Wednesday, May 25, 2011

Getting to Accountable Configuration Management

So you have this wonderful ‘Medical Grade’ network but how do you intend to manage it? There are countless articles and blog posts out there describing major downtime events being caused by simple human error. How can these errors be minimized? Change Management.

There are numerous solutions in existence that address change management from a toolset perspective. Some examples of these might be the free RANCID system or more commercially oriented offerings such as Tripwire (acknowledging an open source edition can still be found). As effective as these systems might be for detecting network configuration changes they are simply toolsets. As we have learned through our ITIL journey the toolset is not the key – the process is. When it comes down to it we can likely do Incident and Problem management on note cards. We wouldn’t want to, but we could, the same goes for Change.

We have a fairly simple but seemingly well accepted Change Management process. Change Requests can be created by any member of our IT team and submitted into our ITSM system. We ask that those requesting changes specifically request Assessments from the Service Owner and any other staff they feel is applicable. Change Requests are then automatically emailed to all members of the IT team for further evaluation and assessment. Yes, we include everyone and why not, our feeling is that every team member may have valid concerns ranging from support all the way to service and organizational impact. Everyone has a unique perspective in a smaller organization.

Each week we conduct a CAB (Change Advisory Board) meeting using the WebEx tool. This allows us the flexibility to invite our entire IT staff and provide a mechanism for their participation regardless of location. Staff make themselves available based on their interest in changes currently being proposed. Upon review, should any non-emergent changes be seen as requiring additional assessment or representation those changes are ‘punted ‘ to the next meeting so that adequate representation can be present. Emergent changes are handled via email and phone calls ensuring adequate information is gathered before approval.

Nothing really profound here? Well it seems to be working. This hybrid approach (we do not require that we meet in person, we do not require specific attendance outside of those who can do approvals, and we virtualize assessments prior to the CAB meetings) has allowed everyone to feel as if they are active participants in the process while not burdening them with mandatory attendance during time periods where items do not impact their specific services.

We have received little pushback from staff and folks seem to be embracing the process. We have not made a single non-standard network change without the change management process in months.

This is enforced as it is policy. That is ok. The team embraces the process.

No comments: