Published: April 25, 2008 | Updated: October 10, 2008
This scenario uses a fictional company, Woodgrove Bank, to demonstrate the use of MOF 4.0. The scenario shows how Woodgrove Bank IT uses each MOF component in meeting a new business objective. For more information on any of these processes, see the MOF Phase Overviews and SMFs.
Woodgrove Bank is a small, regional U.S. bank. It has a new business opportunity that involves expanding operations to California. This puts the company under state laws that they have not had to comply with in the past. These state laws require that they make some changes to their existing security and privacy policies and systems.
Janet is the CEO of Woodgrove Bank. She and other members of the senior staff are going to drive the California expansion project, and they need to identify the actual work that needs to be done, assess the risks, and ensure compliance with the new state regulations. She knows that Woodgrove must greatly improve the ways in which it protects the security of the bank’s data and the privacy of its customers’ personally identifiable information (PII). This involves thoroughly understanding the California laws, defining the necessary security and privacy controls, assessing the risk and impact of the changes, planning for the changes, building, testing, and deploying the changes, and preparing Customer Service and Operations to support the changes.
Governance, Risk, and Compliance SMF
Janet arranges a series of meetings with the management team to determine how to provide the necessary security and privacy controls for the California expansion. During their meetings, they review pertinent California regulations and define the following security and privacy controls:
- Standards, policies, and procedures
- Data access controls, including encryption
- Controls that protect the bank’s computer systems
The bank already has an IT governance policy in place, but Janet knows that they must assess the risks to security and privacy in their new endeavor and then design, document, and implement the proper controls. They begin by examining Woodgrove’s:
- Mission statement.
- Risk tolerance and approach to risk management.
- IT portfolio.
- IT service maps.
- Incident reports and security events.
- Regulatory environment and past non-compliance events.
The result is an IT services risk characterization report. This report, together with an awareness of possible threats and vulnerabilities to the bank’s data, allows the team to prioritize the risks and identify the necessary controls—the most important of which is the encryption of data—and then implement them. The team also recommends systems for monitoring, tracking, and reporting risks and controls.
The team knows that the most critical aspect of its preparations for the expansion concerns compliance with the California state regulations and law. The team identifies all pertinent California policies, laws, and regulations, creates a compliance plan, and sets up compliance auditing.
Janet (CEO), Charles (CIO), Kevin (Security Manager), and Neil (IT Manager) need to update the bank’s policies to incorporate the new state laws with which they must comply and to increase security and privacy through the use of data encryption.
First, they determine the areas requiring policy changes. Next, they create security, privacy, and appropriate use policies. After the policies have been created, they perform a policy review and incorporate any changes.
The team then establishes controls for enforcing the policies and corrective actions for infractions, sets up a system for recording infractions, and then releases the policies to bank employees who need to know about them. After the policies have been released, the team needs to analyze enforcement of the policies and evaluate their effectiveness, so it sets up a structure for periodically reviewing policies and changing them if necessary.
Neil (IT Manager), Ray (Infrastructure Manager), Linda (Development Manager), and Jamie (Operations Manager) tackle ensuring the reliability, dependability, and trustworthiness of the changes that must be made to comply with the California laws.
First, they define the business and service requirements for the changes by examining the new laws, internal bank policies, risk analysis, and reliability parameters. This results in service level requirements, data classification, and data handling policies. Next, they plan and develop a reliability specification model, project plan, and responsibilities for development activities.
The team reviews and updates the following documents:
- The availability plan, which describes the plans for ensuring high availability for the service and which addresses the hardware, software, people, and processes related to the service.
- The capacity plan, which outlines the strategy for assessing overall service and component performance and uses this information to develop the acquisition, configuration, and upgrade plans.
- The information security plan, which describes how the service will be brought to acceptable levels of security. It details existing security threats and how implementing security standards will mitigate those threats. The information security plan addresses data confidentiality, data integrity, and data availability.
- The disaster recovery plan, which specifies the actions and activities that IT will follow in the event of a disaster. The purpose of this plan is to ensure that critical IT services are recovered within required time frames.
- The monitoring plan, which defines the process by which the operational environment will monitor the service, the information being sought, and the ways in which the results will be reported and used.
The team reviews the plans with Janet (CEO), Charles (CIO), and Kevin (Security Manager), makes appropriate changes, and then approves the plans.
Financial Management SMF
Working with its Finance team, the team creates an IT cost model and sets up the budget model covering the proposed changes. As a result of this process the team:
- Determines maintenance and operations costs.
- Defines how to track the project and operations costs.
- Adds the tracking requirements to the project plan.
- Estimates the project costs and expected value realization.
The team is satisfied that it now has a methodology to forecast, track, and eventually evaluate the business value realized from the decision to move into the California market.
Business/IT Alignment SMF
The team decides to create a service map for the changes to clarify the relationships between IT and the business and to determine requirements for the work that needs to be done.
Service mapping requires that the team:
- Identify the specific services to be created and their owners.
- Identify the key customers and users.
- Classify and categorize the components of the new services.
The team then takes this information and creates a draft of the service mapping illustration in Microsoft Visio® and a draft of the service mapping table in Microsoft Excel®, reviews the drafts, and publishes them.
Change and Configuration SMF
Kevin (Security Manager) and Neil (IT Manager) baseline the bank’s system configuration and do an initial assessment of the impact of the changes. After this is complete, they initiate a Request for Change (RFC) and route it to the bank’s change advisory board (CAB) for approval. Since this is not a standard change, the CAB analyzes the impact of the changes and then approves the RFC.
The teams will use change and configuration management throughout the rest of the IT service lifecycle.
Portfolio Management Review
The team presents the project proposal at a Portfolio MR to review and approve the proposed project, and then forms teams to design and deliver the new services. The ultimate outcome of this MR is the initial project charter. With the charter in hand, the team can now begin the process of creating and deploying the new services.
The management team analyzes the scope of the project, determines the roles that will be needed, and then organizes the core project team. The team then creates the project structure document that describes the project team’s organization, and specifies roles and responsibilities of each project team member. Phil, the IT Services Manager, also regularly participates in the team meetings to ensure that the customer is well represented. The management team now hands off the work to the project team.
The project team identifies a number of projects that will bring Woodgrove Bank into compliance with California laws, but it decides to start with the most critical component of the solution. The team decides to call this project the Data Encryption Project, and its goal is to implement Internet Protocol Security (IPSec) to encrypt all of the bank’s data including customer personal data. IPSec is a suite of cryptography-based protection services and security protocols.
The team then writes the vision/scope document, which provides a clear vision of what it wants to accomplish. The vision/scope document defines the deliverables for the project:
- IPSec deployment plan
- Definition and assignment of IPSec policies and rules
After the vision/scope document is approved by the team and the stakeholders, the project team completes the milestone review report for the Vision/Scope Approved Milestone. The team and stakeholders sign off on this report, indicating that the project is ready to proceed to planning.
Project Planning SMF
Now that the vision/scope document has been approved, the project team is ready to do the planning work for the project.
The team documents the project requirements and usage scenarios and creates the functional specification.
The project team also creates the design documents (conceptual design, logical design, and physical design) that record the results of the design process. These documents are separate from the functional specification and are focused on describing the internal workings of the solution.
Now the team begins the detailed planning of the project. The team leads prepare project plans for the deliverables in their areas of responsibility and participate in team planning sessions.
After the project plans are complete and approved, the project team rolls up the individual project plans into the master project plan. It then creates individual project schedules and rolls them up into the master schedule, which includes the release date for the solution.
Project Plan Approved Management Review
The project team, management team, and stakeholders review the functional specification, the master plan, and the master schedule and agree that the project team has met the requirements of the Project Plan Approved MR. The team is ready to move on to the development of the solution.
Now the project team begins developing the solution: the IPSec deployment plan, policies, and documentation.
The developers begin by developing the IPSec deployment plan. This plan addresses the following considerations:
After it has created the deployment plan, the project team starts the IP Security Policy Management snap-in in the test lab and begins defining the IPSec policies.
The developers implement the policies and rules in interim builds, and the testers review each build, providing feedback to the developers through the bug-tracking database. To obtain realistic performance data in the test environment, they run standard workloads on programs.
At the same time, the technical writers begin developing the user and operations documentation. This work continues through a number of interim milestones until all of the solution’s features are completed. After this happens, the project team can begin to prepare for the solution’s release. It prepares for deployment of the solution by developing a pilot plan, a deployment plan, and a deployment infrastructure, including hardware and software.
The team also prepares a training plan, so that the bank’s employees will understand the new requirements and learn how to use the new software. Developing ends with the Scope Complete Milestone.
After the development of the solution’s features is complete, stabilizing the solution begins. During the initial parts of stabilizing, Test writes the test specification document, and Test and Development work together to find and resolve bugs. They hold regularly scheduled bug meetings to triage bugs, and team members report and track the status of each bug by using the bug-tracking procedures developed during planning.
As stabilizing progresses, the team begins to prepare release candidates. Testing after each release candidate indicates whether the candidate is fit to deploy to a pilot group. After Test and Development have a pilot-ready release candidate, the stakeholders, including Operations and Support, perform user acceptance testing of the solution. When the users accept the solution as pilot-ready, the project team archives the solution in the definitive software library (DSL).
The project team then performs the pilot test, which is a deployment of the solution in a subset of the live production environment. During the pilot test, the team collects and evaluates pilot data, such as user feedback. The team continues to fix reported bugs and other issues until it is satisfied that the solution is stable.
Release Readiness Management Review
Stabilizing culminates in the Release Readiness MR. This review occurs after a successful pilot has been conducted, all outstanding issues have been addressed, and the solution is released and made available for full deployment in the production environment. This review is the opportunity for customers and users, operations and support personnel, and key project stakeholders to evaluate the solution and identify any remaining issues that they must address before deployment.
When the review is complete, the project team approves the release signoff.
The solution is now ready to be deployed in the production environment. The project team deploys the infrastructure that supports the solution—new domain controllers and remote access servers. Then, the team deploys the solution to all targeted users and computers at each site.
Stabilization continues during deployment as customer and user feedback from the deployed sites reveals bugs with the solution. The development team fixes the bugs that are approved through the project team change control process.
The Post-Implementation Review finalizes the project and signifies that the project team has fully disengaged and transferred the solution to Operations and Support personnel. At the completion of this review, the project team signs off on the project. Finally, the project team members, management team members, and stakeholders perform a post-project analysis, sign off on the project, and then close it.
Service Monitoring and Control SMF
Jamie (Operations Manager) knows that she needs to determine what is required to monitor the health of the new service. She creates a health model and defines the monitoring requirements.
Next, she determines that the new service is aligned to existing processes and functions, specifies which Operations groups will do the monitoring, and defines the service monitoring requirements in the bank’s service monitoring and control (SMC) tool. She also ensures that the service will be continuously monitored.
Jamie now leads a team that identifies the operational requirements for the new services—for instance how the service is backed up and restored, the tasks needed for disaster management, and the tasks needed for the security of the services.
The team builds the operations plan and then uses it to write the operational work instructions. These instructions identify resources and operational guidance for the new services, and specify the operational work instructions. The team then plans the operational work, assigns the resources, and identifies dependencies. Finally, the team executes the operational work and performs maintenance on the work instructions.
Operational Health Management Review
The new service is added to the regularly scheduled Operational Health MR with the Operations team. It is during this review that requests for changes to the OLA documents, IT services, and configuration of the underlying technology components are made.
Customer Service SMF
Even though the software has been deployed automatically to all bank employee computers, the project team knows that customer service representatives (CSRs) will have to respond to questions and requests for information. In response to these needs, the project team writes knowledge base articles and procedural documentation and trains CSRs to deal with the new IPSec policies and rules. When incidents are recorded, Kate (a CSR) reviews the knowledge base articles about IPSec to find answers needed to resolve the incidents.
Problem Management SMF
Kate notices in the incident trend reports that there are many incidents regarding intermittent problems with refused connections. She escalates this to the Problem Management team. Jerry, on the Problem Management team, researches the incidents related to the problem and finds that one server was not updated correctly. He submits a standard change request to update this server, and the problem is fixed. He further finds that a root cause of the problem is that the update to the servers should have been done using Auto Enrollment rather than a manual configuration of the certificates. Jerry updates the knowledge base article with this information.
Service Alignment Management Review
The new service is added to the regularly scheduled Service Alignment MR with the account manager and the business customers. It is during this review that requests for changes to the SLA documents and IT services are made.
Policy and Control Management Review
After operations had been running for several months, Woodgrove Bank’s management assessed the policies and controls that were put in place to support the bank’s move into the California market. Taking a view across the lifecycle, they could see how well risk was being managed and the likelihood that management’s objectives were on track to be achieved. They found that one policy around access to customer credit card information was not being enforced effectively. Their outsourced storage solution provider was allowing shared administrator passwords, which violated Woodgrove’s policy for tracking the specific person who had access to the data. They initiated a change request to address the situation with the service provider both in terms of their contract and their SLA.
Woodgrove Bank’s management and project teams have successfully deployed IPSec to provide data encryption for the bank’s data. With this important step completed, they can now begin work on other security and privacy solutions that will allow them to expand their operations to California and take advantage of new and exciting opportunities.