“You don’t change culture team by team or app by app. You don’t get to pick and choose where you DevOps. You can do it for a while – operating bi-modally – in order to experiment, to allow new ways of working to incubate, but it is essential to converge quickly. DevOps is not a piecemeal tool, it is an organisational transformation.” – The IT Skeptic Blog, July 22, 2017
This blog isn’t about DevOps. There are now thousands to choose from with authors off all walks. This blog is about Rob England and his blog, The IT Skeptic.
If you haven’t read this blog, start. It’s a must read. In fact, I’ve spent evenings rolling through his old content to follow his train of thought in the hottest topics all IT shops struggle with: How to do IT service delivery, effectively. It’s an art. It’s not simple. And done poorly, costs organizations dearly.
I do not have a recommendation where to start. If you read his last blog, currently on December 5, 2017, it’s titled, “Project Management was the worst thing that ever happened to IT“… Wow. And right on target. Do organizations think this way? Most can not.
“Everybody says they want to be free. Take the train off the tracks and it’s free, but it can’t go anywhere.”
Organizations require structure to operate, but most often end up creating silo towers with no connecting switch-track to communicate or change direction. Following a framework in exactness is limiting — but adapting a framework is not. There is no one-size-fits-all; that it’s a framework means you have the ability to lay the tracks any way you like. If, in the future, you decide to make an offshoot to a new destination, then you have the ability to do so with the guidance the framework provides.
ITSM is a continuous journey, not a project that ends on the ‘go live’ date. And if truth be known, there is no end to a project until all the chickens come home to roost (but that’s another blog). Count on this: There will always be other destinations to visit that will require you to lay tracks to get there.
Re-posting as we shift focus to ITSM. I found this article on BMC’s website and felt it’s right on.
“Below is a list of documents that is requested by a vendor management company. Information Technology needs to be able to provide these documents on demand:
-Information Security Policies (Current)
-Cyber/Network Security Policies with Testing Requirements and Results (i.e. Vulnerability and/or Penetration Testing) (Current)
-Incident Response Policies with client notification protocols (Current)
-Disaster Recovery/Business Continuity Plan(s) (Current)
-Disaster Recovery Testing Results (Current)
Whether it is a partnership, vendor relationship, or just being a customer, it’s no longer unusual to get asked how companies treat security. Risk Management survey’s include questions like, “Has your company been hacked in the last 12 months” and “What was your incident response plan to the breach”.
Where to go to get this stuff? Where do you keep it? How to manage? Many larger companies hire the talent to write it. Alternately, resources exist that can help with what is needed to cover. Here are a couple of resources:
I have used all three in my career with success. Managing these documents should be no different than other IT policies. In other words, manage collectively with yearly reviews and periodic changes as the organization matures.
What tools or resources have you used to help write security documentation? Drop me a link to add to the list!