Analysis: Change Management Technology

Because all this is complicated to implement, many feel it's easier to avoid CM. In our reader poll for this article, about half of respondents said they don't have a formal change-control-approval process and have no plans to deploy one. And these aren't just small and midsize businesses--only 16 percent of poll respondents work for organizations with total revenue below $1 million. Meanwhile, a greater number of companies are facing external pressures--from clients, vendors and the government--to secure their information. And Gartner studies say CM can reduce unplanned downtime by 25 percent to 35 percent, cut planned downtime by as much as 25 percent and provide better customer service.

So, What's the Disconnect?

The main reason most IT pros give for not having developed or not adhering to CM processes is, simply, that it takes too long. But this reasoning is painfully shortsighted. Sure, it might be faster and more efficient to configure your computer to automatically log you onto the network every day, but the gains derived will be lost the minute an intruder uses your authenticated machine to steal company secrets. The same holds for CM: Although it may be more efficient on the front end to simply install patches, change ACLs (access control lists) and implement production systems ad hoc, in the long run this will cost you time and money.

Effective CM involves a blend of technology and process. Here we examine the technology side of the equation and profile CM offerings from BMC Software's Remedy Solutions and Computer Associates. In "Get Right With Change," we lay out an 11-step program to develop CM teams, policies and procedures.

Automation, BabyChange can be managed by paper or electronic means. We could go into excruciating detail on forms, but paper is inefficient, so let's focus on automated systems.

We examined two products that can streamline CM in enterprise environments: BMC's Remedy Change Management and CA's Unicenter ServicePlus Service Desk. A number of other products are also available. The key is to pick one and then use it every time a change is made--with no exceptions. Here are some must-haves. Both BMC's and CA's suites offer all these capabilities:

• Change-life-cycle management

• Simple methods for requesting and authorizing change

• A means to secure access at various user levels, ranging from those who simply make requests to those who can make changes• Customizable procedures for tracking a change throughout its life cycle. This is where things get a bit hairy: To track change throughout an environment, IT must have a structure and well-thought-out methodology for routing requests from initial request to final review.

Unless your organization has developed these methodologies, using any CM software is not simply a matter of plug and play. You'll need to put policies in place. Change review and authorization won't always follow the same path. Each pathway represents a separate trackable instance that must be taken into consideration. For example, say a user requests a new application. Depending on where that application is to be installed, this might invoke a review by security, architecture, IT, management, maybe even the CIO. To properly begin tracking and controlling these changes, each possible pathway must be outlined and subsequently programmed into your new software. Sure, some simple tasks are preconfigured, but every company is different, and as such, software will require customization.

This application sits on top of a Windows SQL architecture, but can be installed on a variety of other platforms, including IBM AIX, Hewlett-Packard HP-UX, Linux and Sun Solaris, and a variety of database systems, including IBM DB2, Informix, Microsoft SQL Server, Oracle and Sybase.

Remedy Change Management was cumbersome to install--it required substantially more time than CA's Service Desk did. And the Change Management module is only part of the picture. The entire architecture, which must be installed, includes the Action Request System, which ties everything into the core database, and the Approval Server, which lets you maintain policies for routing approval.

Although, in general, the installation and administration guides are thorough and understandable, you must prepare before beginning the adventure. Read the installation guides, perform a detailed enterprise evaluation, learn and test the Remedy system, and consider how users will be alerted and respond to alerts. Remedy's documentation goes a long way in helping you outline these tasks, and we found its support staff helpful. One note: Remedy's licensing is complex. You must traverse a series of question-and-answer screens, many of them confusing at first, to find the various licensing options. Be prepared to spend some time here.As with any CM product, you'll need to do a large amount of customization with Remedy's system before it's ready for your organization. You must configure your locations, categorizations and users (requestors, approvers, task implementers, managers), and how they interrelate. Fortunately, Remedy's admin interface, all Web-based, is well-constructed and easy to manipulate, with step-by-step windows for ease of entry.

Remedy uses change categories to organize requests for routing, setting urgency, alerting and tracking requests through completion. You can submit new service requests through a simple Web-based user interface. As with CA's product, each requester can view the current request status, who the request has been assigned to, and any applicable notes.

Remedy Change Management ships with a long list of handy predefined reports, ranging from complex change reports to risk/analysis reports to total cost of ownership (TCO) reports, with no add-ons needed.

In general, Remedy Change Management is a polished and market-ready application. It puts a big hit on the wallet, but an enterprise needing the extra functionality and ease of use that this product can bring will be pleased with the investment. On the other hand, though the product would prove equally useful to smaller organizations, it's unlikely many could justify the cost.

Remedy Change Management, starts at $40,000 for three user licenses. BMC Software, (800) 841-2031, (713) 918-8800. www.bmc.com This product was a breeze to set up. We installed it on a standard Windows system running Windows 2000 and Microsoft SQL Server 2000 (it supports a large number of other platforms, too). The entire process, not including the Windows and SQL installation, took about three hours.

Once you're up and running, however, it's no walk in the park. Although Service Desk is customizable, its admin interface is confusing and simplistic, almost as if someone imported a truckload of forms wizards from Microsoft Access. Through multiple waves of table definitions, you define your users (manually or by importing them through an LDAP directory), internal policies for notifications (e-mail and pages), service-level agreements (when tasks must be completed, based on your criteria), security (who is permitted to do what), and your order and task definitions (how and where a change request gets routed). CA does provide precompiled information for several items, but for the most part, you form your own based on company needs. The screens were all similar to one another, and the overall process wasn't very intuitive.

Orders are configured by entering routines, which dictate pathways for execution. Nested groups of commands are executed in sequential order or in tandem, depending on whether one is contingent on another. These are referred to as conditions and actions in Service Desk. Change orders can be created to route, based on various criteria, such as locale (sites/locations) and division (organizations)--adding flexibility for handling requests specific to a particular business function or physical location. At times, we weren't sure whether we were creating definitions or tasks or ... you get the idea. But in time this process should become easier. And, once configured, the Web interface is intuitive, polished and simple to learn for both end users and admins. It's easy to create new issues as well. Though once again reminiscent of an Access form, the process let us enter information quickly. Issues are handled immediately by first-tier admins or passed along to technical staff as change requests.

Service Desk's reporting capabilities are somewhat limited, but the addition of Unicenter ServicePlus Dashboard provides other options, including multiple graphical summaries of performance and status, most of which let us drill down directly into detailed information about events and tasks. More than a reporting tool, this add-on is a great supplement to Service Desk, and even with the extra cost, it's still less expensive than many competing products.

Overall, though this product will support large enterprises--say, Fortune 500 size--it isn't sufficiently polished to meet their needs. Smaller organizations with fewer chains of command, administrative levels and reporting demands, however, should find the investment worthwhile.Unicenter ServicePlus Service Desk, $3,000 per user (including end users. Discounts available. Computer Associates International, (888) 423-1000. www.ca.com

Kevin Novak is the COO and Mike Tyk is the director of consulting services for Chicago-based security consultancy Neohapsis.

The key to making change work for, rather than against, your organization is to remember that modifying your infrastructure should never be an ad hoc, on-the-fly operation. Whether you use a three-ring binder, a blogging app or a sophisticated suite of software, you must manage change--or it will bite you. The two change-management applications, from BMC Software and Computer Associates, we profile here represent ways to automate this all-important process. But before you implement one of these beasts, you must have policies and teams in place to ensure that changes are appropriately tested, authorized and documented, and never performed by only one person. This is the only way to keep your data safe--and stay on the good side of federal regulators.