As a security professional, IT service management can be your best friend. Service tickets indicate a regular, defined process that your organization’s IT team follows. As a security officer, you need to work with your IT team to make sure they understand the security pitfalls of deviating from the intended purpose of the service tickets. One such practice is to create a single bulk ticket instead of multiple tickets. Here’s why bulk tickets are fraught with risk and what you, as a security officer, need to make sure your IT teams know about improving practices to mitigate risk.

The fastest route can be the riskiest

There may come a time when IT is looking at entering a large number of IT workflow tickets to perform actions across a large number of employees, or a large number of computers. When the urge hits to combine all those tickets into one “bulk” ticket, I hope your organization will resist.

Let me give you an example. When it comes time for a layoff at a company, the HR person works out a deal with the IT manager. Rather than generating termination service requests for each of those terminated employees, they suggest, “let’s just create one bulk ticket with a list of all the employees.” Usually the IT manager has some reservations about allowing this, but when faced with the HR admin who must enter all the tickets, they bow to the pressure and allow the HR team to generate one king-sized ticket with all 200 laid-off employees in it. This is an example of misusing the IT automation systems, and it has consequences. I’ll tell you why.

First, it is a problem because it circumvents the business-as-usual process. The normal termination workflow is tailored for individual terminations. A single termination service ticket needs to be routed through dozens of steps: removing access to the central directory, email, CRM, finance, accounting and many other systems.
The ticket is also routed to the direct manager to collect laptop, key cards, mobile devices, credit card, keys and other physical items prior to the employee’s last day. The ticket is then routed to allow for email to be archived, the laptop to be wiped and key cards to be reissued or destroyed. In short, there are a lot of steps to terminating an employee. As a company’s processes change, the workflow gets adjusted to add new process steps, or remove them because of improving automation. The IT service management system acts as a repository of all of this corporate knowledge required to properly terminate an employee.

Bulk tickets are a security headache

Second, creating the bulk ticket might save a bit of typing for the HR administrator, but it creates a ton of manual work for the IT administrators, managers and physical facilities teams. Now, all the automated workflow steps need to be done by hand for each person in the bulk ticket. This will usually cause alerts and service level agreement violations. Not only is the IT manager on the hook for the service level violation, the business process team might look at the workflow and think that a change might be needed. Additionally, because we’ve taken this beautiful automated process and made it bulk and manual, there is a high likelihood that something will get missed. This is where the security team would have a problem. The security team now has to double-check that all actions were handled correctly at all steps for all terminated employees in the ticket. This is a big, manual activity that circumvented the automated workflow.

Auditing by bulk doesn’t work

Third, in addition to the functional issues, there is the issue of audit.
Many companies these days are held to standards such as PCI for handling credit card data, SSAE 16/18 for financial services, HIPAA/HITECH for healthcare, GDPR for European Union data, or Common Criteria and FedRAMP for federal institutions and providers. These security frameworks require the ability to demonstrate that the company follows a process for all terminations. By creating a bulk ticket in your service management system, it is likely that you lose that auditability. Typically, the auditor will ask for a list of terminated employees and then randomly select a subset of these employees and ask to see the termination tickets. A bulk ticket that contains a list of terminated employees will usually not pass audit muster because the auditor knows that the bulk ticket has circumvented the business-as-usual process.

For these reasons, when faced with the HR admin requesting to open one bulk ticket with all the terminated employees listed in it, the right answer should be, “That will circumvent our process, we might miss something and it will not pass our audits, so I’m sorry, but we can’t do that.” There are service management tools that can greatly simplify the process of generating these tickets, even generating them automatically, to be less of a burden on the HR team. A case study by Ivanti illustrates how tools simplified Oxford University’s Service Management process.

Think security first

HR termination practices are just one example of circumventing the business process that needs to be laid out in IT service management modules. You might see the same type of bulk consolidation in server changes, workstation decommissioning, or new hire onboarding tickets. It is important to remember that these workflows contain the process for how your company gets work done.
Changes to a workflow make that work more difficult to complete downstream, so it’s important to think about that before any team decides to design its own workflow. If a team sees something in the workflow that is inefficient, they should bring it up to the business process team for evaluation. Often, there is a really good reason why the workflow is designed the way it is, even if it looks inefficient from a team’s perspective. And often, security will be at risk if business-as-usual processes are not followed.

Security officers can work with ITSM to evangelize how practices like bulk tickets may seem an efficient move at first, but really wind up creating more work as well as audit and security headaches.
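
The auditor's spot check described above (pick terminated employees at random, ask for each one's ticket) can be run internally before the audit, alongside the security team's check that every step was completed. The Python below is an added example, not part of the original article; the ticket fields, step names and sample records are constructed assumptions, not any ITSM product's export format.

```python
import random

# Assumed step names, modelled on the termination steps the article lists.
REQUIRED_STEPS = {"directory", "email", "crm", "finance", "assets_collected",
                  "laptop_wiped", "key_card"}

def reconcile(terminated, tickets, required=REQUIRED_STEPS):
    """Map each terminated employee to a list of audit findings (empty = clean)."""
    findings = {emp: [] for emp in terminated}
    individual, bulk = {}, {}
    for t in tickets:
        # A ticket naming more than one employee is treated as a bulk ticket.
        target = individual if len(t["employees"]) == 1 else bulk
        for emp in t["employees"]:
            target.setdefault(emp, []).append(t)
    for emp in terminated:
        if emp in bulk:
            ids = ", ".join(t["id"] for t in bulk[emp])
            findings[emp].append(f"listed in bulk ticket {ids}")
        if emp not in individual:
            findings[emp].append("no individual termination ticket")
            continue
        for t in individual[emp]:
            missing = sorted(required - set(t["steps_done"]))
            if missing:
                findings[emp].append(f"{t['id']} missing steps: {', '.join(missing)}")
    return findings

def audit_sample(terminated, tickets, k, seed=None):
    """Mimic the auditor: pick k terminated employees at random, return failures."""
    picked = random.Random(seed).sample(sorted(terminated), k)
    results = reconcile(terminated, tickets)
    return {emp: results[emp] for emp in picked if results[emp]}

# Constructed sample data, not real records.
TERMINATED = ["e101", "e102", "e103", "e104"]
TICKETS = [
    {"id": "T-1", "employees": ["e101"], "steps_done": sorted(REQUIRED_STEPS)},
    {"id": "T-2", "employees": ["e102"], "steps_done": ["directory", "email"]},
    {"id": "T-3", "employees": ["e103", "e104"], "steps_done": sorted(REQUIRED_STEPS)},
]

if __name__ == "__main__":
    for emp, issues in reconcile(TERMINATED, TICKETS).items():
        print(emp, "OK" if not issues else "; ".join(issues))
```

Employees covered only by the bulk ticket fail the check even though every step on that ticket is marked done, which mirrors how a sampled audit treats them.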