Itil Availability Management

In the Information Technology world there are many options to pursue if one is looking for a solid and trustworthy career. One particular job specifically has proved being of great interest and is currently in dire need of more recruits. This IT job is that of a “Database Administrator” or for short, a DBA. Database administrators obviously work with databases, specifically database management systems software. The basic requirements of DBAs is to create databases, maintain them and write programs for database administration.

DBA Obligations

Responsibilities of database administrators differ upon many factors. Depending on one’s specific DBA job description, the interwoven corporate and IT policies as well as the technical issues of Database Management Systems (or DBMS) one’s duties can vary greatly. What is certain, duty wise, is that a few definite and necessary tasks need to be fulfilled by all DBAs. DBAs are often required to conduct operations including disaster recovery, performance analysis and tuning, data dictionary maintenance and some database design.

DBA obligations in clear cut form involve safeguarding and guaranteeing either a corporation’s or organization’s functional databases and coinciding applications that reach those databases, making sure to monitor both efficiency and functionality.

6 Required Tasks

Beyond the above obligations, DBAs are also responsible for 6 main tasks including issues of recoverability, integrity, security, availability, performance and development and testing support.

Recoverability here is done as a means to take precautionary action in case of major errors in terms of data entry, program bugs or overall hardware malfunctions. The objective for a DBA in recoverability terms is to be able to bring back a database in the state it was prior to the malfunction or lose. Rightfully so, recoverability is also sometimes called “disaster recovery.”

Integrity requires DBAs to provide means to protect, but more importantly, to prevent data giving users from breaking the system’s business rules. Security is obviously just what it implies. And DBAs must tailor what they create to conform to a company’s security policies in terms of user ability, both in access and changing data. Availability here is just asking DBAs to provide accessible means to authorized users to access and change data as necessary for business interest.

Performance from a DBAs point of view is simply a task of maintaining efficiency in online response times and workability between all other aspects tying into the database maintenance process. If performance problems arise, DBAs will examine SQL statements, table processes and overall system architecture, individually speaking. And lastly, the Development and Testing Support aspect for DBAs is a rather less important task, one involving the collecting of sample production data for testing new and/or altered programs, consulting with programmers about overall performance tuning and making certain table design modifications as to provide new means of storage for new program functions.

Prerequisite Action

Before actually heading out into the real IT working world as a DBA, one must get their Microsoft certification, or gain what is referred to as a Microsoft Certified Database Administrator certification or MCDBA for short. This involves going through various steps from training, to testing and actual certification attainment. It doesn’t necessarily come easy, but in the long run, to become a successful, accelerated and respected DBA, one must have their MCDBA certification as validity to one’s IT and specific DBA skills and capabilities. And once this is had, a DBA position can be acquired and the above responsibilities are then put into effect.

It is a great for professionals to strategically combine the related bodies of expertise. For someone involved with IT infrastructure projects, ITIL is a great complementary certification. What I find is that often the specialty knowledge drives the PRODUCT of efforts, but the project management skills drives the PROJECT that produces the PRODUCT. On solid technical teams, that second mindset is often missing.

Background

When you get any level experience in the workplace, you realize that the world is a collection of operations and projects. We are always seeking to systematize where possible, to streamline operations, and to improve results. We are always trying to create a “business as usual”, “runs by itself” environment, although in reality the full achievement of this is elusive. We are always cognizant of change in external conditions, and of the need to be proactive in changing our operations when necessary. This intersection of operations and project management, is, I believe, where ITIL and project management come together.

The IT Infrastructure Library® (ITIL®) describes a set of best practices processes for stable, high quality IT services. Project management, as a discipline, provides the capability to implement a defined change in a controlled way, so that cost, schedule, and quality of deliverable are as expected. It would seem that awareness of ITIL in an environment where it is embedded would be an input to project management. Likewise, project management is a great skill to use in implementing and continuously improving the best practices provided by ITIL.

PRINCE2 and ITIL

PRINCE2 and ITIL originate from a single source, the OGC (The Office of Government Commerce) in the UK. While I do not have hard core statistics, ITIL seems to be more strongly on the radar screen in the United States than PRINCE2, probably in part because the PMI PMBOK is more heavily established. But the practice of ITIL does seem to draw on PRINCE2 to an extent due to its common origins, despite the fact that a project management framework such as PMBOK can, in my opinion, be just as effective.

Both ITIL and Prince2 have a mechanism for evaluating the change or project. The Post Project Review in Prince2 is the same as the ITIL Post Implementation Review. A successful review can therefore lead to the end of the project.

Where ITIL and Project Management Meet

IT Infrastructure Library (ITIL) is all about providing service within the operations of IT in an organization. This includes management of the Service Lifecycle, Service Strategy,

Service Design, Service Transition, and Service Operation. It also means continual improvement of the whole set of services that are in place. Management challenges within this realm include Service Desk and Incident Management, Configuration and Release Management, Service Level and Capacity Management, Problem and Change Management, Continuity and Availability Management, and Financial and Security Management.

ITIL itself, as a discipline, takes care of the operations within the defined services realm. However, any changes to that services realm can and should be handled by applying a good project management discipline. The difference is that the ongoing operations will be concerned with maintaining and improving services as an in-place, as-is process. The project management discipline will be concerned with defining the beginning of an initiative, delivering the product of that initiative, and turning over the results of that effort to be incorporated into the operation before finally closing out the project.

The two disciplines have significant differences, and using the wrong one can result in lower effectiveness. In the case of ITIL and Project Management, both disciplines will provide inputs the other. For example, ITIL will provide the current situation to a project. It also provides certain procedures, like configuration management, that must be followed within the confines of the project. The results, or “product of the project”, will become the key input to changes or improvements to be implemented within the ITIL implementation framework in the organization. The professional that understands both sides in depth will be quite valuable to the organization and will have a leg up in knowledge and credibility.

A Little about ITIL (ITIL certification, that is)

ITIL certification has 3 levels: the Foundation Certificate, the Practitioner Certificate, and the Manager’s Certificate. Project Management Training Online offers ITIL training that supports the Foundation Certificate.

In a nutshell, here is what these 3 levels are about:

The Foundation Certificate: There are no entry requirements, and the foundation test consists of a one hour long multiple choice examination testing a candidate’s basic understanding of the principles and terminology of the IT Infrastructure Library. It is designed to provide familiarity with the IT Infrastructure Library (ITIL) best practices for IT Service Management.

The Practitioner Certificates: This is aimed at those who are responsible within their organization for designing specific processes within the IT Service Management discipline, and performing the activities that belong to those processes. The Practitioner’s Certificates focus on the depth of understanding and application of those subjects, treating each subject as a specialty. Prerequisites include the Foundation certificate and mandatory attendance at an accredited training course.

The Manager’s Certificate: Aimed at managers and consultants, 2 – 3 hour examinations test the practical application of the theory of ITIL, and the exam is typically preceded by a 10-day training event other assessments may also be required. Candidates must hold the Foundation certificate and mandatory attendance at an accredited training course is required.

IT, by nature, is innovative – changing and adapting to remove the constraints of manual business operations and streamline the efficiency of organization. To adopt the mentality of “set it and forget it” with your technology is a sure way to tell your clients “we are resolved to becoming outdated and inferior.” At the same time, the industry has taught us that technology for technology’s sake is not a sound business model either. Keeping up with trends in the technology world becomes an even more overwhelming challenge for with every new, in vogue capability, there are countless iterations already in incubation. So, how do CIO’s and IT executives stay ahead of the curve to ensure systems will grow with an organization and protect valuable capital from being flushed away? Server Virtualization is a prime example of what was once looked upon skeptically as an interesting attempt to change the way IT managed cost and systems until it was proven prudent and lucrative by Fortune 500 firms across the spectrum. Now however, companies are out of license compliance, and have lost control and visibility into the enterprise.

Business is constantly changing, and this trend of change is seen more than ever in recent years with virtualization, cloud computing and IT outsourcing. These changes are difficult to effectively orchestrate but your people, your needs, your clients, and you must be able to adjust and evolve if everyone is to survive as value-players within the organization. Like any other evolution cycle, this one, too, is survival of the fittest.

So are you adapting (driving business innovation) or are you strong (stabilizing the platforms for better business operation)? To begin, you need to take a step back and evaluate your current IT situation and the services IT is providing. Understanding the longevity and sustainability of the services, software, and hardware you are currently managing is imperative to current viability. Whereas adapting to changing business needs is crucial for your future viability.

Where’s the balance?

Here’s how to avoid stagnancy and keep your IT systems evolving, while keeping your company’s long-term goals in mind.

Model your business and IT services

By mapping out your business services to IT services and the assets that support them, you build the solid connection that is required to understand the complex relationship between technology health and business health. So how do you get the information and where do you start? More than likely, you already have 2 key areas where this information is kept.

1st) Your catalog issues listed in your help desk.

Yes, you have probably already mapped your critical business services. The simple reason is users don’t call to complain about the “Server03″. They call to complain about the “registration system” or some other business function not working. This is a great source of information to start your business service modeling.

2nd) Your functional QA team.

No QA team has time to test 100% functionality which is why they must prioritize the critical functions of the business to be tested first. Within the service, they will also have the vital business functions labeled and mapped to the interfaces and applications.

Monitor your End-User Experience

End-User Experience Management is all about viewing your services through the eyes of your user. Nothing is more frustrating than when a product marketing manager insists that there are issues with an application or user-interface module and IT argues that from a functionality stand-point, everything is A-OK. End-user experience monitoring incorporates so much more than tracking click-through metrics. Understanding the intricacies of back-end systems, content delivery networks, streaming technology and other factors contributing to a positive end-user experience can have a huge impact on your bottom line. The system not only has to just work; it has to work for your end-users. The value of the technology is not only found in the functionality it provides, it also comes from its ability to be utilized over the internet, in the middle of the night, within five seconds – whatever is required. That is where the real value of the technology is seen, in its utility and warranty.

Manage your Application Performance

It would be unwise and counterproductive to hire new employees, train them, and leave them to their own devices – never again checking in to see how things are going. Yet, this is often the case with new application deployments. Application implementations require upfront customization for your organization and thorough testing to ensure functionality with all current operations, but it should never be considered complete without a system in place to measure performance. If there is a problem, you need to isolate it and determine root cause in order to keep the problem from reoccurring. As changes are released and the complexity increases, you need to ensure that your end-users are not adversely affected. Implementing a system to measure application performance gives you the ability to keep your operations running at optimal levels.

Infrastructure Management

Infrastructure Management (IM) has always been about managing more than hardware, software and the multitude of cables that connect it all together. While we would like to say keeping it running is easy, the reality is that infrastructures are more complex than ever. A strategy needs to be built to help manage the state of the infrastructure as it relates to the quality of service it is providing to the end user. Monitoring needs to incorporate more than just availability or faults. Performance, capacity, changes and security are all conditions of the infrastructure that will translate into a healthy or unhealthy condition for the business to operate in. Each of these attributes must be polled and brought together into a single engine to determine root-cause-analysis. Otherwise you risk over-alarming (page-floods) which can be worse than no monitoring at all because it causes the “cry wolf” syndrome. Like any observation, it should be instrumented methodically and matured (or increased) over time.

What is Availability Management

As you will have learned on your ITIL Managers training course, the most important feature of a quality IT service is availability. Users / customers need the service to be there when they need to use it! Availability Management aims to deliver these levels of availability at the appropriate cost and despite hardware failures and major contingencies.

Availability Management takes into account a number of sub activities all of which a crucial to the delivery of an I.T. service the organisation can depend on. These are:

Reliability

The ability of a configuration item (usually a hardware or software component) to operate as it is designed providing it is correctly used.

Maintainability

The ease with which a Configuration Item can be maintained in or restored to its operational state.

Serviceability

Contractually assured (usually with a 3rd party) availability, reliability and maintainability.

Recoverability

The capability to restore normal operation after a failure.

Resilience

Ensuring a single failure will not affect the delivered service.

Getting Priorities Right

Determining Priorities

In 2001 Gartner published research that analysed system downtime -allocating the causes to one of seven categories – thus:

Assessing Risk

Many organisations fail to realise that risk is a combination of threat and vulnerability and that management of risk is about evaluating one risk relative to another and determining which risks need attention more urgently. A methodology for doing just this is the widely used CRAMM (CCTA Risk Analysis Management Methodology). This methodology weighs the value of the asset to the organisation, against the threat and the vulnerability – see example below:

Definitions:

Asset

A component of a business process. Assets can include people, accommodation, computer systems, networks, paper records, fax machines, etc. Score from 1-10

Threat

An indication of an unwanted incident which could impinge on the system in some way. Threats may be deliberate (e.g. wilful damage) or accidental (e.g. operator error). Score from 1-3

Vulnerability

A weakness of the system and its assets which could be exploited by threats. Score from 1-3

Example 1

The E-mail service (being a relatively critical business Asset) might be assigned an asset value of 7.

The Threat of (say) a major server hardware failure would render the entire service inoperable and would therefore be assigned a maximum value of 3.

The Vulnerability might also be assigned a maximum value of 3 because the server hardware is known to be ageing and therefore more vulnerable to failure.

When one multiplies Asset x Threat x Vulnerability, in this example, one arrives at a Risk value of 63. This number, on its own means very little but it serves as a mean of assessing this risk relative to another – see example 2.

Example 2

In this example we explore the stereotypical I.T. disaster scenario – a plane crashing onto the data centre.

Here one would assign an Asset value of 10 (the maximum) as the total loss of the data centre would have a catastrophic effect on the business.

The Threat too would be assigned its maximum value 3 as the entire data centre would almost certainly be destroyed.

As the chances of any plane crashing in the UK is low, of it actually landing on this building even more remote and as the data centre is not situated on any climb-out or approach to an airport – the Vulnerability would be assigned a value of just 1.

So when one multiplies Asset x Threat x Vulnerability, in this example, one arrives at a Risk value of 30. Again, on its own, this number means very little but when assessed relative to another Risk as in example 1, one can see that taking action to reduce the Vulnerability of the E-mail server is a higher priority than dealing with the improbable consequences of a plane crash.

Risk Management Policy

By assessing and ranking the Risks to the business of the various Threats to its Assets one can set a policy to (say) address all risks with a value greater than 60 in year one, progressively reducing the Risk threshold year by year to (say) 50 then 40. The cost of mitigating the Risk weighed against the business benefit will be the determining factor in deciding when it is no longer necessary to lower the threshold.

Using ITIL

Many Risks can be significantly reduced by adopting better procedures and processes. Some Risks are generated from within – consider the DWP premature roll-out of desktop software that brought their systems to a grinding halt. The ITIL service-management disciplines, developed to improve the quality of I.T. services, are now universally accepted as “best practice” by governmental and private sector organisations alike.

ITIL is supported in the worldwide marketplace by three not-for-profit organisations: itSMF, The Institute of Service Management and the Information Systems Examination Board (ISEB) a subsidiary of the British Computer Society (BCS).

itSMF

Formed in the UK in 1991, the IT Service Management Forum (itSMF) is now an internationally recognised organisation dedicated to IT Service Management. It is a not-for-profit organisation, wholly owned, and principally operated, by its membership. The itSMF is a major influence on, and contributor to, industry “best practice” and Standards worldwide, working in partnership with a wide range of governmental and standards bodies.

itSMF aims

o To develop and promote industry best practice in service management

o To engender professionalism within service management personnel

o To provide a vehicle for helping members improve service performance

o To provide members with a relevant forum in which to exchange information and share experiences with their peers on both sides of the industry

The Institute of IT Service Management

The Institute of IT Service Management aims to promote and support the standing of its members by establishing high-standards of professional and ethical conduct, ensuring continuing professional development of its members in order to demonstrate their competence and commitment.

The ITIL Managers Certificate

The principal qualification for entry to the Institute of Service Management is the holding of the ITIL Managers Certificate. Qualification is gained only after gaining the ITIL Foundation certificate and attending a further 10 days of accredited training and passing both papers in an exacting 6 hour examination.

In 2003, 1,500 people sat and passed the Manager’s certificate examinations. Their training was almost entirely supported by their employer’s – testimony to the business benefit these organisations have gained from adopting ITIL “best practice” across their I.T. estate.

Any companies in the life science industry are required to reach compliance with the regulations of the FDA, ISO, CLIA, and EMEA and other regulatory bodies. There are a few ways to accomplish this. As a part of reaching compliance, companies must manage and record their own training processes. Some companies will find outside agencies to take care of this. Other will do it in-house. Both methods have their benefits and drawbacks.

The agency method, for example, is generally employed by companies that don’t have their own knowledge base in regulatory requirements. These agencies have the experience to help companies through this difficult process, but they aren’t cheap. The costs continue to mount because these companies must be used on an annual basis. Some companies believe this is the only option for them, but there may be a better way.

Some other companies may go for an in-house training solution.

When you do the training yourself, it will likely be more affordable at first, but there could be some other financial difficulties down the road. For example, the management personnel that are in charge of training the staff could waste a lot of time by manually trying to keep track of, in some cases, hundreds of different employees.

This refers to management trying to take care of all the forms and documents related to training with a hard copy. That always generates more hassle. Hard copies can be difficult to track, file, or even locate. They can take up a lot of storage space and will often make things very frustrating for your employees. Even for these companies, there is still a better way.

The best thing to do is combine the best characteristics from these two regulatory compliance training solutions. This will lead to a more reliable, efficient, and affordable solution. If you use the knowledge availability of the agency method along with the goals based in economic success that comes with the in-house method, you can throw in some modern technology and create a real solution for regulatory compliance training success.

There are some things you can do to make sure you succeed. First of all, do your research. Training is useless without the technical know-how to back it up. Second, watch your expenditures closely. If you wind up further in debt then the training won’t help a thing. Finally, use the proper technology the streamline your company. This way you can automate many of your training systems.

Always take the time to find the regulatory compliance training solution that fits your needs. A good program should include automated routing and tracking systems, automated follow-ups, notices for new training assignments, and much more. You should also expect a wide range of intuitive and useful analytics and reporting features.

Regulatory compliance training isn’t always a simple undertaking, and many companies find it very difficult. If you want to take a lot of the trouble out it, though, you should work on trying to gain the knowledge you need, keep an eye on your bottom line, and find a quality web-based solution.

Is this yet another article about the sort of business architecture that discusses the construction of environmentally friendly, eco-efficient buildings that recycle their own waste for power and have vast acreages of grass for a roof?

Nope, sorry, everyone looking for that sort of business architecture article should stop here. Having said that, this business architecture article, as we will see shortly, does have an environmental message to share……only it has nothing to do with constructing better and more efficient buildings as such!

The focus of this article is on the use of business architecture as the unifying blueprint in organisational transformation initiatives (and similar), and how the productivity in ‘virtual’ working it helps enable reduces costs and work-life balance stresses in a VERY GREEN way. What does business architecture remotely have to do with anything environmental you say? Well, we are glad you asked.

Did you ever stop and consider just how much money, time and energy that business travel absorbs? All those things tied up in travelling to and from as well as staying, eating and entertaining yourself while you are there? Well, it won’t surprise you to know that the costs are quite considerable. In our own industry (management consulting) for example, common rules of thumb for travel related costs are:

* Domestic only travel costs are typically between 5%-15% of fees charged;

* ‘Light’ travel abroad (i.e. to a single regional destination per week comprising a stay of multiple days) are typically between 15%-25% of fees charged; and

* ‘Heavy’ travel abroad (i.e. multiple regional destinations or a single long-haul destination per week comprising a stay of multiple days) are typically between 25%-35% of fees charged.

We believe the above examples, citing illustrative costings related to a service like management consultancy, are particularly useful; unencumbered as they are with product-related cost breakdowns and all the additional cost factors that can cloud the apparent size of the travel budget……making it ‘feel’ smaller and less significant than it is.

With most services you are able to see the travel costs for what they are……a large expense which is often a significant percentage of total income.

And while the percentages noted above vary depending on whether you:

* Drive versus fly;

* Dine in local eateries versus quality restaurants;

* Stay in budget versus full-service hotels;

* Use a hire car versus taxis;

* Fly economy versus business class; and

* Use a higher or lower the level of fee rate as the basis for your calculations.

They DO NOT reflect the sort of extravagant ‘fat-cat’ spending you read about in the newspapers. ‘Fat-cat’ style travelling can easily top 50% and more of fee’s charged……the sky literally being the limit in that scenario!

Instead, what we are talking about here represents the normal, legitimate and ‘at reasonable actual cost’ travel expenses of individuals (like management consultants) who travel extensively for their work……and are sometimes also known as ‘road warriors’.

For those who would quibble about whether these figures are realistic….yes, we believe that they, in our not inconsiderable experience, are very representative. Yes, they are high, but that is the point of writing this article about them. And yes, it would be possible to do it a bit cheaper if those involved really tried.

But you also have to keep in mind that these are the sorts of people who routinely spend 2, 3 and 4 nights (or sometimes more) a week away. During this time they need to be highly available, productive and positively disposed to the people they meet and work with despite all the inconveniences and sacrifices involved.

And no, travel, when you have to do it all the time, is not fun or glamorous after the early novelty wears off……try a few months of it if you don’t believe us!

So these folks can’t realistically be expected to cut every corner on costs that might be possible if they were retired or just on holiday for the week. They have to be where they are needed, when expected and ready to work on what are often time sensitive matters……no excuses related to faulty alarm clocks, traffic congestion or missed connections please!

The essential point being made here is that business travel, extensive or not, is almost unavoidably WEARING, EXPENSIVE and often ANTI-SOCIAL……with negative consequences for productivity, the bottom line and staff morale.

Having hopefully succeeded in making the point that reducing levels of business travel is mostly desirable, there then remains the question of how do you achieve it in practice? Drum-roll, trumpet fan-fare, cue the use of modern technology to serve our cause!

Although many people still intuitively prefer face-to-face contact there is also an increasing acceptance that working ‘virtually’ can often be a sensible substitute for some business travel. Especially after the initial, sensitive stage of establishing a new relationship is past.

Email, IM, tele-conferencing and increasingly video-conferencing are now ubiquitous means of ‘virtual’ communications. Particularly as the available bandwidth grows even as the cost of a connection continues to fall.

And these technologies are just the beginning compared to what Web 2.0+ potentially has to offer us as it steadily marches forward. Driven by the availability of the technology, and the cost containment pressures of the recent global financial meltdown, new avenues for ‘virtual’ working are rapidly emerging into the mainstream, including online:

* Email, calendaring and office productivity tools;

* Interactive collaboration and project management workspaces;

* Continuous connectivity (e.g. public spaces, homes, trains, etc);

* Social media sharing (e.g. Facebook, Linked-In, etc);

* Virtual world environments (e.g. Second-Life, etc).

Clearly there are still many new routes open to all of us that will allow us to remain connected, available and productive without the need to actually travel for business. And with the potential for massive cost savings at stake there is the financial incentive too.

Obviously, less business travel also means less stress on the environment or on those doing the travelling. It is generally accepted that the environmental, financial and (personal) social costs of electronically interacting are a small fraction of those for being there in person.

But this is not an article dedicated to singing the praises of the available technologies as such. Rather its purpose is to showcase the potential advantages of ‘virtual’ working IF you can find a way to transition to it efficiently and effectively.

Unfortunately, as many have found, this is not so easy as just providing people with technical tools and training…..that part of it is almost trivial. More importantly and of much greater challenge is that it also requires new or stronger disciplines related to how we work as well. Often the lack of these holds back the adoption of ‘virtual’ working.

Although many of us may not consciously realise it, one of the chief impediments to effective ‘virtual’ working is the lack of the physical intimacy and coordinating social cues found in face-to-face environments.

People cannot so easily fall back on their usual meeting room antics in a ‘virtual’ meeting. To be effective such ‘virtual’ meetings must be well planned and attendees well briefed and prepared…..otherwise the result can be an unmitigated fiasco. A fiasco that cannot as readily be retrieved as when you are in a face-to-face meeting with the others involved.

If you get a ‘virtual’ meeting wrong the judgements about you and the effectiveness of your contribution can be both harsh and difficult to reverse…..there is no dinner and drinks afterwards to ‘win’ the attendees back over with your smooth manner and ready charm. The data point for most will remain related to your performance in the meeting!

Therefore, preparation and careful coordination are often the keys to the success of a ‘virtual’ meeting…..and that nicely introduces the role of business architecture in all of this.

We are not going to pretend that a business architecture speaks to all the reasons for business travel. Or that it can by itself cure all ‘virtual’ meeting ills, or precludes the need for all business travel even in those situations that it does relate to.

For a start there is obviously still a fundamental need for basic meeting disciplines to be observed; like having an agenda, specifying and doing attendee pre-work, checking that the supporting technology will work on the day, etc. If anything the need for observing these basics is even stronger in a ‘virtual’ meeting environment.

We also concur that sometimes, especially in important, non-routine or new situations, being there in person is by far the most prudent course of action. However, for much of the rest of the time, working ‘virtually’ makes a huge amount of sense.

As has already been mentioned, a major key to successful ‘virtual’ working lies in careful preparation and coordination. We would also now note that a significant amount of business travel is related to activities such as transformation initiatives, performance improvement efforts, M&A ventures, contracts agreement and troubleshooting, etc.

Each and every one of these are activities that a business architecture can speak to in strong and direct terms.

Business architecture is about providing a common, holistic, top-down and integrated view of how the People, Process, Technology and Infrastructure assets (existing or new) of an organisation will be structured so as to align with and achieve the objectives set out by its vision and strategy as well as satisfying nearer-term tactical imperatives.

Having an appropriate business architecture will by its definition represent a robust and agreed source of preparation and coordination for any and all work related to it. It becomes a common touchstone and language with which everyone involved can converse to test and synchronise their understanding of what is being done, by whom, when and why.

It is precisely the sort of guiding envelope that ‘virtual’ workers and extended team members need to align their efforts. Giving them confidence that what they are doing locally ‘offline’ is broadly correct and the ability to discuss globally ‘online’, in common terms, the things about which they still have questions.

In short, it provides the common focal point needed for efficient, effective and productive ‘virtual’ working; with all the environmental, financial and staff morale advantages that implies. For our part we fail to see why, for the types of work to which it is suited, you wouldn’t choose to use business architecture as an essential ‘virtual’ working enabler!

Where should you start when building your CMDB?

Many consultants and vendors suggest purchasing a tool before beginning the building of the CMDB.However, this is unnecessary since most IT organizations have very little idea, from the outset, about exactly what type of information will eventually wind up in the database(s).

To start, an Excel spreadsheet will work fine. The idea is to begin by mapping out the entire Configuration Management process prior to the purchase of a fancy, and expensive tool. Often one of the biggest dilemmas associated with building the CMDB is deciding where to begin.

It is considered good practice to involve other process owners in the design of the CMDB. This way, you can ensure that the database contains information that will be immediately useful and beneficial to the organization. This also helps in getting started.

Most organizations usually already have some form of Incident and Change Management processes in place. These processes are sometimes referred to as the “customers” of the Configuration Management process.

In this sense, Incident and Change Management will benefit directly from the data to be stored in the CMDB. Starting with the requirements from these two processes is also an effective way to resolve the often lengthy discussions regarding the CMDB strategy and design.

For example, the Change Management process uses relationship data from the CMDB to help in determining the potential impact and/or risk, to IT service availability, associated with changing a particular Configuration Item (CI). This is helpful in the planning and coordinating of changes so as to prevent unwanted downtime.

Likewise, the Incident Management process (with the Service Desk) utilizes the relationship data in the CMDB to determine the impact of an unplanned outage event on the user community or on defined service levels. The Service Desk can also use the CMDB to discover whether the CI is associated with any known defects or errors. In this event, workarounds may also be available to resolve the situation and thereby minimize the impact on the IT service.

It’s also helpful for the Incident and Change Management processes to have a certain level of maturity before beginning Configuration Management. This is mostly because, there should be some idea as to what type of information will be best in helping these processes to be effective in achieving their objectives.

For example: what level of detail is required for the Incident Management process to be able to adequately resolve breakdowns in order to meet agreed service levels? For Change Management: What level of system detail is necessary to accurately assess the risk associated with a particular change so as to maintain the required level of stability.

In practice, these thresholds are usually different for different IT systems and services. Therefore, the decisions regarding the breadth and depth of your CMDB will depend largely on the level of control required for each IT system/service. This control will depend mostly on the importance and required system availability.

For each service, start with those CIs that:

Are subject to change

Are necessary to deliver a service

Can be managed

Can be uniquely identified

Once the scope of the CMDB has been decided, a detailed project plan should be created. This plan should probably be divided into several phases with discovery and CMDB population for each IT Service. This means that once the level of detail is defined for each IT Service within the project scope, this master plan should be divided into roll-out phases and outline all services included for each phase.

Each phase will include CI discovery tasks followed by CMDB population tasks. Additionally, auditing and verification (of data) tasks are also very important as the accuracy of the data is critical to the success of the database.

Each CI entered into the database should have an owner or someone who will be responsible for making sure that the data regarding that CI is both complete and accurate. The CI should also be assigned a unique identifier (CI Name) that will never change throughout the entire life cycle (i.e., CI purchase to retirement.) This means, that you should think twice before including any intelligence in the naming convention that references things which are subject to change (location, owner, host names etc.)

The name should make sense (i.e., servers begin with the letter s, perhaps) but should not be such that the name no longer makes sense when circumstances change (data center move, for example). This information can always be included in the CI attributes.

The naming convention should also be consistent across all environments. When deciding which relationships to map for each CI, consider first only the important relationships. This means, begin by describing in the CMDB, the most obvious relationships between CIs.

For servers, the important relationships might be what the server is connected to, which applications are running on the server, which services are dependent on the server, etc.

Once this has been decided, it is time to begin the population of the CMDB. Again, the CMDB can start off being something as simple as one or more excel spreadsheets.

What’s important is the process. A sound and well thought out process regarding the design of the CMDB as well as the ongoing maintenance of complete and accurate information are the keys to creating a successful and effective repository.

Good luck!

Lots of folks seem to have high expectations for the newly updated version of the IT Infrastructure Library (ITIL).

In an interview with IT Business Edge, ITIL: Change Is Gonna Do You Good, Mark McManus of Computer Economics says that Version 3 of ITIL, released in late May, “provides a more practical approach to ITIL implementation” and one that should more clearly illustrate ITIL’s benefits to business folks.

Buy-in doesn’t appear to be as big of an issue for IT – though there are some interesting exceptions. For instance, a Forrester Research analyst notes in a recent internetnews.com article that there seems to be little interest in ITIL in storage circles, though the two are “an excellent mix.”

After all, the analyst says, storage often suffers from a lack of consistent processes – which is exactly what ITIL delivers. ITIL can help streamline storage management by eliminating the duplicative processes that are common in many organizations.

The key challenge in marrying the two, says another expert in the article, is that vendors typically market their products as standalone storage management solutions – while ITIL would likely dictate that storage management be integrated into Service Delivery and Service Support processes. This could change, however, as major storage vendors like EMC and CA move to incorporate ITIL into their products.

An InfoStor Magazine article notes parallels between ITIL and information lifecycle management (ILM). ITIL’s Service Management components address several key storage concepts, including availability, capacity and performance.

Like ITIL, the toughest part of ILM is an upfront, business-focused analysis, the InfoStor article points out. Yet neither initiative is likely to be successful without it.

As McManus points out in his interview about ITIL -

You really need to sit down and do an assessment of where you are today. You can’t fix it if you don’t know where you are today. Companies that have been successful have done a good assessment of their current IT and business processes, and identified the most serious deficiencies so they can tackle those in a prioritized manner. Lacking that good planning and project management will be a killer.

The modern Enterprise IT Infrastructure as we know it today has evolved over the years, from the huge computers in the mid 1940s, which could not even do what our small calculators can do today, to the years of mainframes. We now have high processor computers with lots of storage space and high speeds that are easily affordable. We have seen a shift of focus from centralized to decentralized, distributed, network computing within enterprises. All these developments have been great, as they have eased the way we do business, but also brought myriad of enterprise security issues.

In this article we look at the top 10 enterprise security controls that we could deploy to reduce on the effect of known enterprise infrastructure security issues.

1. Take a holistic approach to security

Successful enterprise security requires good planning and a holistic security strategy that considers everything in the organizations, from business processes to the people, on an ongoing basis. Many at times enterprises consider costly technical solutions, as a reaction to security breaches.

2. Develop an Enterprise security program / policy

Organizations need to develop security programs that outline the Roles, policy, procedures, standards and guidelines for the Enterprise security.

Roles: Outline who is responsible for what e.g. Chief Information security officer (ISO) could be s responsible for ensuring a good security posture for the organization.

Policies: These are general organization wide statements that set out the mandatory requirements to ensure a minimum security level. Examples include: Acceptable E-mail Use Policy, Internet use policy, Mobile devices use policy etc…

Standards: these are derived from policies, laying out specific steps or processes required to meet a certain requirement. For example a requirement that all email communication be encrypted.

3. Manage Risk – On a continuous basis

Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. This involves identifying the assets in the organization that you need to secure; these could include human resources, technology, trade secrets, patents, copyrights etc… Then identify all possible risks that could affect the availability, confidentiality and integrity of these assets. Management can then decide what to do with the identified risks; risks can either be mitigated or transferred to a third party like an insurance company.

4. Refine Business Processes: Adopt Industry best Practices

Beyond the need to manage Enterprise IT technology, is the need to establish and employ best practices and processes to optimize IT services. A number of internationally recognized frameworks have been developed already to describe effective ICT infrastructure management processes. Hence there is no need to re-invent the wheel.

Examples include:
COBIT – Control Objectives for Information and related Technology {1},
ITIL - The Information Technology Infrastructure Library {2}
and ISO 27001 {3}

5. Streamline physical / environmental security

Physical and environmental security is vital in protection of information assets and ICT Infrastructure in the Enterprise. Physical security should look at issue like, monitoring and detection e.g. security guards, alarms, CCTV. Access control and deterrent solutions e.g locks, fencing, lighting, mantraps, Biometrics etc. Environmental control and design, server room temperature, humidity, air conditioning, static electricity, fire suppression and detection, Power generation and backup, all these should be well streamlined.

6. Deploy content filtering / inspection solutions.

As content, (email, internet traffic etc…) moves in and out of the enterprise, there is need for it to be managed well to avoid any security breaches and attacks. Controls could include:

- Web filters to enforce organizational Internet usage policies through content filtering, application blocking, and best-of-breed spyware protection.

- Spam filters / Firewalls to protect your email server from spam, virus, spoofing, phishing and spyware attacks.

- Unified Threat management solutions(UTM): Several organization choose to deploy UTM solutions that offer industry leading functionalities within one package including Intrusion Prevention System; Antivirus with Antispam; Web Filtering; Antispam; Firewall; SSL – VPN; Traffic Shaping and many more.

7. Manage the inside of the Corporate Network

We have already seen that there are increased security breaches that come from within the enterprise; therefore it’s vital to manage the inside of the enterprise network very well. Some of the steps we could take include the following:

- Taking an inventory of all authorized and unauthorized software and devices on the network.
- Maintenance, Monitoring, and Analysis of Audit Logs
- Continuous Vulnerability Assessment, patch management and Remediation
- Limitation and Control of Network Ports, Protocols, and Services

8. Have an Identity and Rights Management System

Identity management is very vital and important to avoid user rights violation and excessive rights issue. Put in place procedures, guideline and a system for Identity management, which involves creation of users, change of user rights, removal of rights, resetting lost user password. This also calls for Controlled Use of Administrative Privileges. Is access in the Enterprise based on a need to know basis? For example should everyone in the organization have access to the payroll database?!

9. Put emphasis on Data Loss Prevention (DLP).

Data loss prevention puts into consideration the security of data, both in motion and static. With the advent of portable devices and memory sticks that have lots of storage space, it very easy for someone to copy lots of corporate data on a removable media in just a matter of seconds. I have heard of stories of disgruntled employees selling clients databases to the competition. Data loss prevention (DLP) encompasses the tools that prevent accidental data leakage, including device and port control, encryption (both hard-drive and removable media encryption).

Also how does your organization handle hard disks that have sensitive information and need disposing off? How about paper documents? I bet one could get lots of information by just dumpster diving into corporate trash bins (am told some investigative journalists use this method to “snoop”). There is no excuse for organization not to shred sensitive paper documents, given all the shredders available on the market; some can even shred plastic and CD media.

10. Don’t go it alone

Securing information assets is becoming more vital every day; unfortunately many organizations do not consider it important until a breach has actually happened.

You can imagine the direct cost of not being proactive as far as information security is concerned, which could include, the cost to recover data lost or altered during an incident, cost to notify customers of breaches, fines for non-compliance and indirect costs e.g., lost customers, lost productivity, time spent investigating/resolving breaches and hoaxes, and so many. Therefore it’s crucial to seek for external assistance from an external firm or consultant if need be, to assist in areas like:

- Carrying out an IT audit and Penetration Tests a.k.a “Ethical hacking” on your own infrastructure.
- Assisting with Information security awareness training for your staff etc…

It’s important to note that securing information assets in an enterprise is not just an event, but is a continued process that requires an ongoing effort and support of the top management, this is because the threats to information systems continues to evolve and change daily.

References:

1 itgovernance
2 itlibrary.org
3 http://www.27000.org

Communications are a critical deliverable of every successful project and a key project management soft skill. You may not have thought of communications as an actual project deliverable, but it is. It may not be the one your client or customer places the most emphasis on, but that’s because every client and customer will take good communications for granted.

Project communications is one deliverable that you are personally responsible for and it’s one that has a large influence over your project’s success or failure. I say this because personal experience has taught me that the best managed projects, delivering on all their promise, on time, and on budget can still get a bad reputation and be perceived as failures. The reason: the project manager did not do an adequate job of communicating project success to their stakeholders.

We hope that the information and template in this section will help guide you to choose the right information, schedule, and communication vehicles for your project.

The Major Elements of Project Communications

Who to Communicate to

You could just say that it’s important to communicate with all the project’s stakeholders and leave it at that but this approach would guarantee failure. Each individual stakeholder has a different set of requirements for project information, and prefers different ways of receiving their communications. It will not be possible to define a unique set of communications and communication vehicles for each stakeholder in most projects so the best you can do is identify the different category of stakeholder and define the required information and communication methods that best suits the group.

Executive Sponsor/Business Sponsor Probably the most important customer(s) of your project’s communications. It’s going to be worth your while to define a custom set of communications for each person in this category. Generally speaking, these are busy people who don’t have a lot of time to read a lot of detail. Charts and graphs that tell the viewer a lot about the project at a glance will probably work best for them.

Take the time to interview them about their preferences: what they need to know, how they want to be communicated with, and how often. Keeping them informed about project performance is critical because they sign the cheque for the project (including your salary). They also need information so they can keep their peers apprised of the project’s performance. Remember, they are your project’s champions so the better armed with information they are, the better job they can do promoting your project.

Tip: don’t report a problem to them without suggesting a solution. For example, if you’re reporting an SPI of less than 1.0 for the 2nd week in a row, you need to include a corrective action with the report.

Project Team Members This is the single most populous group in your list of stakeholders. You may want to subdivide the group into sub-groups based on their roles. For example you may want to have a different set of communications for the Business Analysts and Software Developers, or for the Electricians and Plumbers on your project. This group has a different perspective on project performance than sponsors: the sponsor views the project as work being done for them. The team member views the project as work being done by them and therefore reports on project performance are a reflection on them. A good report pleases everyone – project sponsors and team members. A bad report will cause the sponsor to worry but may negatively impact team morale.

Customers/Clients These can be internal to your organization, or external to it. These people may profess no particular interest in project communications until the final product or service is delivered. You need to overcome this disinterest and pique their interest in project progress. The more informed they are on the project as it progresses through its lifecycle, the more likely they are to accept the resulting products or services.

Partners These are people who are doing work that is in some way affected by the work of your project. You may both be working on projects that are part of a program, or your projects may simply affect one another without further integration. For example, you may be managing a software project that requires a corresponding database project – the database project team is your partner. Or, you may be working on a software system new software system that will utilize an existing web portal for customer access – the portal team is your partner despite the fact they aren’t performing a project.

Community Stakeholders These are an increasingly important category of stakeholder. As more emphasis is being placed on organizations ethical behavior and social responsibility, there is an increasing demand for projects to be performed ethically. One of the ways this is done is by treating those who don’t belong to the performing organization, or to the customer/client organization, as project stakeholders. Consideration of these stakeholders must go beyond communications, but project communications constitute an important part of your ethical dealings with them.

Project Manager Don’t forget to include yourself as a stakeholder. Your need for project information is perhaps the most important for the project. If you aren’t receiving the information you need to run the project, you won’t be able to share it with other stakeholders. Your needs will stem from the need to be updated on the progress of the individual tasks of the project so that you can keep the project plans up to date and identify preventive or corrective actions.

Project Management Office (PMO) Your PMO may have requirements for project information that will enable it to identify opportunities for process improvement. While these needs are very much like the needs of sponsors, customers, and clients to know how the project is progressing to plan, its focus is on the project processes, tools, techniques, and best practices it supports. Your PMO may also be tasked with reporting on project progress to the organization. Reports which the PMO is responsible for should provide very specific requirements for information.

What to Communicate

What project information to communicate to a stakeholder group is inextricably tied to the information that is available for communication. After all, you can’t communicate what you don’t know. On the other hand, if the need for the information is real and gathering the information is feasible, you should make every effort to make it available. The choice of the information to be communicated cannot be made without considering the project’s tools and techniques for gathering the information and vice versa.

Project communications is not a key deliverable of the project, but it should be treated as a project deliverable. Start with your Project Charter: does the project charter contain any requirements for information? If it does, the information and its target audience ought to be included in your Communications Management Plan. Your Scope Statement may also include requirements for project communications. The Statement of Work (SOW) may also have captured requirements for project communications. When you are performing a project for an external customer or client the SOW is your bible and any project communications that are part of the legal contract should be specified there.

After identifying all the needs already expressed in the project documentation to date, you need to solicit requirements from the various groups of stakeholders. This solicitation should be done in the context of what is feasible for the project to deliver. Be prepared to meet with your sponsor to identify their requirements. Be specific as to presentation: should the SPI (Schedule Performance Index) be shown as a bar graph with a rolling 6 week tally? Should it be shown as a line graph with the benchmark line of 1.0 and a rolling 6 month tally? You may even want to mock up some sample reports to let them choose the format.

A project dashboard is a popular instrument for communicating project progress to sponsors and other senior executives. The dashboard is meant to show the status of your project at a glance and may consist of the project’s SPI, CPI (Cost Performance Index), SV (Schedule Variance), CV (Cost Variance), PV (Planned Value), AC (Actual Cost), and EV (Earned Value). As a rule, you shouldn’t mix schedule indicators with cost indicators, but you can show schedule and cost indicators in any combination your sponsor would like. You may also want to include such things as the top 5 risks, top 5 outstanding issues, metrics on change (number of change requests, number accepted, number of rejected, total costs, etc.), and quality (number of tests, number passed, number failed, outstanding bug reports, etc.). You should try to keep your dashboard to a handful of slides and provide supporting detail in text, or Excel format as backup.

You should repeat the requirements gathering exercise with each group of stakeholders, weighing their need for information with the project’s ability to gather and communicate it. Tip: share as much of the information reported to the other groups with the project team (the people actually doing the work of the project), as is possible. Your organization may have policies or guidelines around what can and cannot be shared outside executive offices; share as much information with the team as possible without violating these policies. You’ll find sharing positive reports will boost morale, while sharing negative reports will stop the rumors that will further erode morale.

Be prepared to capture and report information by stakeholder group, department, or sub-project. The individual groups on your team will want the ability to view their progress in isolation from the rest of the team. Tip: make sure that you break the work down so that tasks performed by individual groups or departments are identifiable. This will enable you to report performance group by group or department by department and still roll totals up to report for the entire project.

The information you plan to communicate will drive your activities throughout the project. Your plans should include the metrics that must be gathered in order to support the information you plan to communicate. You will need to identify who is responsible for providing the information and where the information is to be stored and reported from. There are 2 questions you need to ask yourself before you commit to providing a report:

1. How do I get this information? (i.e. what metrics do I need to capture and where will they come from)

2. Where will I store the metrics?

A failure to answer both questions will mean that either you have to alter your plan to task someone to gather the metric, identify a tool to capture and retrieve the metric, or drop the requirement.

Finally, don’t forget individual accomplishments and rewards when reporting project progress. There’s nothing like a good news story to keep team morale high and the celebration of a team member’s accomplishment is something most sponsors enjoy hearing about.

How to Communicate

There are many different means of communication available to you – face to face, e-mail, intranet, internet, regular mail, phone, video conferences, etc., etc. These can be grouped into 2 groups: “push” communications and “pull” communications. Push communications requires you to push the information onto the recipient as the name would suggest, while pull communications requires the recipient to actively retrieve the information from a central source. Web sites and centralized repositories are examples of pull communications, while e-mail and meetings are examples of push communications.

Preference for either push or pull communications is typically a personal preference. Some people deal with information best when it’s presented to them and some prefer to retrieve it at their own convenience. Be prepared for conflicting requirements from individuals in your stakeholder groups. You may have to make the final decision on which method to use if there are conflicting requests. Alternatively, you may be able to identify a spokesperson for the group who will be empowered to identify the group’s requirements. The exception to this rule is your project’s sponsor. Because there is only one or two of these people, you need to ensure that your communication methods suit their requirements.

Tip: If you determine that the project must have a new tool, such as a web site, to satisfy a stakeholder requirement, you’ll need to justify the cost with a business case. State the benefits to the project in business terms that justify the costs. You can also include benefits that supersede your project. For example a web site or tool such as Lotus Notes could benefit all projects your organization performs, and may even provide a benefit to operations. You may also want to explore having the PMO, or Operations bear the cost of the new tool.

When to Communicate

Your communication schedule will be driven by the needs of your audience and the availability of the information to be communicated. For example, if you had the bandwidth, you could report on any metrics managed by your MS Project file daily. On the other hand, you can’t report on the results of your Gate Meeting until the Gate Meeting has actually been held. There is also no reason that a report communicated to one stakeholder group bi-weekly, can’t be communicated to another group every week.

You need to use common sense in addition to capturing your stakeholders’ requirements. If you choose to use a “town hall” to communicate to all stakeholders, don’t schedule the meeting to occur weekly. Tip: when planning a meeting that involves you (or another team member) communicating information to an audience, count the audience, multiply that number by the number of hours the meeting lasts and multiply that number by the loaded labor rate for that group. Avoid spending large amounts on frequent communications.

Other meetings, such as status review meetings with project teams must be done more often to avoid the project going off the rails. I find that when the project is on track, weekly status review meetings are sufficient. When your project encounters problems, you might want to increase the frequency to better control the work. In extreme cases such as a project rescue, you may need to hold them daily. Tip: when the project is running smoothly and you have an alternate means of identifying completed tasks, don’t be afraid to cancel a status review meeting and give the team an hour off!

Remember that communications is part of the project work. You should manage that work in your MS Project file like other project tasks, but be sensible – don’t overload yourself by tracking every meeting in MS Project. You should be using the “walk around” style of management if your team is collocated, you needn’t track each informal meeting you have with individual team members. Use MS Project to help you control the project, not overload yourself with work.

Tools and Techniques

Tools and techniques include tools you’ll use to convey the information, tools you’ll use to gather the information, and tools you’ll use to store and retrieve the information. Conveyance tools will include e-mail, web sites, web casts, conference calls, video conferencing, public directories, town hall meetings, and graphical tools such as Excel. What you’re communicating, how you need to communicate it, and your communication budget will determine which of these tools you’ll use.

There is one tool that you’ll rely on more than any other to manage information about your project: MS Project (or Primavera, if that’s the tool your company has selected for use). These tools are referred to as Project Management Information Systems (PMIS) by most PMP Exam preparation courses and in the PMBOK. These tools are capable of capturing, manipulating, and reporting most of your project’s relevant information so you need to be very familiar with their use. There are many excellent courses available that will ground you in the fundamentals of their use.

Your organization may employ a time tracking system in which case you have an additional source of information. Your time tracking tool should allow you to report on labor costs for your project (i.e. support the charging of time to your project code). It should also support the reporting of these costs by group and by type of work. For example it should tell you how much time was spent last week on analysis of your software project. You should reconcile the metrics from the time tracking system with your MS Project file to ensure they tally. Tip: if your time tracking system is used to generate the pay cheque for your team, make it your bible. A discrepancy means your MS Project file may be inaccurate.

MS Project comes complete with a selection of “canned” reports ready for your use. I have found that it’s most useful feature for reporting project progress is its ability to export data to an Excel spreadsheet. Because Excel has been around so long it’s feature rich and supports just about any type of graph or chart you can imagine. The trick here is to export the information you need to base your report on, then edit it in Excel. MS Project contains ample help facilities on how to export data.

I mentioned the 2 different categories for distributing information: push and pull. Many of your project’s communications will lend themselves equally well to both methods. For example, if you communicate you can review your dashboard report with the project executive steering committee during a meeting, push it to the project team via an e-mail broadcast, and archive it on a public directory or the project’s web site.

Lastly, remember that the accuracy of the information you communicate about the project will have a profound affect, either good or bad, on your reputation. You need to do your utmost to ensure the information you communicate is accurate. Measures such as the reconciliation between time sheets and your MS Project file can save you from making claims about project progress that aren’t supported by the facts. Even with that degree of scrutiny your information can still be misleading or out of date. Be open and honest with your communications: tell your audience where the information comes from, how it was compiled, and how old it is. Be forthcoming with any information that could impact on the accuracy of your reports and let your audience form their own opinions of the accuracy and value of your communications.