How can companies map ITSM innovations to regulations?
Those responsible for IT service management (ITSM) consistently struggle to align tech innovation with existing regulations, policies and procedures. Contracts are often not written to anticipate the innovations, and these failures in foresight can create significant ITSM compliance risks.
Privacy, information security, confidentiality and intellectual property rules often express requirements using imprecise words such as "reasonable," "suitable" or "adequate" to define the level of quality required for specific services or systems. An example rule could read, "Employers shall adopt and use reasonable controls appropriate to the sensitivity of the health information records of their employees."
I refer to these terms as SIAM terms, because they are Semantically Intentionally Ambiguous in Meaning. These words are descriptors for a system, process, control or known data set. The challenge for ITSM managers is to align their innovations to compliance regulations or contract requirements that use ambiguous terms like these.
Work with SIAM terms
When trying to decode SIAM terms for ITSM compliance risk, use a simple formula: "X is Y if," where X is the object or thing, and Y is the SIAM term.
X = privacy control
Y = reasonable
Plug these into the formula "X is Y if" so your statement reads: "The privacy control is reasonable if…"
What follows the "if" are answers to the following seven questions (be forewarned, the answers are not always easy to express):
- When does the rule apply? Answering this question requires accounting for the circumstances and context(s) in which a rule applies.
- To whom does the rule apply? The whom, or actor, may be a person, system, a process or any other well-described object or thing (note: being precise in the identification here is critical).
- What is the action governed by the rule? What behavior is required or prohibited?
- Which is the object of the action? Actors take actions against other objects: data, controls, gateways, portals, output, etc.
- How will the action be measured? Describing what will be measured is the key to mapping to SIAM-based rules. Are you measuring velocity, volume, rate of execution, size of input, size of output? Once a measurement is expressed, ask yourself, can I construct the innovation so these metrics can be automatically observed and recorded? If not, then the innovation needs to be amended to create that outcome.
- Where will the measurement be recorded? Many systems are engineered to create output metrics -- event logs, performance logs, etc. -- but the extra step of recording and retaining those measurements in a meaningful and accessible manner is not taken.
- To whom will the measurement be reported? Effective ITSM compliance requires supervision and management engagement -- both to assure the continuity of good performance and to intervene and impose sanctions when appropriate.
Answering these questions produces a well-designed alignment between the ITSM innovations and compliance regulations or rules that are, in themselves, not authored to be easily aligned.
This Ask the Expert is based on "Bridging the Chasm of SIAM", a chapter in Jeffrey Ritter's book, Achieving Digital Trust: The New Rules for Business at the Speed of Light.