Wednesday, November 21, 2007

Ever heard of ITIL?

If you work in IT, especially if it is large scale, you will probably have heard of ITIL. If not, here's a quick explanation. It stands for IT Infrastructure Library; it's aligned with ISO 20000 and is a registered trademark of our very own Office of Government Commerce, who drew it up. It consists of standard practices, or shall we say "procedures", that should be followed in relation to IT systems and service. It has a very large section about something known as change management.

In the Commons at lunchtime, Gordon Brown said in relation to the HMRC data loss issue that "this was a failure in implementing the proper procedures....only authorised staff must be allowed access to protectively marked information; information must not be removed without appropriate authorisation".

According to this evening's news the data copy was actually authorised by a senior civil servant, not the junior that did the work. OK, you might say, still a procedural failure, right? But what about the change management procedures?

Was there a Change Request raised via the proper ITIL procedure for the data extract? Apparently there was. Was the change request authorised by the change manager and relevant "business owners"? Rumour has it, it was. Did the junior do the work then give the data over to the senior as requested and per the correct change management procedures? Effectively yes.

So.... was there really "a failure in implementing proper procedures" in relation to the junior that carried out the work? Or did he do everything by the book when it was the pages inside the book that were the problem? I'm sure PricewaterhouseCoopers will find out!

18 comments:

AloneMan said...

Mmm, interesting point. I wonder what the back-out plan was...

Geezer said...

OGC also created Prince2, a project/programme management methodology. Largely designed to improve the management of risk on large scale government projects/programmes, and avoid massive failures in controlling spending, time and quality. Official qualifications in Prince2 have been a pre-requisite for employees/contractors on public sector projects/programmes for many years, yet they still f**k-up big-time on just about every project they do!
Prince2 has been adopted by almost all blue-chip private sector companies as well, but is much more successfully implemented.
The reason is that tolerances in the public sector are so great that it becomes a matter of going through a few motions for reasons of passing the occasional audit. Extra tax-payers' money is so readily available, and no one's career/job/pension prospects rely on them actually getting results and controlling the risks of projects/programmes. The day-to-day working dynamic is so poor in the public sector, as it is not results driven and there is a seemingly endless supply of easy tax-payers' money to finance them. It attracts low-calibre people who want an easy life; the outputs show this.
The private sector is results driven, from bottom to top; that is why they manage working practices so much more efficiently, and they still struggle to manage risk effectively and get the desired results!
The irony is that the government has the largest and most complicated IT programmes that any organisation has in this country, yet they end up being managed by the lowest calibre personnel, when they need the best. That is why consultants are so widely used by the public sector, because the Civil Servants just aren't up to the job, and why the failures of these consultants are endlessly tolerated and rewarded with further contracts!
The methodologies for good organisational management are only paid lip-service to in the public sector; nobody actually enforces good practice.

Anonymous said...

Dizzie

It's the SQL monkey from earlier - just heard John Hutton on Newsnight explain that the data on the National ID database will be secure because it'll be "biometrically ringfenced".

Should we laugh or should we cry?

SP

Anonymous said...

Working in banks I am of course allowed to download the whole customer database and walk out with it whenever I like.

Doh!

Anonymous said...

Geezer: I'm a civil servant. I'm Prince2 qualified, I have run several large projects while in the civil service.

There are many, many fantastic people in the civil service; it's not that "It attracts low-calibre people who want an easy life" - bear in mind that it often attracts highly skilled people who have excelled in the private sector and choose to move to the public sector in order either to have an improved work/life balance, or for a more interesting challenge (because working in Government is a different challenge).

There will always be problems, and people who are either not up to it or who make mistakes. Fortunately, we live in a country where any mistakes by the Executive are transparent to our Legislature, and we can seek to improve.

Mistakes happen in the private sector too - anyone who doesn't think that cock ups don't happen there is deluded (and yes, I acknowledge that this is a tremendous cock up, a shocking mistake). However they are not as obvious, and unless a whistleblower is involved may go completely unnoticed.

This is not an excuse for this mistake - clearly, it is an appalling breach. However, please don't write off all the hard working people in the public sector on this basis - I've done a 12 hour day today and would like to think I'm helping the tax payer. So would my other colleagues, none of whom I would describe as low calibre and most of whom took substantial pay cuts to join me at work.

Hedley Lamarr said...

This is absolutely unbelievable. I worked on a bit of the NHS IT project and we had to transfer large amounts of data between GPs' surgeries and the newly built datacentres. How did we do it? We had 2 people physically attend the GP's surgery, back up and encrypt the data and then drive the tapes to the datacentre. We a) wouldn't have even dreamt of posting it, and b) didn't even consider FTP'ing it. It cost us a fortune but there is no other way with such sensitive data.

I am amazed, truly amazed at this. I'm actually surprised it's not a bigger story. The BBC don't seem to be all over these catastrophic Nu Labour screw ups in the same way they crowed over the Tories' screw ups in the mid-90s.

Un-f**cking believable.

Mostly Ordinary said...

ITIL exams are the most boring thing in the World, apart from Alex Hilton's blog obviously.

I don't think protection of data comes under ITIL (didn't when I took the courses, that could have changed); that should be rolled up in the Data Protection training. What confuses me here is either a) the application lets you export the entire database, which is pretty poor if a low level user can do that, or b) someone with access to the actual database servers did it, and I find it hard to believe that a DBA deals with requests from third parties to receive data.

It would be nice to see the process they say wasn't followed, but now it's been kicked into the long grass (e.g. a review) I doubt that'll ever happen.

Mulligan said...

Anon 23:04.

Yes, frighteningly, Hutton clearly had no comprehension about the problems with biometric data as described by the computer scientist. Earlier some numpty MP called Palmer appeared on Radio 4 claiming that these problems make the case for ID cards and the ID register even stronger, although he laughingly said "well nothing is 100% safe".

So Mr Palmer, having someone fraudulently take cash out of your bank account is one thing but if some criminal could alter or compromise your biometric data how the hell are you going to get your identity back??????

dizzy said...

Mostly Ordinary, you are right re: ITIL and security. However, ITIL is part of the change management procedure, and the guy that did this, on 12K allegedly, will have been following the change procedure. Change authorised = do it.

Steve_Roberts said...

ITIL / Prince etc have their strengths (and weaknesses) but you have to dig deeper for the causes of this fiasco.

1. Brown as Chancellor made our taxes much, much more complicated.
2. Brown as Chancellor created organisational chaos by downsizing and merging IR and C & E at the same time as continuing with (1).
3. The tax credits system deliberately swept tens of millions of extra people into the tax / benefit net - creating another wave of chaos.
4. Brown set up outsourcing relationships with IT suppliers, which are in ordinary circumstances difficult to get right. Against the background of accelerating complexity and organisational chaos there was never a hope.

Finally, something has blown up publicly. You can bet your liver that a) there's plenty just as bad blown up in private, b) there will be another disaster arising from the same roots along very shortly.

Giving a civil servant the sack - or rather letting them take early retirement on full pension - is not going to make a big difference. We need to roll back ten years of mismanagement of taxes and administration, which will not happen while the instigator of these is at No 10.

GGRRRR

Mostly Ordinary said...

"Change authorised = do it."

I'm willing to bet this wasn't classed as a change and was implied practice, i.e. done often.

dizzy said...

Let's wait and see if a ticket audit trail appears.

Anonymous said...

PWC won't find out if they value future government contracts.

Mulligan said...

anon 11:53

Nail on head. The big consultancies make an absolute fortune from telling customers exactly what they want to hear.

Anonymous said...

re: Anonymous 11:53:00

It won't be all that difficult for PWC to not find out; after all, they didn't spot Leeson in the act of bringing Barings down.

And all the separate enquiries are designed to ensure that any remaining evidence (that hasn't already been removed to the tip) is trampled underfoot before its significance is recognised.

Anonymous said...

Dizzy:

As an ITIL Qualified Manager, system security effectively comes under the Availability Management module.

However, ITIL deals with the effective provision of IT Services. So the security aspect relates purely to the security of the systems. It is arguable whether CD media copies, paper printouts etc. are part of the 'service' or a product of it.

Strictly speaking this is not a 'change' either but a customer request.

For these reasons the fact that it became a 'security incident' doesn't really come under ITIL as it did not affect the effective provision of IT services. What it affected was people's privacy.

In fact the IT 'service' that was requested by the customer was seemingly carried out effectively based on the instructions received.

However, that does not let them off the hook, as there is another ISO standard, ISO 27001, which deals with data security, and a Government approved methodology, CRAMM (CCTA Risk Analysis and Management Method), which is used to assess data security risk. Here is the Wikipedia link:

http://en.wikipedia.org/wiki/CRAMM

Ironically the CCTA was the technical audit review arm of the TREASURY but I believe it was 'privatised' many moons ago. I don't know what has replaced it (if anything).

Semantics to some extent I know but if the Government is to be clobbered on this then we should allow them as little wiggle room as possible.

So I think the question is when was HMRC last CRAMMED and should it be as a result of this fiasco!

dizzy said...

Arggghhh *runs away*

Seriously, you're probably right regarding my terminology. Hell, I know you're right. Many ITIL practices that I have experienced often roll lots of things into change control, i.e. anything you do that touches a system or deals with data gets a CR raised even if it is not really a "change" as such.

Anonymous said...

Dizzy:

Indeed, I have spent many often wasted hours trying to get IT people to understand what a change system should be!

What the hell, it keeps my partner in the luxury I deserve!

Either way, HMRC are on the hook for this one and should be dealt with accordingly!

Cheers