IT service management: security’s best friend

As a security professional, IT service management can be your best friend. Service tickets indicate a regular, defined process that your organization’s IT team follows. As security officer, you need to work with your IT team to make sure they understand the security pitfalls of deviating from the intended purpose of the service tickets. One such practice is to create a single bulk ticket instead of multiple tickets. Here’s why bulk tickets are fraught with risk and what you, as security officer, need to make sure your IT teams know about improving practices to mitigate risk.

The fastest route can be the riskiest

There may come a time when IT is looking at entering a large number of IT workflow tickets to perform actions across a large number of employees, or a large number of computers. When the urge hits to combine all those tickets into one “bulk” ticket, I hope your organization will resist. Let me give you an example. When it comes time for a layoff at a company, the HR person works out a deal with the IT manager. Rather than generating termination service requests for each of those terminated employees, they suggest, “let’s just create one bulk ticket with a list of all the employees.” Usually the IT manager has some reservation for allowing this, but when faced with the HR admin who must enter all the tickets, they bow to the pressure and allow the HR team to generate one king-sized ticket with all 200 laid-off employees in it. This is an example of misusing the IT automation systems and it has consequences. I’ll tell you why.

First, it is a problem because it circumvents the business-as-usual process.  The normal termination workflow is tailored for individual terminations.  A single termination service ticket needs to be routed through dozens of steps: removing access to central directory, email, CRM, finance, accounting and many other systems. The ticket is also routed to the direct manager to collect laptop, key cards, mobile devices, credit card, keys and other physical items prior to the employee’s last day.  The ticket then is routed to allow for email to be archived, laptop to be wiped and key cards to be reissued or destroyed.  In short, there are a lot of steps to terminating an employee. As a company’s processes change, the workflow gets adjusted to add new process steps, or remove them because of improving automation. The IT service management system acts as a repository of all of this corporate knowledge required to properly terminate an employee. 

Bulk tickets are a security headache

Secondly, by creating the bulk ticket, it might be saving a bit of typing for the HR administrator, but it creates a ton of manual work for the IT administrators, managers and physical facilities teams. Now, all the automated workflow steps need to be done for each person in the bulk ticket. This will usually cause alerts and service level agreement violations. Not only is the IT manager on the hook for the service level violation, the business process team might look at the workflow and think that a change might be needed. Additionally, because we’ve taken this beautiful automated process and made it bulk and manual there is a high likelihood that something will get missed.  This is where the security team would have a problem. The security team now has to double check that all actions were handled correctly at all steps for all terminated employees in the ticket. This is a big, manual activity that circumvented the automated workflow. 

Auditing by bulk doesn’t work

Thirdly, in addition to the functional issues, there is the issue of audit. Many companies these days are held to standards such as PCI for handling credit card data, SSAE 16/18 for Financial Services, HIPAA/HITECH for healthcare, GDPR for European Union data, or Common Criteria and FedRAMP for federal institutions and providers. These security frameworks require the ability to demonstrate that the company follows a process for all terminations. By creating a bulk ticket in your service management system, it is likely that you lose that auditability. Typically, the auditor will ask for a list of terminated employees and then randomly select a subset of these employees and ask to see the termination tickets. A bulk ticket that contains a list of terminated employees will usually not pass audit muster because the auditor knows that the bulk ticket has circumvented the business-as-usual process. 

For these reasons, when faced with the HR Admin requesting to open one bulk ticket with all the terminated employees listed in it, the right answer should be, “That will circumvent our process, we might miss something and it will not pass our audits, so I’m sorry, but we can’t do that.” There are service management tools that can greatly simplify the process of generating these tickets, even generating them automatically, to be less of a burden on the HR team. A case study by Ivanti illustrates how tools simplified Oxford University’s Service Management process.  

Think security first

HR termination practices are just one example of circumventing the business process that needs to be laid out in IT service management modules. You might see the same type of bulk consolidation in server changes, workstation decommissioning, or new hire onboarding tickets. It is important to remember that these workflows contain the process for how your company gets work done. By making changes, it will be more difficult downstream to complete that work, so it’s important to think about that before any team decides to design their own workflow. If a team sees something in the workflow that is inefficient, they should bring it up to the business process team for evaluation. Often, there is a really good reason why the workflow is designed the way it is, even if it looks inefficient to a team’s perspective. And often, security will be at risk if business-as-usual processes are not followed.

Security officers can work with ITSM to evangelize how practices like bulk tickets may seem an efficient move at first, but really wind up creating more work as well as audit and security headaches.