Discovery actions Remedial actions Goals (expected improvements)
Document the client’s expectations and set
measurablegoals. Use R.A.C.I. to name who
should be involved with achieving each goal.
Document relevant past events and propose
actions to prevent repeats.
Inventory and evaluate existing Info
Sec/Cyber Security-related hardware &
software configuration items, policy, vendor
Perform requirements gathering.
Report on ITSM, Info Sec and ITIL
compliance documenting performancegaps
with proposed remedies mentioned briefly.*
Reach agreementon which systems and
networks are critical and which are non-
Determine any additional needs the client has
not mentioned and prepare
recommendations.* (e.g., How will
information documented previously be used
for business continuity planning?)
Determine if enough improvements can be
made realistically considering the client’s
resources, culture &executive leadership.
Negotiate MSP agreement with a schedule ofremedial
actions or terminate the relationship now.
Develop a short-term win/win agreement or
separation as friends.
Test security solutions identified earlierin
this process. Report results with
Create a series ofcommunications to be sent
from the owner or execs communicating how
and why security is more important, to be
given more attention, and how compliance
will be measured and reported after ITaudit
plans are documentedand participants are
Design and deploy security-related alerts
triggered according to best ITSMpractices.
Implement the security-related management
reports plan and schedule reflecting best
Plan and develop timelines for ITsecurity
audits, incident management actions, and
disaster recovery efforts.*
Design and run proof-of-concept tests for
identified advanced security solutions. Report
results and make recommendations.*
* Document the client’s response to each of these communications.
The at-a-glance summary outlined above should incorporate best practices and tools tailored to fit the needs documented during this
process. Tools should be used for business continuity planning, security policy, risk analysis, network security, biometrics, etc. Best
practices should address the following needs:
a. Understanding begins with the definition of terms.
- How should objectives and scope of ITSM be defined?
- How should roles of the Service Desk and other resources be defined?
- How should reliance upon these definitions be reinforced?
b. Executives and middle management teams must communicate, monitor and support what is planned, purchased and promoted.
- Who will be responsible for which communications?
- Who will be responsible for monitoring progress?
- How will responsible persons be required to succeed?
c. Plan how the objectives of the Service Desk and other groups will be monitored and achieved using the R.A.C.I. model.
- Who will be responsible for ______________?
- Who is to be accountable for _______________?
- Who is to be consulted about _______________?
- Who is to be informed of ________________?
d. A formal service management model must be documented with illustrations and explanations and communicated thoroughly .
- What components should be included?
- What workflows are expected?
- Can the model be patented or protected as a trade secret?
e. Document and distribute processes, procedures, etc. so everyone can sing from the same sheet of music.
- What hierarchy of processes, procedures, etc. should be developed?
- What should be included in a style guide for this business venture?
- Who are the SMEs and SPOCs to be contributors?
- What configuration items should be referenced in the documentation?
f. Tailor work processes and systems tomake sure they support your ITSM goals with the right tools and talent.
- How should initial documentation be drafted to reflect what is anticipated?
- How should what is drafted be improved to reflect reality?
- Is what is documented expected toreflect the one best way to do each type of work?
g. Define, document and deploy monitoring metrics in ways measurements will be trended over time and used to evaluate
- How will the top 10 call drivers be recognized? How should they be remedied?
- How should they be prevented?
- How will the 20% of the problems causing 80% of the costs be remedied?
h. Negotiate and document roles and responsibilities for all staff using the R.A.C.I. determinations noted above.
- What are people to account for?
- How will performance be measured daily, trended over time and reported?
- How will responsible parties be held accountable?
i. Discover, document and deliver a realistic, relevant and robust knowledge base.
- How will users be trained to use it?
- How will staff be required to use it?
- How will users be required to improve it?
j. Define, document and deploy reporting standards.
- How should the standards reflect meaningful milestones?
- What key performance indicators (KPIs) should be measured and trended?
- What vendor or programmer can provide a dashboard for at-a-glance viewing? Can it be shared by all decision makers?
k. Define, document and deploy role-based cybersecurity policy.
- What are our minimum cybersecurity requirements?
- What measures and equipment should be put in place?
- How should cybersecurity be monitored daily and trended over time?
- How can funding for needed improvements be justified objectively?
l. Investment in people is critical to the successful adoption and ongoing success of IT services, support, and sustainability;
communication, training and evaluation are three types of investment which are often neglected.
- How should the above information and related decisions be incorporated in trainings to facilitate a learning organization with
- What should be done before, during and after hirings or transfers to facilitate effective and efficient learning?