Recently in Compliance/Risk Management (GRC) Category

Back in 2007, Gartner released the statistic that IT was responsible for 2% of global CO2 emissions. This puts IT on a par with the aviation industry. Yes, really! We all focus on the airlines, because they are big and obvious, we can even pay an off-set charge to "feel better", but we need to start and focus on things we can more directly impact on our own doorstep, the IT we use. The carbon footprint of PCs and monitors is expected to triple by 2020 - a growth rate of 5% per annum. The global data centre carbon footprint is expected to triple by 2020 - a growth of 7% per annum.

We've all heard about global warming and the impact we hungry consumers are having on the planet. It's something we need to address, especially as we begin to see the impact it's having on our weather patterns: severe floods in South America and Australia, heavy snow in the UK and on the East Coast of the USA. These conditions are impacting our lives and businesses and are projected to continue unless we all start to turn the tide and think of ways to reduce our carbon footprint. Many governments and businesses have Green policies and set targets as part of their corporate governance responsibilities; perhaps your own organisation has such a policy. If so, do you know its content and how you can contribute towards it? We need to start adding Green IT thinking into all that we do, particularly in the business/IT (BSM) relationship, before it's too late.

What can we do about this? There are simple things to make a positive start, such as archiving unused data and powering off idle desktops, printers etc. We need to bring this thinking into our Service Strategy and Design initiatives, ready for the transition into live operations. We need to bring Green IT into the business-oriented service management discussion.

Recently I came across a great article by Karen Ferris from a consulting company in Australia, Macanta Consulting, who looked into Service Management, and in particular ITIL, as a way of understanding, controlling and reducing a business's CO2 impact. I hope you'll find it of interest and useful in your Green IT efforts.

In the Chief Executive.net CEO Briefing article, "WikiLeaks' Next Target: CEOs", it seems to me that WikiLeaks' founder Julian Assange will make good on his vow to go after big business and to release confidential information concerning the nation's largest private companies. The most severe threat to any organization, whether it is the State Department, the Department of Defense, a large U.S. bank or another major publicly traded company, is the insider threat.

I spoke with Chrisan Herrod, our security expert, to get her view on how this will impact security policy in global enterprises. This is what Chrisan had to say:

"Wikileaks has made it completely obvious that information security breaches represent a significant risk to the enterprise and that an air tight cyber security strategy is not an option, it is a must. The question then becomes how best to counter the threat without damaging the mission of your business.

  1. CEOs should take notice now of what is happening within the US government and take extraordinary measures to protect their corporate information. IT and the Business should focus on the principles of alignment offered by Business Service Management. Business leaders and Information Security personnel have much that they can do, and should do, to be as proactive as possible.
  2. First and foremost, make Information Security a top priority for your company. If you do not have a Chief Information Security Officer (CISO), hire one and place the individual outside of IT in a role that is visibly important to the entire company.
  3. Stand firmly behind your Corporate policies and enforce them through the best education, training, and awareness that you can afford for your employees.
  4. Adopt a culture of risk management and form an IT Risk Management group that reports to the Audit Committee of the Board of Directors.
  5. Do not buy technologies to solve your problem; rather, adopt technology that will enable your company to do a better job of ensuring who has access to information and systems, and require business units to validate monthly an individual's need for access.
  6. Finally, use technology in conjunction with improved access management processes, compliance with corporate policies and increased awareness of the risks to your company should information be leaked that could be damaging to you personally or to your company as a whole.
I agree with the government's increased emphasis on improving access management and my reasoning is supported by survey data released earlier this year by the Ponemon Institute.  In their survey, sponsored by CA, they revealed that rank-and-file employees were much more likely than executives to see the necessity of certain enabling technologies to reduce or mitigate security risks within their organizations, and the technology with the widest difference: identity and access management systems.
 
If Identity and access management systems and processes are not in place, it places the corporation in a higher risk category.  And even if they are in place, they must be continuously monitored.  That is why it is so important not to invest in technology alone, but to invest in sound processes based on enforceable and monitored policies.

So by all means take to heart the issue of access management and address it first and foremost, but also ensure that you are taking Information Security and Risk Management seriously as part of your Business Service Management strategy in a high threat environment."

Compliance?

Imagine a company department that works the following way:

  • There is no external salary control - the department decides how much everyone should be paid and gives itself major raises at regular intervals
  • If the department does not like the tax that they have to pay, they change the rules so they don't have to pay any
  • The expense budget is uncontrolled and they can claim for anything they like 
  • If anyone complains they point you at an obscure piece of legislation from the 1600s and say that their department conforms to that
For those of you who don't live in the UK, this is how our Government has been run for many years, and it is now the subject of a major scandal. I've just watched Tiger on the TV admit that he thought he was beyond the controls that other mere mortals have to abide by. So the next time someone comes and asks you whether your systems are compliant, please don't raise your eyebrows and think they are wasting their time - this stuff is vital.

Health and Safety, on the other hand, in this country appears to be controlled by a bunch of morons and has unfortunately become a laughing stock. Petty controls are put in place - e.g. you must not run during a race as you might slip!!! - with the result that everyone thinks the whole thing is a waste of time and money.

So what is needed is a sensible set of rules, enforced via a sensible set of controls. That's why I've always liked the combination of ITIL and CobIT. ITIL giving me best practice ideas of what I should be doing and CobIT to check that I'm doing it right/sensibly. Now where do I find the same thing for Governments and Health and Safety? 
Another area that is gaining more and more attention these days is "Cloud computing", and I guess the largest issue I have is around its scope and definition. Many appear to offer hosted services and this is now renamed as Cloud computing; even outsourcing, managed services and Software as a Service (SaaS) fall under this new branding. Is that all it is, a simple rebranding to allow all remotely hosted services to have a new home?

As with all new paradigm shifts, the best evidence that it'll be widely adopted and accepted comes from looking at the user community. At this week's Westminster eForum one of the speakers, Rik Ferguson, senior security adviser at security firm Trend Micro, told us that the criminal fraternity are the largest group of adopters. Well, I guess if we look back to look forward, we'll see that this was the case for the early adopters of the internet (pornography being the biggest financial winner). Rik also highlighted that "We already see customers of Google, customers of Amazon, who are criminals and who use those services, among others, to run command-and-control services for botnets, to launch spam campaigns and to host phishing websites. They see the power, the scalability, the availability and, for them, the anonymity that is possible through cloud services and they are using it to its fullest extent."

Well, the good news is that both large and small organisations will benefit from the Cloud, enabling smaller companies to automate and to scale up and down depending on market conditions whilst keeping overheads well managed. Large organisations can also reduce overheads and move into new or changing business areas quickly without being held back by in-house technology restraints. However, I think that now, more than ever, process becomes king. Knowing that your business service processes and IT service processes are in place, and that ownership of responsibilities is understood, becomes the key to success when ownership of the infrastructure (including operating systems, software and applications) is left to someone who is not a part of your business. It appears to me that we are entering the realms of treating IT as a utility, just like electricity, gas etc. We need it to be there, we need to know the costs of utilisation, but the providers do not need to know what we run on it. This makes me think about the capacity planning and availability issues. We in the UK certainly know that the electricity providers monitor utilisation and have to prepare for odd events like half time during a football or rugby match, as viewers go and put the kettle on for tea. The utility suppliers need to understand their market, its dynamics and influences, however odd, to ensure all the customers get the resources they need, when they need them, without interruption. Can "the cloud" handle this now or in the future?

Who's working on the cloud right now? Well, Amazon, Google, Sun, IBM etc., but some surprising companies are entering the market utilising spare capacity from their traditional business. Salesforce.com now offers Force.com to other businesses to host applications on, BMC Software being a recent case in point. So keep your head in the cloud and watch how things develop, in particular the process issues of dual ownership and end-to-end automation, but keep your feet on the ground to ensure you protect your business and understand the current and potential risks.

The space between the cloud (hosted infrastructure (including apps)) and the end users would be the area that needs focus. Can that be called "fresh air"?

six sigma and IT compliance

Business Service Management, Six Sigma and your IT Compliance Program new article
by Chrisan Herrod
Institutionalizing a culture of continuous monitoring as an essential part of IT compliance management can be achieved using the best practices of the Six Sigma methodology. IT compliance should be treated as a critical corporate program, and to that end Six Sigma can be used to assist organizations in implementing a robust and effective information technology compliance program and culture.

UPDATE: we now have a BSM Maturity Model (registration required).

One of our unstated goals at BSMReview.com is to create a maturity model for Business Service Management and beyond. Of course, this maturity model may differ slightly by industry, but the idea is to create a model which is good enough to create a "common roadmap" for IT and its business partners (yes, we will include cloud services).

To start the discussion, I've brought together some of the traditional thinking from IT 1.0, and some "edge insights" from people like JSB.

To start, let's look at Gartner's IT Management Process Maturity Model from 2005. Looks familiar, doesn't it? What should Level 5 and Level 6 look like? 

[Image: maturitymodel_gartner.gif - Gartner's IT Management Process Maturity Model (2005)]

For nGenera, a few years ago, Vaughan Merlyn created a different sort of maturity model based on demand and supply:
[Image: maturitymodel_demand.gif - Vaughan Merlyn's demand/supply maturity model]

He asks:

Business demand is also a function of IT supply - low supply maturity will constrain business demand.  For example, an IT infrastructure that is unreliable and hard to use will tend to dampen the business appetite to leverage IT for business innovation and for collaboration with customers and partners.  Typically, if business demand gets too far ahead of IT supply, there will be a change of IT leadership.  On the other hand, if IT supply gets too far ahead of business demand, IT will be seen to be overspending, resulting in a change of IT leadership.  The most common patterns are that at Level 1, business demand leads IT supply; in Level 2, IT supply tends to 'catch up' with and overtake demand, and in Level 3, demand and supply are closely aligned. From the perspective of late 2007, we see the majority of companies at mid-Level 2, some at high Level 2, and a minority at either low Level 3 or high Level 1.  Why are so many at mid-level 2, and seem to be struggling to get to the next level?
Good question. Any ideas?

Then there's Accenture's Service Management Maturity model from their ITILv3 practice - they rightly state that ITILv3's focus is on business results; hence their advocacy for adoption:

[Image: maturitymodel_accenture.gif - Accenture's Service Management Maturity model]

At Deloitte, JSB and Tom Winans have built an interesting map for "autonomic computing" which is focused on the direction of IT's evolution. It's part of a series of papers on cloud computing. It's a technology maturity model, if you will:

[Image: maturitymodel_jsb.gif - JSB and Tom Winans' autonomic computing map]

Finally, I borrowed this SOA Maturity model from Infosys:
[Image: maturitymodel_infosys.gif - Infosys SOA Maturity model]

Taken together, we have enough food for thought and discussion, don't you think? I have this silly notion that a business service management maturity model must begin and end not with IT but the business.  And cloud computing will certainly play a giant role in this transformation from physical datacenter to cloud service grids.  And of course we'll still have to worry about compliance and security.

Once again, I'll defer to the JSB and Winans vision for the future.  After we get to autonomic computing, then comes the service grid:

[Image: maturitymodel_jsb2.gif - JSB and Winans: from autonomic computing to the service grid]

If I understand correctly, here's what they're saying: technology platforms will be business platforms.

With that, let's ask once more: what does a Business Service Management Maturity Model look like to you? 

UPDATE #1:

HP has an ITIL-view which is evolutionary:

[Image: maturitymodel_hp.gif - HP's evolutionary ITIL view]

UPDATE #2:

IBM gives us a look at a maturity model developed by Macehiter Ward-Dutton:

[Image: maturitymodel_ibm.gif - Macehiter Ward-Dutton maturity model, via IBM]

Stay tuned.

Business Service Management (BSM) is a process, a mindset, not a product (as Peter Armstrong would say) so it is not a technology in the first place.  It is strategic, however, so let's take a quick look at each of Gartner's choices and ask:

"What has this got to do with BSM?"

Gartner's Top 10 Strategic Technologies for 2010

Cloud Computing. Cloud computing is a style of computing that characterizes a model in which providers deliver a variety of IT-enabled capabilities to consumers. Cloud-based services can be exploited in a variety of ways to develop an application or a solution. Using cloud resources does not eliminate the costs of IT solutions, but does re-arrange some and reduce others. In addition, consuming cloud services enterprises will increasingly act as cloud providers and deliver application, information or business process services to customers and business partners.
My two cents: Managing cloud services demands that companies must have a BSM strategy which can monitor and manage the physical datacenter, virtualization, and the cloud - whether it be public, private, or hybrid. We need ITIL in the Cloud and robust Cloud Service SLAs.

Advanced Analytics. Optimization and simulation is using analytical tools and models to maximize business process and decision effectiveness by examining alternative outcomes and scenarios, before, during and after process implementation and execution. This can be viewed as a third step in supporting operational business decisions. Fixed rules and prepared policies gave way to more informed decisions powered by the right information delivered at the right time, whether through customer relationship management (CRM) or enterprise resource planning (ERP) or other applications. The new step is to provide simulation, prediction, optimization and other analytics, not simply information, to empower even more decision flexibility at the time and place of every business process action. The new step looks into the future, predicting what can or will happen.

My two cents: OK, so now we know how to compete on analytics. But the decision-making process is much more complex than most people expected. Analytics are fine, but what we need is refined insight and critical understanding. The Big Shift Index tells us about what we haven't thought about measuring yet! Where's BSM in all of this? Well, if your CRM and your ERP systems are mission-critical, then BSM ensures they deliver on their promise when you need it.

Client Computing. Virtualization is bringing new ways of packaging client computing applications and capabilities. As a result, the choice of a particular PC hardware platform, and eventually the OS platform, becomes less critical. Enterprises should proactively build a five to eight year strategic client computing roadmap outlining an approach to device standards, ownership and support; operating system and application selection, deployment and update; and management and security plans to manage diversity.

My two cents: Anytime, anywhere, on any device. BSM must be an integral part of managing virtualization to avoid virtual sprawl, if nothing else. Of course there's the end-user experience that needs monitoring as well.

IT for Green. IT can enable many green initiatives. The use of IT, particularly among the white collar staff, can greatly enhance an enterprise's green credentials. Common green initiatives include the use of e-documents, reducing travel and teleworking. IT can also provide the analytic tools that others in the enterprise may use to reduce energy consumption in the transportation of goods or other carbon management activities.

My two cents: Virtualization and Cloud computing will help IT become greener faster, by reducing the datacenter footprint.  And virtual collaboration can reduce carbon emissions. Isn't optimizing asset usage a BSM function?

Reshaping the Data Center. In the past, design principles for data centers were simple: Figure out what you have, estimate growth for 15 to 20 years, then build to suit. Newly-built data centers often opened with huge areas of white floor space, fully powered and backed by an uninterruptible power supply (UPS), water- and air-cooled and mostly empty. However, costs are actually lower if enterprises adopt a pod-based approach to data center construction and expansion. If 9,000 square feet is expected to be needed during the life of a data center, then design the site to support it, but only build what's needed for five to seven years. Cutting operating expenses, which are a nontrivial part of the overall IT spend for most clients, frees up money to apply to other projects or investments either in IT or in the business itself.

My two cents: See previous two cents <<

Social Computing. Workers do not want two distinct environments to support their work - one for their own work products (whether personal or group) and another for accessing "external" information. Enterprises must focus both on use of social software and social media in the enterprise and participation and integration with externally facing enterprise-sponsored and public communities. Do not ignore the role of the social profile to bring communities together.

My two cents: Have you noticed that Twitter is having availability issues lately?  I wonder if they use ITIL or BSM?  Same story on Facebook. Maybe they use ITIL-Lite.  There are unfortunately, some documented productivity issues with social computing, but we have an effective solution for improving knowledge-worker productivity.

Security - Activity Monitoring. Traditionally, security has focused on putting up a perimeter fence to keep others out, but it has evolved to monitoring activities and identifying patterns that would have been missed before. Information security professionals face the challenge of detecting malicious activity in a constant stream of discrete events that are usually associated with an authorized user and are generated from multiple network, system and application sources. At the same time, security departments are facing increasing demands for ever-greater log analysis and reporting to support audit requirements. A variety of complementary (and sometimes overlapping) monitoring and analysis tools help enterprises better detect and investigate suspicious activity - often with real-time alerting or transaction intervention. By understanding the strengths and weaknesses of these tools, enterprises can better understand how to use them to defend the enterprise and meet audit requirements.

My two cents: See this survey on security management best practices.

Flash Memory. Flash memory is not new, but it is moving up to a new tier in the storage echelon. Flash memory is a semiconductor memory device, familiar from its use in USB memory sticks and digital camera cards. It is much faster than rotating disk, but considerably more expensive; however, this differential is shrinking. At the rate of price declines, the technology will enjoy more than a 100 percent compound annual growth rate during the next few years and become strategic in many IT areas including consumer devices, entertainment equipment and other embedded IT systems. In addition, it offers a new layer of the storage hierarchy in servers and client computers that has key advantages including space, heat, performance and ruggedness.

My two cents: Wrong? We're going to see cloud storage take over this area, and it may or may not use flash memory.

Virtualization for Availability. Virtualization has been on the list of top strategic technologies in previous years. It is on the list this year because Gartner emphasizes new elements such as live migration for availability that have longer term implications. Live migration is the movement of a running virtual machine (VM), while its operating system and other software continue to execute as if they remained on the original physical server. This takes place by replicating the state of physical memory between the source and destination VMs; then, at some instant in time, one instruction finishes execution on the source machine and the next instruction begins on the destination machine.

However, if replication of memory continues indefinitely, but execution of instructions remains on the source VM, and then the source VM fails, the next instruction would now take place on the destination machine. If the destination VM were to fail, just pick a new destination to start the indefinite migration, thus making very high availability possible.

The key value proposition is to displace a variety of separate mechanisms with a single "dial" that can be set to any level of availability from baseline to fault tolerance, all using a common mechanism and permitting the settings to be changed rapidly as needed. Expensive high-reliability hardware, with fail-over cluster software and perhaps even fault-tolerant hardware could be dispensed with, but still meet availability needs. This is key to cutting costs, lowering complexity, as well as increasing agility as needs shift.

My two cents: Now this is a BSM play if there ever was one!

Mobile Applications. By year-end 2010, 1.2 billion people will carry handsets capable of rich, mobile commerce providing a rich environment for the convergence of mobility and the Web. There are already many thousands of applications for platforms such as the Apple iPhone, in spite of the limited market and need for unique coding. It may take a newer version that is designed to flexibly operate on both full PC and miniature systems, but if the operating system interface and processor architecture were identical, that enabling factor would create a huge turn upwards in mobile application availability.

My two cents: Anytime, anywhere, on any device.  Didn't I write about that a few seconds ago? And don't we need our CMDB to track all these diverse devices and apps?

As you can see, I've attached Business Service Management (BSM) as an enabling IT strategy for just about all ten of Gartner's Strategic Technologies for 2010. And of course if it's a service provided by IT or even an external service provider, we're still going to need a Service Catalog for 2010. More on that in a later post.

Israel, where do agile practices fit into this? Just about everywhere as well?

security survey

Chrisan's friends over at the Enterprise Strategy Group shared this security best practices report with us. Let us know what you think.

What Matters is the End Goal

It's strange how history repeats itself, fashions go in cycles, and every generation comes to them for the first time thinking these things are new, innovative and revolutionary. I guess it's because we're still human and we still need to learn the same lessons over and over again. We want to listen to advice, but can't; we want to learn from the past, but don't; we all want something that's called "common" but is far from it - sense!

Many years ago now, the company I worked for at the time brought a new concept to the marketplace. The analysts jumped onto it and made it their own, the market hype was all over it, and it was the direction all business had to get to. Eight or more years on we're still moving in that direction; the buzz died down, the capabilities slowed and the term used changed from IRM to BSM. However, BSM was actually only a subset of what IRM aimed to achieve. With the complexities we find ourselves in today, with Virtualisation and Cloud computing, the issues are still the same, only in some cases magnified, and the responsibility of ownership is moving. More and more the Business is relinquishing, and will continue to relinquish, ownership of the delivery of services to the employee (who make up the business) and allowing suppliers to take over. It's something that has happened for centuries now. We moved from self-sufficiency to being reliant on others. Once, we all had wells in the garden to provide water for the household; now it's all provided through piped services. Once, we had to make our own small generators for the electrification of the home, farm or estate; now it's all provided through piped services. The list goes on, and so it is and will continue to be within the IT environment. Hence the need for Service Management to ensure we all have the disciplines, controls, standards and processes in place, controlled and managed, to ensure delivery as required by the customers, whomever they may be. Why did we move this way? Well, for various reasons: economies of scale, cost savings, and to allow us to focus on our core competency without being dragged down by the day-to-day necessities of life.

A slide on my website shows what is required to support the employee, who is at the centre of the business, and how these are more and more being delivered via services as depicted around the circumference of the sphere.  This slide goes back 8 years or more, so not new, but it appears it was rather a vision of the future, and more and more I can see it being fulfilled. Whether we use the same term or not is irrelevant, what matters is the end goal. Something that Geoffrey Moore of Crossing the Chasm fame predicted at roughly the same time.

Check out the slide and let me know if you see it being slowly fulfilled:

[Image: turbitt_internalexternalsp.jpg - the employee at the centre, with internal and external service providers around the circumference]

Explains Richard:

Initially, compliance was an externally imposed distraction, representing just one more burden on an over-stretched enterprise and IT staff. But now, compliance activities not only provide data about current practices but also highlight areas where increasing the level of control could yield greater efficiencies in operation.


Read The Path to Compliance as a Business Strategy »
In the current economic environment, and bearing in mind what catapulted us into it, there are three terms that are coming up more and more. These terms have always been considered within IT and business operations; however, the spotlight is now turned on them and directly highlighting these rising stars. So I thought today I'd dip a little into all three areas.

Let's start with Governance. The dictionary defines it as "The act, process, or power of governing; The state of being governed." The word Govern means to "rule with authority; conduct policy and affairs of state".  But I like the Wikipedia version, which actually highlights some component parts, often forgotten:

"Governance relates to decisions that define expectations, grant power, or verify performance. It consists either of a separate process or of a specific part of management or leadership processes. Sometimes people set up a government to administer these processes and systems.

In the case of a business or of a non-profit organisation, governance relates to consistent management, cohesive policies, processes and decision-rights for a given area of responsibility. For example, managing at a corporate level might involve evolving policies on privacy, on internal investment, and on the use of data.

In terms of distinguishing the term governance from government (both of them nouns) - "governance" is what a "government" does. It might be a geo-political government (nation-state), a corporate government (business entity), a socio-political government (tribe, family, etc.), or any number of different kinds of government. But governance is the kinetic exercise of management power and policy, while government is the instrument (usually, collective) that does it."
What I find interesting here is that many will be happy to define the process, the policies and responsibilities that go to make up the Governance standard, but few tend to clearly define the expectations, grant authority or power in a clearly defined manner and even fewer verify the performance of the governance being complied with. In fact as you see from the latter part of Wikipedia's definition, Governance is what a "government" (business entity in our case) does, however unlike a state the business does not invest in "policing" of policy to ensure adherence and enforcement. Hence the problems with the Banks having policies in place, but no policing to ensure brokers, traders etc adhered to them, or interpreted them correctly. As always Policy needs to be Specific, Measurable, Achievable, Realistic, and Timely (SMART).
 
Risk. This one is even more interesting, as the scale or level is different for different people, businesses and Governments. It is often determined by place, time and people. Crossing a road in the Australian outback without looking is of lesser risk than crossing a road in downtown New York or London. Again going back to the dictionary we find "possibility or chance of danger or loss or harm." Risk is something we expose ourselves to, wittingly or unwittingly, based on experience, knowledge and analysed fact. So good old Wikipedia (it can be useful, you know!) explains it well, I think:

"Risk is a concept that denotes the precise probability of specific eventualities. Technically, the notion of risk is independent from the notion of value and, as such, eventualities may have both beneficial and adverse consequences. However, in general usage the convention is to focus only on potential negative impact to some characteristic of value that may arise from a future event.

Risk can be defined as "the threat or probability that an action or event will adversely or beneficially affect an organization's ability to achieve its objectives"[1]. In simple terms risk is 'Uncertainty of Outcome', either from pursuing a future positive opportunity, or an existing negative threat in trying to achieve a current objective."
The link back to Governance here is the part which highlights that risk will adversely or beneficially affect an organisation's ability to achieve its objectives. When creating our Governance policies we need to take into account the risks both of adhering to that policy and of breaking it. Adhering to a policy to the letter may itself be a risk, as it may prevent the innovative thinking or action that generates new business areas or focus. This is why we need to understand and analyse the risks and be pragmatic in the measures taken. Going back to the banking example earlier, the brokers/dealers interpreted the policies in a manner that allowed for greater risk-taking and greater rewards (at the time); however, no-one appears to have "policed" the exposure, and therefore the change in risk and the deviation from policy. This highlights that the two areas (Governance and Risk) must be linked to be effective.
 
Now to the "policing" element, which should ensure both of the above are being SMART.
 
The Compliance element. Back to the dictionary and we get "in accordance with", and what I love about dictionaries is that they force you to look up other words which are used in defining others! So "accordance" is to be in accord with, and "accord" means to agree or be consistent. So compliance is to be consistent with, and agree to, something; in this case, the Governance policies laid out. This is the "measurable" element, and it needs people and tools to carry out the reviews (policing) and report back on how consistent or inconsistent things are. Again, it's an element often ignored and seen as an expensive overhead. But we've all seen the expense of not having it in place in the banking world! Jumping into Wikipedia again, it really helps me out, as it refers to the policing element too.

"The act of adhering to, and demonstrating adherence to, a standard or regulation. There is considerable regulation in the UK, some of which is from EU legislation. Various areas are policed by different bodies, such as the FSA (Financial Services Authority), Environment Agency and Scottish Environment Protection Agency, Information Commissioner's Office and others."
It is interesting that it highlights the policing body of the FSA, which should have measured the inconsistencies and risks of non-adherence to the Governance policies laid down by the UK Government, the EEC, the Banking Code of Conduct etc. As mentioned earlier, failing to do all three areas well can have costly consequences, not just for you, but for a much, much wider audience.

So when setting our governing policies within our groups, departments, organisations, sectors, states, countries and geographies, we need to consider all three areas of Governance, Risk and Compliance to be effective and realistic. We in IT have guidance in many areas to help us, the most notable being CobiT, which in turn refers to and complements ITIL; the Service Strategy book in ITIL v3 provides much more guidance than in the past. Most sectors have guidance too, so it's best to look at both to ensure your IT policies are aligned to the business you work within, as IT is often expected to measure and monitor against these policies as the "policing" mechanism.

Bringing all this down from the 35,000ft view, the one area that still needs addressing in many organisations is Asset Management. We often have policies in place as to which standard builds can be purchased (having negotiated with suppliers). We understand the risk of interruption to service when we implement an asset (h/w or s/w) by analysing the Asset DB or the CMDB (CMS), but we often fail at the "policing" compliance element. If we have automated data collection tools in place, great, but we also need regular manual audits to verify the accuracy and quality of the data. This element is often ignored. So no matter where you are within the organisation, these three areas of GRC need to be considered for your own protection and that of the business you work within.

I hope this has been educational and helpful; I know it helped my own clarity of thought.

[Cross-posted at the ITP report]

EOL Technology


Bill Keyworth outlines a process to help turn the end-of-life problem into an opportunity to better serve the needs of your business constituents and IT staff, thereby moving to a desirable state of Business Service Management (BSM).

Read: Mitigating Risk for End-of-Life Technology >>
BMC Software announced yesterday the acquisition of Tideway Systems Limited, a UK-based, privately-held IT discovery solution provider. As outlined in the press release, there is always goodness in IT delivering greater value to their business community through improved understanding of what IT assets are owned, what constitutes their relationships and inter-dependencies, where they are located and who owns them. Tideway's contribution to that value is unquestioned. (See Israel Gat's story on the acquisition announcement.)
 
BMC indicated that "the new offering supports the complete set of discovery requirements for BSM and features deep integration with BMC's Atrium Configuration Management Database (CMDB)." The yet-to-be-fulfilled promise deals with the deeper integration of Tideway's IT discovery and BMC's Atrium Configuration Management Database (CMDB). I'm assuming deeper integration as a result of the acquisition, else why the need to buy out their premier IT discovery partner ...except to remove that premier offering from the grasp of BMC's competitors?

Unknown is the impact to Tideway's existing partners such as Oracle and ASG Software Solutions.  What about the other 60+ Tideway partners and those customers who are dependent upon Tideway technologies?

We're also wary of any tool that promises to support the "complete set of discovery requirements for BSM" ...when true Business Service Management (BSM) requires discovery and mapping of most business oriented assets.  For example, does this mean that BMC is promising to support all types of business assets, including communication assets, manufacturing assets, inventory assets and transportation assets ...all of which include embedded IT components leveraged by commercial applications?  That would truly be impressive.

Finally, as IT management becomes more of a gating factor for the successful implementation of cloud computing, the BMC recognition that "visibility into the data center" and the need to "model, manage and maintain applications and services" are critical for cloud environments is welcome. We believe the Tideway acquisition puts BMC in a stronger position to build a cloud-based CMDB, which could become a core competence within BMC's solution suite, should they decide to pursue this value proposition.

Welcome to BSMreview.com


Agile BSM

Discussion around Business Service Management (BSM) has been ongoing for years ...and years ...and years. Yet it remains a fairly immature dialogue as vendors scope BSM to capitalize on their respective product offerings; as IT organizations struggle to articulate the desired end state; and as industry analysts deliver unique perspectives for purposes of differentiation.

Fortunately, the purpose of BSM is so fundamental, so basic, and so obvious ...that vendors, IT organizations, business managers, analysts and editors intuitively "get it" ...dwindling the confusion that so frequently accompanies newer technology concepts. This website is dedicated to the BSM dialogue by whoever wishes to participate. There is no fee to join ...no content that requires a subscription ...and no censorship of reasonable ideas and questions.

IT has been, is and will continue to be hammered for being disconnected from the business needs of the customer that IT serves. Sometimes the IT organization is adequately connected to the business entity, with the value simply unrecognized. More often, IT is guilty of diversionary focus on technology silos that business doesn't care about. BSM is the discipline that aligns the deliverables of IT to the enterprise's business goals.

That discipline comes in the forms of activities, technologies, tools, metrics, processes, best practices and people. BSM creates a laser focus on those deliverables generated by IT into something that is meaningful to the business community. If the IT deliverable is of no importance to the business function, then IT should eliminate or repackage it into a service that carries appropriate business value. BSM success is entirely dependent upon the willingness and skill of both IT and business to have an effective two way conversation ...one party without the other is doomed to failure.

Read my complete introduction: The Why & What of Business Service Management

About this Archive

This page is an archive of recent entries in the Compliance/Risk Management (GRC) category.
