
Accurate Configurations - Technology Alone Isn't the Answer

Feb 7, 2007

George Spafford

Groups that fail to have proper change management fail to properly manage their organization’s risks. An automated configuration scanner that is implemented instead of change management, or instead of fixing what ails change management, is an incomplete band-aid fix that fails to address the true problem or, worse, simply masks the true nature of the problem.

Concerns over bureaucracy and slowing down the rate of changes need to be carefully scrutinized. Organizations that implement appropriately designed change management processes find that their availability, integrity, overall security and agility actually improve as plans are scrutinized, errors detected and corrected, improvements factored in, the right parties contacted, etc.

The objective is to design a controlled change management process that balances risk with agility and the ability to support attainment of organizational goals.

Tools Are Just Tools

The automated configuration detection tools are aids to processes, not replacements for processes. If change management is being bypassed, then those instances should be flagged and investigated. The only level of unauthorized change that should be accepted by management is zero.

If something changed and there isn’t an approved RFC, then corrective and appropriate disciplinary action should be taken. A recent IT Process Institute study on the value of controls identified that the two controls present in high-performing IT organizations were the ability to detect unauthorized changes and the willingness to impose disciplinary action when processes were flagrantly disregarded.

In addition, these tools are trying to determine CI attribute details and CI relationships in a complex environment. Some of the assumptions/findings may not always be correct. Just because a change is detected doesn’t mean that the system is right.

If an organization plans to import changes into the CMDB, then someone must first review the proposed updates for accuracy to ensure that the CMDB’s data integrity is protected. Furthermore, to reinforce what was stated earlier, questions must be asked about why the changes transpired by mapping them back to approved RFCs.
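One way to carry out the mapping described above, shown as an added example that is not part of the original article: scanner findings are matched against approved RFCs by CI, attribute and change window, and anything without a match goes to an investigation queue. The record layouts, field names and sample data are assumptions constructed for illustration; nothing is imported into the CMDB automatically.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class RFC:                      # hypothetical RFC record layout
    rfc_id: str
    ci: str                     # configuration item the RFC covers
    attributes: frozenset       # CI attributes the RFC is allowed to change
    start: datetime             # approved change window
    end: datetime
    approved: bool

@dataclass(frozen=True)
class DetectedChange:           # hypothetical scanner finding
    ci: str
    attribute: str
    seen_at: datetime           # assumed: change time reported by the scanner

def match_rfc(change, rfcs):
    """Return the id of an approved RFC that covers this change, or None."""
    for rfc in rfcs:
        if (rfc.approved and rfc.ci == change.ci
                and change.attribute in rfc.attributes
                and rfc.start <= change.seen_at <= rfc.end):
            return rfc.rfc_id
    return None

def reconcile(changes, rfcs):
    """Split findings into two human work queues; neither is auto-imported."""
    review, investigate = [], []
    for ch in changes:
        rfc_id = match_rfc(ch, rfcs)
        if rfc_id:
            review.append((ch, rfc_id))  # reviewer checks accuracy before CMDB update
        else:
            investigate.append(ch)       # no approved RFC: treat as unauthorized
    return review, investigate

def t(s):
    return datetime.fromisoformat(s)

# Constructed sample data
RFCS = [
    RFC("RFC-1001", "web01", frozenset({"openssl_version"}),
        t("2007-02-01T22:00"), t("2007-02-02T02:00"), True),
    RFC("RFC-1002", "db01", frozenset({"max_connections"}),
        t("2007-02-03T22:00"), t("2007-02-04T02:00"), False),
]
CHANGES = [
    DetectedChange("web01", "openssl_version", t("2007-02-01T23:15")),  # covered
    DetectedChange("web01", "sshd_config", t("2007-02-01T23:20")),      # out of scope
    DetectedChange("db01", "max_connections", t("2007-02-03T23:00")),   # RFC not approved
    DetectedChange("web01", "openssl_version", t("2007-02-05T10:00")),  # outside window
]
```

A match only explains why a change happened; the reviewer still has to confirm that the detected attribute value is accurate before the CMDB is updated.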

In closing, these automated discovery tools can help organizations collect data but they must support processes designed to meet business needs. This means the goals of the business must be taken into account, then the IT requirements defined and then processes designed with the correct blend of people, process, and technology.

Simply buying the tools and running them is not the solution. Understanding why changes are happening and gaining control over the infrastructure via an effective change management process to better ensure availability, integrity and overall security must be the primary focus.

George Spafford is a Principal Consultant with Pepperweed Consulting and a long-time IT professional. George's professional focus is on compliance, security, management and overall process improvement.