Implementing Change Management in a Regulated Environment

Similar documents
ITIL Version 3.0 (V.3) Service Transition Guidelines By Braun Tacon

The ITIL Foundation Examination

The ITIL Foundation Examination

The ITIL Foundation Examination

The ITIL Foundation Examination

The ITIL Foundation Examination Sample Paper A, version 5.1

HP Change Configuration and Release Management (CCRM) Solution

Service Transition. ITIL is a registered trade mark of AXELOS Limited.. The Swirl logo is a trade mark of AXELOS Limited.. 1

An ITIL Perspective for Storage Resource Management

HP Service Manager. Process Designer Content Pack Processes and Best Practices Guide

ITIL v3. Service Management

EXIN.Passguide.EX0-001.v by.SAM.424q. Exam Code: EX Exam Name: ITIL Foundation (syllabus 2011) Exam

ITIL by Test-king. Exam code: ITIL-F. Exam name: ITIL Foundation. Version 15.0

Yale University Change Management Process Guide

Free ITIL v.3. Foundation. Exam Sample Paper 1. You have 1 hour to complete all 40 Questions. You must get 26 or more correct to pass

The ITIL Foundation Examination

HP Service Manager. Software Version: 9.34 For the supported Windows and UNIX operating systems. Processes and Best Practices Guide

ITIL Roles Descriptions

ITIL: Service Transition

HP Service Manager software

7 Practical insights for IT Asset Management

Applying ITIL v3 Best Practices

ITIL : the basics. Valerie Arraj, Compliance Process Partners LLC. White Paper July 2013

TechExcel. ITIL Process Guide. Sample Project for Incident Management, Change Management, and Problem Management. Certified

General Platform Criterion Assessment Question

Page 1 of 8. Any change, which meets the following criteria, will be managed using IM/IT Change Management Process.

ITSM Maturity Model. 1- Ad Hoc 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimizing No standardized incident management process exists

performance indicators (KPIs) are calculated based on process data, and displayed in easy-to-use management views.

Achieving Control: The Four Critical Success Factors of Change Management. Technology Concepts & Business Considerations

Computer System Configuration Management and Change Control

GENERAL PLATFORM CRITERIA. General Platform Criterion Assessment Question

The ITIL v.3 Foundation Examination

Configuration Management System:

Requirements Analysis/Gathering. System Requirements Specification. Software/System Design. Design Specification. Coding. Source Code.

WHITE PAPER. Best Practices in Change Management

Change Management. Service Excellence Suite. Users Guide. Service Management and Service-now

INFORMATION TECHNOLOGY. SERVICE ASSET AND CONFIGURATION MANAGEMENT PROCESS Version 3, Rev. May 5, 2015

Release & Deployment Management

EXIN IT Service Management Foundation based on ISO/IEC 20000

Configuration control ensures that any changes to CIs are authorized and implemented in a controlled manner.

Computer System Configuration Management and Change Control

ITIL V3 Foundation Certification - Sample Exam 1

Best Practices in Change Management WHITE PAPER

MANDATORY CRITERIA. 1. Does the tool facilitate the creation, modification, fulfillment and closure of Service Request records?

An Implementation Roadmap

SACM and CMDB Strategy and Roadmap. David Lowe ActionableITSM.com March 20, 2012

Process Description Change Management

How To Create A Help Desk For A System Center System Manager

Combine ITIL and COBIT to Meet Business Challenges

White Paper. Change Management: A CA IT Service Management Process Map

Table of contents. Standardizing IT Service Management. Best practices based on HP experience in ITSM consolidation. White paper

Foundation. Summary. ITIL and Services. Services - Delivering value to customers in the form of goods and services - End-to-end Service

With Windows, Web and Mobile clients Richmond SupportDesk is accessible to Service Desk operators wherever they are.

Which statement about Emergency Change Advisory Board (ECAB) is CORRECT?

CA Configuration Automation

The CMDB at the Center of the Universe

Release and Deployment Management Software

Problem Management: A CA Service Management Process Map

Service Asset & Configuration Management PinkVERIFY

SPAN. White Paper. Change Management. Introduction

Automating the IT Operations to Business Connection

Release Management Policy Aspen Marketing Services Version 1.1

The safer, easier way to help you pass any IT exams. ITIL Foundation v.3. Title : Version : Demo 1 / 5

Enabling ITIL Best Practices Through Oracle Enterprise Manager, Session # Ana Mccollum Enterprise Management, Product Management

Subject: Information Technology Configuration Management Manual

BSM Transformation through CMDB Deployment. Streamlining the Integration of Change and Release Management

Commonwealth of Massachusetts IT Consolidation Phase 2. ITIL Process Flows

ITIL & The Service Oriented Approach. Vivek Shrivastava

The purpose of this document is to define the Change Management policies for use across UIT.

Master Data Management Enterprise Architecture IT Strategy and Governance

How To Standardize Itil V3.3.5

CHG-11-G-001 Does the tool use ITIL 2011 Edition process terms and align to ITIL 2011 N/A. Edition workflows and process integrations?

Integrating Project Management and Service Management

White Paper: AlfaPeople ITSM This whitepaper discusses how ITIL 3.0 can benefit your business.

Simplify and Automate IT

Improving Service Asset and Configuration Management with CA Process Maps

HP Service Manager software. The HP next-generation IT Service Management solution is the industry-leading consolidated IT service desk.

Governance, Risk, and Compliance (GRC) White Paper

Achieving Integrated IT Service Management

Service OnBoarding: A Process Approach for Uniting ITIL and DevOps. Bill Cunningham

White Paper August BMC Best Practice Process Flows for ITIL Change Management

Simplify and Automate IT

Moving beyond Virtualization as you make your Cloud journey. David Angradi

SESSION 709 Wednesday, November 4, 9:00am - 10:00am Track: Strategic View

ITSM Process Description

SOFTWARE ENDORSEMENT SCHEME

Identifying & Implementing Quick Wins

Software Asset Management (SAM) and ITIL Service Management - together driving efficiency

ITSM Reporting Services. Enterprise Service Management. Monthly Metric Report

Change Management Living with Change

SOLUTION WHITE PAPER. Align Change and Incident Management with Business Priorities

Introduction. What is ITIL? Automation Centre. Tracker Suite and ITIL

Change Submitter: The person or business requesting or filing the Request For Change (RFC) notice.

Moving Forward with IT Governance and COBIT

Copyright 11/1/2010 BMC Software, Inc 1

Change Management Process. June 1, 2011 Version 2.7

Summit Platform. IT and Business Challenges. SUMMUS IT Management Solutions. IT Service Management (ITSM) Datasheet. Key Benefits

Transcription:

Implementing Change Management in a Regulated Environment Valerie Arraj Managing Director Session 227

Compliance Process Partners Service Management-focused consulting, automation and training organization Uses IT Service Management good practice and control objectives with focus on: Compliance to regulatory and governance guidelines Efficient and effective IT process and automation Assisting companies for 8 years with ITIL-based consulting and training ITIL Expert, ISO 20000 & ISO 27000 Certified Consultants 2

Content Change Management Landscape for Regulated Environments Approach and Process Overview Benefits and Critical Success Factors 3

Regulated Environments Regulations Affecting IT Privacy Laws for Personally Identifiable Information (PII) e.g., 201 CMR 17.00 (Massachusetts) Sarbanes Oxley Public Companies HIPAA Health Care 21 CFR Part 11 Biotechnology & Pharmaceutical, PCI Retail Gramm-Leach-Bliley Act -Financial Services Federal Information Security Management Act Gov t Agencies 4

Why Service Management & ITIL? Good Practice is Foundational Aligns business with technology Promotes effective use of technology Improves the quality and reliability of IT services offered Optimizes IT resource utilization Provides well-defined processes that support business scalability Internationally adopted framework that enables consistency within enterprise IT organizations as well as with external service providers Facilitates adherence to regulatory requirements 5

Regulated Environments: Change Landscape Regulated Many regulation-specific change management processes Each technology area runs its own change management process BEFORE Applications & Infrastructure Non-Regulated Informal change management process. No change management process. AFTER One Risk-Based Process for IT Reduce compliance deviations Balancing Slowing things down versus deploying changes that don t destabilize service operation Eliminate the distinction between Regulated and Non-Regulated services 6

Approach WHERE ARE WE NOW? WHERE DO WE WANT TO BE? GETTING THERE Phase I Phase II Phase III... PEOPLE Executive/Team Overview ITIL Foundation Training RCV Capability Training Enterprise-Specific Process Training Across IT PROCESS ITSM Capability Assessment Change Management Additional Processes as Prioritized in Assessment Configuration Management TECHNOLOGY Technology Implementation Incident/Problem/Service Level Mgt/Capacity 7

Configuration and Change Management Processes go hand-in-hand Every decision needs configuration information Every decision results in a configuration change Implement: a CMDB (CMS) Strict change management to ensure accurate decisions (manual or automated) The automation journey must address both Forrester Research,. Glenn O Donnell 8

Taking this One Step Further. The CMDB can: Assist in change categorization Identify assessors and reviewers (CAB) Guide workflow steps 9

Approach for Change & Configuration Management Agree on: Change Definition Scope Change Models Standard Predefined Normal Emergency Approvers Level of detail for Configuration Items Targeted sessions with crossfunctional stakeholder teams Steering committee for guidelines and arbitration Use case walkthroughs and prototyping Decide on Service Types (Business (Core) vs Technical (Enabling)) Modeling techniques (accommodating virtualization & cloud) RACI matrix 101 0

An Example: Business and Technology Services Payroll Core Business Service Time Tracking Supporting Business Service Benefits Application Service Kronos VMServer1 VMServer2 Primary Service CI (parent) Can stand on its own as a core service Server Administration [Infrastructure Service] Supporting Business Service Primary Service CI Can stand on its own as a core service DB1 Database Administration [Infrastructure Service] VMServer3 VMServer4 111 1 Storage Array X Storage Administration [Infrastructure Service]

Risk-Based Change Types Approver Standard & Pre-defined Pre-approved or functional manager Normal Changes Minor Significant Major Federated Change Manager Change Advisory Board CAB + Sr. Management Part of routine, recurring maintenance and/or support Baseline business functionality impact Implementation procedures are well understood and documented. Impact to other services Does not alter baseline business functionality of primary or related service(s) Resources, time, cost to implement Existing Technology/Skill New 121 2 LOW R RISK I S K HIGH

Change Models Model Category Description/Characteristics Approval Standard Work which is part of routine, recurring maintenance and/or support; changes under applicable procedures. Well understood; does not alter baseline business requirements/functionality of primary or related service(s) Risk is well understood May include repair (break/fix) activities or like-for-like swaps Pre-Approved Predefined Part of routine, common support changes under applicable procedures. Well understood; does not alter baseline business requirements/functionality of primary or related service(s) Follows a predefined set of steps in association with a procedure or work instruction Requires approval from a specified individual(s) or role(s) Normal Changes susceptible to some level of risk and that require assessment and approval Minor Significant Changes of additions to configurable elements without significantly altering the business requirements Little or no impact to the validated state of the computerized system or software Require very few resources and minimal time to complete Risk of change to Service is generally assessed as low. Changes considerably alter a system s requirements or creating a considerable amount of new functionality or capability A sizeable number or resources and amount of time are required to implement Change Manager This could be a Federated role in large organizations. Change Advisory Board (CAB) Major Changes will alter system requirements and create substantial new functionality or capability Large number of resources and substantial amount of time required. Substantial estimated cost to the organization, often large, capitalized projects CAB and Senior Management 131 3 Emergency Unplanned changes requiring immediate action. To restore a service or protect electronic records/data, product or IT hardware. Urgent business needs such as modification necessary to meet an immediate regulatory requirement. Emergency CAB (ECAB)

Change Initiator Open RFC Is Emergency? No Business Impact Review The Change Management Process Technical Impact Reviewer Technical Impact Review Yes Compliance Impact Reviewer (Compliance-Related Services) Compliance Impact Review Change Manager / System RFC Categorize Change Manager CAB Reviewers Is Minor Change Manager or QA Lead Approval only Is Significant CAB RFC Review (CAB Approval) Is Major CAB RFC Review (CAB + Senior Mgmt Approval) Emergency CAB Links To SDLC Change Manager/CAB Release Manager Implement (Schedule, Release & Turnover) Release Management Change Manager RFC Closed PIR 141 4 Change Management Normal Changes

Moving a CI Through the Workflow Reserved Redeploy Create a New Configuration Item On Order/Inventory Being Assembled Setup and Configure Deployed Setup and Configure Decommissioned Retired Retired Approved Change Request On Order/Inventory: CIs that are purchased. Reserved CIs that are available or earmarked for an application/org. Being Assembled: CIs that are being set up & prepared for use in target environment (development, test, staging, production). Deployed: Represents CIs placed in target environment and are in production (live). Decommissioned: Represents CIs that are decommissioned from their original use. Redeploy: Represents CIs being reconfigured for a new purpose. Move CI from Decommissioned to Being Asssembled state. Retired: Past its useful life. No longer in use. 151 5 Configuration Management

161 6 Configuration Item Types & Attributes: The Drivers to Change Hardware Attributes Hardware Description Hardware Type Server Use Server SubType Network Subtype Storage Subtype Power Device Subtype Service Tag Asset Tag Manufacturer/Model OS Software Attributes Software Description Software Type Manufacturer Version Build Number Of Licenses Notes Software Admin Primary Software Admin Alternate IP Address(es) Hostname(s) # Processors # Cores # of Network Ports Memory Location Rack Other Administrator Primary Administrator Alternate Common Attributes CI Id CI Name Created Date Description CI Status Item Type Environment Contribute to Categorization Algorithm Contribute To Assessment Contribute To CAB Service Attributes Service Description SLA Type Compliance Implications - None/GxP/SOX/HIPAA/Other Service Criticality Service Provider Service Consumer SLA Status Service Tech Primary Service Tech Alternate Service Business Owner Service Business Owner - Alternate Service IS Owner Service IS Owner - Alternate Service Business Admin Primary Service Business Admin Alternate Additional CAB Reviewers Additional Watchers

Configuration Management Roles / Contacts Role Business Owners Service Owner Business Relationship Manager Technical Lead(s) Implementers Description Primary business liaison responsible for the service The IT Owner of the Service (Product Manager) IT lead responsible for interfacing to the business. Primary and alternate individuals with technical responsibility for the service or underlying configuration item Individuals assigned to the work associated with building and deploying changes 171 7

Assessing Risk The 3 dimensions of risk: Criticality, Complexity & Compliance Criticality = Business impact Complexity = Technical impact Compliance = Compliance to Regulation & Internal Standards Applies to both New Services & Changes Service risk is pre-determined and populated into the CMDB Change risk is determined by Change Initiator and assessors 181 8

191 9 Categorization Algorithm

Value Added 202 0 Configuration Management Metrics: Services Business or Infrastructure Impact of Change to underlying CI Regulatory implications guidelines (GxP, HIPAA, SOX, etc) Location Subscribers Consumers Servers Physical or virtual Application installed Connections Contracts For Service or any underlying CI Expired or expiring contracts Contracts by contract type (outsourcing, support or maintenance) Software licenses People/Contacts Primary and secondary support person for hardware or software Business Owner of a given service IT Owner of a given service Change Management Metrics: Number of changes by device, service, application Date of changes by device, service, application, database Number of changes successful Number of changes needing to be backed out Change schedule Changes that have some regulatory/compliance impact (need QA involvement) Changes that have no regulatory/compliance impact (no QA involvement necessary). Number of changes by category Changes by requestor Changes that have been approved Changes that have been rejected Average time to approve a change Average time to approve a change by approver Average time to close a change by type of change

Realized Benefits Consistent change process across the board More efficient and compliant process Integration with CMDB provides enhanced visibility of impact and risk of changes to focus work Integrating compliance review into process from beginning reduces rework and ensures that regulated services are maintained in a validated state 212 1

Critical Success Factors - CMDB Don t underestimate level of effort to maintain the repository Integration with HR systems is vital in order to keep contact information up to date with organizational changes Auto discovery tools are necessary for faster adoption and to maintain data accuracy Visualization is key! Self-service auditing of CIs is difficult to do without visual cues for dependencies 222 2

Critical Success Factors Include business customers during process definition and rollout Individuals need to buy-in and understand the responsibilities associated with their role in the process Integrate with Portfolio Management Office (PMO) Coordination between Change Manager and PMO is needed to ensure proper scheduling & resources, RFCs need to be balanced with project portfolio support 232 3

Thank you Contact details: Valerie Arraj valerie.arraj@cppit.com 888-718-1708 242 4

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information