
Is the CMDB Promise Achievable?

Let’s face it. The configuration management database is really the Holy Grail of IT Service Management. Business services are defined that support one or more business processes. These business services connect to various software and hardware elements (or infrastructure services) that represent the connectivity, processing and storage capabilities used to support the business service. Ideally, through an extension of the CMDB referred to as the Configuration Management System (CMS), you might also connect supplier contracts (underpinning contracts), OLAs and SLAs. Additionally, you would include links to incidents, problems and changes. The end goal is optimal visibility: seeing which services you are supporting along with all of the past, present and future activity regarding those services. It is the IT data warehouse that transforms data from multiple IT management operational data stores so that key IT management decisions can be made.

The vision for a CMDB/CMS strategy is spot on as a critical underpinning for holistic service management. The execution piece is very tricky. And, in the case of the CMDB, this is a consummate example of the importance of ITIL’s guidance on breaking a vision down into manageable, achievable interim goals.

For organizations that have substantial infrastructure and no current tracking mechanism, be realistic about the results you hope to achieve. Auto-discovery tools can be helpful, but they are also very complex and require access to all points in the network to give you comprehensive results. A structured, slow but reliable approach to getting your arms around the relationship models is to target a handful of services to begin with and do one service at a time. Once each service is validated in the CMDB, the key is to ensure that you are managing it under your change management process.

Identifying business-critical services and prioritizing them within this strategy as the first phase of the process will allow you to gain better control and visibility of the areas that are most important to your enterprise. Once you’ve got these critical services captured, you can tackle the others. In a large organization, this discover-and-control method will be a multi-year process, but the approach makes the CMDB promise achievable.


Connecticut Attorney General Sues Health Net Over Security Breach

I mentioned in my blog in late November that the cost to Health Net of the loss of an unencrypted hard drive containing 450,000 patient records (revised down from 1.5 million) would be much greater than the cost of securely controlling and protecting their information assets. Health Net will now begin the process of emptying its wallet in an effort to build a defense against the lawsuit levied against it by Attorney General Richard Blumenthal.

The breach occurred in May of 2009 and was not reported until November. As discussed, Connecticut’s breach notification laws are fairly strict, and I would assume that holding off reporting such an incident for more than five months is over the top, which could cause Blumenthal to make Health Net an example for all to see. To add fuel to the fire, the American Recovery and Reinvestment Act of 2009 (also known as the HITECH Act) also imposes notification mandates that were apparently neglected. See my November blog post under Security entitled “Health Net Breach — A Failure of People, Process & Technology” for more details.

jay.martin@cppit.com

CISM, ISMAS

www.cppit.com


H.R. 2221: Data Accountability and Trust Act

The national Data Accountability and Trust Act, H.R. 2221, passed the House of Representatives earlier this month (Dec. 8th, 2009). The bill — as with 201 CMR 17.00, the Massachusetts Standards for the Protection of Personal Information — seeks to protect consumer personal information and requires notification to individuals in the event of a breach, albeit at the national level. The bill is set to go before the Senate next and then to the President.

H.R. 2221 would require “for profit” organizations to develop the necessary security policies and safeguards to protect U.S. residents’ personal information within one year of passage.

More to come later…

jay.martin@cppit.com

CISM, ISMAS

www.cppit.com


Health Net Breach — A Failure of People, Process & Technology

The recent Health Net data breach of 1.5 million patient records, due to a lost hard drive, involved unencrypted personal information such as names and addresses, medical records, Social Security numbers and other financial information. A breach of this magnitude is shocking, and what is more astounding is that the breach apparently occurred in May 2009 and was not reported to the Connecticut Attorney General’s office until this month (November 2009). The breach may constitute gross negligence under HIPAA, the FTC “Red Flag” regulations, Connecticut’s Public Act 08-167, CGS 36a-701(b) and other state regulations and breach laws.

I am sure that Health Net, like most companies, felt it had developed the necessary controls to meet such regulations. But a breakdown of this magnitude proves a failure of the company to institute “strong enough” information security policies, employee awareness programs and technology across the company to protect against this major corporate risk. That is why we have been advising our clients to develop a risk-based information protection plan that weighs their potential loss against the cost of securely controlling and protecting their information assets. The monetary penalties and consequences to Health Net for this breach will far outweigh the “should-have” preventative cost of deploying the right controls for this threat. If the lost hard drive had been encrypted, I wouldn’t even be writing this blog.

In his statement, Attorney General Richard Blumenthal said: “I will vigorously and aggressively seek damages, penalties and other appropriate remedies, if warranted.”

This is not optional: *Information security programs that include people, process, technology and partners must be vigorously managed and improved upon over time.* Comments are welcome.

jay.martin@cppit.com

www.cppit.com


SSL and TLS no longer safe?

A huge chink appeared in the armor of end-to-end encryption last week when US-CERT reported that man-in-the-middle exploit code against SSL and TLS is publicly available. The exploit allows an attacker to insert themselves into an SSL or TLS conversation during a client- or server-initiated renegotiation of the security context. The vulnerability affects pretty much every site we connect to securely, including online banking sites, PayPal, etc. It also affects all operating systems and browsers.

Updates are not yet available to remediate the exploit, but there appears to be an Internet draft standard dated November 14, 2009 to fix TLS. The draft RFC is here if you wish to review it. This means that the committee that wrote the new Internet draft was aware of the vulnerability and was secretly meeting to provide a fix prior to CERT releasing the news.

As you may know, SSL itself will not be updated, as most of us are really using TLS in our browsers when we connect to secure web sites. We may still call it SSL, but SSL is a fallback protocol to TLS.

I suspect a patch is on its way within the next few weeks, so make it a priority to update your systems through your normal patch update mechanism.


Demystifying The Confusing Service Catalog

What is a “Service Catalog”? Ask this question of 10 people and you may get 20 answers. The answers vary from a documented, resume-like list of IT capabilities to a list of requestable items that IT can provide to an end user. As IT vendors and consulting organizations, we’ve done nothing but contribute to the overall confusion around the service catalog. The only thing we’ve been able to convey with any consistency is that if you are an IT service provider (whether internal to an organization or an external third party), it’s important to have one. That’s where the common theme around the service catalog ends, I’m afraid.

So let’s break it down from an ITIL perspective:

Question 1:  What is a Service?

A service is something that provides “value” to customers by facilitating the outcomes customers want, without the customer owning the specific costs or risks. An example of such an outcome is an email service that is up and running 24 x 7 with the ability to send and receive messages, filter spam and guarantee delivery (or pick another customer-facing service where you can clearly articulate a desired business outcome). The customer does not own the costs and risks because the customer is not a technology expert but a subject matter expert for their business area. This does not mean that they don’t pay for the service; it means that, as the technology expert, the IT service provider has a better opportunity to understand and control the costs and risks than the customer can hope to, so the customer has put ownership of these in your more capable hands.

Question 2:  What is a business service and what is an infrastructure service?

A business service is an IT service that DIRECTLY supports a business process. Benefits Administration, for example, is a business service that allows a business unit to track and manage corporate benefits, benefit entitlements and the subscription choices of employees. In a water delivery system, think of the faucet as the business service. When I turn the cold water faucet on I get cold water. When I turn the hot water faucet on I get hot water.

An infrastructure service is an IT service NOT DIRECTLY used by the business, but required by the IT service provider so that it can provide business services. For example, in order for the Benefits Administration business service to perform its required functions, it needs to be supported by server administration services, storage services, directory services or communications services. Think of the infrastructure services as the plumbing and the water heater in your home, and the wells or reservoirs, pumping stations and municipal piping that deliver water to your home.

Question 3:  What is a Service Catalog?

A Service Catalog is a database or structured document with information about all live services and services planned for delivery. It is used to support the sales and delivery of IT services. The Service Catalog includes information about the deliverables of IT services, contact points, prices, and ordering and request processes. Only the business services are visible to business customers; both business and infrastructure services are visible to the IT organization.

Question 4: What is a Service Request?

A Service Request is the action of subscribing to a service or turning on, turning off or altering some underlying aspect or capability of a service. For example, if Email is my business service I may be able to make the following requests:

  • Add or remove mailbox
  • Add or remove a mail user
  • Grant or restrict rights to access a mailbox to a user
  • Extend the amount of space in a mailbox

Question 5:  What is an Actionable Service Catalog?

It is an electronic version of the Service Catalog described in Question 3, constructed in such a way that you can search services, service levels and service contacts and make requests related to services. It provides both a communication vehicle (linking real-time service level metrics or alerts to service changes, for example) and an automated service request mechanism that allows for self-service.


On ITIL & Six Sigma

Six Sigma or ITIL for IT organizations? We’re often asked this question as if there were a clear choice between the two or as if they were mutually exclusive. In fact, both ITIL and Six Sigma have the same goals – to drive process efficiency and effectiveness – and they contribute in a complementary fashion to achieving these goals. For those IT organizations that have well-defined processes in place, Six Sigma tactics can be used to measure, analyze and improve the performance and effectiveness of the process.

But the key is that you have to have something to measure. For those organizations that have informal or loosely defined processes, this is where ITIL comes in. ITIL provides a process framework accompanied by well-defined inputs, outputs, activities and metrics. ITIL lays a process foundation that Six Sigma methods can continuously improve upon. For those organizations that have well-defined but poorly performing processes, ITIL, as a recognized leading good practice, can be a place to start in the reengineering effort.

Can you implement ITIL and Six Sigma in tandem? There should be a well-architected approach to implementing Service Management using ITIL and applying Six Sigma as a continuous improvement methodology. The process definition needs to come first, but it should be defined taking into account current pain points and inefficiencies and supplying concrete measuring points to a Six Sigma program that can continue to assure that the process maintains or gains efficiency and effectiveness.

Both ITIL and Six Sigma are excellent mechanisms to build an effective, productive, service-oriented IT organization.  The trick is to understand the role that each plays and assure that your implementation approach is designed to produce the maximum benefit.


What I Learned From Getting Hacked

In CPP’s June Podcast, we discussed a security breach that occurred a few years ago and the steps my team took to detect, respond and remediate the incident.  Here are the five things I learned from that breach.

1). Planning your response to a disaster or security incident is just as important as the safeguards you put in place
You cannot protect against everything. The following often delay or prevent putting the necessary mitigation plans and preventative controls in place:
   - Residual risk that remains based upon your organization’s tolerance or risk appetite
   - The cost of mitigating risks and putting the necessary controls in place to thwart threats and vulnerabilities
   - Business strategies and priorities that conflict with your security program
   - Zero-day threats and vulnerabilities
If you agree with at least one of the bullets above, then it is of the utmost importance to have Incident Response Plans and Response Teams in place that you can trust.

2). Select a team or teams you can trust
Tough times don’t last, tough people do. Choosing people for your Emergency Response and Incident Response teams should be done on a selective basis. Having the right people on call at the right time may save your organization from further loss. Creative people who can think clearly in stressful situations can make all the difference between ending up in the headlines and heading the bad guys off at the pass.

3). Store your Incident Plans in plain sight (and at multiple sites)
When an incident or disaster occurs you don’t want to leave your response to chance — even if you have selected a great team. Know exactly where your Continuity, DR and Incident Response Plans are located. This is achieved through constant awareness and possibly automation. Both electronic and paper copies should exist in multiple locations.

4). Monitor, Monitor, Monitor
Our security breach was discovered through a higher-than-normal CPU event that triggered an automated alert to our Service Desk. Good processes and disciplines (automated and otherwise) must take over from there. Monitoring for anomalies on your servers, network devices, databases and applications is an important first step, in addition to the traditional security monitoring (IDS/IPS, anti-virus, logging, etc.).

5). Embed good processes and practices such as ITIL into your organization’s daily life
I brought ITIL into my previous employer’s organization in 1999. Good Event, Incident and Problem Management disciplines were vital in the detection, notification, “root cause” analysis and escalation of the attack. Change/Configuration and Release Management disciplines were significant in quickly correcting the incident and the underlying problem, and in putting the necessary corrective, compensatory and deterrent controls in place.
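The CPU alert described in point 4 is worth reconstructing, because how it is tuned decides whether the Service Desk gets one useful page or fifty useless ones. The following is an added example, not the team's actual monitoring: with constructed sample readings and assumed thresholds, it flags a sustained departure from a rolling baseline while ignoring a single short spike such as a backup job.

```python
from statistics import mean, pstdev


# Assumed tuning: 12 baseline readings, 3 sigma above the baseline mean (but at
# least `floor` percentage points), and the condition must hold `sustain` readings in a row.
def cpu_alerts(samples, baseline=12, k=3.0, floor=10.0, sustain=3):
    """samples: iterable of (minute, cpu_pct). Returns the minutes at which a
    sustained high-CPU condition is first confirmed (one entry per episode)."""
    history, alerts, run = [], [], 0
    for minute, cpu in samples:
        if len(history) >= baseline:
            threshold = mean(history) + max(k * pstdev(history), floor)
            run = run + 1 if cpu > threshold else 0
            if run == sustain:
                alerts.append(minute)
        if run == 0:
            # Only normal readings feed the baseline, so an incident in progress
            # cannot quietly raise the bar for itself.
            history.append(cpu)
            history = history[-baseline:]
    return alerts


# Constructed readings (minute, % CPU): quiet load, one brief spike at minute 14,
# then the kind of sustained climb the post's alert caught (minutes 20 to 25).
SAMPLE = list(enumerate([22, 25, 21, 28, 24, 26, 23, 27, 25, 22, 26, 24,
                         23, 25, 90, 27, 22, 26, 24, 25,
                         96, 97, 95, 98, 94, 97, 26, 24]))

if __name__ == "__main__":
    for minute in cpu_alerts(SAMPLE):
        print(f"minute {minute}: sustained CPU anomaly, raise Service Desk alert")
```

With `sustain=1` the same data also pages on the lone spike at minute 14, which is the trade-off between catching an attack early and training the on-call staff to ignore the alert.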

Comments are welcome.
Jay Martin
jay.martin@cppit.com


201 CMR 17.00 – The 5 Things You Need to Do Right Now

As many of you are aware, the new Massachusetts Standards for the Protection of Personal Information (201 CMR 17.00) will hit the books on January 1, 2010. The law establishes protection standards to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts, in both electronic and paper format. So even if you do not run your business in the Commonwealth, you are still affected if you keep personal information about a resident of Massachusetts.

Personal information (PI) is defined here.

Here are the 5 things you need to do today to begin the process for compliance:

1. Read the Regulation (http://snipurl.com/ipfwi) and the 201 CMR 17 checklist (http://snipurl.com/201_cmr_checklist).
2. Roles and Responsibilities – Assign ownership for the overall security program within your organization. Next, elect a Security Council comprised of senior staff or managers who are stakeholders in protecting personal (and other sensitive corporate) information. The Security Council facilitates consensus on the risks, impacts and priorities for compliance and will help with achieving (or changing) the security culture of your organization.
3. Find the Personal Information (PI) – Locate PI through interviews with business managers, data owners and subject matter experts. Additionally, the use of technology such as IdentityFinder can speed up PI discovery. Once discovered:

  • Determine whether this data is still required and needed in the discovered location
  • Determine whether you need all of the PI or can do without some of it (do you still need an old customer’s credit card number?)
  • Determine who requires mandatory access to the information and plan for the modification of your access lists to comply
  • Ensure other safeguards are in place to protect this information (physical access, firewalls, strong authentication/passwords, encryption). If not, budget and plan accordingly

4. Review your current Written Information Security Policies, if they exist, and plan for their update to include compliance. If they do not exist, develop a project plan to begin the development process. The larger the organization, the longer development and approval will take.
5. Determine whether your third parties, partners, consultants, etc. have access to PI and begin the process of discovering their protection mechanisms.
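Step 3 is the part most often done by hand. As an added example (not IdentityFinder or any CPP tooling), the following Python scanner looks for two of the identifiers 201 CMR 17.00 names, Social Security numbers and credit card numbers, in text files, validates card candidates with the Luhn checksum to cut false positives, and masks what it reports so the scan output does not itself become another copy of the PI. The sample export and the file suffixes scanned are constructed assumptions.

```python
import re
from pathlib import Path

# Identifiers that become personal information under 201 CMR 17.00 when paired with a name.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13 to 19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates plausible card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                               # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the report is safe to circulate."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str):
    """Return (line_no, kind, masked_value) for each probable SSN or card number."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            findings.append((no, "ssn", mask(m.group())))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append((no, "card", mask(digits)))
    return findings


def scan_tree(root: str, suffixes=(".txt", ".csv", ".log")):
    """Walk a directory and report findings per file; unreadable files are skipped."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                hits = scan_text(path.read_text(errors="replace"))
            except OSError:
                continue
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample: the kind of forgotten customer export step 3 asks you to hunt for.
# Line 4 is a 13-digit order id that fails Luhn; line 5 uses the invalid SSN area 000.
SAMPLE = """\
customer,ssn,card,last_order
J. Smith,123-45-6789,4111 1111 1111 1111,2006-03-14
A. Jones,234-56-7890,5500 0000 0000 0004,2008-11-02
order id 1234567890123 shipped on 2009-01-05
support ticket 000-12-3456 opened by J. Smith
"""

if __name__ == "__main__":
    for line_no, kind, masked in scan_text(SAMPLE):
        print(f"line {line_no}: {kind} {masked}")
```

A hit still has to be judged against the regulation's definition (the identifier combined with a name), which is why the report keeps the line number rather than the value.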

Compliance doesn’t happen overnight. The sooner your company develops a strategy for 201 CMR 17.00 compliance, the better your organization’s chances of meeting the January 1, 2010 mandate. These safeguards not only make good business sense, they will soon be the law.


Recent Study Says Economic Counter-Trend in Demand for IT Process and Architecture Skills

Finally….

It usually takes a compelling event to get people to act on initiatives that otherwise make perfect sense; when there is no proverbial “kick in the pants”, these good ideas sit on the sidelines until people are forced to look at them and realize their value. I am talking about getting our act together around implementing good, consistent, repeatable IT process and implementing enterprise architecture. The “kick in the pants” this time is the economy. Lean budgets, hiring freezes and staff downsizing have caused IT organizations to look to process improvement as a way of becoming more efficient. I wrote about this at the beginning of the year on ITSMWATCH.COM as the year of doing more with less (http://www.itsmwatch.com/itil/article.php/3796936), with ITIL and ITSM as a way of facilitating more efficiency within IT.

A 2009 study conducted by a research organization that follows trends in IT industry skill demand and pay scales indicates that, in general, pay for IT professionals has declined for the first time since 2004, but salaries have increased for individuals with skills and certification in IT architecture and methodology/process. This is the first time there has been such a counter-trend in specific areas within IT while the rest of the skill set is experiencing a correction. This is very telling! The study specifically cites skills and certification in ITIL as being in high demand to increase the efficiency of IT through process improvement. It indicates that IT departments look at this as a good investment (in a time when investing in anything is truly scrutinized), as a skill that can affect short-term results but also has long-term application.

Having been practicing, consulting and training in this area for many years, I am truly happy to hear that there is finally a recognition of the value of IT process improvement. The fact that it’s helping to drive a sharp increase in the salaries of those who have these skills is just icing on the cake. Having said this, please jump into the IT process improvement pool wisely. Don’t let the splash of haphazard “diving” through thoughtless adoption of ITIL put a damper on those of us who would like to see these practices truly change how we manage services in the long run.

Posted by: Valerie Arraj (valerie@cppit.com)
