Blog-2: IT Service Management Frameworks – Exercise

In this blog, I am going to answer the questions given in the activity mentioned below. This activity allows us to play the role of a manager who will be appointed to complete the scenario given below.

Scenario: You have had a permanent position at the ITS department at NMIT for around a year, within firewall configuration and maintenance. You are therefore already familiar with the procedures and the structure of the department. You are now approached by your team leader because the ITS department is planning to implement a new firewall product, and he knows that you know something about governance and management frameworks. Therefore, you would be a potential manager candidate for the project. As you already know your team leader, and he knows that you master the tasks you are doing presently, the interview is not a job interview, and you don’t have to worry about losing your present position. But you would obviously like to advance your career and convince him about your capabilities.

Firewall

Initiating the project: What would your initial approach be to get an overview of the scenario?

For starters, I will try to implement the processes from the frameworks that would be useful for me to collect the data/information from the existing firewall in the network. The next step would be to use the knowledge base to get the configuration settings, specs., risks in using the existing firewall, issues encountered by the firewall till now, its weak points and strong points, and, the defense level of the firewall against external or internal threats.

Since I know about ITIL and COBIT frameworks, I will be looking at the processes of each of these 2 frameworks and work my way around to get a better understanding of the scenario/ situation.

In case of ITIL:

Out of all the processes in ITIL framework, below are some of the processes that would help to understand the scenario better.

1. Information security management: This service management will allow me to assess the products, understand more about about the risks involved with the product, and to review the security controls.
2. Change Management: This is the most important process in ITIL for this scenario as it allows the changes to happen in the system and everything gets documented for future purpose. Since this process’s main job is to manage the changes made in the system, all the issues, risks and other types of analysis gets recorded which can then be used for reference or comparison with other products in the future.
3. Knowledge management: This type of service management allows the organisation to record, store and share all the data/knowledge/information of all the assets, their configurations, their relationships with other assets, risks, issues, security, and many other components of the product to the users. By using this information, we can then create a statistics to see the history of the product and understand the current situation with the product much better.
4. Transition planning and support: This process is the starting point for a transition from one product to another. Once we found that the firewall is too outdated for our system, we can initiate the transition planning phase, where we look into other new firewall products. After doing thorough research about the new product, I will then start comparing the existing and the new firewall products to find out which one is better than the other in terms of compatibility, security, usability, risk management, better performances and quality, maintenance cost, a higher chance of successful defense against threats to the system, enhances the business to get more profits, etc. If the new firewall is better than the existing firewall, then a meeting is held with the stakeholders to get it approved and get their support to start working on the project and configure and deploy the new firewall.

In case of COBIT 5:

Below are some of the processes that would help me better understand the scenario:

1. BAI02- Manage Requirements Definition: Under this process, I will be using the practice number from .01 to .03. I will be using BAI01.01 to understand better the business requirements, technical requirements, and will be able to maintain them. BAI02.02 is usually used for a feasibility study to find better alternative solutions that could be useful when looking for a new firewall product. The last one which is BAI02.03 is used to identify the risks of the product, document them, and then look into mitigating the risks option. This would be useful to identify the risks that come with the existing firewall and see if it meets the business requirements or not.
2. BAI05- Manage Organisational Change Enablement: All the practice numbers under this process will be required. This process starts with establishing a desire/ need to have a transition/ change in place. This process allows us to understand the requirements, identify actions that can help in getting approval from the stakeholders to get their support, and initiate the project. Because there is a desire to change, we will be looking into alternatives to the existing firewall and look for the ones that meet the business requirements, provides better security than the existing firewall, has fewer issues and risks when compared to the existing firewall, etc. This will then help me to get a better understanding of the whole scenario and I will also be equipped with the right information to impress the stakeholders and get their approvals.

There are other process that could help me in the current situation whether it is ITIL or COBIT framework. But the ones I have mentioned above are the core processes in my opinion.

Methodology level: Please line up and explain the overall planning framework you would use. You can choose several approaches or create your own hybrid approach.

For the overall planning framework, I would use the ITIL framework. The reason being that this framework follows the ITSM standards and because I have more experience in ITIL than COBIT, it is a good selection of framework to achieve better results while working on the above scenario.