CA Community

Who owns IT Governance, the Business or IT?

Steve Romero — Fri, 09 May 2008 14:18:00 GMT

Is IT Governance primarily a function of the business, or a function of IT?

Many organizations are misled by the label. Sure, IT enables IT Governance, but the ITG discipline is a means for the business to govern IT, to ensure IT is aligned, delivering value and appropriately managing risk, resources and performance. The business must govern IT just as it must govern every other important business function, such as Finance or Human Resources.

Recently I received affirmation that some organizations are coming around to this way of thinking.

During a trip to Australia, I spent five days in three cities as the featured speaker in a seminar series entitled "Critical Components of Effective Project Management Offices (PMOs)". While there, I visited with several organizations to discuss their IT Governance challenges.

My very first meeting was with an IT leader from one of the government agencies located in Sydney. He wanted to meet with me to obtain a greater understanding of IT Governance. As he introduced me to his four colleagues, I was amazed to find that not one of them was from IT! They were all from the "business side" of the organization!

This IT leader recognized the role of the business as a partner--if not leader--of IT Governance in their organization. He was hosting this discussion to provide his peers with critical insight into their IT Governance roles and responsibilities. We had a great meeting and they are now eager to work together to achieve the enterprise-wide goals of IT Governance.

As I continue my travels evangelizing IT Governance, I expect the overwhelming majority of my audience will be members of IT. I look forward to the day when they are outnumbered by the real owners of IT Governance--the business partners IT serves.

Share this post: Email it! | bookmark it! | digg it! | reddit!

Mainframe = Kicking Technology??

Marcel Hartog — Wed, 07 May 2008 12:46:00 GMT

In an New York Times article of March 28^th, the words of Steward Alsop, who predicted that the last mainframe would be unplugged in 1996 were put in context.

The mainframe was use as one example how “old” technology proved to be a strong survivor together with Radio, railways and the most modern one, print media. All these “old” technologies were supposed to be replaced by new ones like television, cars & trucks and the Web respectively.

One of the conclusions is that, to survive, these “old” technologies all have some sort of enduring advantage that is not replaced by its “successor”. And for the mainframe, this typically was the rock-solid stability and security to run vital transactions, while at the same time it allowed companies to integrate “new technology” like the Web & SOA transactions.

The most important conclusion was that the business decisions matter most. People tend to overestimate the importance of technological innovation and underestimate the role of business judgment. “The rise and fall of technologies is mainly about business and not technological determinism”.

Too often, we allow ourselves to get overexcited about new technology, and so do our clients. As a software vendor, it is our responsibility to talk about that. With more than 30 years of experience, we need to demonstrate that we understand that it IS about the business. That is what sets CA apart as a company. We lived through the “near death experience” of the mainframe and we have seen the revival. We all understand why this happened, but we need to talk about it with our clients. Share our experience, talk business and become the advisor our clients expect us to be.

Like many, you are probably convinced that dinosaurs were wiped out long ago. The "new" climate better suited mammals, right? But smaller dino's adapted and survived and today, more than 8,000 species of reptiles still exist, compared to about 5,400 species of mammals...

Like many, some of you are still convinced that the IBM mainframe is in it's final days. But today, 90% of the Fortune 500 still runs their most important transactions on an IBM mainframe, using CA software to Manage & Secure it.

http://www.nytimes.com/2008/03/23/technology/23digi.html?_r=2&scp=2&sq=mainframe&st=nyt&oref=slogin&oref=slogin

Share this post: Email it! | bookmark it! | digg it! | reddit!

Run Book Automation (RBA) - A Crucial Component to any DCA Initiative

Ben Scheerer — Fri, 02 May 2008 17:38:00 GMT

When talking about automation in the data center we think about the use of tools and processes to coordinate and execute on activities with hopes to reduce complexity, errors, labor, and costs while increasing productivity. To further automation goals, we have to consider outside influences to the data center as well as existing software tools and processes that are already in place. It is likely that any given data center environment consists of a spattering of technologies across multiple platforms and vendors. This platform/vendor mix results in increased data center complexity and can best be dealt with by the proper tools for integrating and orchestrating IT processes across IT silos, regardless of the vendor or vendor specific platforms. Integration is the key concept and Run Book Automation (RBA), aka IT Process Automation (ITPA), is a critical component in any automation initiative.

Recently CA announced an OEM agreement with Opalis, a leader in RBA tools. This partnership will allow CA to take advantage of an already established, industry leading technology as well as to further enhance its integration points for CA software. But, this does not preclude the existing integration points across other vendor platforms, nor Opalis' continued R&D efforts as a vendor neutral solution.

So what does RBA bring to the table? "IT process automation provides the ability to launch a process in context and pass information from one process to the next with a level of accuracy far superior to that of any entry into an administrator interface. Solutions in this space replace the scripting of application production rules (run book)." The demand for process automation is driven from senior IT leadership looking to: Increase IT operations efficiencies, especially around the adoption of best practices, increase IT agility and proving IT operations' accountability to the business.

You may have noticed a theme of process automation, coupled with best practices? Yes, RBA/ITPA can help achieve higher levels of process maturity, notably those specified in best practices frameworks, such as ITIL. IT process automation can easily assist IT Operations in automating those processes that are established and repeatable, while setting the stage for future process design and improvements. As IT Operations continues to identify, define and improve on IT processes, ITPA serves as a fundamental step in furthering their goals.

Share this post: Email it! | bookmark it! | digg it! | reddit!

Straight Talk About Project Failures

Steve Romero — Mon, 28 Apr 2008 16:46:00 GMT

I recently recorded a podcast with Tim Jennings, Research Director with the Butler Group. The Butler group completed a study finding that 50% of IT projects fail. My brief discussion with Tim focuses on this issue and highlights best practices for guidance on implementing successful project management initiatives in IT organizations.

I find the topic of IT project failure rates interesting and compelling. I speak frequently on the topic, citing numerous studies with varying conclusions. The most optimistic figure I have encountered is 40% and the most pessimistic came from a major analyst study in 2006 that put the IT Project failure rate at 78%!

I thought the 78% number was a bit sensationalistic. I think the number is closer to 60%, which is still quite alarming. Regardless of the number, whenever I talk about the rate of project failures, I think it is necessary to define what I mean by project failure. I do so in the Podcast and was surprised to find that Tim Jennings and the Butler Group agreed with my characterization because, frankly, I thought I was being militant about the subject.

I contend if a project takes longer than we scheduled, it is a failure. If a project costs more than we said it was going to cost, it is a failure. If a project does not deliver the value we said it was going to deliver, then it is a failure. Keep in mind, I am allowing for the variance thresholds agreed upon at the onset of the project. If a project is not completed within those thresholds, it is a failure.

I have shared this view with countless people in my travels. I have found the majority of them find my definition of project failure to be too harsh and uncompromising. I am not surprised by their reaction. In fact, it is their reaction that provides some insight as to why so many IT projects fail in the first place.

We take for granted that IT projects take longer than we think they will. We expect them to cost more than we thought they would cost. It is not realistic to believe we can deliver everything we said the project would deliver. In fact, we have the reasons for this at the ready. Do any of these statements sound familiar?

It is too hard to estimate the time and cost
We didn't have enough time to plan
IT projects are very complex and inherently unpredictable
The customer didn't know what they wanted
Our requirements process is terrible
We don't have enough resources to get the work done
Production emergencies adversely affected project progress
We didn't have the information we needed
Scope creep!!!

I am sure you have heard all of these and more. We have grown accustomed, if not complacent to IT projects taking too long, costing too much, and not delivering as expected. Couple that with the human tendency to wince at the word "failure" and it is easy to understand why people judge my interpretation of project failure to be too harsh if not outright unreasonable.

So how do we change the project failure rate? Anyone who has met me or read my blog knows my answer is good IT Governance and more specifically, good Project and Portfolio Management. Tim Jennings of the Butler Group offers some great insights and ideas so I urge you to listen to our podcast. But first, let's get everyone to agree on our definition of project failure. Let's call the slipped schedules, cost overruns, and missed deliverables what they are - failures. Only then will we aggressively and relentlessly pursue the solutions that will ultimately ensure project success.

Share this post: Email it! | bookmark it! | digg it! | reddit!

The Invisible Mainframe

Reg Harbeck — Fri, 25 Apr 2008 13:53:00 GMT

"Housework is something nobody notices unless you don't do it."

"The squeaky wheel gets the grease."

"Out of sight, out of mind."

What do all of these quotes have to do with the mainframe? Two words: It works.

Who'd have ever thought that would be a problem?

Just think: over four decades of building and refining the ultimate business machine, and very few people seem to know or care that it even exists, let alone that it's still effectively running the world economy.

After all, 70% of organizations and governments are still running critical applications on the mainframe per the Butler Group (see http://www.informationweek.com/story/showArticle.jhtml?articleID=196900665).

That's a pretty spectacular number for a machine that doesn't appear to exist.

The funny thing is, it actually could have been argued to be a good strategy to keep the mainframe out of sight - less threat of being a target, given how important it is.

The only problem is, the strategy (if that's what it was) worked so well that the management of many organizations that rely on mainframes don't seem to realize its importance either.

And that's a problem - after all, the cost of the mainframe can seem quite large when its value is not apparent.

Fortunately, some of the largest organizations on earth seem to have recognized the value of their mainframes and increased their commitment to this platform in a very big way. That would certainly explain its spectacular growth over the past decade.

But what about the rest of the mainframe world - those organizations that haven't "seen the light"? Often, they've curtailed investment in this "goose that lays the golden egg" and even tried to move to narrower platforms for the sake of perceived savings.

I think the time has come to wake them up. In fact, if the management of an organization doesn't see the value of their mainframe, they don't have the information necessary to run their businesses properly.

So, the question is: who's going to do it?

The answer? Us! You and me. It's time for us to stop being apologetic about the mainframe and stand up and let people know how important and valuable it is - and particularly people who ought to know in order to do their jobs properly.

So, my question for you is: what can you do to help your management appreciate the critical importance of your mainframe to your organization's success?

I look forward to your thoughts!

Share this post: Email it! | bookmark it! | digg it! | reddit!

Automatic Patch-Based Exploit Generation

Ken Williams — Thu, 24 Apr 2008 20:27:00 GMT

The Full-Disclosure mailing list is good for interesting, and often humorous, content on a daily basis. The highlight of the week last week was a link to a paper entitled "Automatic Patch-Based Exploit Generation", by David Brumley, Pongsin Poosankam, Dawn Song, and Jiang Zheng. From the abstract ... "In this paper, we propose techniques for automatic patch-based exploit generation, and show that our techniques can automatically generate exploits for vulnerable programs based upon patches provided via Windows Update. [...] Attackers can simply wait for a patch to be released, use these techniques, and with reasonable chance, produce a working exploit within seconds. Coupled with a worm, all vulnerable hosts could be compromised before most are even aware a patch is available, let alone download it." 2008 is going to be an interesting year for security enthusiasts.

Edited to add: Halvar.Flake has a blog post with very insightful commentary on the paper.

Share this post: Email it! | bookmark it! | digg it! | reddit!

Recent news and how IAM could have helped

Merritt Maxim — Wed, 23 Apr 2008 15:27:00 GMT

As information security professionals, we are always interested in finding stories or anecdotes to help make a point or to further educate people on the importance and need for strong information security.

An item grabbing US headlines recently was the story concerning the inappropriate access to the passport files of the 3 major US presidential candidates, Barack Obama, Hillary Clinton, and John McCain: http://www.cnn.com/2008/POLITICS/03/21/obama.passport/index.html

At first glance, this story did not seem particularly interesting, especially when I realized that a passport file contains basic statistics such as birth date, height, weight and eye color-information that is already widely available for such public figures as these. Other than the applicant's social security number, there is no real significant private data in these files. Clearly, this was purely a case of random snooping by curious employees, much like the similar incident when people accessed the medical files of actor George Clooney's and Britney Spears. http://abcnews.go.com/US/story?id=4498155&page=1

But, as more details around this story emerged this week, my interest in the story evolved from that of a concerned citizen to that of an information security professional. According to State Department spokesman Sean McCormack, Senator Obama's files had been viewed three times by contractors working for the agency starting in January. In Clinton's case, a trainee accessed her files in 2007. McCormack said two of the contractors in the Obama case were "low-level" personnel and the other was in a mid-level position with no management role.

Now, let's reconsider this situation. These were not full-time employees doing this, but contractors and trainees who do not even work for the State Department. And while there is nothing wrong with hiring contractors (we have since learned that the State Department hires contractors to design, build and maintain their systems), this incident raises questions about how well (or not) the State Department is provisioning access to data, application and systems. In this situation, it is not just that it was contractors that accessed the files, but that the contractors themselves were ‘low-level' personnel. Unfortunately, we do not know the specific IT architectural details of the passport system, but the fact that contractors in non-management roles were able to access any and all data for highly public figures suggests that the passport system suffers from a monolithic "access for all" security model. Unfortunately, this is often the case in legacy systems that were designed and deployed decades ago with no elaborate security access control mechanisms. In the initial years of operation, such systems are only accessed by a small defined group of individuals. Thus, auditing and controlling access to information is easy.

But, as such systems become more widespread, the number of users requesting access increases rapidly. And in the case of a high value application like the passport application system, it cannot be taken off-line over an extended period of time so that developers can create a more robust security model for the application. As a result, this "access for all" model becomes the standard, meaning that everyone ends up with the same level of access, regardless of responsibility, title or function.

Situations like this scream out for identity and role management. These types of systems empower organizations to create security and access models specific for individual roles and functions. In the State Department case, a separate role category of ‘contractor' could be created and within the contractor category, certain roles such as trainee, manager etc. could be created with the level of security access commensurate with each role. Such systems deliver two levels of benefits. One, they greatly simplify management and administrative operations because the IT team only needs to manage dozens of roles instead of hundreds of individuals. And secondly, identity management systems can reduce risk by ensuring that users' access to information is limited to their actual business function. Had such systems been in place at the State Department, it is unlikely that these kinds of breaches would have even happened.

Share this post: Email it! | bookmark it! | digg it! | reddit!

CA ARCserve Backup r12 and CA Secure Content Manager r8 vulnerabilities

Ken Williams — Mon, 21 Apr 2008 23:10:00 GMT

CA is currently investigating vulnerability reports concerning CA ARCserve Backup r12 and CA Secure Content Manager r8 that were published publicly on 4/17/08 and 4/18/08 respectively. CA will issue an advisory if and when the reports have been verified.

Share this post: Email it! | bookmark it! | digg it! | reddit!

Liberty Alliance Workshop at the RSA Conference Drives Home the Point that Identity Federation is Entering the IT Security Mainstream

Matthew Gardiner — Thu, 17 Apr 2008 13:31:00 GMT

I recently returned from a week at the RSA Conference which is somewhat of an annual pilgrimage for IT security people that takes place in the heart of San Francisco in the Moscone Center.

http://www.rsaconference.com/2008/US/home.aspx

Even though the Olympic flame relay was also in town on its only stop in North America on its worldwide tour, we RSA Conference attendees stayed focused on IT security.

http://edition.cnn.com/2008/US/04/08/us.olympic.torch/index.html

As I arrived in San Francisco on the Sunday before the start of the conference, one question on my mind was where are we in the adoption of identity federation? This is a question I get asked a lot so I am always looking for evidence supporting one view or another. So I wanted to find out how interested the average RSA Conference attendee was in the topic of federation? This would certainly be a valid data point to help answer the larger question.

Fortunately I had a great way to gauge that because the very next day on the afternoon of "workshop monday" at the start of the RSA Conference, the Liberty Alliance was having a half-day workshop entitled, "Identity Federation & Web Services: Happening Today - Enabling Tomorrow". Certainly one measure of interest and adoption can be taken from the nearly 500 people who registered and attended this workshop. To see the slides from all of the presentations from this workshop please go to the Liberty Alliance Web site here:

http://projectliberty.org/liberty/resource_center/presentations_webcasts.

One of the key points of this workshop was to show interested RSA Conference attendees how the use of standards-based identity federation technologies can provide immediate business value as well as prepare the organization to thrive in a heavily federated and trust-based world that is rapidly descending on us in the form of SaaS, identity as a service, application outsourcing, user centric identity or whatever terminology or perspective fits your view of the world.

CA was fortunate to have two excellent federation customer case studies presented during the event, the first one from BT's Chief Security Architect, Robert Temple, in which he discussed their success in extending their Web security infrastructure to enable browser-federation with many partners of BT. The second CA customer case study session was from Chris Sharp of MEDecision in which he discussed the key enabling role of a centralized, policy-based security service for SOA & Web services based applications.

My personal perspective is that federation in its broadest sense is now entering mainstream usage. Will it solve all identity related problems that came before it? Of course not. But it has proven itself to be a valuable tool when applied by experienced practitioners to the right project. To me that is a sign that mainstream, thought not necessarily ubiquitous usage, is currently unfolding.

Share this post: Email it! | bookmark it! | digg it! | reddit!

Manage IT Governance Components in an IT Governance Context

Steve Romero — Wed, 16 Apr 2008 19:45:00 GMT

I just finished studying an analyst report entitled "The State of IT Governance In North American and European Enterprises." You already know that almost anything about IT Governance excites me, with an analyst report about my favorite topic high on the list. But, while there was certainly a lot of compelling data in the report, I was left wanting more.

The study focused on 8 areas: Strategic Positioning, The Perception of IT In The Enterprise, Standardization, How IT Is Structured, IT Planning, Architecture and The Role Of R&D In IT, Managing Vendors, and Managing Projects.

While these areas do fall within IT Governance, what I was looking for was information on enterprise efforts to establish IT Governance, or enterprise progress in regards to IT Governance initiatives. I was interested in the 8 areas, but more interested in how they were managed as part of a larger IT Governance initiative. Were the enterprises surveyed even aware that these were the major areas of IT Governance?

I continue to believe very few organizations adequately understand the nature and discipline of IT Governance. Until enterprises recognize the areas of the Forrester report as subsets of IT Governance, they have little chance of fully achieving the very specific goals, and realizing the very specific benefits, of IT Governance.

But I am hopeful that the day will come. And I am anxiously awaiting the next IT Governance analyst report in my inbox.

Share this post: Email it! | bookmark it! | digg it! | reddit!

CA DSM gui_cm_ctrls ActiveX Control Vulnerability

Ken Williams — Wed, 16 Apr 2008 15:34:00 GMT

On April 15th, 2008 CA published a security notice to address a vulnerability in CA products that implement the DSM gui_cm_ctrls ActiveX control.

Title: CA DSM gui_cm_ctrls ActiveX Control Vulnerability

CA Advisory Date: 2008-04-15

Reported By: Greg Linares of eEye Digital Security

Impact: A remote attacker can execute arbitrary code or cause a denial of service condition.

Summary: CA products that implement the DSM gui_cm_ctrls ActiveX control contain a vulnerability that can allow a remote attacker to cause a denial of service or execute arbitrary code. The vulnerability, CVE-2008-1786, is due to insufficient verification of function arguments by the gui_cm_ctrls control. An attacker can execute arbitrary code under the context of the user running the web browser.

Mitigating Factors: For BrightStor ARCserve Backup for Laptops & Desktops, only the server installation is affected. Client installations are not affected. For CA Desktop Management Suite, Unicenter Desktop Management Bundle, Unicenter Asset Management, Unicenter Software Delivery and Unicenter Remote Control, only the Managers and DSM Explorers are affected. Scalability Servers and Agents are not affected.

Severity: CA has given these vulnerabilities a maximum risk rating of High.

Affected Products:
BrightStor ARCServe Backup for Laptops and Desktops r11.5
CA Desktop Management Suite r11.2 C2
CA Desktop Management Suite r11.2 C1
CA Desktop Management Suite r11.2a
CA Desktop Management Suite r11.2
CA Desktop Management Suite r11.1 (GA, a, C1)
Unicenter Desktop Management Bundle r11.2 C2
Unicenter Desktop Management Bundle r11.2 C1
Unicenter Desktop Management Bundle r11.2a
Unicenter Desktop Management Bundle r11.2
Unicenter Desktop Management Bundle r11.1 (GA, a, C1)
Unicenter Asset Management r11.2 C2
Unicenter Asset Management r11.2 C1
Unicenter Asset Management r11.2a
Unicenter Asset Management r11.2
Unicenter Asset Management r11.1 (GA, a, C1)
Unicenter Software Delivery r11.2 C2
Unicenter Software Delivery r11.2 C1
Unicenter Software Delivery r11.2a
Unicenter Software Delivery r11.2
Unicenter Software Delivery r11.1 (GA, a, C1)
Unicenter Remote Control r11.2 C2
Unicenter Remote Control r11.2 C1
Unicenter Remote Control r11.2a
Unicenter Remote Control r11.2
Unicenter Remote Control r11.1 (GA, a, C1)
CA Desktop and Server Management r11.2 C2
CA Desktop and Server Management r11.2 C1
CA Desktop and Server Management r11.2a
CA Desktop and Server Management r11.2
CA Desktop and Server Management r11.1 (GA, a, C1)

Affected Platforms:
Windows

Status and Recommendation:

CA has provided the following updates to address the vulnerabilities.

BrightStor ARCserve Backup for Laptops and Desktops r11.5:
QI96333

CA Desktop Management Suite for Windows r11.1 (GA, a, C1),
Unicenter Desktop Management Bundle r11.1 (GA, a, C1),
Unicenter Asset Management r11.1 (GA, a, C1),
Unicenter Software Delivery r11.1 (GA, a, C1),
Unicenter Remote Control r11.1 (GA, a, C1):
QO96283

CA Desktop Management Suite for Windows r11.2a,
Unicenter Desktop Management Bundle r11.2a,
Unicenter Asset Management r11.2a,
Unicenter Software Delivery r11.2a,
Unicenter Remote Control r11.2a:
QO96286

CA Desktop Management Suite for Windows r11.2,
Unicenter Desktop Management Bundle r11.2,
Unicenter Asset Management r11.2,
Unicenter Software Delivery r11.2,
Unicenter Remote Control r11.2:
QO96285

CA Desktop Management Suite for Windows r11.2 C1,
Unicenter Desktop Management Bundle r11.2 C1,
Unicenter Asset Management r11.2 C1,
Unicenter Software Delivery r11.2 C1,
Unicenter Remote Control r11.2 C1:
QO96284

CA Desktop Management Suite for Windows r11.2 C2,
Unicenter Desktop Management Bundle r11.2 C2,
Unicenter Asset Management r11.2 C2,
Unicenter Software Delivery r11.2 C2,
Unicenter Remote Control r11.2 C2:
QO99084

CA Desktop and Server Management r11.2 C2:
QO99080

CA Desktop and Server Management r11.2 C1:
QO96288

CA Desktop and Server Management r11.2a:
QO96290

CA Desktop and Server Management r11.2:
QO96289

CA Desktop and Server Management r11.1 (GA, a, C1):
QO96287

How to determine if you are affected:

For products on Windows:
1. Using Windows Explorer, locate the file “gui_cm_ctrls.ocx”. By default, the file is in the “C:\Program Files\CA\DSM\bin\” directory.
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is earlier than indicated in the list below, the installation is vulnerable.

Product	File Name	File Version
CA Desktop Management Suite for Windows r11.1 (GA, a, C1), Unicenter Desktop Management Bundle r11.1 (GA, a, C1), Unicenter Asset Management r11.1 (GA, a, C1), Unicenter Software Delivery r11.1 (GA, a, C1), Unicenter Remote Control r11.1 (GA, a, C1), CA Desktop and Server Management r11.1 (GA, a, C1)	gui_cm_ctrls.ocx	11.1.8124.2517
CA Desktop Management Suite for Windows r11.2, Unicenter Desktop Management Bundle r11.2, Unicenter Asset Management r11.2, Unicenter Software Delivery r11.2, Unicenter Remote Control r11.2, CA Desktop and Server Management r11.2	gui_cm_ctrls.ocx	11.2.2.4332
CA Desktop Management Suite for Windows r11.2a, Unicenter Desktop Management Bundle r11.2a, Unicenter Asset Management r11.2a, Unicenter Software Delivery r11.2a, Unicenter Remote Control r11.2a, CA Desktop and Server Management r11.2a	gui_cm_ctrls.ocx	11.2.3.1896
CA Desktop Management Suite for Windows r11.2 C1, Unicenter Desktop Management Bundle r11.2 C1, Unicenter Asset Management r11.2 C1, Unicenter Software Delivery r11.2 C1, Unicenter Remote Control r11.2 C1, BrightStor ARCserve Backup for Laptops and Desktops r11.5, CA Desktop and Server Management r11.2 C1	gui_cm_ctrls.ocx	11.2.1000.17
CA Desktop Management Suite for Windows r11.2 C2, Unicenter Desktop Management Bundle r11.2 C2, Unicenter Asset Management r11.2 C2, Unicenter Software Delivery r11.2 C2, Unicenter Remote Control r11.2 C2, CA Desktop and Server Management r11.2 C2	gui_cm_ctrls.ocx	11.2.2000.4

Workaround: As a temporary workaround solution, disable the gui_cm_ctrls ActiveX control in the registry by setting the kill bit on CLSID {E6239EB3-E0B0-46DA-A215-CFA9B3B740C5}. Disabling the control may prevent the GUI from functioning correctly. Refer to Microsoft KB article 240797 for information on how to disable an ActiveX control.

References (URLs may wrap):
CA Support:
http://support.ca.com/
Security Notice for CA products using the DSM gui_cm_ctrls ActiveX control
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=174256
Solution Document Reference APARs:
QI96333, QO96283, QO96286, QO96285, QO96284, QO99084, QO99080, QO96288, QO96290, QO96289, QO96287
CA Security Response Blog posting:
CA DSM gui_cm_ctrls ActiveX Control Vulnerability
http://community.ca.com/blogs/casecurityresponseblog/archive/2008/04/16/[...]vulnerability.aspx
Reported By:
Greg Linares of eEye Digital Security
CVE Reference:
CVE-2008-1786
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1786
OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form.

URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx

Share this post: Email it! | bookmark it! | digg it! | reddit!

Automating the Data Center - Where to Start

Ben Scheerer — Tue, 15 Apr 2008 17:33:00 GMT

Data center automation (DCA) is designed to deliver value back to the business through increased levels of service and flexibility to meet business needs and demands. With increasing complexity within the data center, including but not limited to: a growing number of applications, bare metal and virtual server sprawl, security and regulatory requirements, there is an increased need for effective management in minimizing its effects.
In a recent independent study on data center automation sponsored by CA (http://www.ca.com/dca/survey), the majority (46%) of the respondents identified business compliance/ uptime as the number one challenge that they hope to address with automation. However, the survey respondents also indicated that those who have already implemented some sort of automation (an average of 48% of their data center tasks) saw that only 12% had seen these efforts as highly effective.
This brings into question where to begin an automation effort?" The right tools are essential in obtaining your automation goals, and tools that are flexible enough support your organization's unique processes and capabilities are an absolute necessity. Begin by identifying and defining your current and repeatable processes. This task could present some difficulty depending on where you are in establishing a best practices approach to IT service management (ITSM). Of course the IT Infrastructure Library (ITIL), takes the lead as an approach to define and map these processes as part of the overall IT services lifecycle.
In the event that you have not introduced any of these process frameworks or best practices in your environment, simply identify the existing approaches to the routine tasks currently undertaken in the data center such as patch management, maintaining consistency through gold standards, workload automation and/or server provisioning. Once your routine and repeatable processes have been successfully identified and automated, be sure to continuously measure their effectiveness and implement any changes as needed for improvement.
Next in your quest for automation, begin to identify and define more complex processes that can bring additional value from IT services to the business. At this point you may have already experienced a level of "enlightenment" in the quest for data center automation, meaning that you have already freed-up resources (both human and technology), allowing more time to focus on more strategic efforts. Examples of more complex processes include intricate workloads and policy based provisioning (based on business policy).
Data center automation has many points of entry and is only limited by your organization's ability to plan and execute where it makes sense to the business (cost vs. value). Take a careful look at what your situation has to offer and evaluate the best course of action for automation in your unique environment.

Share this post: Email it! | bookmark it! | digg it! | reddit!

CSI: Crime Scene Investigation or Continual Service Improvement – You decide

Marvin Waschke — Mon, 14 Apr 2008 12:11:00 GMT

Most of the country thinks CSI stands for "Crime Scene Investigation," as popularized on TV. In a convoluted sort of way, the acronym means something similar in ITIL® v3. This is a stretch, but bear with me.

In v3, CSI stands for Continual Service Improvement and it is the fifth volume of the v3 publication. In the v3 scheme of things, CSI is the culmination of Strategy, Design, Transition, and Operation and is the phase in the service lifecycle that actually is part of all of the previous four phases. But too often, CSI becomes Crime Scene Investigation when we in IT mess up.

On TV, the ensuing activity takes place in Las Vegas, Miami and New York. In this blog, we visit Washington DC...

Recently, the Census Bureau announced that they are abandoning a plan to replace paper and pencil with wireless handheld computers for the 2010 census, a move that will add 3 billion dollars to the cost of conducting the census according to the New York Times in an article entitled "Dust Off the Pencils: Plans for High-Tech Census Collapse." The Washington Post article is entitled Census Back to Pen and Paper. I'm not sure what bothers me more, overlooking industry best practices, the $3 billion, or sharpening all those pencils.

As a student of ITIL, the phase "crime scene" might come to mind when reading the details. I don't want to point fingers or try to second guess the participants based only on a couple of news items, but this is an example of a failure in service management that ITIL good practices are designed to prevent.

Apparently, the problem began in the strategy phase when the requirements for a projected service are formulated based on the strategic goals. I infer from the news reports that the strategic goal of this service was to increase the accuracy and decrease the cost of the census. The strategic plan was a reasonable, even modest, extension of commonly used inventory technology: use GPS enabled handheld computers to record the exact location of each canvassed household and wirelessly transmit the collected data to regional accumulation centers. According to the reports, the requirements for implementing this plan were not thoroughly understood or communicated to the partner who was to supply the devices. As the project proceeded, more and more requirements were added, under-estimates were revealed, and costs ballooned, eventually resulting in the cancellation of plans to implement the service.

It is not clear whether the service ever got beyond the design phase and into transition where it would have been tested and deployed into the production environment, and it certainly never reached the operation.

In the ITIL v3 service lifecycle, CSI plays a role in every phase. Experience with the service in each phase is collected and analyzed to discover ways to improve the service. In the case of a failed service, this is a lot like Crime Scene Investigation, looking for the mistakes made and tracing flaws so that the service can be improved in the future.

Census takers may still use pen and paper in 2010, but if the Census Bureau applies CSI properly, there is a good chance that the 2020 census will be automated.

ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.

Share this post: Email it! | bookmark it! | digg it! | reddit!

Some thoughts on e-ID

Mike Small — Fri, 11 Apr 2008 13:22:00 GMT

In late February I gave a talk at a conference on e-ID in Belgium organized by L-SEC http://www.lsec.be. Belgium is one of the first countries in the world where all citizens will have their identity supported by a digital identity card. Unlike Finland, where the e-ID card is optional, in Belgium it is a legal requirement that every resident registers their address. This registration process is performed at the local town hall and delivers an e-ID identity card at a cost of around 10 Euros. Up to date around 7 million e-ID cards have been distributed; by the end of the year all 8.3 million citizens older than 12 years of age should be in possession of their e-ID. It is no surprise that Belgium is looking for ways to exploit this card.

One example of this is eBay who recently entered into an agreement to integrate e-ID as one of the verification options for its users in Belgium. This new functionality allows new and existing eBay-users to (re)register on the site by having their identity confirmed quickly, and safely. On top of that, eBay-sellers who use this verification method will get an ‘e-ID Verified’ label next to their username. Next to the seller’s profile and feedback score, this will be an additional indicator to that the buyer or seller is trustworthy.

The three basic functionalities of e-ID are data capture, authentication and electronic signature. Around 40 to 50% of all e-ID applications in Belgium relate to data capture and 40 to 45% are for authentication. Together data capture and authentication cover 90 to 95% of all the current applications. The much smaller number around 5% to 10% relate to electronic signature. ‘Data capture’ is when the card is put into the reader in the library, a hotel or in the city hall and the application reads the name and some other data on the e-ID card. ‘Authentication’ is used in all kinds of web applications (and incidentally CA’s SiteMinder is used by the Flemish Government MVG for this). The e-ID card is also well suited as authentication mechanism for PC banking.

The card stores a visible and digital picture but also allows to log on to the National Register, the government database. The e-ID card is used to authenticate the citizen for access to public services. The resident can also consult the Register and see what the authorities have stored and who has accessed that information (except for State Security). For example a user can use the card to borrow books from the library and later check which books he has borrowed and when they are due to be returned. A more mundane side effect of this is that access to municipal garbage dumps is now controlled by your e-ID card. If you try to dump your garbage at a dump that is outside of the commune where your address is registered you will not be allowed access!

Share this post: Email it! | bookmark it! | digg it! | reddit!

ITIL v3 – You’re doing it whether you know it or not

Robert Stroud — Tue, 08 Apr 2008 18:36:00 GMT

I'd like to make a quick point. There are times when I find the discussions surrounding ITIL® v3 popularity to be superfluous. That's because whether or not people are "for" ITIL v3, if they want to work for successful organizations, they have probably already put several aspects of ITIL v3 into practice -- whether they realize it or not.

I recently visited several European ITIL practitioners who are in process of transforming their ITSM implementations to support their dynamic business environments -- the objective, to innovate as the market demands. As the head of the ITSM team at a large manufacturer commented, "any ITIL implementation that is service aligned is doing much of v3 already." I concur.

In his case, Knowledge Management, Self Help and Access Management have been part of his culture for the last 12 months and pre-date the launch of v3.

So please. There is no "for" or "against." You are going to adopt some practices that are suspiciously reminiscent of ITIL v3. If you choose not to label them as such, so be it. Or, to paraphrase Chelsea Clinton, "that's absolutely none of my business."

ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.

Share this post: Email it! | bookmark it! | digg it! | reddit!

User-centric Identity - a joint CA/Microsoft effort

Jeffrey Broberg — Tue, 08 Apr 2008 15:29:00 GMT

The Identity Metasystem offers a new way to think about the relationship between parties that are interested in either consuming or producing identity information. Sometimes this is referred to as Identity 2.0, or more correctly as User Centric Identity. This new paradigm offers many benefits, from increased security, enhanced privacy, and the opportunity for new business models. It is sometimes misinterpreted as a technology that nullifies the current identity practices that many enterprises have in place. This is most likely due to the technical nature of most literature available on User Centric Identity, and on the focus of standards and interoperability. But it could not be farther from the truth.

What is really important about the Identity Metasystem is that it defines an “Identity Dial Tone” that prescribes how identity can flow seamlessly through enterprise websites, web services, and the ever growing social networking and collaboration services, spanning both high and low trust situations. For the potential opportunity of this new ecosystem to thrive, it is important that it is embraced and delivered to enterprise customers in a way that allows them to incorporate the concepts in their existing infrastructures, without the fear that large portions of the solutions will need to be replaced or significantly modified.

CA and Microsoft are committed to the Identity Metasystem and on helping customers realize the benefits of the Identity Metasystem, while protecting their current investments. To focus the discussion on business objectives, and less on technical practices, CA and Microsoft have jointly developed a White paper “CA and Microsoft Support for User-Centric Identity and the Identity Metasystem” that describes the Identity Metasystem, InfoCards and how they can be incorporated into existing solutions where CA and Microsoft technologies are being used.

Share this post: Email it! | bookmark it! | digg it! | reddit!

CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite Multiple Vulnerabilities

Ken Williams — Fri, 04 Apr 2008 12:47:00 GMT

On April 3rd, 2008, CA published a security notice to address multiple vulnerabilities in CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite.

Title: CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite Multiple Vulnerabilities

CA Advisory Date: 2008-04-03

Reported By: Dyon Balding of Secunia Research

Impact: A remote attacker can execute arbitrary code or cause a denial of service condition.

Summary: CA ARCserve Backup for Laptops and Desktops Server contains multiple vulnerabilities that can allow a remote attacker to execute arbitrary code or cause a denial of service condition. CA has issued updates to address the vulnerabilities. The first issue, CVE-2008-1328, occurs due to insufficient bounds checking on command arguments by the LGServer service. The second issue, CVE-2008-1329, occurs due to insufficient verification of file uploads by the NetBackup service. The NetBackup service is a component of CA ARCserve Backup for Laptops and Desktops Server. In most cases, an attacker can potentially gain complete control of an affected installation. Additionally, only a server installation of BrightStor ARCserve Backup for Laptops and Desktops is affected. The client installation is not affected.

Note: the previously published patches for CVE-2007-3216 and CVE-2007-5005 did not fully address some issues.

Mitigating Factors: Client installations are not affected.

Severity: CA has given these vulnerabilities a maximum risk rating of High.

Affected Products:
CA ARCserve Backup for Laptops and Desktops r11.5
CA ARCserve Backup for Laptops and Desktops r11.1 SP2
CA ARCserve Backup for Laptops and Desktops r11.1 SP1
CA ARCserve Backup for Laptops and Desktops r11.1
CA ARCserve Backup for Laptops and Desktops r11.0
CA Desktop Management Suite 11.2 English
CA Desktop Management Suite 11.2 localized
CA Desktop Management Suite 11.1

Affected Platforms:
Windows

Status and Recommendation:
CA has provided updates to address the vulnerabilities.
CA ARCserve Backup for Laptops and Desktops 11.1, 11.1 SP1, 11.2 SP2: QO95512
CA ARCserve Backup for Laptops and Desktops 11.5: QO95513
CA Desktop Management Suite 11.2 English: QO95513
CA Desktop Management Suite 11.2 localized: QO95513
CA Desktop Management Suite 11.1: Upgrade to 11.1 C1.
CA ARCserve Backup for Laptops and Desktops 11.0: Upgrade to ARCserve Backup for Laptops and Desktops version 11.1 and apply the latest patches. QI85497

How to determine if you are affected:

For Windows:
1. Using Windows Explorer, locate the file"rxRPC.dll". The file can be found in the following default locations:
Product: CA ARCserve Backup for Laptops and Desktops 11.5
Directory Path: C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\Explorer
Product: CA ARCserve Backup for Laptops and Desktops 11.1
Directory Path: C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\server
Product: CA Desktop Management Suite 11.2 English
Directory Path: C:\Program Files\CA\DSM\BABLD\MGUI
Product: CA Desktop Management Suite 11.2 localized
Directory Path: C:\Program Files\CA\DSM\BABLD\MGUI
2. Right click on the files and select Properties.
3. Select the General tab.
4. If the file date is earlier than indicated in the below table, the installation is vulnerable.

Product	File Name	File Date / Size
CA ARCserve Backup for Laptops and Desktops 11.5	rxRPC.dll	February 18 2008 / 126976
CA ARCserve Backup for Laptops and Desktops 11.1	rxRPC.dll	February 18 2008 / 114688
CA Desktop Management Suite 11.2 English	rxRPC.dll	February 18 2008 / 126976
CA Desktop Management Suite 11.2 localized	rxRPC.dll	February 18 2008 / 126976

Workaround: None

References (URLs may wrap):
CA Support:
http://support.ca.com/
Security Notice for CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=173105
Solution Document Reference APARs:
QO95512, QO95513, QI85497
CA Security Response Blog posting:
CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite Multiple Vulnerabilities
http://community.ca.com/blogs/[...]-vulnerabilities.aspx
Reported By:
Dyon Balding of Secunia Research
CVE References:
CVE-2008-1328 and CVE-2008-1329
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1328
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1329
OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form.
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx

Share this post: Email it! | bookmark it! | digg it! | reddit!

CA Alert Notification Server Multiple Vulnerabilities

Ken Williams — Fri, 04 Apr 2008 11:55:00 GMT

On April 3rd, 2008 CA published a security notice to address a vulnerability in CA Alert Notification Server.

Title: CA Alert Notification Server Multiple Vulnerabilities

CA Advisory Date: 2008-04-03

Reported By: An anonymous researcher working with the iDefense VCP

Impact: A remote authenticated attacker can execute arbitrary code or cause a denial of service condition.

Summary: CA Alert Notification Server service contains multiple vulnerabilities that can allow a remote authenticated attacker to execute arbitrary code or cause a denial of service condition. CA has issued updates to address the vulnerabilities. The vulnerabilities, CVE-2007-4620, are due to insufficient bounds checking in multiple procedures. A remote authenticated attacker or local user can exploit a buffer overflow to execute arbitrary code or cause a denial of service.

Mitigating Factors: Remote attacker must have legitimate authentication credentials.

Severity: CA has given these vulnerabilities a maximum risk rating of High.

Affected Products:
CA Anti-Virus for the Enterprise 7.1
CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8
CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8.1
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8.1
BrightStor ARCserve Backup r11.5
BrightStor ARCserve Backup r11.1
BrightStor ARCserve Backup r11 for Windows

Affected Platforms:
Windows

Status and Recommendation:
CA has provided updates to address the vulnerabilities.
CA Anti-Virus for the Enterprise 7.1, CA Anti-Virus for the Enterprise r8: QO96079
CA Threat Manager for the Enterprise r8: QO96387
CA Anti-Virus for the Enterprise r8.1, CA Threat Manager for the Enterprise r8.1: QO96080
BrightStor ARCserve Backup r11.5, BrightStor ARCserve Backup r11.1: QO96079
BrightStor ARCserve Backup r11.0: Upgrade to 11.1 and apply the latest patches.

How to determine if you are affected:

For products on Windows:
   1. Using Windows Explorer, locate the file "alert.exe". By default, the file is located in the "C:\Program Files\CA\SharedComponents\Alert" directory.
   2. Right click on the file and select Properties.
   3. Select the Version tab.
   4. If the file version is earlier than indicated in the below table, the installation is vulnerable.

Product	File	Version
CA Anti-Virus for the Enterprise r8.1	Alert.exe	8.1.586.0
CA Threat Manager for the Enterprise 8.1	Alert.exe	8.1.586.0
CA Threat Manager for the Enterprise r8	Alert.exe	8.0.450.0
CA Anti-Virus for the Enterprise 7.1	Alert.exe	7.1.758.0
CA Anti-Virus for the Enterprise r8	Alert.exe	7.1.758.0
BrightStor ARCserve Backup r11.5	Alert.exe	7.1.758.0
BrightStor ARCserve Backup r11.1	Alert.exe	7.1.758.0

Workaround: None

References (URLs may wrap):
CA Support:
http://support.ca.com/
Security Notice for Alert Notification Server
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=173103
Solution Document Reference APARs:
QO96079, QO96387, QO96080, QO96079
CA Security Response Blog posting:
CA Alert Notification Server Multiple Vulnerabilities
http://community.ca.com/blogs/casecurityresponseblog/archive/2008/04/04/ca-alert-notification-server-multiple-vulnerabilities.aspx
Reported By:
An anonymous researcher working with the iDefense VCP
CVE References:
CVE-2007-4620
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4620
OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form.
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx

Share this post: Email it! | bookmark it! | digg it! | reddit!

COBIT and ITIL – Better Together

Robert Stroud — Tue, 01 Apr 2008 13:25:00 GMT

Those of you struggling with bringing IT and business alignment to life through your ITIL® initiative may be surprised to learn that your salvation may lie in a free download.

Even with the improved use of organizational charts and metrics in ITIL v3, some practitioners have commented that the linkage to a sound maturity process is still lacking. This is where COBIT, which is available for free from http://www.isaca.org/, can assist.

Many companies that I work with have been using COBIT's Key Performance Indicators, Maturity Models and RACI Charts (which track Responsible, Accountable, Consulted and Informed persons for every process) to provide metrics and structure for their ITIL processes.

COBIT is the governance framework that aligns business strategies and objectives with IT deliverables by identifying and analyzing the IT processes and measurements needed to construct processes that deliver desired business results.

COBIT provides the missing governance capabilities for your ITIL processes, helping you measure and assure performance and roll up the metrics to business requirements to provide a holistic view of your performance.

While ITIL does offer performance measurements and organizational information, in my opinion these don't roll up to the business level to the extent COBIT does.

For example, take a look at COBIT process DS1, Define and Manage Service Levels, which is defined as control over the IT processes of defining and managing service levels with the objective of ensuring the alignment of key IT services with business strategy. COBIT identifies requirements, inputs, outputs, report requirements, organizational impact, metrics and the maturity model (every COBIT process has its own maturity model to show you where you are and where you are going ) -- all of which can assist you in your ITIL journey.

So go to isaca.org and download COBIT. It's on me.

By the way, check back at isaca.org in the next few weeks for mappings of COBIT 4.1 to ITIL v3. We'll have two versions to choose from depending on whether you have an existing leaning towards COBIT or ITIL.

ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.

Share this post: Email it! | bookmark it! | digg it! | reddit!

Should Service Users Be Tracked as CIs in the CMDB?

Marvin Waschke — Tue, 01 Apr 2008 13:17:00 GMT

As CMDB experts go, I have a lot of experience, starting with implementations a decade ago when ITIL was almost unknown in North America. Still, a question posed to me at CA's recent customer-focused Development Buddy Summit sent me to the books -- the ITIL® books that is -- hunting for an answer.

In a one-on-one conference, a customer asked me if it was appropriate to use "people CIs" in the CMDB to track subscribers to services.

Hmmm. Technically, the CA CMDB can support such a practice. After all, it has a CI family representing people that can be connected with applications such as HR and LDAP (Lightweight Directory Access Protocol that helps you locate individuals and other resources on the Internet or on an intranet) that specialize in information about people. Theoretically, those "people CIs" could have a "subscribes to" relationship with service CIs. But maintaining these "people CIs" would be a predominantly manual process that would not scale easily throughout an enterprise.

I suggested that CA Service Catalog could be the solution as it is designed to track and manage subscriptions to services.

Though I had provided an answer, the nagging question followed me back to my hotel room and kept me awake that night. When a customer asks for something, I like to examine the need in depth. If one client perceives a need, then others might as well and that could lead to useful product enhancements.

This question sent me to the ITIL v3 library for an answer. If ITIL suggested using people CIs to represent service subscribers, then perhaps we should consider putting more support for it into the CA CMDB.

After hours of research that took me through several ITIL v3 volumes, I concluded that ITIL does not suggest using people CIs in this manner.

The ITIL v3 Service Transition publication does list "people" as potential CIs, but only in two types of CIs. The first type of CI that includes people is the Service Capability CI. This represents the intangible capabilities or expertise that organizations, functions, teams, or people have to design, implement, operate, and maintain services. The second type of CI is the Service Resource CI. Service resources are tangible assets that can be drawn upon for services. A person is a service resource when he or she is employed to design implement, operate, or maintain services.

Subscribers, users or customers of a service are neither service resources nor service capabilities. Rather than contributing to a service, they receive value from a service.

ITIL talks about services as a way for users to assign costs and risks to a service supplier. In other words, service users are seeking to gain the benefits of service capabilities and service resources without taking on the risk of owning these capabilities or resources. Therefore, although ITIL v3 suggests people be included in the CMDB, it does not suggest service subscribers, users or customers should be CIs.

Since ITIL is good practice, not law, I did entertain the notion of including service customers in the CMDB even though this practice was not mentioned by the ITIL authors. Ultimately, I decided against it. SACM (Service Asset and Configuration Management, the processes that own the CMDB) focuses on supporting the implementation of service designs that represent solutions that meet requirements based upon enterprise business strategies. That is a tall order, but it does not include managing the users of services. Loading the CMDB up with subscribers, users and customers is bound to invite confusion and error.

The conclusion I came to after several days of research matched the answer I gave during my client meeting: A service subscription catalog, which is designed to support the customer-to-service relationship, is the right place to house service subscriber, user and customer information.

I don't regret having invested the time. Researching answers is my favorite way to learn. Plus, I'm sleeping soundly once again.

ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.

Share this post: Email it! | bookmark it! | digg it! | reddit!