The Sourcec.ymcdn.com/sites/ · 2016-02-09 · Rich Ham-Kucharski discusses the security practices...

February Issue: Security

Letter from the President 2

IT Service Management = ITSM = IT Security Management 3

Integration Spaghetti Made Easy as Pie 6

Playing My Position: Manager for Service Management Office/Governance 9

The Source For IT Service Management

THE SOURCE – FEBRUARY 2016 2

Letter from the President

Pam Erskine discusses how ITIL and security fit into ITSM

People often use ITIL® and ITSM interchangeably. ITSM, or IT service management, includes so much more than ITIL. I often describe ITSM as including all of the good practices that are necessary to effectively identify and manage IT services that provide value to the customer. ITIL is an integral piece of the puzzle, but for many organizations, DevOps, Agile, Service Integration and Management (SIAM), Lean, COBIT, etc. are also incorporated into their service management strategy.

In this month’s issue of The Source, Rich Ham-Kucharski explores how security management fits into ITSM. With technology changing so fast, it is difficult to keep up, yet cybercriminals seem to be thriving. Steve Durbin, the Managing Director of the Information Security Forum, has declared 2016 the “year of cyber risk” due to the increase in activity that we’ve experienced over the last few years. Looking into the future, if your company hasn’t been the victim of a cyber attack, it is a victory. Unfortunately, it is also making your company a target. Maturing security management is key to effectively managing services and managing risk.

itSMF USA focuses on providing IT professionals with the resources they need to develop their skills and integrate best practices, frameworks, and standards to help improve efficiency and increase the value of IT. We can learn so much from each other, and itSMF helps to connect individuals across organizations so we can learn how best practices are being applied in other companies.

As an itSMF community, we can learn how to take the best of standards and practices to make our organizations more successful and safe. Join the conversation at #itSMFUSA.

I look forward to hearing from you.

Pam Erskine
itSMF USA President

THE SOURCE – FEBRUARY 2016 3

IT Service Management = ITSM = IT Security Management

Rich Ham-Kucharski discusses the security practices inherent when applying ITIL v3 to your ITSM solutions.

By Rich Ham-Kucharski

Many in today’s highly specialized ITSM and security management practices believe that ITSM, and one of its core methodologies, ITIL, have become outdated and outmoded because they do not include enough security management.

When we review these service delivery methodologies and take a closer look into how to truly leverage the best practices within them, we find quite the contrary. Security management is at the heart of all well-developed ITSM solutions based upon a foundation of ITIL v3.

Let us look at each of the five core processes of any ITSM solution: Service Strategy, Service Design, Service Transition, Service Operation, and Continual Service Improvement, and map them against best practice security standards such as COBIT 5 and the SANS Institute’s Top 20 Critical Security Controls.

Service Strategy

When setting out to develop your IT service management strategy, you must include many business requirements including budget, user features, and functions. Most important, you must secure these systems and all the data within them in accordance with regulations, industry requirements, business intellectual property and confidentiality, and ethics. No system today should be implemented without comprehending these solution requirements.

In COBIT, we find the strategic enablers and controls listed in the table. These framework components address specific strategic requirements such as ensuring framework governance and maintenance, benefits delivery, and risk optimization. Each of these critical controls is considered, defined, and used to make strong IT service management solutions and to ensure those solutions are governed throughout the life cycle of service delivery.

The same can be said for the SANS Institute controls identified in the Service Strategy category. In fact, during the Service Strategy process, almost every one of the Top 20 Critical Controls should be considered, to ensure capturing all of the security-related requirements addressed in the next ITIL core process, Service Design.

Service Design

The COBIT-related processes that map to Service Design include managing the IT service management framework, strategy, and enterprise architecture to ensure that risk and other security concerns are built into the designs of the ITSM model.

The SANS Critical Controls again will span almost the entire list. However, in this portion of the ITSM model, the controls are used to identify the specific configurations and procedures to be implemented within this ITIL core process to ensure success in the next process, Service Transition.

Service Transition

The COBIT processes that map most closely to this ITIL core process are within the COBIT process domain Build, Acquire, and Implement. The specific processes that align most closely work to ensure requirements management, organizational change, technical change, solution acceptance, and configuration management.

Once again we leverage almost every SANS Critical Control, but this time, we use the outputs from the assessments and design configurations to implement the relevant controls in the most effective and efficient manner. This, in turn, leads to the next ITIL core process, Service Operation.

Service Operation

In this, the most recognized of the ITSM and ITIL methodologies, we find the COBIT processes for Delivery, Service, and Support (DSS). All six of the DSS processes relate very closely to this core process. The management of operations, service requests and incidents, problems, continuity, security services, and business process controls are strongly aligned to how IT services are delivered from ITSM and ITIL methodologies.

While all of the COBIT controls have at least a minimal role in this process area, the above-listed controls are specifically designed to ensure (1) continuous operational updates, (2) security incidents are responded to appropriately, and (3) configurations are effectively maintained. This will ensure compliance with the original business requirements captured and defined within the Service Strategy and Service Design processes. This continuous evaluation feeds directly into the ITSM/ITIL core process, Continuous Service Improvement.

ITSM Security across Security Best Practices

Service Area | COBIT 5 | SANS Critical Controls
Service Strategy | EDM01, EDM02, EDM03 | All 20 are used to set the strategy for security services
Service Design | APO01, APO02, APO03, APO12, APO13 | All 20 are used to set the design of security services
Service Transition | BAI02, BAI05, BAI06, BAI07, BAI09, BAI10 | All 20 are used to implement security services
Service Operation | DSS01, DSS02, DSS03, DSS04, DSS05, DSS06 | CSC4, CSC12, CSC14, CSC15, CSC16, CSC18, CSC20
Continual Service Improvement | APO11, MEA02, MEA03 | All 20 are used to continuously review security services

Sources: COBIT 5, SANS Institute Top 20 Critical Controls

Continuous Service Improvement

The COBIT controls for quality management of the system and for internal controls and compliance with external requirements—APO11 and, from the MEA (Monitor, Evaluate, and Assess) domain, MEA02 and MEA03—ensure the continuous feedback and evaluation loop expected in this IT service management process.

Once again, we find there are aspects of each of the SANS Critical Controls that provide for continuous evaluation of the security practices and configurations. This is critical to the ongoing security of any IT service management framework.

To summarize, we can see that an ITSM model based upon ITIL v3 standards provides ample opportunities to include critical security management practices. In fact, balanced ITSM models can not only provide for in-depth security services, but they can also be stratified depending on the differing needs of small, mid-sized, and large enterprise models.

Many professionals claim that ITSM does not provide enough focus on security management, but in fact, a well-designed ITSM solution using ITIL v3 best practices provides strong security compliance and controls!

Imagine the level of security you could implement with all of the ITSM and ITIL v3 best practices leveraging security standards like COBIT 5, the SANS Institute, and more!


Rich Ham-Kucharski is Manager of e-Commerce Infrastructure Architecture for Macy’s Systems & Technology, and Founder and Principal Solution Architect for Cyber Defense & Compliance Services (CDCS). Rich has almost 20 years of IT service management and security compliance experience with companies ranging from Fortune 500 to SMB.

@HamKucharski in/richhamkucharski

Integration Spaghetti Made Easy as Pie

Nancy Van Elsacker discusses the three pillars to overcome challenges of an ever more complex service landscape

By Nancy Van Elsacker

The service landscape is becoming ever more complex. In large organizations, multiple supporting departments are using endless numbers of applications and links. While service management processes are re-invented to keep up with customer expectations and service trends, behind the curtain, this complexity means mistakes are easily made. A comprehensive vision of clear, future-proof services is essential.

A Vast Service Landscape . . .

In large organizations, supporting departments operate every day in a complex service landscape. Generally speaking, this service landscape comprises three parties working in a chain: the internal or external customer at one end, then the supporting organization or back office, and on the other end of the chain, the internal and external suppliers. Together the suppliers and supporting departments provide services for customers.

In this landscape, there are several supporting departments, including IT, facilities, HR, finance, and marketing. They support the same customer and aim for the same customer satisfaction. Some processes transcend departments, so there is a certain degree of collaboration. Nevertheless, supporting departments often have their separate process levels, work instructions, agreements, and software: the IT department uses incident management, facilities uses call management, and HR uses its own ticketing system. Different questions are captured by different departments, but all from the same customer.

. . . Or Individual Islands?

The customer has to deal with several parties, with each processing requests in its own way. However, even though questions are different, at the end of the day the IT customer is the same as the facilities or HR customer. This is also true for suppliers: They often have their own, separate integration with one of the back office departments. Processes relating to management—process management, contract management, supplier management, and links—are often taken care of in different ways on different levels.

It is these differences that have customers up against the limits of the service landscape. It’s a fragmented landscape: Each department working on individual islands with an abundance of application links. This makes the service landscape more complex and makes good, comprehensive services more difficult to achieve. Applications are integrated to allow the supporting departments to continue serving customers, resulting in integration spaghetti: many complex links with many points of failure. Moreover, in practice, a lot goes wrong—and the customer notices.

The Solution Is Simply Working Together

Processes run through different departments, from the customer to the self-service desk and back again. Integrations with linked suppliers on one side and the customer at the other should be optimal from beginning to end. The service chain in the service landscape is only as strong as its weakest link: if one part of the chain does not work then the entire chain is not optimized. And the negative effect impacts the customer. In this story, we see that the customer is not put first and that a fragmented service landscape is still a reality for many organizations.

Extensive collaboration offers the solution. Happy customers are the ultimate goal of every supporting department. Happy colleagues are the best way to make this a reality. Colleagues who work more happily and efficiently provide better service. The service of tomorrow rests on three pillars: (1) Standard and Simple, (2) Shared Service Management, and (3) Chain Integration. The first pillar, Standard and Simple, means simplifying and standardizing the service landscape. The second pillar sees the customer as a single customer, with one integrated service department for supporting departments, and the third provides for optimal service integration at the back end.

Three Pillars, One Solution

The three pillars streamline the entire service landscape. Keeping the service landscape standard and simple results in high customer satisfaction levels, as well as happier employees who can do their job more easily. The Shared Service Management pillar helps you provide the best possible support for customers by having departments collaborate and eliminate the fragmented service landscape’s bottlenecks. Having a single point of integration for all suppliers instead of expensive, laborious integrations makes it easier for suppliers to align with and serve their customers.

Even though there are three separate pillars, they are an inextricable whole. Often only a part of the landscape is integrated. After all, what does your supplier have to do with mine? Supporting departments that aren’t able to see the bigger picture ultimately affect the customer negatively. Organizations look at the shared set-up for incident management, but not whether the customer at the end of the chain benefits. And if organizations are developing largely shared services, there are still weak links.

The Weakest Link

Integrating the three pillars is necessary for an organization to continuously improve. As consumers, we are already used to current trends at the front of the chain, such as self-service, service catalogs, and portal customization. However, supporting departments are often behind the times. A single portal at the front end is still a mess of integrations behind the scenes. And when each application has its own self-service portal, organizations with a hundred core business applications cannot see the forest for the trees. These new trends require complete coordination of the chain.

Good collaboration starts with the service growth model. At TOPdesk, this model illustrates the problems the service landscape faces and provides steps to achieve completely shared services. Improve incrementally, starting with the weakest link. Don’t optimize in the margins, but improve the entire chain by tackling weak links further down. The customer experience depends on the weakest link, so that is the main focus of the improvement process. Step by step, each service department grows toward a simplified service landscape and higher service quality.

Utopia?

Shared services are the foundation of success, letting more satisfied employees do their job and make their customers happier. This is a drawn-out process. It requires a lot of time, but it yields great results. And you can take it a step further: you can support all core business functionalities with one application. A single portal for the entire organization. Not just for IT, but also as an Intranet access portal for all underlying information sources.

Three Levels of Service Organization

1. The starting service organization: one integrated part. The customer has several access points for different service departments, and sometimes one of the portals is part of one of the service tools. Each service department has its own tool; each tool has its own integrations.

2. Advanced service organizations. In practice, people depend on a primary service tool, usually in the front office. For example, calls go to the first line of the IT service tool, and incoming facilities or HR calls are passed in via a link. There is a single point of contact for customers, usually the front office portal, and an integration between the front and back offices. Behind the scenes, departments continue to work independently.

3. Complete shared service management: a tool for the front and back offices, a tool for all back office service departments, a single point of contact for customers, an integration point for all suppliers and third parties. Standard and simple collaboration.

Nancy Van Elsacker is President of TOPdesk USA, a division of the worldwide provider of service management solutions and services.

@nancyvelsacker in/nancyvanelsacker

Playing My Position: Manager for Service Management Office/Governance

By Cathy A. Kirch

My professional position is the Manager of the Service Management office at Allstate Insurance, and my volunteer role is with the itSMF USA Board of Directors as President Elect.

During my journey in technology, I have been a part of many exciting adventures. In the late 80s, I worked on developing and delivering the first IT network chargeback system, based off of a batch tape data recording with over $20 million of records. In the early 90s, I participated in creating the first online inquiry lookup system in my company. It accessed a component inventory of all things IT, and today we would call that a configuration management system. In the late 90s, I was able to implement the first relational database in our newly implemented open system environments. Y2K was an event unto itself, where everyone was focused on inventorying date references which had been hard coded and upgrading most everything in IT; this actually set the stage for the value of a Service Desk. More recently, I have participated in an organizational change program implementing an enterprise systems management practice. It provides a line of sight to the moving parts of our technology structure and has enabled us to make continual improvements.

All of that leads to now—where we are all in the third generation of technology, facing change at the fastest rate ever. This is a time of exciting potential and opportunities. As I look backward, I am thankful for living in an era of easy travel, microwaves, cable television, home internet, smartphones, my own network in a pocket, social media, and virtual work environments. I am even more excited about the next generation of smart cars, connected homes, and things that we haven’t even thought of yet.

With both the accomplishments of the past and the possibilities of the future, we do have some consistencies in our technology environments even with all of the changes swirling around us. The biggest consistency, of course, is change—we live in the middle of change, and that will be a constant.

Currently, I am a small part of an effort to move service management into a world of autonomy, lean thought processes, and big data analytics. Now is the time to take these disciplines, along with all of our proven practices in delivering consistent and auditable technology, to manage and improve the support we provide our businesses.

As we face the opportunities around us we must look at processes to lean them out, find automation opportunities, integrate data points, record all things relevant and use that information to remove risk, speed delivery, and make room for new technology capabilities. We need to use our toolkits that we have acquired as well as seek new knowledge and approaches.

I will play many positions in the near future, but they will certainly include tools and tasks like CobiT, LeanIT, Agile practice, ITIL, ISO, service management disciplines, volunteerism, giving back to the community, and a realization that it all revolves around technology and the organizational change of people. Now more than any other time, we must ensure networking in itSMF stays a part of our future as we evolve our organization to support everyone through these changes.

Cathy Kirch is currently the President Elect for the itSMF USA Chapter. Cathy is the Manager for Service Management Office/Governance at Allstate Insurance Corporation, and is working on leaning the processes. Cathy has been presenting internationally on IT service management implementations and cultural change since 2005.

Linkedin.com/pub/cathy-kirch/1/7b/473

The Source is published by itSMF USA
20333 State Highway 249 Suite 200, Houston, TX 77070; Phone: 626.963.1900

Editors: Mary Ward, Megan Miller
Contributors: Pam Erskine, Rich Ham-Kucharski, Nancy Van Elsacker, Cathy A. Kirch

The Source is free to itSMF USA members. For advertising and sponsorship opportunities contact [email protected].

Interested in contributing to The Source? Contact [email protected].

Copyright © 2016 itSMF USA. All rights reserved.