Pink Elephant
The IT Service Management Experts

Troy's Blog

The Hitch Hiker's Guide to the IT Galaxy and Beyond
Don't Panic




Troy DuMoulin, VP, Research & Development

Troy is a leading ITIL® IT Governance and Lean IT authority with a solid and rich background in Executive IT Management consulting. Troy holds the ITIL Expert certifications and has extensive experience in leading IT Service Management (ITSM) programs with a regional and global scope.

He is a frequent speaker at IT Management events and is a contributing author to multiple ITSM and Lean IT books, papers and official ITIL publications including ITIL’s Planning To Implement IT Service Management and Continual Service Improvement.


The Guide

"This blog is dedicated to making sense out of the shifting landscape of IT Management. Just when we thought we had a good handle on managing technology, the job we thought we knew is being threatened by strange acronyms like ITIL, CMMI, COBIT, etc. Suddenly the rules have changed and we are not sure why. The goal of this blog is to offer an element of sanity and logic to what can appear to be chaos."

Hitch Hiker's Guide to the Galaxy

"In many of the more relaxed civilizations on the Outer Eastern Rim of the Galaxy, the Hitch Hiker’s Guide has already supplanted the great Encyclopedia Galactic as the standard repository of all knowledge and wisdom, for though it has many omissions and contains much that is apocryphal, or at least wildly inaccurate, it scores over the older more pedestrian work in two important respects.

First, it is slightly cheaper: and secondly it has the words DON’T PANIC inscribed in large friendly letters on its cover."
~Douglas Adams


Friday, October 21, 2011

Security and Legislative Implications for ITSM

All Data Is Not Equal In The Eyes of the Powers That Be!

Ever notice how some days seem to have themes? Well, for me today’s theme is related to data management, or more precisely the legislated data security, privacy, clearance and compliance requirements that apply to data management. I believe the readers of this article would agree that while the business unit is responsible for data accuracy, the IT group and their integrated partners and suppliers are the caretakers and guardians of the digital lifeblood of any business, government or non-profit organization.

What made this a theme for me today was the fact that three separate conversations caused me to think about the importance of business data and its relevance to IT Management responsibilities.

Conversation #1: The spark for this article came from a conversation I had with my fellow Pinker George Spalding. George and I were talking this morning about a webinar he is co-presenting with Axios. The subject of this particular webinar is very focused on the implications of IT Management for the Health Care industry. George and I discussed his research into the security and privacy implications of online medical records and client data as it is being shared across state and federal boundaries. Legislation such as the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act imposes serious privacy requirements on system design and data management.

Conversation #2: Pink Elephant, like many other companies today, is exploring the benefits of Bring Your Own Device (BYOD) strategies when equipping our staff with automation. In the face of the growing consumerization of IT and the rampant growth of personal mobile computing platforms, an “if you can’t beat them, join and influence them” strategy makes a lot of sense. So with this practice in place, several of us were tackling some of the finer points of policy related to making this work. Of course, the challenge now becomes the reality of corporate data being spread across devices that do not belong to the company. This was further reinforced for me when I read the following Baseline article later in the day, “Undead Data Haunt the Enterprise”, which talks about on-boarding and off-boarding new employees and being accountable for “burning or scrubbing” their personal devices when they leave. The reality is that the network perimeter is way beyond the corporate firewalls. Whether we like it or not, corporate and legislatively protected data is on mobile devices, loaded into personal cloud storage services, etc. The worst thing about this is that even though the business does not own the device, it still has a legal obligation to keep the data safe and secure.

Conversation #3: The final conversation that prompted this article was a discussion I recently had with David Ratcliffe, the President of Pink Elephant. We were discussing the dramatic evolution of personal storage. David remarked to me during our conversation that it was amazing that we can walk around with devices in our pocket with enough storage capacity to hold every byte of digital content we create during our working lifetime. That statement gave me serious pause.

With these three conversations in mind I invite you to consider the following observations:

1) Ignorance Is Not A Defensible Excuse

I often speak on IT Governance, and as part of this subject matter I try to keep on top of a high-level list of legislation that pertains to information systems which house sensitive business data. I refer to this list as the Hair Ball of legislation, in that there is no integration and sometimes contradiction among the compliance requirements. As a sample, but by no means a comprehensive list, consider the following:

  • Canadian Personal Information Protection Electronic Document Act (PIPEDA)
  • US Patriot Act \ Homeland Security (Critical Infrastructure)
  • Personal Health Information Protection Act (PHIPA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • SEC Rules 17a-3 & 17a-4 re: Securities Transaction Retention
  • Gramm-Leach-Bliley Act (GLBA) privacy of financial information
  • Children’s Online Privacy Protection Act
  • Clinger-Cohen Act (US Gov.)
  • Federal Information Security Mgmt. Act (FISMA)
  • Freedom of Information & Protection of Privacy (FOIPOP) Canadian BC Gov
  • FDA Regulated IT Systems
  • Freedom Of Information Act
  • Family Education Rights & Privacy Act (FERPA) (Higher Education)
  • Medical Information System Development (Medis-DC) (Japan)
  • Authority for IT in the Public Administration (AIPA) (Italy)
  • European Privacy Directive (Safe Harbor Framework)
  • Sarbanes-Oxley (SOX)

The challenge we face is that legislators assume that the people who manage private and confidential information are aware of and compliant with the laws. In my experience this is not a safe assumption; in fact, several of the laws counteract the others. For example, the Canadian PIPEDA privacy act is countermanded by the US Patriot Act when Canadian data finds itself on servers within the US. Our challenge is that ignorance is not a satisfactory defense in a court of law.

2) Service Management Processes Must Be Designed & Managed To Account For Security & Privacy Requirements

When the Information Security book first came out under ITIL version 2, one of the things I remember as striking was the security requirements intertwined with all the other processes. In fact, I like to think of the Security Process as more of a DNA grafting or gene splicing into ITIL rather than a separate process.

Service Strategy: is responsible for ensuring that business requirements are received via Demand and Business Relationship Management. These inputs have a bearing on Portfolio Management in that it is necessary to understand both the Utility and Warranty requirements. In this perspective, Warranty will also include understanding the security and, in some cases, the clearance level required for the proposed services and their supporting systems and data architectures. Of course, the question here is who holds the accountability to determine which legislation applies to the proposed service? While the customer will perhaps have a high-level understanding of the compliance requirements, it falls to the Service Designer to ferret out the details and how they apply to the Service blueprint, or in ITIL terms the Service Package, and this brings us to Service Design.

Service Design: is now responsible for ensuring that the service design has considered and covered the controls that pertain to people, process, product and partner. Legal will need to be consulted for input into the legislation requirements relative to access rights, storage policies, IT Service Continuity requirements, Financial Reporting and Data Segregation. Service Design is also responsible for developing the transition and operations procedures required to comply with legislative requirements.

Service Transition: All services, systems and technologies are vulnerable when they are undergoing change. Several pieces of legislation, such as HIPAA and FDA regulations, specifically require special consideration, approval and due diligence when changing systems and data under their purview. Transition processes such as Release & Deployment, Testing & Validation and Change Evaluation will need to have specific security-related criteria developed, tested and validated before changes are approved for promotion into production.

Service Operation: Once live, special process considerations need to be applied to highly secured or legislatively applicable services. For example: if an incident occurs on a critical business service with a secret clearance level, it will take on a very high priority and be handled only by governmentally cleared staff. Or, if it is determined that an Incident is related to a security violation, a special Security Incident Process and team takes over. I have worked in environments where, due to data segregation requirements, an agency must maintain separate CMDBs.

In summary, while very few people enjoy this subject, it still remains that we are accountable to the business and the powers that be to design, build and deliver IT Services which protect sensitive data and are compliant with the powers that be!

Troy’s Thoughts. What Are Yours?

But then, so far as I know, I am the only performer who ever pledged his assistants to secrecy, honor and allegiance under a notarial oath.
~Harry Houdini




Posted by Troy DuMoulin on 10/21 at 05:33 PM | ITIL & Beyond

Friday, October 07, 2011

Practitioner Radio Episode 14 - Supplier Management

Every organization uses a mixed supplier model to deliver services. How well we integrate our adopted value chain family members is a critical success factor for business value generation.

An organization’s sourcing strategy is a key output of their Service Strategy processes. Being able to execute on this strategy successfully is critical to business success not to mention service delivery harmony.

Join Chris and me as we dive into the challenges and critical success factors of Supplier Management to understand that it is much more than just procurement!

Supplier Strategy - Practitioner Radio Episode 14 from ServiceSphere on Vimeo.

Show Notes:

  • Triskaidekaphobia
  • Service Portfolio Management Episode 13
  • All 14 Episodes of Practitioner Radio
  • Integrating Suppliers Into Process Governance
  • Supplier Managers and Olympic Hockey
  • Brother from another mother
  • Just say no to the term “Outsource”!
  • Talk to the Hand
  • Service Strategy defines this part of the process, as in WHO does this piece of work
  • Out-tasking vs. Outsourcing – TASKS inside my value chain
  • Service owners, Supplier management group are both groups that make decisions on out-tasking
  • The “C” word – Cloud
  • What were we out-tasking BEFORE the cloud?
  • Service Asset = Part Resource and Capability
  • Procurement’s job is to beat your supplier to a pulp, but is this good for business?
  • Involving our sourcing partners IN the business process model
  • Hollywood prenups and the mixed supplier Model
  • Does process maturity make a difference when picking a supplier?
  • Just because you speak Spanish as a second language doesn’t mean you can make a burrito.
  • The difference between bridging suppliers to your systems or BRINGING them INTO your processes
  • Where do BRM people get their skills?

Troy’s Thunder Bolt Tip of The Day: The Role of Supplier Manager is to establish and manage relationships with trusted suppliers in such a way that they contribute positively to your overall service goals.

Troy’s and Chris’s Thoughts. What Are Yours?

“A learning experience is one of those things that says, ‘You know that thing you just did? Don’t do that.’” ― Douglas Adams, The Salmon of Doubt

To subscribe to Pink’s Podcasts on iTunes


Posted by Troy DuMoulin on 10/07 at 03:49 PM | ITIL & Beyond