Accountability

This term is one of the most important terms related to the Information Security discipline, without accountability no privacy or limit for information access, laws and systems are needed that hold people accountable for the misuse of personal information, whether public or private.

Definition: Accountability is an essential information security concept. The phrase means that every individual who works with an information system should have specific responsibilities for information assurance. The tasks for which a individual is responsible are part of the overall information security plan and are readily measurable by a person who has managerial responsibility for information assurance. One example is the policy statement that all employees must avoid installing outside software on a company-owned information infrastructure. The person in charge of information security should perform periodic checks to be certain that the policy is being followed.

Every information asset should be "owned" by an individual in the organization who is primarily responsible each one. (computer-security-glossary.org)

Its Relevance: The duties and responsibilities of all employees, as they relate to information assurance, need to be specified in detail. Otherwise, the attempt of establishing and maintaining information security is haphazard and virtually absent. (computer-security-glossary.org)

One of the fundamental requirements of information security, accountability is the property that enables activities on a system to be traced to specific entities; who or which may then be held responsible for their actions. It requires an authentication system (to identify Users) and an audit trail (to log activities against Users).

Accountability supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

Information accountability means that information usage should be transparent so it is possible to determine whether a use is appropriate under a given set of rules.

Procedures and policies should be set information accountability, All employees should be involved about the access permission of data depend on the privileges for users (Example: department manager has a permission to access to all data about the department, but the department employee has a permission to access to specific privileges to access some of department data)

IT Need a Controller

Let’s start with some assumptions, IT department employed an administrator to manage one of critical systems at the organization this employee have the permission to install any software, another assumption you want to setup a new workstation for new business employee and the IT not have the proper document to manage this setup administrator setup the workstation without any procedures to follow, can you guess what the risk behind the tow assumptions?

Like any operations you need to control and manage the IT operations, what about the risk of the first assumption if the organization has a control unit monitor and control all administrators operations? This risk will be decrease and the organization will be safer, the second assumption give the IT employee to install what he/she want, maybe give the business employee an administrator permission to manage him/her workstation, what if you have a document contain all software’s and the permission for all business employees should be installed ? Again the risk will be decreased and the environment will be typical and follow the organization procedures and policies, you can audit control and manage the IT operations easily.

IT should have an“IT Governance“ function, the IT Governance will be responsible to setup the procedures, policies, processes... etc. to monitor and control the IT organization and keep IT environment safer and more auditable and controllable.

IT Governance is the responsibility of executives and the board of directors and consists of the leadership, organizational structures and processes that ensure that the enterprise?s IT sustains and extends the organization?s strategies and objectives           (IT Governance Institute)

COBIT one of IT Governance framework and I found it very helpful to start with to build the IT Governance in your IT Organization, for more information about COBIT you can access the ISACA website: https://www.isaca.org/Pages/default.aspx

and you can ask contact me directly.i will be happy to serve you anytime.

Before Planning for Disaster Recovery

I posted before The Difference Between Backup and Disaster Recover, I will explain more about disaster recovery, and I hope these information will help you to build an accurate disaster recovery plan that meets your organization strategy and needs.

One of the most important steps for IT people is to create “Business Impact Analysis” (BIA) before planning for disaster recovery at any organization, BIA is essential to success your disaster recovery planning, no matter how you do it whether by using computer software, survey, interview …etc., and by internal team or external team through contract with outsourcing company.

The benefits of BIA are to gather information to help the organization in planning for disaster recovery , design the disaster recovery site and prioritize computer application and software used by business/functional departments and keep the IT people focused on achieving the goals and objectives of disaster recovery.

BIA is a tool to document information about applications; all information will be analyzed to help the organization in disaster recovery planning. Sometimes you need experts to handle analyzing BIAs and document all analysis results to develop accurate disaster recovery plans.

The continent of BIA template is include but not limited to:

          1-      Name of application,

          2-      Department name,

          3-      Work hours for this application (i.e from 8:00 Am to 9:00 Am),

          4-      Number of users,

          5-      Effect on organization ( i.e Reputation, Cost, Legal..etc),

          6-      Key process for the application (i.e Reports to government, customer service, billing…etc.),

          7-      There is any alternative procedure when application is down,

          8-      Related Hardware and Software,

          9-      Infrastructure needed, and

          10-   Application administrator name.

Starting Customer Care Service

I don’t want to talk here about IT service provider to external customer or client, my post for IT people placed in the same organization with business departments.

IT people have customers so the IT people should know the customer care, how to deal with their customers and keeping them satisfied is one of the major responsibilities for IT people. Customers of IT are all people use the applications, computers and all IT services and solutions. In any organization IT people implement IT services and solutions, what about after implementation services (warranty, maintenance, spare parts …etc.). All customers like to be satisfied about services, IT people customers so.

Many of IT People don’t know the basic principles to serve their customers, what is the impact?

“If don’t care about your customers you will lose your business”. IT people will lose their business when they ignore customer care, negative impact will report to the management about bad service or non qualified services.

What IT people have to do to keep their customers satisfied?

My advices here are:

1.      Be careful about customer’s needs.

2.      Solve incidents and problems quickly.

3.      Develop a service improvement plan.

4.      Implement updates as needed.

5.      Monitor and control IT environment.

6.      Try to automate all customer procedures and functions if applicable.

7.      Practice customers on new IT features related to customers work.

8.      Teach IT teams how to resolve conflicts and disputes, and how to communicate to their customers.

9.      Sign service level agreement (SLA) between IT and business departments.

Incidents should be visible

One of reasons to employing IT people is to manage and resolve daily incidents, but not all organizations believe the helpdesk will be a very good tool to ease the communication between end users or customers and IT People, some of organizations use telephone, email or fax to report incidents to IT people, it’s applicable for small business, but what about 500+ employees with 50+ application and 200,000 customer?

We have to care bout incidents, some incidents cost the organizations time and money, IT people should track all incidents till resolved; with phone, email or fax not all incidents will appear to IT people  on a proper time which means cost the organization more money and time, you can’t create a decision reports to resolve the root cause of high frequency incidents, no report about IT employees performance, no priorities for incidents.

What about one communication channel between IT people and end users or customers, this channel offer a documentation for all incidents, categorized and prioritized incidents, monitor and control resolutions and maybe escalate unresolved incident to higher level technician, what about employee’s evaluations about their work on incidents resolution, and logging all resolutions in a Known Error Database, all those benefits and more can be easily implemented by using helpdesk systems.

IT people should view all incidents in a proper time, so the incidents should be visible all the time.

Backup and Disaster Recovery, What the difference?

Do you know what is the difference between backup and disaster recovery? Did you think before about those terms before?

All of us hear about backup, there is always a reminder in our life, you see it in smartphone and with software tips, but disaster recovery is not listed in our terms list it’s not in our dictionary.

Most of small business owners mostly don’t know the difference between backup and disaster recovery, today’s blog, is lowdown of backup vs. disaster recovery, to know the deference.

Backup, what is it?

Let’s start with basics, what is backup? In summary, backup is copying data to storage. This can be through DVD, SAN storage or by means of remotely storage "Cloud".

It is very important to have a backup solution in place. You will protect your data loss in case of employee accidents (delete data), theft (Laptop lost) and technical problems (Server crash); with backup you can restore your data easily.

Disaster Recovery, What is it?

Disaster recovery is similar to backup but disaster recovery used for larger instances. A full image of your servers and disks are mirrored. The image increases the probability to restore your systems faster than re-installing OS and restoring data.

Now read the term “Disaster” does this term make sense to you, don’t get caught up on this term and believe it has to be a major accident. A disaster can be your networks equipment’s and servers are crashes and all of the organization employees no longer work for one day or more. With disaster recovery plan, the organization employees can continue to work using the mirrored systems and servers and IT people work on fixing the problem at main site “Original systems place” while all of business employees are working on the mirrored systems.

Backup is similar to disaster recovery, but disaster recovery is more wider than backup and disaster recovery plan contains backup plans, backup is needed to restore data when case of loss of original data, data in disaster recovery is not needed to restore, employees are moved to work on the mirrored systems in case of data loss or system crash in main data location.

IT people is always right?

My professional career path gives me the chance to think about this question "IT people is always right?", IT people think most of time they have the power to put them in winner side and giving them the permission to be right always.
I worked for many years always I faced a conflict between the  IT and Business, my role as IT Manager gave me  the chance to be in the IT side but as a professional IT Manager I should keep the business satisfy and some time say for business "Yes, you are right", cause they know what is the business need more than IT,  when we think like this we will enhance our relationship as IT people with the Business people.

When you plan to build a success IT organization you should work to enable the needs of the business, remember you have to support business to deliver mission and to help the business to enable vision not fighting the business once you think like that you put your foot on the success way of your IT organization.

make sure the business is part of your success plan your support to the business one of the success keys  for your IT Organization.


My answer now is clear about the question "IT people  is always Right?" is of course "No".

IT Problem Management

Introduction

The IT Problem Management helps IT people to identify the root cause of an error, resolving a problem will fix the error which means stop these incidents from occurring in the future. Problem resolution and elimination of root cause often calls for applying a change to the configuration item in the existing IT environment.

IT Problem Management Definition

Wikipedia defines IT problem management as an IT service management discipline designed to “minimize the adverse imp

act of incidents and problems on business that are caused by errors within the IT infrastructure, and to prevent recurrence of incidents related to these errors”.

Which means effective IT Problem Management will reduce the cost, increase the availability and gives the IT people the time to focus on the business not on support and fixing errors.

IT Problem Management Objectives

The primary objectives of IT Problem Management are to prevent IT problems and resulting incidents from happening, to eliminate recurring incidents and to minimize the impact of incidents that cannot be prevented.

IT Problem Management Benefits

The main benefits from IT Project Management:

•  Improving IT service quality. Remember that high quality and reliable service is very good for business. 

•  Reducing number of incidents. Proactive problem management is instrumental in reducing the number of incidents that interrupt the business/organization every day.

• Build a known error database (Knowledge Base). Documenting the known errors and solutions will reduce the number and impact of problems.

•  Give the IT people the opportunity to start self-learning. One of the main concepts for IT problem management is learning from past experience. The process document all previous errors and problems to identify trends, and the means of preventing failures and of reducing the impact of failures, resulting in improved productivity.

•  Increase the rate of fixing errors by the Service Desk. Problem management enables the Service Desk to know how to deal with problems and incidents that have previously been resolved and documented.

IT Problem Management Processes
1. Identifying and Reporting Problems

A problem can be generated in a number of ways like:

• Problem form by IT staff member.

• Generate a problem from an incident by IT staff member.

• Service catalog allows user to log problems.

•  A problem can be generated from an email.

A problem can be associated with a configuration item using CMDB (I will talk about it in future) to help the problem management team see the affected item and its relationships to other configuration items and to measure the impact on the business.

Resolving problem can be done by a user or group. Which means the problem can be assigned to a user or group and this can be done manually or automatically.

The problem can be generated from an incident. This gives the problem management team the opportunity to quickly refer to knowledge base already generated and find the solution or start workaround to reduce the problem impact on the business. Once the problem is solved all related incidents will be solved.

2. Investigating and Updating Problems

Problem was identified and reported in the first step, the second step is to know what is the problem, what it is impact on business and do updates on the problem.

In this stage the user or group was assigned to solve this problem will start solving the problem and update the problem status and information.

Problem can be associated to Service Level Agreement (SLA) to monitor the progress of the problem according to the defined rules in the SLA. As time passes, the SLA will dial up the priority of the problem, and leave a marker as to its progress. SLAs can also be used as a performance indicator for the problem management team.

3. Resolving Problems

If a problem needs a change in order to be resolved, it is possible to request a change (Read My previous blog “IT Change Management”), which will be then resolved using the change management process.

Once you start saving the problem by using change management the problem will be closed when the change is close.


Workflow Sample

Here is a sample of Problem Management workflow (The workflow for IT Problem Management is configurable; it depends on the work environment).

Don't Do This Mistake #4

Introduction

Most of IT managers have a backup solution in case of disaster; and IT Managers was set the tools (softwares and/or hardwares) to implement backup solution to meet business needs.

Definition

Backup solution is a tools (software and/or hardware) to safe your data on storage media (Tape, HD, DVD, etc.).

Why backup solution?

Backup solution is the key weapon in case of disasters (i.e. lost data, hardware failure, natural disaster, etc.). Once you lost the information stored on your IT Assets the business will affect negatively. So you need the backup to recover the business.

Testing Backup Solution

Backup solution is the key part of your backup plan, and you have to integrate all backup plan parts to get the value from backup solution (what we are taking about in this post). The big mistake I want to mention it is not testing your backup solution.

Testing your backup solution is a very important part of your backup plan and it is the key to make sure your backup solution is working correctly. Don’t forget testing your backup solution you don’t know when you need to use one of your backup it is working normally and the backup was taken correctly.

Remember that

Backup solution is the key of your backup plan this key must be tested to make sure this key will work normally when you need it.

And also remember

Not testing your backup solution is a big mistake.

Don’t Do This Mistake #3

I have a problem, the system is down and I don’t know too much technical information about this system. I will try to solve it by myself; yes I will try many times to fix it. I am the manager and it is a weakness point if asked someone for help. Stop please you do a very costly mistake by trying to solve the problem without asking for help.

Some problems appears in the IT environment for the first time, don’t expect to know everything about everything in your IT environment, keep improving your skills by reading, asking and sharing knowledge to know more and being the manager doesn’t give you the power to solve all problems.

Once the problem appears do the right thing and seek help. The success key for the IT Manager is not know the correct answers; it’s being able to find them and implement a solution as quickly and cost effectively as possible. Don’t hesitate to ask the experts if it necessary.

Not asking for help is one of the biggest mistakes in the IT Managers life. It is not a weakness point of you if you asking someone for help. Asking for help gives you the opportunity to solve your problem faster and reduce the cost and time.

Why you should ask for help?

Many reasons to ask for help:

· Solving problems faster.

· Reduce the cost and time needed to solve the problem.

· Reduce the risk of trying solving the problem without prior knowledge about the solution.

· Improve the quality of IT services.



How to ask for help?

1- Persuading yourself that you need help by telling yourself you need help and what you need exactly from help.

2- Seek for one can help you and be positive with your helper, remember that it is not a reason to feel weak or stupid it is a sign of strength.

3- Understand your helper’s advice.

4- Say thanks for your helper’s.

5- Don’t afraid to ask for help again if needed.

IT Change Management

Introduction

Change is inevitable in every IT work environment it is includes but not limited to (hardware, software, processes, etc.). Many types of changes in work environments, as example:

1- Strategic changes.

2- Governance changes.

3- Technological changes.

4- Operational changes.

Some of the changes should be applied, for example, changes that come from the government.

Definition

The change management is an IT service management (ITSM) discipline. The process responsible for controlling the life cycle of all changes. The change management is a set of procedures, processes, and processes to manage all changes in the work environment with minimum negative effect on the IT service and/or business.

Change management objectives

The primary objective of Change Management is to apply beneficial changes, with minimum disruption to IT services.

Another objective of Change Management is to ensure that you applying the standardized methods and procedures for efficient and prompt handling of all changes to control IT infrastructure, in order to minimize the impact of any related incidents.

Change Management Processes

1. Raising and record changes

Many of ways can generate a new change record:

• Request a change from an incident.
• Request a change from a problem.
• Request a change from a business need.
• Request a change through a service catalog.
• Request a change from an email

2. Assessing and evaluating changes

Once a change request is in place, the change management team must populate the change request with as much information as possible in order to fully assess the requested change.

Information that can be collected :

• Priority
• Category
• Impact
• Urgency
• Schedule - Includes a requested by date, a planned start and end date, and work start and end dates. This can be integrated with Outlook so that the change schedule will appear in Outlook's calendar. Note that changes made to the schedule in Outlook will not change the change record.
• Change/Roll Out Plan/Backout Plan/Test Plans
• Approvers - All CAB members.
• Related Problems - All related problem to the change will be associate to the change form. 
• Related Incidents - All related incident to the change will be associate to the change form.
• Affected CIs - a list of configuration items (from the CMDB) that will be affected by the change.
• Impacted Services - a list of business services (from the CMDB) that will be affected by the change.

3. Planning Changes

Changes can be planned directly in the change record, but for complex, multi-step changes, Project Management allows specificity of planning. 

4. Authorizing Changes

Any change should be reviewed and approved by the Change Advisory Board (CAB)  before put it into production environment. Usually, the CAB consist of a group of people with different perspectives, backgrounds and areas of expertise. Their function is to review the change from a process and governance standpoint to assure that all foreseeable risks have been identified and mitigated, and that compensatory techniques are in place for any elements of exposure (things that could go wrong). The development team and the change sponsor will present the change to the CAB. Evaluation of risk will be the focus. Implementation strategies, communication to affected stakeholders, backout plans and post-implementation monitoring are elements on which the CAB is required to focus. The CAB is not responsible for determining if the change is appropriate – that decision has already been made. The CAB is also not responsible for determining if the change is cost effective. Again, that is strictly a business decision.

5. Closing Changes

Once the change has come to an end, and the change has been tested and confirmed, the change can be closed by changing the state. If the change was generated from an incident or problem, you have to close all related incidents and/or problems.

Workflow Sample

Here is a sample of change management workflow (The workflow for change management is configurable, it depends on the work environment).

IT Change Management Workflow Sample

Don't Do This Mistake #2

I love my work too much so I will work more and more!  My team not have the capability to do the business as I do! My business will not live if I take a vacation! So I will not take a vacation, be careful about what you trying to do. This is a formula for disaster.

Do you plan to do everything by yourself, what about vacations?  No plans done for rest? If you don't plan for your vacations please do it right now.

Why you need a vacation?

There are many vacation benefits; I will list a few of them below:

1-      Improve your mental skills.

2-      Reduce stress.

3-      Improve your physical health.

4-      Check your employee skills.

5-      Test what your leave effect on the business.

Do a favor for yourself, family, and business and take some time off. Really you need this do not try to burn yourself.

Don't Do This Mistake #1

One of the top mistakes that IT Managers do is focusing on the technology not the business; it is really a big mistake when you do this.

Focusing on the technology comes from technical background of the typical IT manager. From their technical background, the focus their efforts in their expertise when in fact they should be seeking for the ways to help, enhance, and activate the business.

To be success the IT Managers must become business oriented leaders and turn their focus and expertise to business.

As IT Manager you have to focus on Business issues and problems. To give your business what they need with cost efficiency for the organization. Keep your focus on the business will enhance the business environment, improve the employee knowledge in the business of the organization and increasing the customer satisfaction.

You have to start working on this concept by building a good knowledge about your business and participating in business meetings.

Your next level of business starting now

Do you planned to improve your team skills? Do you have any idea to improve your team members motivation? What is your expectation about your team? Are you ready to move to next level with your business? Did you start your housekeeping? Is your team satisfied about your work, management and decisions? Are you open minded to hear from your team?

Many questions you have to think about to improve your IT team skills and competencies if you looking to move to next level with business, when you are thinking as businessman IT Manager you have to set your plan to align with your business for current and future expectations.

You have to start your planning right now if you didn't before to improve your team members skills and give them the guideline to start their self-motivation.

My advice to you is to put the questions above on a paper and start to answer them honestly, once you review your answers, meet your team members and share them the questions and ask them to answer them, compare your answers with your team members answers find the gaps and solve them immediately.

Your team members are the most valuable asset to innovate your business and they are the base to move your business to next level, take care of them will increase the opportunity to success your business, don’t forget to give your team members the chance to share their ideas with you some ideas will be the base block to build your business for future.

Motivation, Motivation, Motivation keep this word always in your mind and always do the best to build the motivation in your team, help your team members to improve their skills, give them the tools and guidelines to increase their efficiency and maximize their productivity.

Simplified IT Management & Operations

I engaged to a new job 1 month ago and the first thing I did is thinking about my mission, I read my job description a lot and I reviewed the company mission, vision and values to create a sentence collect all these information, my sentence is “Simplified IT Management & Operations”.

When I looked to this sentence many times I found it very hard to implement and we have to start inside the company before we go outside, I spent a lot of time to set the market plan to help the company to achieve this mission, but really I found it very interesting mission and we can implement it easily.

Many of IT people thinking the processes and procedures are developed to make the work more complex, in my point of view is procedures and processes help us to simplify the work and help us to automate the work specially those repeated tasks.

What is the simplification mean?

In my point view I see the simplification is set of procedures, policies and procedures set to control and organize the work and IT infrastructure and applications aligned with those polices procedures and processes. Awareness is needed also to do the simplification better.

Simplifying IT Management & Operation gives the IT people the opportunity to focus on the business, you need very good communication skills to contact with business, just keep in your mind the business people is your customer and you have to keep them satisfied.

Unbreakable IT Environment

Business is looking always for a robust IT environment with the lowest down time, building unbreakable IT environment is a mission for IT department, and the functional or business department should support the IT to build this environment.

Key of success for any organization is a strong work environment, metrics to measure strong work environment depends on business needs which means the strongest work environment must be compatible with business needs, IT department should analyze the business needs to know if it doable or not, and discuss the result with business departments.

IT department should document all business requirements and the analysis results and sign it from authorized person or group from business side.

Unbreakable IT environment is one of the things that will keep the functional and business departments satisfied, and will decrease down time and cost. IT people should focus on service not on technology to give the business what they expect.

Weak IT environment in some businesses will cost the business extra money, reputation will be negatively affected, decrease customer satisfaction, and maybe pay to the government penalties.

The business should support the IT people to build a strong work environment by giving them the authority, budget and human resources as needed.

To build your unbreakable IT environment there are many technologies you can use like (cloud, virtualization, mirroring ...etc). You can use your facilities or you do it with outsourced company.

Good understanding of the company’s business and business needs it’s a mission for IT people, this mission will give the IT better chance to build unbreakable IT environment.

My advice to build your unbreakable IT environments is:

1-      Collect the business needs and do the business impact analysis to categories the business processes that depend on IT environment.

2-      Analyze the requirements to determine if they are applicable or not.

3-      Be honest with your business people by reporting them the result of your analysis, and say “No” when it’s needed.

4-      Choosing a good technology depends on the budget, business needs and analysis results.

5-      Don’t try to give the business extra features it is a “Gold Plating”.

Motivate your team, Key of success

Most or all managers expect from employees to do their work with a high performance, but some of those managers think about the work but do not think about the employee’s satisfaction, how keep the employees in good performance? How can appraise the work performance? How to enhance employee’s creativity?

I will explain in this blog my point of view about one thing to keep your employees in good performance and always creative. Your employees work together to achieve the organization targets but not all employees work in same performance, not all employees achieves their targets.

Motivate your good employees by rewards, rewards not always a money, “Thanks” in some cases will be more effective than money or reduce the work assignments will be a good choice, don’t forget or ignore giving rewards to the good performer employees, if you forget or ignore rewards expect the employee will do the same for his/her work, he/she will forget or ignore his/her work or some of his/her work, if you don’t have the decision, fight for it.

Know your employee needs, and give them their needs as is as rewards and appreciate employee effort and help them to work in high performance. The high performance work will increase cost of rework or delay, and increase the productivity.

Remember these words” Motivation and creativity comes from satisfied employees”, keep it in your mind when you manage your team to get the best performance, keep you employees satisfied and have a reasons to implement their best performance.