Graham K Draughon, President, Blackthorn Cyber Security, LLC. & Advisory CISO, Onemain Holdings, Inc.
IT Service Management is often equated with Help Desk operations. Certainly, support tickets and break-fix can represent a significant number of incidents. A fully featured IT Service Management solution will support provisioning and de-provisioning processes, assignment to the appropriate work queue(s), tracking of workflow and status, retention of all associated artifacts, customizable analytics, reporting, and monitoring. Where applicable, the solution should also support interfacing and exchanging data and status with other IT / Corporate Systems through a robust API architecture. A service management lifecycle should provide a complete end-to-end closed loop that preserves all artifacts associated with the service request or incident and be extensible beyond a focus on IT to a Corporate Service Management solution.
While Help Desk functions are indeed important aspects of service management, request / approval processes are even more so. With highly regulated businesses subject to Sarbanes Oxley, HIPAA, PCI, SEC, and other state and federal regulations, a well-engineered request / approval capability is critical. It is this aspect of service management that plays a fundamental role in Cyber Security controls, enabling the enforcement of ‘least-privileged’ access and requiring proper approvals for any access requested while ensuring that all appropriate reviews and risk assessments are completed and discoverable. Approvals often must cross multiple areas, from Security and Technology to the respective business department(s). Approval workflows can be very sophisticated; they must be easily adapted and customized to corporate change, and carefully structured to align and keep current with business policies and procedures. Upon completion of the approval workflow, the Service Management solution should automatically generate a ticket and send communication to the requestor as to status, either approved or rejected. The ticket should auto-populate to the correct work queue(s) for action. From this point, the ticket behaves very much like a standard Help Desk request.
Designing and constructing a corporate request and approval solution within IT Service Management can be a daunting task for a large and complex corporation. Depending on policy requirements, the approval chains can be quite varied and extensive. Owners / approvers for systems and applications, structured and unstructured data sources, hardware, software, physical assets, networking, and telephony must all be defined and implemented in a flexible and readily maintainable workflow. Rigorous security review and approval must also be incorporated. Approvers should be provided with an intuitive, easy-to-use interface to approve, reject, and provide comments. Delegation must be supported to allow for changes in approver availability. The workflow should be multi-threaded to accelerate the approval timeline, enabling multiple approvers to act on a request simultaneously. This is an extremely important requirement for complex workflows where a request spans multiple areas of a company and, thus, requires many approvals to complete the request process.
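To make the closed-loop approval workflow described above concrete (parallel approver lanes, delegation, a single rejection ending the request, ticket generation and requestor notification only once every lane has approved, and every decision retained as an artifact), here is an added illustrative model; it is not code from the author or from any particular Service Management product, and the lane names, queue name and ticket numbering are constructed for the example.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import List, Optional, Tuple

_ticket_ids = count(1)  # constructed ticket numbering for this example only

@dataclass
class ApprovalLane:
    """One approver area in a multi-threaded workflow; lanes act independently."""
    area: str                       # e.g. "Security", "Application Owner"
    approver: str
    delegate: Optional[str] = None  # covers approver unavailability
    decision: Optional[str] = None  # None (open), "approved" or "rejected"
    acted_by: Optional[str] = None

@dataclass
class AccessRequest:
    requestor: str
    resource: str
    lanes: List[ApprovalLane]       # all lanes are open at once (parallel approvals)
    work_queue: str                 # queue the ticket auto-populates to once approved
    artifacts: List[Tuple[str, str, str, str]] = field(default_factory=list)
    status: str = "pending"
    ticket: Optional[str] = None
    notification: Optional[str] = None

    def record(self, area: str, actor: str, decision: str, comment: str = "") -> str:
        """Apply one approver's (or delegate's) decision; return the request status."""
        lane = next((ln for ln in self.lanes if ln.area == area), None)
        if lane is None:
            raise KeyError(f"no approval lane for {area}")
        if actor not in (lane.approver, lane.delegate):
            raise PermissionError(f"{actor} is neither approver nor delegate for {area}")
        if lane.decision is not None:
            raise ValueError(f"{area} lane already decided; decisions are immutable")
        if decision not in ("approved", "rejected"):
            raise ValueError("decision must be 'approved' or 'rejected'")
        lane.decision, lane.acted_by = decision, actor
        self.artifacts.append((area, actor, decision, comment))  # retained for audit
        self._close_loop()
        return self.status

    def _close_loop(self) -> None:
        # Least privilege: one rejection ends the request; access is granted only
        # when every lane has explicitly approved, never by default or by timeout.
        if any(ln.decision == "rejected" for ln in self.lanes):
            self.status = "rejected"
            self.notification = f"{self.requestor}: request for {self.resource} rejected"
        elif all(ln.decision == "approved" for ln in self.lanes):
            self.status = "approved"
            self.ticket = f"TKT-{next(_ticket_ids):05d}"
            self.notification = (f"{self.requestor}: request for {self.resource} approved; "
                                 f"{self.ticket} routed to {self.work_queue}")
```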
A robust Corporate Service Management solution is extensible to other service management activities across the corporation. Areas such as HR, Legal, Finance, and Call Centers frequently require similar processes and workflow design. Deploying a platform solution that accommodates requirements for these areas as well as for Information Technology and Information Security will provide greater integration and visibility across the corporation while reducing cost and effort required to support a corporate vision of service management. No longer focused solely on IT, the Service Management solution is maturing to become Corporate Service Management.
Support for strong interface capabilities with other business applications is key to moving beyond IT Service Management to Corporate Service Management. These include applications that support HR, Treasury and Finance, Governance, Risk and Compliance (GRC), and Legal. It is also essential to integrate user stores such as Active Directory within IT Service Management to support automation of assignment based on elements such as group ownership and reporting chain for employees.
Data interfaces with these systems should be bi-directional. A common bi-directional use case is the ability to generate an incident from a separate system or application. An application that creates and manages ‘legal holds’, or alerts from systems monitoring infrastructure and security, are good examples. By enabling these types of applications and systems to generate tickets in the Service Management solution, these incidents can be managed and tracked centrally. Notification of the resolution and completion status is then sent back to the alerting system upon completion for closure in that system as well.
IT Service Management and the broader extension to Corporate Service Management are important foundations for any business regardless of size and complexity. When choosing a solution or developing implementation strategy and roadmap, it is important to create a long view to the future yet implement incrementally. The ultimate target for success is providing value to your customers while fostering resilient processes and procedures that align with corporate policies to support legal, regulatory, audit, and security requirements.