
Archive for the ‘Uncategorized’ Category

Can Your IT Service Management Implementation Be Outsourced? 5 Steps to Successfully Use Consulting for Your ITSM Program

Service Management initiatives can help drive better IT operational efficiency and effectiveness when you understand where you are and which improvements will help you meet your goals. As more companies start to consider implementing IT Service Management (ITSM), turning to professional consulting organizations for help with process definition and implementation can facilitate a successful program.

It is, however, important to note that implementing ITSM good practices is very different from implementing technology. When implementing technology, there is a tendency, particularly within large companies, to rely heavily on consultants for the lion’s share of the work. Consultants are brought in to do any or all of the following tasks:

  • manage the project(s),
  • gather, and in some cases even specify the requirements,
  • develop or configure software,
  • implement necessary hardware,
  • document the efforts,
  • develop and deliver training and conduct the rollout.

In essence, much of the effort to deliver new technology capabilities in the form of IT services is routinely outsourced, and in many cases successfully. Ongoing success in operating these new services requires either that internal resources are trained to provide support or that an appropriate outsourcer is in place to assure successful service operation.

The implementation of an ITSM program, however, is quite different. With respect to implementing good practices, we are primarily talking about instituting new processes and practices or modifying existing ones. While one or more ITSM consultants used in the “staff augmentation” model described above for technology projects can crank out process documentation and help to specify requirements for automation, they cannot define your processes for you, nor can they, alone, effect the behavioral change required for successful implementation and ongoing continuous improvement. Getting to “success” with ITSM includes organizational transformation. People in the organization must adopt new policies, modify their procedures and embrace new responsibilities. We are talking about changing the way people do things.

To be successful, the drivers for such change cannot be outsourced. The message of expectations, urgency and sponsorship must be communicated early and often by senior IT management. A steering committee of senior managers, along with your ITSM consultant(s), should form the guiding coalition that leads people in the organization through the changes necessary to reach the goals that must be attained. In addition, each of the teams involved in the daily activities of each process being defined or modified should be represented on the working teams that define the processes they will be expected to use every day. Without this level of involvement, process internalization and the sense of ownership necessary for long-term participation and continuous improvement are less likely to occur. Lastly, the system of rewards must be adjusted to reinforce the transformation you are hoping to achieve through retooled processes and service management behaviors.

Below are 5 steps for using consultants for your ITSM program to promote successful ITSM implementation:

  1. Use your principal consulting resource as a program mentor. This person can help you structure and plan the program and guide you in the right direction. Assign your own program manager and expect that this person will spend between 50 and 100 percent of their time (depending on the size of the organization) directly involved in this effort.
  2. Fight the urge to expect your consultant to give you an out-of-the-box solution. If your consultant has worked with other customers in your industry, expect them to leverage that experience to help you streamline solutions for your needs, but the size and nature of your organization will still require solutions tailored to it.
  3. Appoint Process Owners to work with consultants to define each process. Expect these individuals to spend 25 to 50 percent of their time (depending on the size of the organization) in the definition phase of this project. Each process owner should be responsible for helping to identify a cross-functional working team for their process area to assist with process definition and with roles and responsibilities.
  4. Use consultants to facilitate process definition workshops. Consultants should be trained in meeting facilitation and process modeling so that they can provide objective, informed guidance to the overall project.
  5. Once the process has been vetted and agreed to by the process team, consultants can be used to document the process, create training materials, solicit requirements and write requirements documents for process automation, train employees, and assist in developing communication materials.

The development and implementation of your ITSM program cannot be outsourced to consultants. The typical staff augmentation rules for technology projects do not apply. The fundamental organizational and behavioral changes that accompany process improvement require direct involvement throughout the program from senior IT management and other players in the organization. Working in conjunction with your ITSM consultant(s), your IT organization can implement effective processes that help you achieve efficiencies while improving levels of service. But if you abandon your own role in the process and think that you can hire a consultancy to come in, implement and educate without requiring sponsorship and time from individuals in the organization, you are likely to spend significant dollars with little return on investment.

Valerie Arraj
valerie@cppit.com


Process Ownership: Who and Where?

I’ve written in the past about the nicely crafted accountability model that exists within ITIL. (See http://www.itsmwatch.com/itil/article.php/3794216/The-IT-Accountability-Model.htm). One of the most prevalent questions we get is which person or area of the organization is best suited to play the role of process owner. Unfortunately, the standard consultant answer, “It depends…”, is the honest one. But the following guidelines might help to pinpoint the best person or place for these roles for some of the more commonly implemented processes:


Incident Management: One could make a good argument that this role should be owned within the Service Desk function. Whether or not it is the Service Desk Manager who assumes these responsibilities depends upon the size and nature of your service desk. Service Desks that handle more than 200 calls per day should consider this a dedicated role, particularly if this person is also responsible for oversight of a Major Incident process. This person should be reviewing incident metrics, documentation, opportunities to turn data into knowledge, and implementation of continuous improvement metrics. This person also has to rally staff outside the Service Desk to participate within service level commitments for issues that need to escalate to groups with deeper element-level skills. This is one of the easier processes to find a process owner home for.

Problem Management: Problem management has two missions: get to the root cause of reactive issues (the incidents that have occurred) and proactively identify trends as a means of identifying problems. It is tougher to pinpoint a definitive owner here. In larger organizations, we have seen the emergence of a service delivery function where this role may logically reside. In smaller enterprises the oversight of this process may also reside in the Service Desk or within the realm of Event Management (monitoring, perhaps a NOC group), being mindful that it cannot conflict with the incident management goal of rapid restoration. The individual responsible for Problem Management must be able to leverage resources from level 2 and level 3 organizations outside of their direct functional responsibility to perform successful root cause resolution and to assist in the identification of trends.

Change (Configuration & Release) Management: Many think of Change Management as an operational function, likely due to its role in protecting “production” services through prudent evaluation of risk versus benefit. It is, however, a governance role: a control point and oversight for two other tightly related processes, Service Asset & Configuration Management (SACM) and Release & Deployment Management. Some large organizations have Enterprise Risk Management functions in place where Change Management would find a logical home. Small organizations may assign the ownership of all three processes to one individual, since an approved Change drives asset and configuration repository updates and spawns the release of developed changes to production. All three represent a collective of governance over the risk and quality of service delivery. As with the Incident and Problem Management processes, Change, SACM, and Release & Deployment necessitate the oversight and cooperation of cross-functional teams within the IT organization, which is always a consideration in determining “where” a role should reside organizationally.

Bottom Line

The typical first approach in most organizations is to not “upset the apple cart” and to slot these roles into existing organizational buckets. This might be a good initial pass, but the cross-organizational nature of process requires a longer-term strategy for success. This may mean some restructuring within the organization that positions process owners with the empowerment necessary to gain cooperation and compliance with process from stakeholders throughout the organization. Considering a Service Delivery organization or a Governance organization outside of the standard IT organization silos, staffed by managers who have the seniority and expertise to drive cross-functional efforts, may be a key to a lasting strategy for Service Management effectiveness.

Valerie Arraj
valerie@cppit.com


Top 5 Certifications – 2010 Study – ITIL Makes the List

In a 2010 joint study, ITIL is among the top 5 IT certifications and the certification garners a higher salary.


Connecticut Attorney General Sues Health Net Over Security Breach

I mentioned in my blog in late November that the cost to Health Net over loss of an unencrypted hard drive containing 450,000 patient records (revised down from 1.5m) would be much greater than the cost of securely controlling and protecting their information assets. Health Net will begin the process of emptying their wallets in an effort to build a defense against the lawsuit levied against them by Attorney General Richard Blumenthal.

The breach occurred in May of 2009 and was not reported until November. As discussed, Connecticut’s breach notification law is fairly strict, and I would assume that holding off reporting such an incident for 5+ months is over the top, which could cause Blumenthal to make Health Net an example for all to see. To add fuel to the fire, the HITECH Act (part of the American Recovery and Reinvestment Act of 2009) also imposes notification mandates that were apparently neglected. See my November blog post under security entitled “Health Net Breach — A Failure of People, Process & Technology” for more details.

jay.martin@cppit.com

CISM, ISMAS

www.cppit.com


H.R. 2221: Data Accountability and Trust Act

The national Data Accountability and Trust Act, H.R. 2221, passed the House of Representatives earlier this month (Dec. 8th, 2009). The Bill — like 201 CMR 17.00, the Massachusetts Standards for the Protection of Personal Information — seeks to protect consumer personal information and requires notification to individuals in the event of a breach, albeit at the national level. The bill is set to go before the Senate next and then the President.

H.R. 2221 would require “for profit” organizations to develop the necessary security policies and safeguards to protect U.S. residents’ personal information within one year of enactment.

More to come later…

jay.martin@cppit.com

CISM, ISMAS

www.cppit.com


Health Net Breach — A Failure of People, Process & Technology

The recent Health Net data breach of 1.5 million patient records due to a lost hard drive included unencrypted personal information such as names and addresses, medical records, Social Security numbers and other financial information. A breach of this magnitude is shocking, and what is more astounding is that the breach apparently occurred in May 2009 and was not reported to the Connecticut Attorney General’s office until this month (November 2009). The breach may constitute gross negligence under HIPAA, the FTC “Red Flag” regulations, Connecticut’s Public Act 08-167, CGS 36a-701(b) and other state regulations and breach laws.

I am sure that Health Net, like most companies, felt they had developed the necessary controls to meet such regulations. But a breakdown of this magnitude reveals a failure of the company to institute “strong enough” information security policies, employee awareness programs and technology across the company to protect against this major corporate risk. That is why we have been advising our clients to develop a risk-based information protection plan that weighs their potential loss against the cost of securely controlling and protecting their information assets. The monetary penalties and consequences to Health Net for this breach will far outweigh the “should-have” preventative cost of deploying the right controls for this threat. If the lost hard drive had been encrypted, I wouldn’t even be writing this blog.

In his statement, Attorney General Richard Blumenthal stated that “I will vigorously and aggressively seek damages, penalties and other appropriate remedies, if warranted.”

This is not optional: *Information security programs that include people, process, technology and partners must be vigorously managed and improved upon over time.* Comments are welcome.

jay.martin@cppit.com

www.cppit.com


What I Learned From Getting Hacked

In CPP’s June Podcast, we discussed a security breach that occurred a few years ago and the steps my team took to detect, respond and remediate the incident.  Here are the five things I learned from that breach.

1).  Planning your response to a disaster or security incident is just as important as the safeguards you put in place
You cannot protect against everything.  The following often delay or prevent putting the necessary mitigation plans and preventative controls in place:
   -  Residual risk that remains based upon your organization’s tolerance or risk appetite
   -  The cost of mitigating risks and putting the necessary controls in place to thwart threats and vulnerabilities
   -  Business strategies and priorities that conflict with your security program
   -  Zero-day threats and vulnerabilities
If you agree with at least one of the bullets above, then it is of the utmost importance to have Incident Response Plans and Response Teams in place that you can trust.
2).  Select a team or teams you can trust
Tough times don’t last, tough people do.  Choosing people for your Emergency Response and Incident Response teams should be done on a selective basis.  Having the right people on call at the right time may save your organization from further loss.  Creative people that can think clearly in stressful situations can make all the difference between ending up in the headlines or heading the bad guys off at the pass.
3).  Store your Incident Plans in plain sight (and at multiple sites)
When an incident or disaster occurs you don’t want to leave your response to chance — even if you have selected a great team.  Know exactly where your Continuity, DR and Incident Response Plans are located.   This is achieved through constant awareness and possibly automation.  Both electronic and paper documents should exist in multiple locations.
4).  Monitor, Monitor, Monitor
Our security breach was discovered by a higher-than-normal CPU event that triggered an automated alert to our Service Desk.  Good processes and disciplines (automated and otherwise) must take over from there.  Monitoring for anomalies on your servers, network devices, databases and applications is an important first step, in addition to the traditional security monitoring (IDS/IPS, anti-virus, logging, etc.).
5).  Embed good processes and practices such as ITIL into your organization’s daily life
I brought ITIL into my previous employer’s organization in 1999.  Good Event, Incident and Problem Management disciplines were vital in detection, notification, “root cause” and escalation of the attack.  Change/Configuration and Release Management disciplines were significant in quickly correcting the incident, the underlying problem and putting the necessary corrective, compensatory and deterrent controls in place.

Comments are welcome.
Jay Martin
jay.martin@cppit.com


Recent Study Says Economic Counter-Trend in Demand for IT Process and Architecture Skills

A 2009 study conducted by a research organization that follows trends in IT industry skill demand and pay scales indicates that, while pay for IT professionals in general has declined for the first time since 2004, salaries have increased for individuals with skills and certification in IT architecture and methodology/process.


Third-Parties — Mass. Standards for the Protection of Personal Privacy

Important update.  The amended or revised 201 CMR 17.00 has softened the requirement for third-parties you do business with and that have access to personal data.  The original regulation slated for a May 1, 2009 compliance date stated that businesses would require “certification that such service provider has a written, comprehensive information security program that is in compliance with the provisions of these regulations”.

The revised regulation scheduled for January 2010 now states that businesses should ensure that third-parties are taking all reasonable security measures — at least as stringent as those provided in the 201 CMR 17.00 regulation — in protecting personal information.

Ensure?  How are you going to “ensure” that your third-parties are protecting themselves? 

Here’s what I recommend, and I suggest you follow my advice.  Send each of your third-parties (whether they do business in the Commonwealth or not) the 201 CMR 17.00 Audit Compliance Checklist that I provided a link for in my first blog on this very subject (see below).  Take the checklist and add a signature page and have your third-parties sign it.  If they don’t fully comply, have them put together a letter that outlines their security improvement plan with dates and have them sign that. 

If your third-party is not willing to go the extra mile, you’ll have no choice but to move on. The eventual financial risks and public image drubbing may be too high. Are you willing to chance it?

Let me know your thoughts.


201 CMR 17.00 Postponed Until January 2010

The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) this week pushed back the compliance date for its Standards for the Protection of Personal Information from May 1, 2009 to January 1, 2010. This is the second delay to the Mass. regulation, which was initially scheduled for January 2009.

The revision was filed on Thursday, February 12th, 2009 and OCABR Undersecretary Daniel C. Crane stated, “We understand the impact of the current business environment, and feel this is an appropriate timeframe for companies to implement the necessary protections.”

As I stated in my blog last week, this regulation sets strict guidelines for businesses and other holders of Massachusetts residents’ personal information. The regulation states that personal information (a combination of a resident’s name and a Social Security number, driver’s license number, credit card number or financial institution account number) must be encrypted when stored on portable devices or transmitted electronically over a public network. Protection for paper documents is also included.

I recommend that you do not wait until the last minute. 

As I suggested, developing and fine tuning your Information Security Policy, educating your staff, planning your budget and making any necessary purchases and deploying them should start ASAP.
