In Depth

The Skinny on ITIL

The Information Technology Infrastructure Library (ITIL) is coming to America; early adopters say it's a friendly invasion with security benefits

By Malcolm Wheatley

Small Disciplines

In this respect, suggests Bowey, the ITIL implementation at Thresher Group, an 1,800-outlet liquor store chain headquartered north of London, is fairly typical. Change management was an early and obvious area of focus, says Debbie Homer, service delivery manager within Thresher's business systems group. "Businesswide changes such as implementing XP Service Pack 2 could have far-reaching implications if not carried out correctly," she notes. "We're a retail company with a lot of dial-in users, as well as customer-facing EPOS tills [a British phrase for cash registers], and it's vital to guard against something knocking out our firewalls, or leaving our systems open to viruses or abuse."

Accordingly, says Homer, every change to Thresher's IT systems goes through the company's ITIL-compliant change management procedure, which calls for proposed changes (even security patches) to be documented, approved, tested and piloted. What's more, the IT vendors to which key aspects of Thresher's IT have been outsourced must also follow the procedure. Those outsourcers include EDS, which hosts the company's retail systems at an offsite data center, and Dutch company Getronics, which handles Thresher's desktop management and help desk operations. (Getronics, Europe's largest IT service provider, is in fact the organization that first introduced Thresher Group to ITIL, says Homer.)

The integral security of the overall system is enhanced by a practice of prohibiting changes at critical sales periods. Weekends are the busiest time of the week, says Homer, explaining that changes are not allowed from Friday to Monday, inclusive. The Christmas holiday season is another "no change" period: from a certain point in December (the timing of which varies, but is essentially the point at which the shops are fully stocked and the Christmas "deals" are coded into the EPOS system), until early January, no changes take place.

"It's not quite true that no changes take place; we have a provision for what ITIL calls 'urgent changes,'" adds Homer. "They have to be critical, though, and we have a higher security procedure for them. Essentially, more people have to approve them."

Enter the Matrix

Another benefit of ITIL, according to Tim Mathias, vice president of IT security and CISO at Thomson Financial (part of The Thomson Corp.), is the extent to which it forces businesses to focus on their organizational structures. When Thomson first implemented ITIL in fall 2003, having been introduced to it by the business's large presence in London, the organizational structure was very different from what it is now.
