOperationalHealth Review

Service LevelAgreements(SLA)

Customer input

Opportunity for anew or improvedproject

Request forchanges to SLA

Portfolio Plan Projectproposals

Formation of ateam

Initial projectcharter

Project PlanApproved

Deliver Businessrequirements

Visionstatement

Formation of theproject team

Approved projectplan

Release Readiness Deliver Documentationshowing thatthe releasemeetsrequirements

Documentationshowing thatthe release isstable

Documentationshowing thatthe release isready foroperations

Go/no go decisionabout release

Operational Health Operate Operating levelagreement(OLA)documents

OLAperformancereports

Operationalguides andservice-solutionspecifications

Request forchanges to theOLA documents

Request for

changes to the ITservices

Configurationchanges tounderlyingtechnologycomponents


5


10/29


MR Owned by Phase Inputs Outputs

Policy and Control Manage Operationaland securitypolicies

Policy

violations,complianceincidents

Policy changerequests

Changes inregulations,standards, orindustry bestpractices

Requests forchanges topolicies andcontrols

Requests forchanges to policyand controlmanagement

Figure 3 illustrates the IT service lifecycle phases and the MRs that connect them.

Figure 3. The IT service lifecycle with MRs

The MRs are described in more detail in the phase overview documents.



11/29

MOF Overview

Goals and Functions of the IT Service Lifecycle Phases

The following sections discuss the goals and functions of each phase and how theparticular SMFs within that phase achieve their objectives.

Plan Phase

Figure 4 illustrates the Plan Phase.

Figure 4. Plan Phase

During the Plan Phase business and IT work together to determine how IT will delivervaluable services that enable the organization to succeed. Doing that requires:

Understanding the business strategy and requirements and how the current ITservices support the business.

Understanding what reliability means to this organization and how it will be measuredand improved, as well as reviewing and taking action to improve the current statewhere needed.

Understanding the organizations policy requirements and how they affect the ITstrategy.

Providing the financial structure to support the IT work and drive the right decisions.

Creating an IT strategy that provides value to the business strategy and makingportfolio decisions accordingly.

The goal of the Plan Phase is to make the right decisions about IT strategy and theproject portfolio, ensuring that the delivered services have the following attributes andoutcomes:

Are valuable and compelling in terms of business goals

Are predictable and reliable

Are cost-effective


7


12/29


Are in compliance with policies

Can adapt to the changing needs of the business

The following SMFs support the primary activities of the Plan Phase.

Table 2. Plan Phase SMFs

SMF Deliverable/Purpose Outcomes

Business/IT Alignment Deliverable: IT servicestrategy

Purpose:

Deliver the right set ofservices as perceived bythe business

IT Service Portfolio that ismapped to businessprocesses, functions, andcapabilities

Services that support thebusiness needs

Knowledge of servicedemand and usage

Customer satisfaction

Reliability Deliverable: IT standards

Purpose:

Ensure that servicecapacity, serviceavailability, servicecontinuity, and dataintegrity are aligned tobusiness needs in acost-effective manner

Reliability plans

Reliability performancereports

Predictable services

Policy Deliverable: IT policies

Purpose:

Efficiently define andmanage IT policiesrequired

Documented IT policesthat are mapped tobusiness policies

IT policies required for

the effectivemanagement of IT

Policies documented forthe following areas:

Security

Privacy

Appropriate use

Partner and third-party management

Asset protection



13/29


14/29


Specifically, that means ensuring that the project team:

Captures the business needs and requirements prior to planning a solution.

Prepares a functional specification and solution design.

Develops work plans, cost estimates, and schedules for the deliverables.

Builds the solution to the customers specification, so that all features are complete,and the solution is ready for external testing and stabilization.

Releases the highest-quality solution by performing thorough testing and release-candidate piloting.

Deploys a stable solution to the production environment and stabilizes the solution inproduction.

Prepares the operations and support teams to manage and provide customer servicefor the solution.

The following SMFs support the primary activities of the Deliver Phase:

Table 3. Deliver Phase SMFs


Envision Deliverable: Visiondocument

Purpose:

Clearly communicate theprojects vision, scope,and risk

Vision and scope of theproject are clearlydocumented andunderstood by the teamand the customer

Conceptual design ofthe proposed solution isrecorded as part of thevision document

Projects risks aredocumented andunderstood by the team

and the customerProject Planning Deliverable: Project plan

document

Purpose:

Obtain agreement fromthe project team,customer, andstakeholders that allinterim milestones havebeen met, that the projectplans reflect thecustomers needs, and

that the plans are realistic

The design andfeatures of the solutionare clearly documentedin the functionalspecification

The design andfeatures of the solutionare traceable tobusiness, user,operational, and systemrequirements



15/29

MOF Overview


Build Deliverable: Developedsolution

Purpose:

Build a solution thatmeets the customersexpectations andspecifications as definedin the functionalspecification

A final design thatmeets business, user,operational, and systemrequirements

A solution that meetsthe customersexpectations andspecifications asdefined in the functionalspecification

Stabilize Deliverable: Tested andstable solution

Purpose:

Resolve all issues foundby testing and throughpilot feedback, and

release a high-qualitysolution that meets thecustomers expectationsand specifications asdefined in the functionalspecification

All issues found bytesting and through pilotfeedback are resolved

A high-quality solutionthat meets thecustomersexpectations and

specifications asdefined in the functionalspecification

Deploy Deliverable: Service inoperation

Purpose:

Deploy a stable solutionthat satisfies thecustomer, andsuccessfully transfer itfrom the project team tothe operations andsupport teams

A stable solutiondeployed into theproduction environment

A customer who issatisfied with andaccepts the deployedsolution

A solution successfullytransferred from theproject team to theoperations and supportteams


11


16/29


Operate Phase

Figure 6 illustrates the Operate phase.

Figure 6. Operate Phase

The Operate Phase of the IT service lifecycle represents the culmination of the twophases that precede it. The Operate Phase focuses on what to do after the services arein place.

After an IT service has been successfully deployed, ensuring that it operates to meetbusiness needs and expectations becomes the top priority. This is the focus of theOperate Phase, which depends on four primary endeavors:

Effective ongoing management of the service

Proactive and ongoing monitoring of its health

Effective and readily available help to assist with use of the service

Restoration of a service to health when things go wrong

The primary goal of the Operate Phase is to ensure that deployed services are operated,maintained, and supported in line with the service level agreement (SLA) targets thathave been agreed to by the business and IT.

Specifically, that means ensuring:

That IT services are available by improving IT staff use and better managingworkload.

That IT services are monitored to provide real-time observation of health conditions,and ensuring that team members are trained to handle any problems efficiently and

quickly. That IT services are restored quickly and effectively.



17/29

MOF Overview

The following SMFs support the primary activities of the Operate Phase:

Table 4. Operate Phase SMFs


Operations Deliverable: Operationsguide

Purpose:

Ensure that the workrequired to successfullyoperate IT services hasbeen identified anddescribed

Free up time for theoperations staff byreducing reactive work

Minimize servicedisruptions and

downtime Execute recurring IT

operations workeffectively and efficiently

Improved efficiency ofIT staff

Increased IT serviceavailability

Improved operations ofnew/changed ITservices

Reduction of reactivework

Service Monitoring andControl

Deliverable: IT healthmonitoring data

Purpose:

Observe the health of ITservices

Initiate remedial actionsto minimize the impact of

service incidents andsystem events

Improved overallavailability of services

Reduced number ofSLA and OLAbreaches

Improvedunderstanding of theinfrastructure

componentsresponsible for deliveryof the service

Improvement in usersatisfaction with theservice

Quicker and moreeffective responses toservice incidents

Customer Service Deliverable: Effectiveassistance for service users

Purpose: Provide a positive

experience to the usersof a service

Address complaints orissues

Maintained levels ofbusiness productivity

Increased value addedby IT

Improved businessfunctionality,competitiveness, andefficiency


13


18/29



Problem Management Deliverable: Effectiveproblem resolution process

Purpose:

Provide root causeanalysis to find problems

Predict future problems

Reduced number ofincidents and problemsthat occur, andlessened impact ofthose that do occur

Increased number ofworkarounds andpermanent solutions toidentified problems

More problemsresolved earlier oravoided entirely

Manage Layer

Figure 7 illustrates the Manage Layer.

Figure 7. Manage Layer

The Manage layer integrates the decision making, risk management, and change

management processes that occur throughout the IT service lifecycle. It also contains theprocesses related to defining accountability and associated roles.

The Manage Layer represents the foundation for all phases of the lifecycle. The ManageLayer promotes consistency in planning and delivering IT services and provides the basisfor developing and operating a resilient IT environment.



19/29

MOF Overview

The primary goal of the Manage Layer is to establish an integrated approach to IT servicemanagement activities. This approach helps to coordinate processes describedthroughout the three lifecycle phases: Plan, Deliver, and Operate. This coordination isenhanced through:

Development of decision making processes.

Use of risk management and controls as part of all processes. Promotion of change and configuration processes that are controlled.

Division of work so that accountabilities are clear and do not conflict.

Specific guidance is provided to increase the likelihood that:

The investment in IT delivers the expected business value.

Investment and resource allocation decisions involve the appropriate people.

There is an acceptable level of risk.

Controlled and documented processes are used.

Accountabilities are communicated and their ownership is apparent.

Policies and internal controls are effective and reliable.

Meeting these goals is most likely to be achieved if IT works toward:

Explicit IT governance structures and processes.

The IT organization and the business organization sharing a common approach torisk management.

Regularly scheduled management reviews of policies and internal controls.

The following SMFs support the primary activities of the Manage Layer:

Table 5. The Manage Layer SMFs


Governance, Risk, andCompliance Deliverable: IT objectivesachieved, change and riskmanaged and documented

Purpose: Support, sustain, and

grow the organization while

managing risks and constraints

IT services are seamlesslymatched to business strategyand objectives

Change andConfiguration

Deliverable: Knownconfigurations and predictableadaptations

Purpose: Ensure that changes

are planned, that unplanned

changes are minimal, and that ITservices are robust

IT services are predictable,reliable, and trustworthy

Team Deliverable: Clearaccountabilities, roles, and workassignments

Purpose: Agile, flexible, andscalable teams doing requiredwork

IT solutions are deliveredwithin specified constraints,with no unplanned servicedegradation

Service operation that istrusted by the business


15


20/29


The following list describes how each of the Manage Layer SMFs can be applied to thephases of the IT services lifecycle:

The Plan Phase purpose is getting business and IT to productively work together. Inthis phase, the focus of GRC is on the clear communication of strategy, IT decisionsbeing made by the desired stakeholders, and an overall consideration of risk andbenefits in terms of the service portfolio. Change management is oriented to issues

related to program plans and approaches to initiatives. Plan accountabilitiesdescribed in the Team SMF are Service and Architecture.

The Deliver Phase is focused on building the desired solution in the right way. Here,GRC is focused on project scope decisions, project stakeholder involvement, andproject risks. Change management is also project-focused, often driving riskmanagement activity for each project. The Deliver accountability described in theTeam SMF is Solution,

The Operate Phase is primarily focused on the daily running and service deliverytasks of IT. In this phase, GRC focuses on capturing information from processes andapplications, as well as on demonstrating compliance to policy and regulations.Change management is applied to minimize unplanned changes, preserving serviceperformance and availability, and smoothly introducing standard changes. Operateaccountabilities described in the Team SMF are Operations and Support.

There is also an interrelationship among the Manage SMFs themselves. The Change andConfiguration SMF processes provide information needed for the Governance, Risk, andCompliance (GRC) SMF processes. In turn, the GRC SMF helps determine who isinvolved in change management, defines the process for identifying, evaluating, andmanaging risk associated with the change, ensures that changes reflect policy, anddocuments these changes appropriately. The Manage accountabilities described in theTeam SMF are Management and Compliance.

Objectives, Risks, and Controls

To ensure that the work done in each phase of the IT service lifecycle meets its keyobjectives, MOF identifies internal controls to minimize the risks to those objectives.Controls are processes and procedures put in place in each phase to ensure that thetasks are performed as expected and that management objectives can be achieved.Many of the controls are driven by the management reviews.

Further information about controls can be found in theManage Layer Overview. Thespecific controls to ensure that the work performed in each phase is completed as agreedare described in the individual phase overview documents.

http://go.microsoft.com/fwlink/?LinkId=115616http://go.microsoft.com/fwlink/?LinkId=115616http://go.microsoft.com/fwlink/?LinkId=115616


21/29

MOF Overview

MOF Applied

This scenario uses a fictional company, Woodgrove Bank, to demonstrate the use ofMOF 4.0. The scenario shows how Woodgrove Bank IT uses each MOF component inmeeting a new business objective. For more information on any of these processes, seethe MOF Phase Overviews and SMFs.

Woodgrove Bank is a small, regional U.S. bank. It has a new business opportunity thatinvolves expanding operations to California. This puts the company under state laws thatthey have not had to comply with in the past. These state laws require that they makesome changes to their existing security and privacy policies and systems.

Janet is the CEO of Woodgrove Bank. She and other members of the senior staff aregoing to drive the California expansion project, and they need to identify the actual workthat needs to be done, assess the risks, and ensure compliance with the new stateregulations. She knows that Woodgrove must greatly improve the ways in which itprotects the security of the banks data and the privacy of its customers personallyidentifiable information (PII).This involves thoroughly understanding the California laws,

defining the necessary security and privacy controls, assessing the risk and impact of thechanges, planning for the changes, building, testing, and deploying the changes, andpreparing Customer Service and Operations to support the changes.

Governance, Risk, and Compliance SMF

Janet arranges a series of meetings with the management team to determine how toprovide the necessary security and privacy controls for the California expansion. Duringtheir meetings, they review pertinent California regulations and define the followingsecurity and privacy controls:

Standards, policies, and procedures

Data access controls, including encryption

Controls that protect the banks computer systems

The bank already has an IT governance policy in place, but Janet knows that they mustassess the risks to security and privacy in their new endeavor and then design,document, and implement the proper controls. They begin by examining Woodgroves:

Mission statement.

Risk tolerance and approach to risk management.

IT portfolio.

IT service maps.

Incident reports and security events.

Regulatory environment and past non-compliance events.

The result is an IT services risk characterization report. This and an awareness ofpossible threats and vulnerabilities to the banks data, allows the team to prioritize therisks and identify the necessary controlsthe most important of which is the encryptionof dataand then implement them. The team also recommends systems for monitoring,tracking, and reporting risks and controls.


17
http://www.microsoft.com/mofhttp://www.microsoft.com/mof


22/29


The team knows that the most critical aspect of its preparations for the expansionconcerns compliance with the California state regulations and law. The team identifies allpertinent California policies, laws, and regulations, creates a compliance plan, and setsup compliance auditing.

Policy SMF

Janet (CEO), Charles (CIO), Kevin (Security Manager), and Neil (IT Manager) need toupdate the banks policies to incorporate the new state laws with which they must complyand to increase security and privacy through the use of data encryption.

First, they determine the areas requiring policy changes. Next, they create security,privacy, and appropriate use policies. After the policies have been created, they performa policy review and incorporate any changes.

The team then establishes controls for enforcing the policies and corrective actions forinfractions, sets up a system for recording infractions, and then releases the policies tobank employees who need to know about them. After the policies have been released,the team needs to analyze enforcement of the policies and evaluate their effectiveness,so it sets up a structure for periodically reviewing policies and changing them if

necessary.

Reliability SMF

Neil (IT Manager), Ray (Infrastructure Manager), Linda (Development Manager), andJamie (Operations Manager) tackle ensuring the reliability, dependability, andtrustworthiness of the changes that must be made to comply with the California laws.

First, they define the business and service requirements for the changes by examiningthe new laws, internal bank policies, risk analysis, and reliability parameters. This resultsin service level requirements, data classification, and data handling policies. Next, theyplan and develop a reliability specification model, project plan, and responsibilities fordevelopment activities.

The team reviews and updates the following documents:

The availability plan, which describes the plans for ensuring high availability for theservice and which addresses the hardware, software, people, and processes relatedto the service.

The capacity plan, which outlines the strategy for assessing overall service andcomponent performance and uses this information to develop the acquisition,configuration, and upgrade plans.

The information security plan, which describes how the service will be brought toacceptable levels of security. It details existing security threats and how implementingsecurity standards will mitigate those threats. The information security planaddresses data confidentiality, data integrity, and data availability.

The disaster recovery plan, which specifies the actions and activities that IT will

follow in the event of a disaster. The purpose of this plan is to ensure that critical ITservices are recovered within required time frames.

The monitoring plan, which defines the process by which the operational environmentwill monitor the service, the information being sought, and the ways in which theresults will be reported and used.

The team reviews the plans with Janet (CEO), Charles (CIO), and Kevin (SecurityManager), make appropriate changes, and then approve the plans.



23/29

MOF Overview

Financial Management SMF

Working with its Finance team, the team creates an IT cost model and sets up the budgetmodel covering the proposed changes. As a result of this process the team:

Determines maintenance and operations costs.

Defines how to track the project and operations costs.

Adds the tracking requirements to the project plan.

Estimates the project costs and expected value realization.

The team was satisfied that it now had a methodology to forecast, track, and eventuallyevaluate the business value realized from the decision to move into the California market.

Business/IT Alignment SMF

The team decides to create a service map for the changes to clarify the relationshipsbetween IT and the business and to determine requirements for the work that needs tobe done.

Service mapping requires that the team:

Identify the specific services to be created and their owners.

Identify the key customers and users.

Classify and categorize the components of the new services.

The team then takes this information and creates a draft of the service mappingillustration in Microsoft Visio and a draft of the service mapping table in MicrosoftExcel, reviews the drafts, and publishes them.

Change and Configuration SMF

Kevin (Security Manager) and Neil (IT Manager) baseline the banks system configurationand do an initial assessment of the impact of the changes. After this is complete, they

initiate a Request for Change (RFC) and route it to the banks change advisory board(CAB) for approval. Since this is not a standard change, the CAB analyzes the impact ofthe changes and then approves the RFC.

The teams will use change and configuration management throughout the rest of the ITservice lifecycle.

Portfolio Management Review

The team presents the project proposal at a Portfolio MR to review and approve theproposed project, and then forms teams to design and deliver the new services. Theultimate outcome of this MR is the initial project charter. With the charter in hand, theteam can now begin the process of creating and deploying the new services.

Team SMF

The management team analyzes the scope of the project, determines the roles that willbe needed, and then organizes the core project team. The team then creates the projectstructure document that describes the project teams organization, and specifies rolesand responsibilities of each project team member. Phil, the IT Services Manager, alsoregularly participates in the team meetings to ensure that the customer is wellrepresented. The management team now hands off the work to the project team.


19


24/29


Envision SMF

The project team identifies a number of projects that will bring Woodgrove Bank intocompliance with California laws, but it decides to start with the most critical component ofthe solution. The team decides to call this project the Data Encryption Project, and itsgoal is to implement Internet Protocol Security (IPSec) to encrypt all of the banks dataincluding customer personal data. IPSec is a suite of cryptography-based protectionservices and security protocols.

The team then writes the vision/scope document, which provides a clear vision of what itwants to accomplish. The vision/scope document defines the deliverables for the project:

IPSec deployment plan

Definition and assignment of IPSec policies and rules

After the vision/scope document is approved by the team and the stakeholders, theproject team completes the milestone review report for the Vision/Scope ApprovedMilestone. The team and stakeholders sign off on this report, indicating that the project isready to proceed to planning.

Project Planning SMFNow that the vision/scope document has been approved, the project team is ready to dothe planning work for the project.

The team documents the project requirements and usage scenarios and creates thefunctional specification.

The project team also creates the design documents (conceptual design, logical design,and physical design) that record the results of the design process. These documents areseparate from the functional specification and are focused on describing the internalworkings of the solution.

Now the team begins the detailed planning of the project. The team leads prepare projectplans for the deliverables in their areas of responsibility and participate in team planningsessions.

After the project plans are complete and approved, the project team rolls up the individualproject plans into the master project plan. It then creates individual project schedules androlls them up into the master schedule, which includes the release date for the solution.

Project Plan Approved Management Review

The project team, management team, and stakeholders review the functionalspecification, the master plan, and the master schedule and agree that the project teamhas met the requirements of the Project Plan Approved MR. The team is ready to moveon to the development of the solution.

Build SMF

Now the project team begins developing the solution: the IPSec deployment plan,policies, and documentation.

The developers begin by developing the IPSec deployment plan. This plan addresses thefollowing considerations:

After it has created the deployment plan, the project team starts the IP Security PolicyManagement snap-in in the test lab and begins defining the IPSec policies.



25/29

MOF Overview

The developers implement the policies and rules in interim builds, and the testers revieweach build, providing feedback to the developers through the bug-tracking database. Toobtain realistic performance data in the test environment, they run standard workloads onprograms.

At the same time, the technical writers begin developing the user and operationsdocumentation. This work continues through a number of interim milestones until all of

the solutions features are completed. After this happens, the project team can begin toprepare for the solutions release. It prepares for deployment of the solution bydeveloping a pilot plan, a deployment plan, and a deployment infrastructure, includinghardware and software.

The team also prepares a training plan, so that the banks employees will understand thenew requirements and learn how to use the new software. Developing ends with theScope Complete Milestone.

Stabilize SMF

After the development of the solutions features is complete, stabilizing the solutionbegins. During the initial parts of stabilizing, Test writes the test specification document,and Test and Development work together to find and resolve bugs. They hold regularly

scheduled bug meetings to triage bugs, and team members report and track the status ofeach bug by using the bug-tracking procedures developed during planning.

As stabilizing progresses, the team begins to prepare release candidates. Testing aftereach release candidate indicates whether the candidate is fit to deploy to a pilot group.After Test and Development have a pilot-ready release candidate, the stakeholders,including Operations and Support, perform user acceptance testing of the solution. Whenthe users accept the solution as pilot-ready, the project team archives the solution in thedefinitive software library (DSL).

The project team then performs the pilot test, which is a deployment of the solution in asubset of the live production environment. During the pilot test, the team collects andevaluates pilot data, such as user feedback. The team continues to fix reported bugs andother issues until it is satisfied that the solution is stable.

Release Readiness Management Review

Stabilizing culminates in the Release Readiness MR. This review occurs after asuccessful pilot has been conducted, all outstanding issues have been addressed, andthe solution is released and made available for full deployment in the productionenvironment. This review is the opportunity for customers and users, operations andsupport personnel, and key project stakeholders to evaluate the solution and identify anyremaining issues that they must address before deployment.

When the review is complete, the project team approves the release signoff.

Deploy SMF

The solution is now ready to be deployed in the production environment. The projectteam deploys the infrastructure that supports the solutionnew domain controllers andremote access servers. Then, the team deploys the solution to all targeted users andcomputers at each site.

Stabilization continues during deployment as customer and user feedback from thedeployed sites reveals bugs with the solution. The development team fixes the bugs thatare approved through the project team change control process.


21


26/29


The Post-Implementation Review finalizes the project and signifies that the project teamhas fully disengaged and transferred the solution to Operations and Support personnel.At the completion of this review, the project team signs off on the project. Finally, theproject team members, management team members, and stakeholders perform a post-project analysis, sign off on the project, and then close it.

Service Monitoring and Control SMFJamie (Operations Manager) knows that she needs to determine what is required tomonitor the health of the new service. She creates a health model and defines themonitoring requirements.

Next, she determines that the new service is aligned to existing processes and functions,specifies which Operations groups will do the monitoring, and defines the servicemonitoring requirements in the banks service monitoring and control (SMC) tool. Shealso ensures that the service will be continuously monitored.

Operations SMF

Jamie now leads a team that identifies the operational requirements for the new services

for instance how the service is backed up and restored, the tasks needed for disastermanagement, and the tasks needed for the security of the services.

The team builds the operations plan and then uses it to write the operational workinstructions. These instructions identify resources and operational guidance for the newservices, and specify the operational work instructions. The team then plans theoperational work, assigns the resources, and identifies dependencies. Finally, the teamexecutes the operational work and performs maintenance on the work instructions.

Operational Health Management Review

The new service is added to the regularly scheduled Operational Health MR with theOperations team. It is during this review that requests for changes to the OLAdocuments, IT services, and configuration of the underlying technology components are

made.

Customer Service SMF

Even though the software has been deployed automatically to all bank employeecomputers, the project team knows that customer service representatives (CSRs) willhave to respond to questions and requests for information. In response to these needs,the project team writes knowledge base articles and procedural documentation and trainsCSRs to deal with the new IPSec policies and rules. When incidents are recorded, Kate(a CSR) reviews the knowledge base articles about IPSec to find answers needed toresolve the incidents.

Problem Management SMF

Kate noticed in the incident trend reports that there were many incidents regardingintermittent problems with connections refused. She escalates this to the ProblemManagement team. Jerry on the Problem Management team researches the incidentsrelated to the problem and finds that one server was not updated correctly. He submits astandard change request to update this server and the problem is fixed. He further findsthat a root cause of the problem is that the update to the servers should have been doneusing Auto Enrollment rather than a manual configuration of the certificates. Jerryupdates the knowledge base article with this information.



27/29

MOF Overview

Service Alignment Management Review

The new service is added to the regularly scheduled Service Alignment MR with theaccount manager and the business customers. It is during this review that requests forchanges to the SLA documents and IT services are made.

Policy and Control Management ReviewAfter operations had been running for several months, Woodgrove Banks managementassessed the policies and controls that were put in place to support the banks move intothe California market. Taking a view across the lifecycle, they could see how well risk isbeing managed and the likelihood that managements objectives were on track to beachieved. They found that one policy around access to customer credit card informationwas not effectively being enforced. Their outsourced storage solution provider wasallowing shared administrator passwords that violated Woodgroves policy for tracking thespecific person that had access to the data. They initiated a change request to addressthe situation with the service provider both in terms of their contract and their SLA.

Conclusion

Woodgrove Banks management and project teams have successfully deployed IPSec toprovide data encryption for the banks data. With this important step completed, they cannow begin work on other security and privacy solutions that will allow them to expandtheir operations to California and take advantage of new and exciting opportunities.

Next Steps

This document provides a broad overview of the Microsoft Operations Framework 4.0and its related SMFs, management reviews, and controls. The next step in putting MOF4.0 into practice is to consider your organizations needs, and then read and use therelevant SMFs. Their step-by-step guidance will be of value to IT organizations whose

goal is reliable, efficient, and compelling IT services.

Feedback

Please direct questions and comments about this guide to [email protected].


23
mailto:[email protected]?subject=MOF%20Overviewmailto:[email protected]?subject=MOF%20Overview


28/29


Attributions

The MOF 4.0 Core Team would like to express our deep appreciation to the many peoplewho participated in the development and review of this latest version of MOF.Contributions have been made at many different levels, from individuals who providedsubject matter expertise, to beta participants who gave us much food for thought andvaluable suggestions for improvements, to those who reviewed and commented on thecontent throughout the development process.

The following people are from Microsoft, unless otherwise noted.

Subject Matter Experts:

Alex Broekarts Kurt Skjdt Pedersen

Chuck Chemis (ExamineOps) Michael Polzin

Edwin Griffioen Anders Ravnholt

Jerry Honeycutt (Studio B) Gary Roos

Lasse Wiln Kristensen Rune Ungermann

Morten Lauridsen Rob van der Burg

Paul Leenards (Getronics) Hans Vriends (Getronics)

Tony Noblett (Socair Solutions)

Contributors:

Khalid AlHakim Flicka Enloe

Michelle Arney Karl Grunwald

Rick Baker Valentina Haack

Dave Beers Kelly Hengesteg

Mary Anne Blake Gerald Herbaugh

Tom Bondi Kevin Hite

Simon Boothroyd Byron Holder

Nigel Cain Betty Houser (Volt)

Derick Campbell Michael Kaczmarek

Bill Canning Peter Kendon

Chase Carpenter Larry Killingsworth (Air Products)

Andre Carter Kevin Klein (Xtreme Consulting Group Inc.)

Bret Clark David Krogh

Shiloh Cleofe Brent Kronenberg (Avenade)

CyBOOK, Inc. for graphics Shawn LaBelle

Brian DeZell Peter Larsen

Laurie Dunham Matthew Lehman



29/29

MOF Overview

Lex Liao David Pultorak (Pultorak & Assoc., Ltd.)

David Lymburner Paul Ross

Robin Maher Gerard Roth

Cleber Marques Patricia Rytkonen (Volt)

Luis Martinez Terri Snider Susan McEver Mitch Sonnen

Steve McReynolds Jennifer Stevens

Daniel Rubiolo Mendoza Jim Stuart

Linda Moschell (Volt) Robert Sympson

Shane Muffley Kendall Tieck

Rich Nardi Kathleen Troy

Jeff Newfeld Jan van Bon (Inform-IT)

Baldwin Ng Shane van Jaarsveldt (brightenup)

Michael Oppenheimer (Volt) Meera Venkatesh

Catherine Paoletti Mike Walker

Mark Pohto Jeffrey Welton

Ruth Preston (Volt) Jeff Yuhas

Our thanks to each of you for making this contribution to the IT service managementcommunity. We look forward to ongoing collaboration through our MOF CommunityPortal!

The MOF Core Team

Betsy Norton-Middaugh, Jerry Dyer, Clare Henry, Don Lemmex, and Jason Osborne

S l ti A l t i ft /t h t/S l ti A l t

25

1.0 MOF Overview

Documents

Transcript of 1.0 MOF Overview