Poor Problem Management


CA’s Rich Graves posts “Problem Management sits alone in the corner and cries and cries. It’s the loneliest ITIL process as it’s always the last one picked to play on the Service Operations team. Poor little Problem Management sits and watches while Incident and Change Management get to play. And Configuration Management gets to play too, even though it is a complete mess and isn’t even wearing shoes.”

So true.  Problem Management is a misunderstood process, even more so than Configuration Management.  Without it, though, many issues will go unresolved or be closed with an inconclusive response.  No lessons will be learned, and the problems won’t just go away.

“And let’s be honest: root cause analysis is boring. Who wants to deal with that all the time? I’d rather just restore service and move on. What’s that you say? Eliminating the root cause could prevent further outages and free IT from dealing with critical incidents? OK then. We need to do Problem Management.”

Check it out and make a resolution to improve your IT and business processes in 2012.  Shoot for the moon; that way, even if you just miss, you still stand a chance of falling among the stars.

The ITIL Service Catalog

The ITIL framework is based on the concepts of Service and Customer Care, and the Service Catalog is at the core of these fundamental concepts.  Having a menu of available services is critical for effective IT service provisioning and management.  Many IT departments have grown up without maturing the way that they manage, support and offer services to their constituents, and have ended up in sheer chaos.  Usually, a user will have a need and place a request to IT through the Service Desk.  The Service Desk staff member may not be able to help them, or will simply turn down the request since no procedures are in place to handle it.  Worse, there is the potential to bypass “the IT run-around” altogether because of the availability of downloadable applications and external services, which may add additional, unmeasured, and unrecoverable costs and risks to the organization.  Do you know ALL of the applications in use in your organization and where they came from?

By taking the time to document the services that IT provides currently, the services that IT plans to offer soon, and asking what services the customers would like to consider in the future, IT departments can gain an understanding of their current environment, plan for the future, and engage their customers in developing new services.  The development of a service catalog can also aid in understanding what resources are needed for support, where the budget is being spent, what factors should be measured to gauge efficiency, what services can be automated or optimized, and where costs may be recovered or saved.

This available list of services should include everything that IT does, for instance, requests for a new laptop, new software, account provisioning, access requests, file permissions, or de-provisioning an employee’s account when they leave.  A help desk without a service catalog will not be able to provide its customers with consistent information about the services available and time requirements for delivery.

Service Catalog Contents:
Each service within the catalog typically includes:
  • A description of the service provided.
  • Service level agreement commitments for fulfilling the service.
  • Who is entitled to request or approve the service.
  • Costs and charge backs (if any).
  • How the service is fulfilled.

ITIL Service Lifecycle Overview

Traditionally, IT has been managed and maintained through fire-fighting efforts, remaining reactive and technology focused.  The world view is one of “users”, isolated silos of information and responsibility, ad-hoc problem solving, and informal processes that are operational in nature.  The frequently cited objective of “alignment with the Business” characterizes a common problem faced by the leadership of IT organizations.   Those who succeed in meeting this objective are the ones who understand the need to be Business-minded.   When an IT organization has an internal focus on the technology being delivered and supported, it loses sight of the actual purpose and benefits that its efforts deliver to the Business.

ITIL builds upon existing IT practices by providing a process-driven focus, pro-active problem prevention, a view of the world through service-colored glasses with “customers” rather than users, a drive toward integration and information sharing, and processes that are SMART – simple, manageable, achievable, repeatable and timely.  ITIL has a service and service level orientation, focusing on continuous measurement and improvement.

The objective of the ITIL Service Management practice framework is to provide services to business customers that are fit for purpose, stable, and reliable.  The core disciplines provide structure, stability and strength to service management through durable principles, best practices, formal methods and tools, while protecting investments and providing the necessary basis for measurement, learning and improvement.  The ITIL Framework has been redesigned in version 3 to make building out an IT services strategy more straightforward, and maintaining or improving those services logical.  The ITIL service life cycle consists of 5 major considerations, each containing several processes for managing and developing the services IT provides through to maturity.  The life cycle itself is iterative and multi-dimensional, ensuring that lessons learned in one area can be applied to other areas as well.

It is often helpful to understand the bigger picture when discussing a framework as large and multi-layered as Information Technology and Service Management.  Below is an overview of some of the key terms and ITIL practice areas.  The ITIL core guidance consists of 6 books.  Each volume is consistently structured, making interpretation and cross referencing easier.

  1. Introduction to ITIL Service Management
  2. Service Strategy
  3. Service Design
  4. Service Transition
  5. Service Operation
  6. Continual Service Improvement

In addition to the core guidance there is a large body of official and unofficially developed complementary guidance available, as well as examples and templates for many tasks.  Additionally, other frameworks are referenced and related to align with ITIL practices, such as CoBIT, Six-Sigma, and ISO.  To me, ITIL is quite simply: documented common sense that works.

What Is ITIL?

I met with an acquaintance recently, who was looking for some input into forming a cohesive IT strategy, aligned more closely with business strategy and processes, and supporting the anticipated growth of the company.  I hope that she doesn’t mind my sharing some of our meeting dialogue as a learning experience for others.

The company that she presently works for is well established across Canada, and has started to reach into the States as it steadily grows.  My acquaintance is concerned that current growth may shortly exceed IT’s ability to keep pace, and that the company will be facing capacity, capability and security issues in the mid to long term.  Better to identify and plan to address these issues now than to wait for a major flare-up.  I couldn’t agree more.

IT is all about providing, managing, measuring and changing services for the constituents within the organization.  The first question that I asked was, “how is change managed in the organization?”  There was a pause, and I followed up for clarity: “do you manage change, using say, ITIL practices?”  It turns out that she has had little exposure to ITIL, and asked for a quick explanation of the term.  My short two-sentence explanation was probably far too brief to offer any real guidance or expression of value, so I am following up in more detail here.

ITIL is short for the Information Technology Infrastructure Library.  This library provides an organized set of core IT concepts and a framework of practices and processes for Information Technology Services Management (ITSM), development and operations.  Each of the core concepts and process groups inter-relate, with input and feedback linkages.  Each concept is designed to create order from chaos, improve service delivery and customer service, increase productivity, reduce complexity, and streamline costs.  ITIL gives detailed descriptions of a number of important IT practices and provides comprehensive checklists, tasks and procedures that any IT organisation can tailor to its needs.  Read this white paper for more information on ITIL basics.

A 2007 article in IT World Canada reports that an “implementation of ITIL was estimated to save 10 to 20 percent in technology support costs over a five-year period.  Actual returns have been higher, according to Senior Vice President of Enterprise Technology Operations, Robert Turned, but it’s difficult to attribute all of the savings directly to ITIL.”

ITIL does not require adoption of the entire body of its framework in order to be successful in bringing to light substantial benefits to the organization.  A company can choose what to adopt, how far to mature the model and framework, if and when to introduce automation, and can choose to adopt only a single module if that is all that it requires.  In fact I have been responsible for introducing select modules at several places of work, and have worked at others that had elected to introduce formal Change Management only, because that was all that they needed at the time.  CoBIT has been mapped to ITIL, as have other best practice sets, and Microsoft’s own Operational Framework is based directly on the ITIL model.

ITIL is published in a series of books, each of which covers an IT management topic.  Each topic contains one or more sub-processes.  Version 3 is a significant update to the framework and its processes.  The Version 3 IT Service Management core process group includes:

M&A Security Challenges

Merging IT and security strategies that were developed at different times, under different conditions, and by different management teams is no simple task.  In one organization that I worked for, innovation and growth were handled through merger and acquisition, a trend that is quite common in the current economy as businesses look for opportunities to gain new markets, increase their corporate strengths, and bring in new talent and ideas.

The organization when I arrived had just completed 2 substantial acquisitions, extending its reach across Canada, parts of the UK, and 2 US states.  The IT team and I faced huge challenges in merging technologies, introducing a structured IT strategy, and unifying information security practices.

All 3 businesses were considerably behind the times in terms of their security programs.  There were no security policies to speak of, and head office relied primarily on contract IT and information security staff used mainly for after-hours support and fire-fighting missions.  The smaller units had basically no security considerations beyond the firewall.  We were essentially building the program from the ground up in terms of staffing, training, equipment, policies and procedures.


Disaster Recovery or Business Continuity, Plan, Plan, Plan

In various companies, I have assumed the role of IT Manager in many shapes, forms and job titles.  One of the first things that I have usually done as part of that transition has been to look for Disaster Recovery and Business Continuity plans.  Mostly, they didn’t exist.  Occasionally, they were in various states of readiness.  One firm in particular had an excellent Network Manager who didn’t realize that he had been preparing and updating a pretty good tactical DR plan for several years.

Every single year without fail, the high-rise office tower that the company was headquartered in would pull the plug on all 40-some-odd floors and make repairs and updates to its electrical, mechanical, HVAC and other life-supporting systems.  In preparation for this big event, every single server, every router, switch and even desktop had to be visited in order to prepare it and shut it down cleanly, so as to protect critical data and resources.  This often involved taking the extra time to patch, test, fail over and repeat before everything went black.  This is a monumental task, and I think I still owe that guy a big thank you and a small beer for maintaining such a good inventory checklist, as well as for doing the majority of the heavy lifting during those crazy weekends.  (Cheers Al!)

With this documentation in hand, it was fairly easy to determine what were the “crown jewels” within the organization, what the business could not afford to be without for an extended length of time, and also, what needed to be stood up fast in the event of catastrophe.  The exercise also made clear what needed to be backed up, what needed to be duplicated, and what required full, live replication in order to meet both disaster and continuity goals.

What are those goals?


WikiLeaks – Could It Happen To You?

For enterprise IT managers and security professionals, the on-going WikiLeaks disclosures underscore the information security gaps that exist even when common security controls are in use by large organizations.  It is not necessarily the controls themselves that are flawed, but more often the supporting processes and procedures that were quickly pulled together under pressure, and seldom if ever revisited or audited at a granular level for optimal performance and completeness.

This entire ordeal also serves to highlight the importance of adopting a “trust, but verify” approach to hiring practices and access control.  This means that you need to be just a little bit more paranoid regarding your practices, without distrusting your employees.  Remember that everyone you hire is human, and that people will make mistakes if mistakes are possible.  They are (hopefully) hired due to their capabilities and experience, but what really separates them from the other candidates who showed up for an interview?  Were you able to validate their claims of reliability and trustworthiness?  Trust that they will exercise good judgement and work towards corporate betterment, but verify that each access to sensitive data or corporate intellectual property is properly justified.   Remove the temptation to go astray, and by all means, let them know that you verify.  Your intention is to DISCOURAGE criminal or damaging behavior, not to ENTRAP those who may err or fall prey to social engineering.

What controls should be in place?  That depends on the type and classification of the information that is at risk.  When it comes to client financial and personal information, it is clear that monitoring, notification and escalation controls are a requirement.  Take a lesson from PCI, even if you don’t adopt it formally.  The PCI DSS is simply basic computer security.  A quick review of the 12 main PCI requirements shows nothing revolutionary, and they offer a solid starting point for virtually any security compliance engagement.
