November 29, 2006 – Data Protection Down Pat

More ITIL notes

Configuration management fits between change management and release management. It ensures that assets of the IT group are recorded, change is done with minimal risk, and data integration is maintained.

To account for all IT assets and configuration within the organization and its services. To provide accurate information on configuraiton sand their documentation to support all other service management processes. To provide a sound basis for incident management, problem management, change management, and release management. To verify configurationr ecords against the infrastructure and correct any exceptions.

Service level management and SLAs are the customer facing part of the IT department. The configuration management organizes this data and allows us to organize and present this data. This correlates to asset management and relationship management with the user community. Some companies keep asset management in spreadsheets that are used for taxes and depreciation tracking but not for asset tracking. It typically is an afterthought or something that is done once a year. This is a bad practice that is typically driven by the accounting department. It should be driven by the IT department on a daily basis, not yearly.

The configuration information should be stored in the configuration management database. It should include hardware, software, peopleware, and documentation. It should also include services and the relationships between configuration items as well as incident, problems, and known errors. It should also include a history of all changes and releases. Historically this has been kept in a journal or notebook and done in different formats based on the note keeping ability of the administrators. This format and repository needs to be standardized and centralized. Deployment of an asset management package typically does not include hooks into the help desk, request for change requests, and release announcements. It does, however, typically resolve accounting issues that upper level management has and gets funded easier than a configuration management system.

The configuration management system should have linkages into the definitive software library (typically CVS or Subversion) and the definitive hardware store (typically the enterprise management interface in the IT organization).

The first of configuration management process is planning. This should include strategy, policy, scope and objectives. It should also include processes, procedures, guidelines, and responsibilities. It also includes relationships with other ITIL processes and relationships with other parties as well as tool and resource requirements. The objectives should be simple, measurable, achievable, realistic, and timely. Many of these categories should be boilerplate items because processes, procedures, and guidelines should not change very much between projects.

The second part of configuration management is identification. It is important to define what level of detail is needed to identity an item. The level of detail is what differentiates companies from each other. Higher levels of detail requires more time and typically more cost. Less detail typically leads to differentiation of services and non-uniformity between systems. In defining relationships it typically helps to define the composition, connection, and the usage relationships. For example a workstation typically is composed of a keyboard, processor unit and monitor. It is typically connected to a network hub, network server, file server, and print server. It is typically used by a user but could be time shared at night for batch processing of jobs.

The third part of configuration management is control. The subcomponents of this is register, update, archive, and protection. When we receive new equipment, we need to register this equipment. If this equipment is changed it should be updated. For example, if we get a computer and install new memory in the system we need to register the computer and update the definition when we add memory to it. Archiving is backup of the CMDB to a backup repository and might or might not involve pruning of data as the backup is done. Protection of the data keeps changes being made to the repository without proper authorization. It also keeps the data from being stolen or corrupted.

The fourth configuration management activity is status accounting. This is reporting of all current and historical data concerned with each configuration identifier throughout its lifecycle. It helps create configuration baselines as well as analyze risk and cost that changes create in an organization.

The fifth and final element is verification. This is to verify that the data in the CMDB and make sure that it is accurate. This is typically done on a regular basis and not done once a year as is required by accounting. It is important to make sure that verification is done before equipment is moved or new software releases are made. It is also important to verify configurations after disasters since changes can be made in times of emergency and not recorded.

Change management is the next major component of ITIL. Change is the process of moving from one defined state to another. It us used to ensure that standardized methods and procesures are used for efficient and prompt handling of all changes, in order to minimize the impact of any related incidents upon service. It is responsible for implementing changes in the orgznization with the minimum of disruption. This also allows for announcements of what changes will be made, when the changes will happen, and a definition of when and where a backout plan should be implemented when problems occur. This helps maintain a good balance between the benefits of change as well as the risks associated with change. Layered on top of this is an approval process that tracks and manages change requests. It typically involves some type of review, a go-no go selection, and resource commitment before a change is begun. It typically is integrated with capacity management, availability management, and configuration management. When a change is proposed to a system it is moved from configuration management into change management. When the project is approved it is moved into the release management process so that it can be rolled out as a new configuration. The capacity and availability management systems are also integrated into change management so that existing operation parameters can be analyzed to figure out if the changes will positively or negatively impace the service.

A typical trigger that initiates change management is a request for change that comes from the service desk, problem management, or changed CIs made by engineering. New business requirements can also generate change requests. Legislation and corporate changes typically mandate change requests as well.

Changes are typically categorized as urgent, minor, significant, and major. Urgent requests are typically handled by an emergency group that handles change requests quickly. Minor changes are typically approved by a larger group and done through collaboration tools like email or shared files. Significant change requests typically require discussion and reviews of the changes. Major changes usually requires higher levels of management to get involved because it has a larger impact on the organization and typically requires more resources and assets to be involved.

Typical metrics for change management are number of changes, number of changes backed out and why, cost per change vs estimaged cost, and number of urgent changes. Other items that need to be measured are time from RFC to release, number of items reviewed by review board and items handled by change manager.

Release management is the final component of support services. This is defined as a way of taking a holistic view of a change to an IT service and ensure all aspects of a release, both technical and non technical, are considered together. It includes software, hardware, and documentation required.

Release management typically incorporates processes in the development, test, and production environments. Release management typically manages the definitive software library and definitive hardware hardware store. It is also important that the release manager be integrated with compliance checks as well as license agreements.

information collaboration and libraries

Technorati Profile

I have been working with my wife in building a school library for my kids new school. When the school opened this fall they did not plan on creating a library for the kids due to expenses. My wife thought that this was wrong and began a grass roots movement to gets books, bookshelves, and a library computer donated. This movement was very popular among the parents and over 7000 books were donated as well as money for bookshelves, time to build and install the bookshelves, and a computer to checkout and checkin books. Now that we have the basic resources to build a library, it reminds me of a problem I am having at work. How do you arrange information so that it can be referenced and indexed at a later date and how is this information shared with my peers.

What are the basic technologies that can be used to share information?

A web page? A good start but I want to make it a little more dynamic. When I was at Sun we started onestop.central.sun.com which was a central navigation tool into product engineering. It was very successful but didn’t capture day to day problems and FAQ data that people posted on a daily basis. It was typically controlled by one or two people thus the data was limited to the knowledge base of these few people and the availability of their time to update the pages. It did allow us to create pointers into engineering so that we could navigate and learn about technologies quickly.

A blog? Blogs are interesting but they don’t have enough order to them. They are typically good at recording daily thoughts and stream of events but are typically organized by calendar and not topics.

A wiki? Interesting idea since it does allow for a blending of web information and blogs. Administration of a wiki server is a little complex but I like the idea of something like OraclePedia (Oracle specific implementation of WikiPedia). This might just work so I will have to investigate more.

A portal? We do have an internal portal that everyone has access to and it does allow us to customize it to view my personal interests. The problem with a portal is that it does not allow me to create content but subscribe to existing content. If I go this route I am still locked into the question of linking in web pages and blogs that I generate. It also gives me a view of what I want to see but how do I share this with my peers?

Shared files? I can create a shared file repository with information in heiarchial format but how do I index this data without opening the files? Directory organization of information is complex and different for everyone. I can give people access rights so that they can drop files into a directory and even give them access rights that allow them to update files. The problem is that you need to open the files to read the data. It is much easier to navigate this data with a web browser and navigate it with links. Shared files typically don’t have hyperlinks that allow you to go from file to file.

collaboration has always been a difficult topic. There is no single answer for all problems. I have been looking at applying this problem to the legal industry. How do laywers collaborate yet still keep confidential client information from people who should not see the data? It seems that searching and discovery of information is critical to their industry. I know that there are legal search engines to look at judgements and verdicts of court cases. The problem with these search engines is that they don’t index and search local information controlled and managed by the law firm. Allowing this data to be indexed is potentially an issue because key words published to a public search engine like Google desktop could lead to a break in the client confidentiality. The same is true for a sales organization. Do I really want to use Google desktop to index my documentation and presentations? Yes. Do I want to index my email exchanges with people inside my company and customers? Not really. This metadata gets shared with Google. True, they have done a good job of protecting this data and not using it malicously but it does become a vulnerability out of my control. I don’t think that many CIOs would approve of using a tool that exposes them to a risk that they have zero ability to control or mitigate.

being successful

I’m not sure if I have written about this before or not but it is something that I keep coming back to on a regular basis. What makes someone successful? Is it power? money? fame? fortune? To be honest I don’t care how someone judges being successful. I have my own definition that probably is different from the average person. To be brutally honest it is something very personal that I don’t share with many people and I don’t talk about very much. What I do talk about with as many people that I can is how you become successful. How do you start a new job and contribute, make a difference, and make the group that you work for meet it’s goals? The two key elements that are consistent with everyone that I talk to is a little luck and picking something that they can become very good at. Part of the luck is picking the right thing. For example, I think that I make a really good bread pudding that is better than most resturaunts. Does that mean that I should open a place of my own? Does that mean that I should be a chef or go to cooking school? No, I am smart enough to know that this won’t make me happy and won’t make me successful. I also know that I would not keep my job very long since cooks aren’t something that Oracle typically hires.

I really don’t have control over luck. I know that I can prepare myself to take advantage of luck but I can’t make luck happen. If I could I would have become a professional card player. That leaves only one thing left to do and that is be good at something. If I pick the right thing and get lucky in what I pick I can be successful. Ok, looking at what Oracle has been successful in might help. Oracle has done well in database. Oracle has done well in acquiring companies that require database. Given that I don’t have enough money to acquire companies I should probably focus on something that surrounds a database. When I was at Sun I started becoming an expert in identity management. It seemed important and was something that everyone wanted to talk about (as well as Java). I did ride the Java wave for a while but realized that I was not very good at producing code. I tend to overanalyze things and take too long to get a product into production. So the question that is difficult to ask is where should I spend my time? Analytics? Business Intelligence? Security? Compliance and Audit? Database? Management and Performance?

Lately I have been looking at specific markets and how our software can be used. Law firms, real estate, oil and gas, and retail. Somehow it seems like my Computer Science and Electrical Engineering degrees didn’t prepare me for any of this. I learned how to use tools and how to create things but I never learned why. Focusing on specific markets has made me aware that I haven’t learned why things are done. I think I know how. I think I need to focus on why.

good luck figuring it out, let me know if anyone figures it out.

M	T	W	T	F	S	S
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30