Security

Study Highlights Best Practices for Achieving IT Service Management Excellence

Results demonstrate positive impact of ITIL change, configuration and release processes on IT performance.

by / February 26, 2008 0

CA has announced the results of a study of 341 global IT organizations that highlights the positive impact that best practices for ITIL change, configuration and release processes has had on those organizations' overall performance. The study, conducted by the IT Process Institute (ITPI) and sponsored by CA, also pinpointed five specific best practices that are crucial for achieving excellence in IT service management.

"The CA-ITPI study underscores the critical importance of best practices to enable IT to cost-effectively deliver highly reliable business services despite tight resource constraints, complex development and infrastructure environments, and huge portfolios of existing services," said Brian Bell, senior vice president and general manager of CA's Service Management business unit. "The study also provides IT managers with additional data points that support the acquisition of technologies that enable these IT service management best practices-including CMDB, operations security and release management tools."

The results revealed five sets of IT service management best practices that consistently improve the effectiveness of IT organizations' change, configuration and release practices. These improvements typically result in higher IT resource utilization, more consistent quality of end-user experience, and/or reduced overall risk from poor change management practices.

These best practices are:

  • Rigorous release management. Rigorous build, test, and rollback process for releases have a bigger impact on performance than any other set of practices in the study. Change tracking and change oversight alone are not sufficient to ensure effective IT service management. Release management practices impacted eight of the 15 of performance measures in the study including downtime, server to sysadmin ratio, release rollback rate and unauthorized change rate. For example, top performers roll back 46 percent fewer failed releases and measure 90 percent fewer unauthorized changes than others in the study. So, while change management may often be a logical starting point for ITIL implementations, IT organizations seeking the highest levels of performance should also focus on more rigorous release management practices.
  • CMDB deployment. Forty-seven percent of top performers among survey respondents use configuration management databases (CMDBs) to enable change processes in place-such as linking change requests to infrastructure, business need, and incident tickets. The implementation of CMDB-enabled change and incident management processes is a statistically significant predictor of effective IT service management performance in measures such as configuration drift, release rollback rate, and rate of incidents fixed within SLA limits. For example, top performers with CMDB-enabled processes resolve 28 percent more incidents within SLA limits than others in the study.
  • Process "religion." IT organizations that actively encourage compliance with documented processes and procedures achieve higher levels of performance. ITIL change, configuration, and release processes can only deliver expected results if they are applied consistently across all groups and projects. To build a process-focused culture, top IT performers diligently manage process exceptions and have IT executives enforce beliefs that following process is a basic job expectation for everyone in the IT organization. Building a process-focused culture and managing process exceptions is the second strongest predictor of top levels of performance in the study, impacting key measures such as downtime, configuration drift, process variability, release impact rates, and change success rates. Top performers with a strong process culture have an 11 percent higher change success rate than others in the study.
  • Standardized configuration. Effective standardization of system configuration is another primary predictor of a stable and secure computing environment. This standardization is typically achieved by identifying and using only approved production system configurations, ensuring that IT is fully informed about approved and current configurations, and putting specific controls and processes in place to detect and prevent both configuration variations and configuration drift. Standardized configuration practices predict top levels of performance in configuration drift and security breaches automatically detected, with top performers able to automatically detect security breaches 42 percent more often than others in the study.
  • Tight control of access to production systems. Access control is also a key best practice for high-performing IT organizations. This control typically includes clear definition of roles and responsibilities, appropriate segregation of duties, and restricted access to the production environment. Organizations that implement these controls tend to do a better job of limiting process variability and require fewer emergency changes-as well as gaining the benefit of improved IT security and improved compliance with regulatory mandates. Top performers have 60 percent fewer emergency changes than others in these areas.

The study noted that these best practices are ideally adopted in conjunction with each other. Tight control of access to production systems, for example, is itself one of the measures that helps enforce process discipline. But it is also a key component of change and release control. Similarly, standardizing configurations is difficult to achieve without change and release discipline.

ITPI conducted the study in two stages. In the first stage, ITPI interviewed 11 companies widely recognized for their excellence in change, configuration and release management in order to determine what their processes had in common. ITPI then developed a survey based on its findings and, in the second stage of the study, extended that survey to the 341 global IT organizations in its sample set. "Top Performers" in the study represent the top 15th percentile of all participants.