The way to gain a good reputation, is to endeavor to be what you desire to appear.
– Socrates

Balancing Customer Service and IT Security
ITIL Based Solutions for a Service Desk Conundrum

A satisfied customer is the best business strategy of all.
– Michael LeBoeuf

As an employee, what do you want C&C to be?

The user's going to pick dancing pigs over security every time.
– Bruce Schneier

Topics for Discussion

• ITIL – Best practices for improving IT Service Management
• The Service Desk as a function of ITIL
• Information Security Management - Why does ITIL make a difference?
• The Service Desk – helping balance the dichotomy
• Challenges going forward
• Discussion

ITIL – A Best Practice Framework

ITIL – Information Technology Infrastructure Library

• a collection of best practices for the management of IT Services
• improving customer outcomes through the effective delivery of services
• seeks to align people, processes and technology such that IT services become business activities that provide value to customers
• in and of itself ITIL exists only as a best practice framework. It will give you the “what” but not the “how”. Implementations are usually custom and organization specific
• benefits include better services for clients, cost savings for the organization, a better understanding and positioning of the role of IT in the business or organization

ITIL Processes

• Configuration Management
• Incident Management
• Problem Management
• Change Management
• Release Management
• Service Level Management
• Availability Management
• Capacity Management
• Financial Management for IT Services
• IT Service Continuity Management
• Security Management

The Service Desk – a single point of contact for incidents and Service Requests. Primarily, it serves as a function of Incident Management whereby it helps restore normal service to clients as soon as possible.

IT Security Management

• Traditional ITSM thinking is far too limiting
• The oft-referenced CIA – Confidentiality, Integrity, Availability – is really just a starting point
• Security is not just a process, but one of the most contentious intersections of people and culture with technology.
• So where does ITIL fit in?
• Best practices in IT Service Management point the way to defining, implementing, monitoring and assuring repeatable IT management objectives and processes.
• It’s often said that we can manage what we can measure. In the case of IT Security we can make secure what is defined, recognized and understood. That, of course, applies to people, technology and processes within our organizations.

The ITIL Service Desk

One primary goal of IT Security Management within ITIL is to align security with people, processes and technology for the betterment of our clients and our organization. Seems simple enough, but how do we go about doing it?

The Service Desk should be a vital partner in IT Security.

• a single point of contact for your customers that has its hands on the pulse of the organization.
• broad understanding of everything that goes on around you. Why? Because they are answering questions about your infrastructure every day.

A Collaborative Effort

Communication is the key – Making security a priority

The Service Desk should understand the critical nature of security-related incidents and, perhaps more than for any other incidents, detailed processes should be defined so that procedures are followed correctly.

Service Desk staff should be encouraged to bring forward security-related concerns, especially if they find themselves hard pressed to explain security-related policies to your clients. If security-related decisions within your infrastructure were based on policy, make sure that your Service Desk staff are aware of the policies in question.

ITIL, if implemented correctly, is oddly self-aware or, perhaps more precisely, introspective.
Service Desk reporting of security incidents should happen regularly and should be reviewed for timeliness of response and resolution. Better still, the root causes should be analyzed and understood.

Raising Client Awareness

If the Service Desk is the single point of contact for your customers then it can also play a crucial role in making clients aware of security concerns within your organization.

Here comes the sales pitch!

Not totally unlike a commercial entity that uses its Service Desk to push products and services, your Service Desk can be used to pitch ideas and to make clients aware of the hows and whys of security.

If client awareness of your Security Changes stops at the table of the Change Advisory Board then you have failed. And you have failed even if everything related to the 1’s and 0’s was successful.

A client who is consulted and informed is far more likely to be understanding of security policy and security-related changes than the one who discovers that the new gadget he or she just bought is ... not supported?

Challenges Going Forward

• ITIL – a lot of work and a slow process.
• Look beyond yourselves to see if you’re getting it right.
• The pace of IT will outpace you – just get used to it.
• ITIL – not just a roadmap, it’s the road

The way to gain a good reputation, is to endeavor to be what you desire to appear.
– Socrates