Chapter One Preview: The State of Systems Management

The information technology (IT) in an organization is a dynamic resource that is constantly adapted to meet changing needs. The rational practice of controlling that change is known as systems management. As with many other organizational practices, systems management has evolved from informal ad hoc responses to immediate needs to a well-understood, formalized practice. This guide examines best practices for systems management with an emphasis on a modularized approach known as service-oriented management (SOM).

Overview
The book consists of twelve chapters that begin with a background on systems management practices, then describes SOM in terms of several well-known frameworks for systems management and related areas, and finally moves on to a detailed discussion of how to implement SOM. Specifically, the chapters will address:

• Chapter 1 discusses the goals of systems management, typical implementation styles, and the need for a rationalized process, such as SOM.
• Chapter 2 describes essential parts of systems management, including aligning with business objectives, managing assets, delivering services, and maintaining compliance.
• Chapter 3 discusses SOM in terms of well-known frameworks such as ITIL, COBIT, and ISO-17799.
• Chapter 4 describes the infrastructure required to implement a rational, efficient systems management environment, including a configuration management database.
• Chapter 5 examines the elements of service support, such as incident, configuration, and change management.
• Chapter 6 explores how to address financial issues, capacity planning, and availability management issues in SOM.
• Chapter 7 discusses application life cycles, software asset management, and managing hardware elements of IT infrastructure.
• Chapter 8 looks at systems management as a tool for supporting control objectives and management guidelines that govern IT operations.
• Chapter 9 examines the role of systems management in threat assessments, vulnerability management, incident response, and other aspects of security management.
• Chapter 10 describes the practice of risk management and shows how identifying risks, prioritizing assets, and mitigating risks serve both risk management and systems management objectives.
• Chapter 11 examines the business case for SOM with particular attention paid to the cost of not adequately managing systems.
• Chapter 12 describes how to assess the current state of an organization’s systems management practice and how to plan the transition of a SOM model as well as provides guidance on how to implement a mature systems management practice.

The responsibilities of systems administrators and IT managers are growing in complexity. The need to support a growing number of systems with increasing dependencies between those systems, meet growing quality of service (QoS) expectations, and be prepared for constant security threats are just a few of the challenges faced by systems managers. Fortunately, as the demands have expanded so too have the tools and practices for meeting those demands. The purpose of this guide is to help managers and administrators apply these practices and tools to their specific systems management challenges.

This chapter presents a high-level overview of the nature of systems management with a discussion of three aspects of the discipline:

• The goals of systems management
• The spectrum of systems management practices
• Rationalizing systems management with SOM

Let’s begin with a fundamental issue for all IT operations—aligning with business objectives.

Back to the top

Chapter Two Preview: Core Processes in Systems Management

Systems management is a multifaceted practice. The responsibilities of this domain range from ensuring servers are up and running to planning for future growth, which requires meeting the needs of business within the constraints of IT budgets and resources. This chapter examines the core processes entailed in enterprise systems management including:

• Aligning business objectives and IT
• Planning and risk management
• Business continuity and operational integrity
• Security and compliance
• Capacity planning
• Asset management
• Service delivery

These areas do, of course, overlap. For example, one cannot align IT operations with business objectives without planning for growth and potential risks. At the same time, these processes can be treated as distinct because best practices have emerged for each of these processes. In fact, much of this guide is devoted to elucidating the fundamental elements of these processes and describing the best practices that provide for effective and efficient implementation of those processes.

The best place to start a discussion about systems management is with its reason for being: leveraging IT to support business or organizational objectives.

Aligning Business Objective and IT Operations

IT is a means to an end for most organizations. IT is employed to increase productivity, improve communications, increase the reliability and reach of services, advance quality, and a host of other objectives. These objectives are what prompt businesses to deploy the collections of servers, desktops, mobile devices, and specialized network equipment that make up a contemporary IT infrastructure.

Ad Hoc Growth of IT Infrastructure

A common problem arises as organizations grow and shift their business focus: the IT infrastructure does not always change with the change in business objectives. Consider a simple case. A medical device manufacturer begins in business building a limited range of specialized products. The salient characteristics of the company are:

• It has a small sales force and each sales person tracks their leads with a contact management program installed locally on their laptops. Because the sales force is assigned to different markets, there is no overlap between them and no need to sales share information.
• A central office manages order fulfillment, inventory, accounts payable, and accounts receivable using a small and midsized business financials package installed on a local area (LAN) network server.
• An email server is hosted in-house on the LAN.
• The operations manager for the manufacturing process has installed and configured a database system to track production operations and track information needed to remain in compliance with government regulations.
• A Web site with basic company and product information is maintained by a local Web hosting company.

This infrastructure illustrates a typical small business IT scenario and it may work well for many businesses—at least until they start to grow. This type of organization can confront problems with:

• Management reporting—How will sales managers generate consolidated leads reports when their sales staff use standalone databases that are not integrated?
• Information sharing—Is data from the operations database re-keyed into the financials package to complete orders?
• System maintenance and trouble shooting—Who is responsible for fixing problems with the operational database?
• Systems administration—What are security policies regarding email use and antivirus scanning?
• Leveraging IT to expand business instead of simply reacting to immediate needs—How can a Web site be updated to offer online ordering and technical support for customers?

Often, hardware and applications will be procured and deployed to address a narrow problem. If the email server runs out of storage, buy more disk space. If the sales staff need the latest price sheets, export a list for the financial packages to a spreadsheet and email it to all the sales staff. These kinds of ad hoc solutions work in the short term but create an environment that is highly brittle and difficult to maintain. The problem is not that the IT staff is not providing a solution but that they are providing a solution to a series of small problems rather than providing a solution to one over-arching problem: IT operations are not aligned with business objectives.

Back to the top

Chapter Three Preview: Industry Standard Practices and Service-Oriented Management

Civilizations advance by preserving, passing on, and building upon existing knowledge. If we had not leveraged the advances of previous generations, our world would be a far different place. In a similar fashion, although on a far less expansive scale, IT practitioners have developed, formalized, and documented best practices in several areas related to managing IT services, particularly in the following arenas:

• Technology management
• Governance
• Security
• Risk management

Starting with best practices saves us from “reinventing the wheel” with commonly required procedures and methodologies. Many of us would never think of building computers from scratch when we can buy them off the shelf, perhaps with some customization. In the same way, we can take a number of best practices and adapt them to our organizational requirements without reasoning from first principals to determine the best way to accommodate change, plan for capital spending, secure the infrastructure, and a host of other tasks demanded of IT managers and systems administrators.

This chapter will begin with a brief discussion of the need for organizational frameworks and standards. It then provides an overview of four broadly applicable standards:

• IT Infrastructure Library (ITIL)
• Control Objectives for Information and related Technology (COBIT)
• ISO 17799 security standards
• National Institute of Standards (NIST) Guide for Technology Systems related to risk management

The chapter concludes with a discussion on the contribution these frameworks make to the practice of service-oriented management (SOM) practices.

Back to the top

Chapter Four Preview: Moving to a Service-Oriented System Management Model

IT infrastructures are like ecosystems, they grow incrementally and in response to changing conditions. Usually, but not always, IT infrastructures grow in response to an emerging business or organizational need. Consider some typical scenarios:

• Is there an opportunity to expand into another geographical area? Remote offices, new staff, and expanded network services will be needed.
• Is the company growing through acquisitions? How does an acquiring company know the true value of the company being acquired? Can IT make the acquisition more seamless? The financial industry is a perfect example of this growth model.
• Is the company downsizing and realigning divisions in response to maturing market conditions? Hardware resources will have to be reassigned, software licenses re-allocated and retired, and access control and other security policies revised to account for changes in the organizational structure.
• Will a number of agency departments merge with another agency? The assets allocated to those departments must be inventoried, software licenses reassigned, hardware moved, and inventories updated.
• Has an audit discovered shortfalls in IT practices? New policies and procedures may be implemented, additional security countermeasures might need to be deployed, and a new monitoring process may need to be established.

In each of these scenarios, changes are made to an existing infrastructure that must continue to function and provide services during the transition period. In fact, many IT organizations are in a constant state of transition. This chapter will address the question: What methods and resources are required to execute and manage those transitions in an efficient and effective manner? This chapter lays the groundwork for implementing service-oriented architectures—a topic that is addressed in detail in following chapters.

Building a Foundation for Enterprise IT Systems Management

IT systems management depends on two fundamental principals. First, IT serves broader organizational strategies, and IT policies define how IT operations will support those objectives. Second, keeping IT operations in compliance with policies requires constant attention because of an almost inevitable tendency of IT systems to change.

How to keep IT in alignment with organizational objectives is a broad and challenging question that is well beyond the scope of this chapter. For the purposes of this guide, we will have to assume that fundamental principal is met. Thus, assuming the direction of IT is synchronized with broader business objectives, you can focus on more tangible objectives; specifically:

• Defining policies to direct IT operations
• Implementing procedures and practices to enforce those policies

With these two pieces in place, you have the foundations for enterprise-scale IT systems management.

Back to the top

Chapter Five Preview: Implementing System Management Services
Part 1: Deploying Service Support

Much of the work in systems management is service support—keeping devices and applications functioning and ensuring that they continue to meet the changing needs of the organization. This task entails managing changes as new assets are added and others are retired; reconfiguring systems in response to changes in the infrastructure, such as growing demands for network bandwidth; and releasing new versions of applications to geographically distributed users. Service support is especially challenging because of the breadth of services that are typically supported by IT operations and the depth of detailed information required for service support.

The breadth of operations, from upgrading operating systems (OSs) and reconfiguring routers to planning software releases and responding to security incidents, can be labor intensive. For example, upgrading the OS on one desktop computer might take one hour in a simple case. Coordinating times to install the upgrade with users and dealing with unexpected consequences of the change add to that time.

Ensuring the Quality of Service (QoS) delivery depends upon detailed information about the state of devices and processes running on those devices. A systems manager cannot simply install a new application or upgrade an existing application without understanding how the system is currently used. For example, a Java application server may depend upon one version of the Java runtime environment (JRE), but another application, about to be in installed on the same server, requires a different version of the same runtime environment. The systems manager cannot uninstall one version of the runtime environment and replace it with another without disrupting the application server operations.

Back to the top

Chapter Six Preview: Implementing Systems Management Services
Part 2: Managing Service Delivery

Service delivery is a complex mosaic of multiple processes and procedures that are required to introduce, manage, and develop information services. The previous chapter examined how service delivery is deployed with processes such as incident management, configuration management, change management, and release management. This chapter continues with service delivery, but turns your attention to management.

The deployment step focuses primarily on executing procedures to keep IT operations running smoothly and adapting to the changing needs of users. Management is more about planning, monitoring, and adjusting. In particular, this chapter will address:

• Service-level management
• Financial services management
• Capacity management
• Availability and continuity management

These aspects of service delivery have a common characteristic: These activities address the long-term IT needs of an organization. The deployment operations discussed in the previous chapter are performed to ensure the proper day-to-day function of IT systems. If those activities were not practiced, the consequences would be seen rather quickly. Poor management, however, can continue for some time before the full effects are noticed. Nonetheless, proper systems management must address both the short-term and long-term needs of IT services.

Back to the top

Chapter Seven Preview: Implementing Systems Management Services
Part 3: Managing Applications and Assets

Networks, servers, and client devices alone do not address the information needs of an organization—applications, and their associated data, customize the functions of an otherwise generic infrastructure and allow IT to meet the information management requirements of businesses, agencies, and other organizations. The ability to finely customize software to meet particular needs makes it a key to aligning information services to business strategy. At the same time, the flexibility introduces a wide variety of management challenges. These challenges have by no means been completely mastered, and software developers continue to create and refine new development methodologies. There are, however, common elements to application management frameworks. This chapter will examine the challenges of application management from the perspective of application life cycle management and software asset management.

Application life cycle management entails how applications are created and deployed. Once constructed, or otherwise acquired, software applications are assets that must be managed as any other information asset. Of course, applications do not exist in a vacuum, and dependencies between applications must be understood to ensure they function properly. Another key to proper functioning is adequate security to protect the integrity of the application as well as the integrity and confidentiality of its related data. Finally, despite many differences with other kinds of assets, applications are assets and must be managed as such.

Back to the top

Chapter Eight Preview: Leveraging Systems Management Processes for IT Governance

Throughout, this guide has examined systems management processes as they apply to controlling assets, processes, and procedures; providing service support; delivering services; and managing applications. This chapter turns your attention to a higher level of management and asks: How do you control and manage the implementation of these systems management processes?

What Is Governance?

Governance is the process of setting long-term objectives, establishing controls that measure the progress toward those objectives, and monitoring to ensure controls are followed and objectives are being met. In short, governance is about deciding what an organization should do, how to ensure it will get done, and then making sure it does get done. As Figure 8.1 shows, the governance process encompasses all aspects of service-oriented management (SOM).

Figure 8.1: The governance process defines a framework in which SOM operations are controlled.

Let’s begin with an example that gives an overview of types of governance activities, including:

• Planning and organizing IT operations
• Acquiring and implementing IT solutions
• Ensuring proper delivery and support for IT solutions
• Monitoring services to ensure compliance with policies and procedures

When discussing each activity, let’s explore how to establish goals for each activity and how to measure progress toward those goals.

Back to the top

Chapter Nine Preview: Supporting Security with Systems Management

The security and systems management functions of an organization go hand in hand. Security professionals depend on the services and infrastructure maintained by application, server, and network administrators. Countermeasures such as firewalls, content filters, and anti-malware must be deployed, maintained, monitored, and integrated and these tasks fall into the domain of network and systems management. At the same time, systems managers have a wide array of responsibilities and they require a secure foundation upon which to do their work. We cannot expect application administrators to maintain a mission-critical application while the server is subject to Denial of Service (DoS) attacks or client devices are riddled with spyware and malware. There is much overlap between security and systems management, and this chapter will focus on how systems managers can support and help to improve the overall security of the IT infrastructure.

Information is a broad and challenging field. Several frameworks and organizing structures have been proposed. The ISO-17799 standard is popular among security professionals because it addresses the field from their perspective. Another approach, taken by the SANS Institute, is to think in terms of layered walls and defense in depth. This model is probably more similar to architecture models and infrastructure designs used by systems management. Although the topics addressed in this chapter span both the ISO-17799 standard and the SANS model, the SANS model will serve as an organizing principle.

The key areas of information security as it relates to system management are:

• Network security
• Host security
• Vulnerability management
• Authorized user support
• Security management

Some areas, such as network security, have dedicated administrators and engineers who specialize in both managing and securing network assets. The other areas are more likely to require the support of systems and application administrators and warrant the most attention in this chapter. However, for completeness, we will examine all the areas.

Back to the top

Chapter Ten Preview: Managing Risk in Information Systems

The focus of this guide has been on the practice of systems management with an emphasis on best practices for creating and maintaining IT infrastructure. As useful and effective as these practices are, they cannot guarantee that operations will always go as planned, that projects will stay on schedule, or that adverse events will not occur. Part of effective systems management is managing the risks inherent in IT operations. This chapter will examine the following topics within the broader area of IT risk management:

• The practice of risk analysis
• The impact of risks and their implications for risk management

The goal of risk management is to understand the breadth of risks facing an organization and to formulate strategies for mitigating those risks to the greatest extent possible.

The Practice of Risk Analysis

Risk analysis is a methodical process for identifying risks and assigning a cost to those risks. The four basic parts of risk analysis are:

• Identify information assets and threats to those assets
• Determine the impact of threats to an organization
• Determine the likelihood for each threat
• Assess the risk versus the cost of countermeasures

Together, these steps provide the basic information that is needed to align risk management strategies with overall business strategies.

Back to the top

Chapter Eleven Preview: Benefits of Mature Systems Management Processes

The SOM model discussed throughout this guide touches on many aspects of IT infrastructure management, from risk analysis and asset management to patch management and service delivery. It has to; IT is a broad and varied discipline. Despite the variety of topics, a single theme links them all—process management. The information systems that run businesses, governments, and organizations long ago reached levels of complexity that could not be managed with ad hoc approaches. Formalized processes and procedures, aligned with organizational objectives, are the foundation upon which successful IT operations are built.

This chapter examines the benefits of mature systems management processes by examining two related questions:

• How can a mature systems management model help control IT costs?
• What are the costs of not controlling IT operations?

Not surprisingly, the answers to these questions are as diverse and varied as the field of IT itself. There is no simple answer to either of these questions, but the following pages will provide a high-level overview that spans the breadth of the costs and benefits of mature systems management processes.

Controlling IT Costs

“Do more with less” is something of a popular mantra in management circles, and less popularly, with IT operations staff. As unpopular as it is with some, that four-word sentence captures the driving business factors that are shaping how we implement and manage information services. Consider how it translates into day-to-day operations:

• As employees and contractors leave, the remaining staff is expected to assume their responsibilities
• Strategic plans—driven by market conditions, perceived opportunities, government regulation, and other factors—create new requirements for IT services but not additional funding for meeting those needs
• Internal customers’ expectations are increasing because they are exposed to rich applications in other external environments, such as the Web

The outcome of these pressures includes the need for IT managers to deftly reallocate resources, leverage technologies in innovative ways, and constantly plan for change. To succeed, managers need to focus on business fundamentals while adapting to the dynamics of information technologies.

The fundamentals of controlling costs are the same in IT as any other part of an organization; economics textbooks will tell you that there are labor costs and there are capital costs. What those textbooks do not always tell you is what to do with those costs. To fill this knowledge gap, let’s first divide the world of IT costs slightly differently than the most basic branch and consider three types of costs:

• Labor
• Capital expenditure
• Operating costs

Let’s examine how mature systems management processes benefits each of these.

Back to the top

Chapter Twelve Preview: Roadmap to Implementing Service-Oriented Systems Management Services

Service-oriented management is the platform for managing systems management functions across the diverse and wide-ranging needs of today’s enterprises. The platform takes a function- rather than device-specific focus for several reasons:

• The need to stay aligned with business objectives requires an agile management structure
• Demands on IT management, such as compliance, apply to IT services not to specific devices
• Devices accessing enterprise resources may be managed (owned by the enterprise), semi-managed (owned by employees but subject to some IT policies, such as smartphones), or unmanaged, such as public kiosks and customer PCs that access Internet-accessible services

The evolution of service-oriented management is driven by the demands placed on IT managers and systems administrators; some of the most prevalent are:

• Responding to new market opportunities
• Reducing IT operations costs
• Sharing information and assets with business partners
• Making network resources accessible from remote locations
• Providing more services to customers online
• Meeting emerging requirements of auditors and regulators

Each of these drivers is a bridge point between business and IT operations. None of these are exclusively business or technical. The divisions between the technical and non-technical (or business) sides are fast becoming a legacy of earlier times. This chapter provides a roadmap for implementing service-oriented management by examining four topics:

• Limits of traditional management models in light of emerging challenges in systems management
• Current status of IT operations
• Transition to mature service model
• Implementation of a service model for systems management

As noted earlier, evolving demands on IT are bringing IT and business operations closer than they have been in the past.

Back to the top