
OPS.1.1.1 General IT Operations


Description

Introduction

IT Operations represents an organizational unit and the associated business process within information technology. The process describes the tasks with all activities that are carried out by the IT Operations organizational unit. IT encompasses all IT components of an institution, in particular IT systems, services, applications, platforms, and networks. IT Operations includes, among other things, the following tasks:

  • Management, including inventory and documentation
  • Participation in procurement
  • Commissioning and decommissioning, including replacement of IT
  • IT administration
  • IT monitoring
  • IT incident management

The proper, secure, and correct execution of IT Operations is essential to ensure the functioning of IT. For this purpose, IT Operations establishes framework conditions, for example for process design, and ensures that these are adhered to.

In addition, IT Operations MUST also provide and ensure the functionality of its own operational resources — the specific IT components used for operational purposes — to an appropriate extent. The IT being operated therefore always includes the operational resources of IT Operations itself. From a security perspective, these operational resources are of particular importance. They hold a great deal of information that is important for IT components and their functionality, which presents an attractive target for attack and must therefore be protected. Their availability is also essential for IT Operations.

Objective

The objective of this building block is to establish information security as an integral part of all generally applicable aspects of IT Operations. By implementing this building block, the institution ensures that the activities of general IT Operations, through which the functionality of IT is maintained, are carried out properly and systematically.

Scope and Modeling

The building block OPS.1.1.1 General IT Operations is to be applied once to the entire information domain.

In order to create an IT-Grundschutz model for a specific information domain, all building blocks must generally be considered in their entirety. As a rule, several building blocks are to be applied to the topic or target object.

This building block addresses cross-cutting aspects of IT Operations. In larger institutions, it makes sense to also embed IT Operations within the institution’s service management. For this purpose, standard works such as the “Information Technology Infrastructure Library” (ITIL) can be consulted. Such service management is not limited to IT (IT service management), but also addresses business processes and specialist tasks such as “portfolio management.”

The following content is also relevant and is addressed elsewhere:

This building block does not address:

  • The part of the operation of IT components for which a unit other than IT Operations, e.g. a specialist department, is responsible,
  • Special aspects of DevOps,
  • Aspects characteristic of IT service, such as the interface with users or the provision of a helpline, as well as
  • The implementation of IT projects.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular importance for the building block OPS.1.1.1 General IT Operations.

Insufficient Personnel Capacity

The operations staff is responsible for ensuring that all IT is functional, without which institutions are often no longer operational. IT is particularly at risk if IT Operations does not have sufficient capacity.

If there is a shortage of staff, e.g. due to faulty or insufficient personnel planning, IT Operations processes cannot be executed properly. In addition to availability, the confidentiality and integrity of the information domain can also be impaired, e.g. if inadequate IT or security monitoring occurs due to understaffing.

If the required know-how is not held redundantly by enough of the operations staff, for example because additional personnel have been insufficiently trained, the dependence on individual persons can mean that the availability of IT Operations is no longer fully guaranteed.

Loss of Operationally Relevant Information

Processes that are insufficiently executed by IT Operations can lead to operationally relevant information becoming outdated or even being lost.

If IT Operations performs activities based on insufficient or manipulated documentation, this can lead to disruptions of IT functionality. Moreover, if the information needed to resolve an incident is only insufficiently available, such disruptions cannot be remedied or can only be remedied incorrectly. As a consequence of insufficient documentation, both the availability of IT components and the confidentiality of information may be impaired.

If the operationally relevant information is insufficiently secured — e.g. by being disclosed or easily accessible — its confidentiality is no longer guaranteed.

One cause of the loss of operationally relevant information can be, for example, insufficient coordination with contracted service providers regarding the documentation to be delivered, which can result in the consequences mentioned above.

Limited Availability of Operational Resources

Operational resources, which encompass all IT components used to perform IT Operations activities, have a significant influence on whether IT Operations processes can be carried out efficiently.

If the operational resources are insufficiently redundant, only partially hardened, or overloaded, availability may be restricted. If operational resources are not sufficiently available, errors that occur on operated IT components cannot be resolved, for example, which jeopardizes the availability, integrity, or confidentiality of the operated IT components.

Misuse of Operationally Relevant Information and Privileged Rights by Authorized Persons

The privileged rights of operations staff enable far-reaching effects on all IT. If operationally relevant information and privileged rights are misused by authorized persons for sabotage, manipulation, or espionage, all information security objectives for the operated IT components and for the institution’s information are at risk. This situation can have several causes.

If the operations staff has overly broad privileged rights, these permissions can be misused for attacks. Coercion, phishing, or social engineering can also be used to force the release of extensive rights or the disclosure of operationally relevant information.

If internal or external operations personnel leave and the corresponding processes are inadequately executed, such persons may continue to use privileged rights. Shared accounts can also mean, for example, that persons retain access to operationally relevant information and operational resources after changing job roles.

Operationally relevant information can also be disclosed through human error, for instance when policies that prevent espionage or theft are not implemented.

Access to or Espionage of Operational Resources and Operationally Relevant Information by Unauthorized Persons

If there is insufficient protection against unauthorized physical access to premises where operational resources are located, this can be exploited as a starting point for any kind of attack or misuse. Consequently, all information security objectives may be impaired.

Interfaces and access points of IT Operations that are insufficiently secured can enable unauthorized persons to reach or spy on operational resources and operationally relevant information.

Misdirection of IT Operations

If internal or external persons deliberately misrepresent facts to IT Operations — for example by falsely impersonating another person — IT Operations can be led to incorrect responses. Phishing emails sent to IT Operations, for example, can trigger incorrect activities. Depending on how IT Operations is misdirected, all information security objectives can be significantly jeopardized. Availability can be restricted, for example, if administrators are led to shut down IT systems.

Prevention of Operational Processes

If the activities of IT Operations are blocked and thus not properly executed, this can impair the availability and integrity of all IT.

One possible cause can be insufficient planning and procurement of IT components — for example, if it was not considered whether the applications can be operated well. Likewise, faulty process planning, e.g. due to unclear interfaces or responsibilities, can lead to IT Operations being executed only inadequately.

Activities performed incorrectly by operations staff, which can be attributed, for example, to insufficient knowledge of operational processes, can also prevent operational processes from being carried out, leaving the entire IT with only limited availability or functionality.

Similarly, the behavior of operations staff or the activities of various service providers with insufficiently defined interfaces can prevent operational processes from being executed correctly.

Requirements

The following are the specific requirements of building block OPS.1.1.1 General IT Operations. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.

The IT-Grundschutz Compendium additionally defines further roles. They should be staffed insofar as this is reasonable and appropriate.

Responsibilities and roles:

  • Primarily responsible: IT Operations
  • Additional responsibilities: None

Exactly one role should be Primarily responsible. Beyond that, there may be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, this role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many persons should fill these roles.

Basic Requirements

The following requirements MUST be fulfilled as a priority for this building block.

OPS.1.1.1.A1 Definition of IT Operations Tasks and Responsibilities (B)

For all operated IT components, it MUST be defined which tasks arise for IT Operations and who is responsible for them. For this purpose, the corresponding rights, obligations, tasks with the activities required for them, authorizations, and associated processes MUST be regulated. Furthermore, the interfaces and reporting channels as well as escalation management between different operational units and towards other organizational units of the institution MUST be defined.

OPS.1.1.1.A2 Definition of Roles and Permissions for IT Operations (B)

For all operated IT components, the respective role and permission concept MUST also define roles and associated permissions for IT Operations. A role and permission concept MUST also be created for the operational resources.

The role and permission concept for IT Operations MUST separate IT use from IT Operations tasks. Administration tasks and other operational tasks MUST be separated by different roles. In principle, IT Operations SHOULD define different roles for different operational activities, which have the necessary permissions for the respective activities. Shared accounts MAY ONLY be established in justified exceptional cases.

The roles and permissions MUST be regularly reviewed and adjusted to current circumstances. In particular, the permissions of departed personnel MUST be removed from IT components. Likewise, roles and permissions MUST be deleted when IT components are decommissioned.
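
One way to automate the regular review described in OPS.1.1.1.A2, as an added example that is not part of the building block. All account names, role names, field names and sample records are constructed, and treating "separation" as "no account holds roles from more than one category" is an assumption of this example.

```python
from dataclasses import dataclass

# Constructed sample data; all names, roles and fields are assumptions.
ACTIVE_STAFF = {"a.meier", "b.schulz", "c.wagner"}
ASSETS = {
    "srv-db-01": "productive",
    "srv-web-02": "productive",
    "srv-old-07": "decommissioned",
}
# Categories that the role and permission concept keeps apart:
# IT use, administration tasks, other operational tasks.
ROLE_CATEGORY = {
    "app-user": "use",
    "db-admin": "administration",
    "backup-operator": "operations",
}


@dataclass(frozen=True)
class Grant:
    account: str
    persons: tuple            # everyone who can log in with this account
    role: str
    component: str
    justification: str = ""   # documented exception for a shared account


GRANTS = [
    Grant("a.meier", ("a.meier",), "app-user", "srv-web-02"),
    Grant("a.meier", ("a.meier",), "db-admin", "srv-db-01"),
    Grant("d.koch-adm", ("d.koch",), "db-admin", "srv-db-01"),
    Grant("ops-shared", ("b.schulz", "c.wagner"), "backup-operator", "srv-db-01"),
    Grant("c.wagner-adm", ("c.wagner",), "db-admin", "srv-old-07"),
    Grant("breakglass", ("b.schulz", "c.wagner"), "db-admin", "srv-db-01",
          "emergency access, approved exception"),
]


def review(grants, active_staff, assets, role_category):
    """Return sorted (finding, account, detail) tuples for one review run."""
    findings = set()
    categories = {}
    for g in grants:
        # Permissions of departed personnel must be removed.
        if any(p not in active_staff for p in g.persons):
            findings.add(("departed-personnel", g.account, g.component))
        # Roles and permissions must be deleted with the component.
        state = assets.get(g.component, "unknown")
        if state in ("decommissioned", "unknown"):
            findings.add((f"{state}-component", g.account, g.component))
        # Shared accounts only as a justified exception.
        if len(g.persons) > 1 and not g.justification.strip():
            findings.add(("shared-account-unjustified", g.account, g.component))
        categories.setdefault(g.account, set()).add(
            role_category.get(g.role, "undefined"))
    # Assumed interpretation of separation: one category per account.
    for account, cats in categories.items():
        if len(cats) > 1:
            findings.add(("mixed-role-categories", account, "+".join(sorted(cats))))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review(GRANTS, ACTIVE_STAFF, ASSETS, ROLE_CATEGORY):
        print(*finding, sep="\t")
```
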

Standard Requirements

Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be fulfilled.

OPS.1.1.1.A3 Creation of Operations Manuals for Operated IT (S)

For all operated IT components, operational tasks SHOULD be planned and recorded in operations manuals. The operations manuals SHOULD always be available and address at minimum the following topics:

  • Relevant system and contact information
  • Required and permitted operational resources
  • General configuration requirements
  • Configuration requirements for hardening of special systems
  • Roles and permissions
  • IT monitoring, logging, and alerting
  • Data backup and emergency concepts
  • IT incident management
  • Requirements for all regular and unplanned activities

The operations manuals SHOULD be reviewed and updated regularly and as circumstances require.

OPS.1.1.1.A4 Provision of Sufficient Personnel and Material Resources (S)

IT Operations SHOULD have sufficient personnel resources to ensure proper IT Operations. For this purpose, the effort for all IT Operations activities SHOULD be determined. Personnel resources SHOULD be planned with appropriate redundancies and reserves, and SHOULD also account for short-term staff absences and temporarily increased staffing needs.

Suitable material resources SHOULD also be available. For each IT Operations activity, it SHOULD be identified which operational resources are required.

Resource planning SHOULD be reviewed regularly and as circumstances require, and adjusted to current needs.

OPS.1.1.1.A5 Defining Hardened Standard Configurations (S)

IT Operations SHOULD categorize the operated IT components and define and provide hardened standard configurations for these categories.

For IT platforms such as virtualization hosts on which further IT components are provided and operated, a coordinated hardening approach SHOULD be developed and implemented that takes into account all elements of the IT components. Different variants of IT components SHOULD be considered, and permitted deviations SHOULD be specified.

The configuration requirements SHOULD implement the institution’s security requirements and take into account the recommendations of the respective manufacturers. The hardened standard configurations SHOULD be documented in the respective operations manuals.

Each standard configuration SHOULD be tested before deployment. The hardened standard configurations SHOULD be reviewed regularly and as circumstances require, and adjusted to the current state of the art in accordance with available information.

IT Operations SHOULD ensure that the current configuration requirements are always available and can be identified by version and description.

OPS.1.1.1.A6 Implementation of IT Asset Management (S)

IT Operations SHOULD create an overview of all existing IT assets, review it regularly, and keep it current.

In IT Asset Management (ITAM), all productive IT components, test instances, and IT components held in reserve SHOULD be recorded. Existing but no longer used IT assets SHOULD also be recorded.

ITAM tools SHOULD be used that enable central management of IT assets.

OPS.1.1.1.A7 Ensuring Proper IT Operations (S)

IT Operations SHOULD develop operational concepts for all IT components. These operational concepts SHOULD be regularly reviewed and adjusted.

Security-relevant configuration specifications SHOULD be implemented. The hardened standard configurations SHOULD be used for this purpose.

IT Operations SHOULD define review criteria for all activities, which collectively serve as a guide for proper IT Operations. The approval of installed or changed IT components for productive operation SHOULD be demonstrated using these review criteria.

At commissioning and after updates or restructuring, system tests SHOULD be performed for the IT components. IT Operations SHOULD specify in which environment the respective system tests are to be performed with what test coverage and depth.

IT Operations SHOULD make provisions for the replacement procurement of IT components. Reserves or supply contracts SHOULD be arranged for this purpose.

All IT Operations activities SHOULD be comprehensively and traceably recorded. IT Operations SHOULD use a suitable tool such as a ticket system for this purpose.

IT Operations SHOULD in particular systematically record the quality of operational processes, compliance with SLAs, and user satisfaction. Regular reports SHOULD be created that serve as evidence of proper IT Operations.

OPS.1.1.1.A8 Regular Target-Actual Comparison (S)

IT Operations SHOULD regularly and as circumstances require check all operated IT components as well as operational resources to determine whether the current configuration corresponds to the target state. Furthermore, it SHOULD be checked whether the practiced processes implement the defined IT Operations processes.
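
A sketch of the configuration part of this target-actual comparison, checked against a versioned hardened standard configuration with permitted deviations as described in OPS.1.1.1.A5. This is an added example, not part of the building block; the setting names, host names, variants and values are constructed.

```python
# Hardened standard configuration for one component category (constructed).
# It carries a version and description so it can be identified, and lists
# the deviations that are permitted for named variants.
BASELINE = {
    "category": "linux-server",
    "version": "2.3",
    "description": "Hardened standard configuration for Linux servers",
    "settings": {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "no",
        "ntp.server": "ntp.internal.example",
        "auditd.enabled": "yes",
    },
    "permitted_deviations": {
        "dmz": {"ntp.server": {"ntp.dmz.example"}},
    },
}

# Actual state as collected from the components (constructed).
HOSTS = {
    "srv-web-02": {
        "variant": "dmz",
        "baseline_version": "2.3",
        "settings": {
            "ssh.PermitRootLogin": "no",
            "ssh.PasswordAuthentication": "no",
            "ntp.server": "ntp.dmz.example",
            "auditd.enabled": "yes",
        },
    },
    "srv-db-01": {
        "variant": "standard",
        "baseline_version": "2.2",
        "settings": {
            "ssh.PermitRootLogin": "yes",
            "ssh.PasswordAuthentication": "no",
            "ntp.server": "ntp.internal.example",
        },
    },
}


def target_actual(baseline, host):
    """Return (setting, target, actual, status) for every difference."""
    findings = []
    if host["baseline_version"] != baseline["version"]:
        findings.append(("baseline.version", baseline["version"],
                         host["baseline_version"], "outdated-version"))
    allowed = baseline["permitted_deviations"].get(host["variant"], {})
    for key, target in baseline["settings"].items():
        actual = host["settings"].get(key)
        if actual == target:
            continue
        if actual is None:
            status = "missing"
        elif actual in allowed.get(key, set()):
            status = "permitted-deviation"
        else:
            status = "drift"
        findings.append((key, target, actual, status))
    return findings


def compliant(findings):
    """A host matches the target state if only permitted deviations remain."""
    return all(f[3] == "permitted-deviation" for f in findings)


if __name__ == "__main__":
    for name, host in HOSTS.items():
        result = target_actual(BASELINE, host)
        print(name, "OK" if compliant(result) else "DEVIATES")
        for row in result:
            print("   ", *row)
```
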

OPS.1.1.1.A9 Implementation of IT Monitoring (S)

All IT components SHOULD be integrated into a uniform IT monitoring system that covers all relevant parameters of the IT components. IT monitoring SHOULD be coordinated with the overarching service management.

IT Operations SHOULD perform IT monitoring in accordance with a previously defined monitoring plan. Appropriate threshold values SHOULD be determined for each IT component that trigger a notification or alarm.

IT Operations SHOULD specify which reporting channels are used for IT monitoring and what consequences are drawn from notifications or alarms. Based on monitoring results, it SHOULD be checked whether the infrastructure is to be expanded or adapted. Regular reports SHOULD be created from the insights gained, presenting the current status of the operated IT and temporal developments as well as trends.

The IT monitoring concept SHOULD be reviewed and updated regularly and as circumstances require, in order to correspond to the current state of the art and the operated infrastructure.

The monitoring data SHOULD only be transmitted via secure communication channels.

OPS.1.1.1.A10 Maintaining a Vulnerability Inventory (S)

IT Operations SHOULD maintain a vulnerability inventory in which the vulnerabilities of all operated IT components and the handling of these are centrally recorded and maintained.

IT Operations SHOULD initiate, track, and ensure the remediation of vulnerabilities. A process SHOULD be defined that specifies how vulnerabilities are to be handled. At a minimum, the following SHOULD be specified:

  • By when an available update that fixes the vulnerability MUST be installed,
  • In which cases and by when IT components with vulnerabilities should be decommissioned or replaced, and
  • Whether and how such IT components are to be segregated if neither replacement nor an update is possible.

OPS.1.1.1.A11 Definition and Compliance with SLAs (S)

For all IT components and all activities, IT Operations SHOULD define and monitor Service Level Agreements (SLAs) that correspond to the protection needs of the IT components and are agreed upon within the institution. The defined SLAs SHOULD take into account the roles and permissions as well as any dependencies of the respective activity on other organizational units.

OPS.1.1.1.A12 Specification and Implementation of Clear Operational Processes (S)

IT Operations SHOULD specify operational processes for all tasks that encompass all activities and dependencies for the respective task and ensure that IT Operations activities are traceable.

For each process, it SHOULD be defined who may initiate the process and who implements it. For each process, the organizational interfaces to other IT Operations groups or other organizational units SHOULD be specified.

IT Operations personnel SHOULD be briefed on the relevant operational processes.

When processes have been executed, this SHOULD be logged. The result of the execution SHOULD be logged. For each process step, it SHOULD be defined whether it must be documented that it was processed. Furthermore, it SHOULD be defined when the process is successfully completed.

IT Operations SHOULD specify a process that generally describes how to handle situations not covered by the regular operational processes. At minimum, fallback processes SHOULD be defined and it SHOULD be described how to proceed in the event of faulty or manipulated operations.

OPS.1.1.1.A13 Securing Operational Resources and Documentation (S)

Only authorized IT Operations personnel SHOULD be able to access the operational resources, documentation, and operations manuals. IT Operations SHOULD ensure that the operational resources and documentation are available at all times.

If the IT systems and applications of the operational resources communicate via the productive infrastructure, secure protocols SHOULD be used. Confidential data SHOULD only be transmitted via secure protocols.

The operational resources SHOULD be integrated into vulnerability management and IT monitoring.

OPS.1.1.1.A14 Consideration of Operability in Conception and Procurement (S)

For IT components, requirements for efficient and secure operation SHOULD already be taken into account during conception and procurement. For this purpose, the requirements of IT Operations SHOULD be gathered and considered. IT Operations SHOULD also take into account the complexity of the IT.

OPS.1.1.1.A15 Planning and Deployment of Operational Resources (S)

IT Operations SHOULD plan, procure, and deploy operational resources for all IT components in accordance with needs. IT Operations SHOULD determine the requirements for the respective operational resources and align them with the other affected organizational units of the institution.

The networks in which the operational resources are positioned SHOULD be at least logically separated from the other networks of the institution (see building block NET.1.1 Network Architecture and Design). The network for the operational resources SHOULD be further subdivided depending on security policy and functional dependencies. The different operational groups and target systems SHOULD be used as the basis for further segmentation.

OPS.1.1.1.A16 Training of Operations Staff (S)

For IT Operations, a training plan SHOULD ensure that several persons have the required skills and qualifications for all IT components and operational resources. The training measures SHOULD in particular address the following topics:

  • Hardening and standard configurations
  • Specific security settings for the operated IT components and deployed operational resources
  • Possible interferences between the operational resources used
  • Dependencies and interfaces of IT Operations processes

When new IT components are procured, a budget for corresponding training measures for IT Operations SHOULD be planned.

OPS.1.1.1.A17 Planning IT Operations with Special Consideration of Shortage and Emergency Situations (S)

IT Operations SHOULD define when a shortage or emergency situation exists for the operated IT components. For these situations, it SHOULD be established — in accordance with the requirements of general emergency management — which IT components are to be operated as a priority or are needed for minimum operations. Emergency planning SHOULD include the following points:

  • Disaster recovery plan
  • Emergency manual for the IT components, taking into account the entire infrastructure
  • Handling of critical and longer-term operation-disrupting incidents

OPS.1.1.1.A18 Planning the Use of Service Providers (S)

IT Operations SHOULD coordinate the use of service providers and control them among other things via SLAs so that the service is provided to a sufficient extent. The use of different service providers SHOULD be coordinated with each other, particularly if they are intended for the same area of activity. For such situations, a clear communication interface SHOULD be defined in each case.

IT Operations SHOULD document, regularly review, and adjust the provisions on service provider management as well as the activities planned for the service providers.

OPS.1.1.1.A19 Regulations for Maintenance and Repair Work (S)

IT components SHOULD be regularly maintained. It SHOULD be regulated which security aspects are to be observed during maintenance and repair work. It SHOULD be defined who is responsible for the maintenance or repair of IT components. Maintenance and repair work performed SHOULD be documented.

It SHOULD be ensured that maintenance and repair work performed by third parties is coordinated with the parties involved. Internal IT Operations staff SHOULD be designated to authorize, observe or support, and accept such work.

OPS.1.1.1.A20 Checking for Vulnerabilities (S)

IT Operations SHOULD regularly obtain information about known vulnerabilities in IT platforms, firmware, operating systems, deployed IT applications, and services, analyze them for the specific conditions, and take them into account.

The IT components SHOULD be tested for vulnerabilities regularly and as circumstances require. For each IT component, the appropriate test coverage, depth, and method SHOULD be defined.

The tests and identified vulnerabilities SHOULD be traceably recorded. Vulnerabilities SHOULD be remediated as quickly as possible. As long as appropriate patches are not available, other measures MUST be taken to protect the IT component against serious vulnerabilities and threats. If this is not possible for an IT component, it SHOULD no longer be operated.
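
The handling process from OPS.1.1.1.A10 and the fallback rules of this requirement can be expressed as a decision over vulnerability inventory entries. The following is an added example, not part of the building block: the deadlines, the order of the fallback steps, the field names and all entries (including the VULN-... identifiers) are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy values. The building block requires such deadlines to be
# defined but does not prescribe them.
UPDATE_DEADLINE_DAYS = {"critical": 3, "high": 14, "medium": 30, "low": 90}
REPLACE_DEADLINE_DAYS = 180


@dataclass
class Entry:
    component: str
    vuln_id: str                          # constructed placeholder
    severity: str
    recorded: date
    update_available: Optional[date] = None
    update_installed: Optional[date] = None
    replaceable: bool = False
    can_segregate: bool = False


def handling(entry, today):
    """Return (action, due_date) for one inventory entry."""
    if entry.update_installed:
        return ("remediated", None)
    if entry.update_available:
        # By when an available update must be installed.
        due = entry.update_available + timedelta(
            days=UPDATE_DEADLINE_DAYS[entry.severity])
        return ("install-update-overdue" if today > due else "install-update", due)
    # No update available: decommission or replace, else segregate,
    # else the component is no longer operated.
    if entry.replaceable:
        return ("replace-or-decommission",
                entry.recorded + timedelta(days=REPLACE_DEADLINE_DAYS))
    if entry.can_segregate:
        return ("segregate", None)
    return ("stop-operation", None)


# Constructed inventory and review date.
TODAY = date(2024, 6, 1)
ENTRIES = [
    Entry("srv-web-02", "VULN-0001", "critical", date(2024, 5, 20),
          update_available=date(2024, 5, 25)),
    Entry("srv-db-01", "VULN-0002", "medium", date(2024, 5, 10),
          update_available=date(2024, 5, 15)),
    Entry("plc-gw-03", "VULN-0003", "high", date(2024, 4, 1),
          can_segregate=True),
    Entry("nas-legacy-01", "VULN-0004", "high", date(2024, 3, 1),
          replaceable=True),
    Entry("kiosk-05", "VULN-0005", "critical", date(2024, 5, 30)),
    Entry("srv-app-04", "VULN-0006", "low", date(2024, 2, 1),
          update_available=date(2024, 2, 5), update_installed=date(2024, 2, 20)),
]


def open_items(entries, today):
    """Traceable worklist: every entry that still needs an action."""
    rows = [(e.component, e.vuln_id, *handling(e, today)) for e in entries]
    return [r for r in rows if r[2] != "remediated"]


if __name__ == "__main__":
    for row in open_items(ENTRIES, TODAY):
        print(*row, sep="\t")
```
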

Requirements for High Protection Needs

The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. The proposals SHOULD be considered for high protection needs. The specific determination is made within the framework of an individual risk analysis.

OPS.1.1.1.A21 Integration of Operational Resources into Security Monitoring (H)

The IT systems and applications used as operational resources SHOULD be integrated into security monitoring.

If the institution uses a system for central detection and automated real-time verification of event messages, the operational resources SHOULD be integrated into it. Operational resources such as IT management and IT monitoring systems SHOULD be used as data sources for security monitoring.

OPS.1.1.1.A22 Automated Vulnerability Testing (H)

All IT components SHOULD be regularly and automatically tested for vulnerabilities. The test results SHOULD be automatically logged and made available to other tools in security monitoring.

For critical vulnerabilities, automated alerting SHOULD take place.

OPS.1.1.1.A23 Conducting Penetration Tests (H)

Penetration tests SHOULD be performed for all IT components. A concept SHOULD be created and implemented that, in addition to the test methods and depths to be used, also defines the success criteria.

OPS.1.1.1.A24 Comprehensive Logging of Process Steps in IT Operations (H)

For operational processes, each process step SHOULD be traceably logged.

OPS.1.1.1.A25 Ensuring Self-Sufficient Operational Resources (H)

It SHOULD be ensured that operational resources can also be used in the event of external disruptions. In particular, a failed internet connection SHOULD NOT lead to a disruption of the operational resources.

The operational resources SHOULD be configured and positioned such that dependencies between the various operational resources are minimized. It SHOULD be prevented that the failure of one operational resource leads to an operation-disrupting malfunction of another operational resource.

OPS.1.1.1.A26 Proactive Maintenance in IT Operations (H)

For IT systems, proactive maintenance SHOULD be carried out, in which preventive maintenance measures are performed at defined intervals.

In addition to regular maintenance and proactive maintenance, it SHOULD be weighed for each IT component whether predictive maintenance is used.

Additional Information

Distinction of Operational Terms

Operations Manual

An operations manual (BHB) describes, for each IT component, all measures and data that are necessary for its operation. A BHB is based on the corresponding operational concept and is to be regarded as a living document subject to continuous updating and supplementation.

Operational Concept

An operational concept describes the operational organization and operational processes for a similar group of IT components. The operational concept forms the basis for the operations manual.

Operational Processes

An operational process specifies the activities necessary to fulfill an operational task. Component-specific operational processes can also be defined as part of the operations manual.

Good to Know

The Information Technology Infrastructure Library (ITIL) provides guidance (best practices) for the establishment and implementation of an institution’s service management.

The International Organization for Standardization (ISO) specifies in the standard ISO/IEC 20000 the minimum requirements for IT service management processes in order to ensure a measurable quality standard of IT services. The ISO/IEC 20000 standard is aligned with ITIL and complements its best practices.