How to Implement Policy Based Management
This page was last modified 04:47, 27 April 2006.From Documentation
About This Manual
Policy based management
This document describes the principles of policy-based management and outlines a workable approach to creating and implementing a policy based management approach, including the process of formulating policies and the need for ongoing review.
Companion Guide: Sample Policy and Procedures Manual
This manual defines operations management policies and procedures for a representative UNIX site. It is intended for use by:
- UNIX system administrators;
- Computer operations staff;
- Clerical staff who have responsibility for remote systems management of UNIX servers.
About COSmanager
COSmanager provides systems and operations management for distributed open systems data centers. COSmanager includes a management framework, a suite of system management applications, and an enabling technology that allows you to automate and delegate key system administration functions.
COSmanager modules
COSmanager is the central framework module within COSmanager, consisting of a set of management applications, including operations automation and duty scheduling, system administration, network backup and media management, audit and access control.
sentinel3G is the automated monitoring and response management module that supports proactive management of UNIX systems through centralized monitoring and control of multiple distributed hosts from an operator console.
task3G is the batch job scheduling module.
Policy Based Management
Overview
Management problems need management solutions. Technology can assist greatly in the implementation of system management solutions. Unless the correct policies and procedures have been defined, it is impossible to achieve an effective systems management environment; no matter how sophisticated and advanced the technology.
This section discusses management solutions for UNIX systems and outlines a step by step guide to implementing policy based management. In particular, it is about how to implement policy based management within a UNIX data center environment in a way that supports key IT business processes.
Prior to outlining a structured approach to implementing policy based management, the critical differences between mainframe and UNIX data centers are highlighted and potential barriers and distractions flagged.
Mainframe versus UNIX environments
Management of UNIX data centers should be identical to management of mainframe data centers. The underlying operating system should make no difference.
But all data centers are not the same.
Mainframe data centers
The traditional mainframe data center evolved over a number of years into the well regulated, disciplined system and operations management environment that is today’s benchmark. This evolution took place over time in a relatively static and well-defined information systems environment. The costs of entry to the market were high and the players were limited. The market was stable.
UNIX data centers
UNIX data centers exploded onto the scene amongst a frenzy of downsizing. The entry costs to the market were an order of magnitude lower than for mainframes and the number of new players rose accordingly. The old players also hopped onto the bandwagon to further confuse the issue.
Although UNIX may have been around for 20 years, it is a safe bet that most vendor's knowledge has not been around anywhere near that long. The result is a continually changing, often ill informed, environment creating a climate of uncertainty
Implications
This uncertainty sets traps for even the most experienced of mainframe operations specialists. Whilst basic system and operations management philosophies and principles apply equally to both UNIX and mainframe data centers, UNIX data center management needs to be approached from a different perspective. What worked in the mainframe data center may not necessarily work in the UNIX data center. Simply cloning a mainframe environment to UNIX may be the wrong approach.
While the basic management principles are the same, the implementation techniques often differ. Before discussing the application of policy based management principles to UNIX data centers, it is important to understand how facts can get distorted and distractions created.
Danger of Hype
One of the main barriers to effective systems management is hype. Extensive and often misleading marketing campaigns initiated by major technology vendors subliminally perpetuate the myth that technology is more important than management.
Make no mistake, the driving force is competitive advantage. The aim is market domination. The motivation is vested interest. Effective system management and improved service levels may be tragic casualties of “friendly fire."
Hype has successfully turned the old mainframe adage that “No one got fired by buying IBM” on its head. The brilliant marketing technique of exploiting the manager’s fear of trying something innovative or unproven has been reversed. Major vendors have introduced the even more brilliant technique of exploiting the manager’s fear that if they do not switch to the latest, greatest (but generally unproven technology) they will get left behind in the rush and be consigned to the ranks of the information super poor.
The extensive marketing that the industry is now subjected to creates a huge of awareness throughout the business community. Executives hear about products well ahead of release and then subtly or overtly pressure their Information Services (IS) Managers to implement the often non-existent “solution."
Armchair experts abound and the IS Manager needs to actively work at setting realistic expectations. At best the IS Manager is distracted from solving the real problems; at worst, he falls for the hype and actually encourages the adoption of non performing or non-existent systems. The best defense is a disciplined, structured approach to system management. Always remember, management problems need management solutions.
Ask the Experts
Whilst hype is an ever-present pressure that can distract you from effective systems management, an even greater threat comes from bad advice. Wrong or misleading advice will inevitably result in project failure and a loss of management and user confidence in the information services group.
When the dust has settled and the knives are out in the aftermath of an unsuccessful project, the buck generally stops with the Manager. It is up to the Manager to separate fact from fiction. This is often not as easy as it sounds. In many cases, consultants and vendors provide their advice in good faith or so eloquently that it is hard to spot the flaws.
So, do not believe everything you are told. Do not believe everything you read, even when it is from so called “Industry Experts." Learn to question. Confirm the facts.
Technology needs to be recognized for what it is - an enabling component of a service delivery process. Technology should never be bought for technology’s sake. It should be bought to support the IT business process.
Automation
When all is said and done, the major challenge facing the industry through to the end of the decade and beyond is automation. If you cannot document it, you cannot automate it. Policy based management is used to document the IT business process. Technology is used to automate and implement the process. And that is the order the activities need to be done. Resist the temptation to rush in and buy the latest, whizziest piece of technology. Get the policy management done first.
How to best spot the lies? Develop clear strategies for technology implementation well ahead of any technology purchase and take a structured approach to evaluating and selecting technology components.
Why policy manuals?
In the inaugural edition of the Network and Systems Managers Best Practices Report (March 1994), the editorial stated:
“...effective systems management depends primarily on strategic planning and implementation of policy based management. You simply can’t count on technology alone to see you through. You need to establish the policies and procedures governing your hardware, software and staff which will allow you to establish uniform centralized management without being inflexible. This is a daunting task, but it is achievable....”
A policy based management approach works. It is a practical, solutions oriented way of facilitating effective systems management. Apart from the fact it is good management practice, there are a number of compelling business reasons why a policy based management approach should be taken: increasing costs, complexity and automation. These factors are discussed in more detail below.
Increasing Costs
To a large extent, the move to UNIX and open systems is being driven by ‘downsizing’ of corporate IT budgets. In the proprietary environment, hardware and software costs represented around 70% of the total budget with the remaining costs being spent on staff and operations costs. In the open systems environment, the situation is reversed with operations costs being the single biggest component of expenditure. With the relatively higher percentage costs of operations management in an open systems environment, these costs will come under scrutiny and be targeted for on-going review and reduction.
Expenditure on operations management of open systems is increasing far more rapidly than expenditure on hardware. The rate at which operations costs are growing will need to be contained. To contain costs, operations workloads will need to be automated and delegated in a controlled way.
Increasing Complexity
The open systems environment is becoming increasingly complex. In the area of storage management alone, it is estimated that:
- the amount of data stored on the average network is growing at between 50 and 100% pa
- the administration cost of managing a single UNIX server can cost up to $35,000 pa
- a hard disk system that costs $3/Mb to purchase and install will cost an additional $8/Mb to manage
- the cost of recreating 20 Mb of lost data is between $15,000 and $100,000 depending upon the application
- companies will spend $300m on data management software in 1996 and $600m in 1997
- the lost productivity cost of 1000 users each spending one hour per week backing up, and managing their files is over $1m per annum
Increasing Automation
Survival in the prevailing economic environment means that data centers need to:
- increase workloads
- maintain or reduce staffing levels
- increase service levels
There are not enough skilled resources available. Routine and repetitive work will need to be moved away from administrators to enable them to concentrate on higher value activities. To achieve these goals, data centers need to automate.
The Need for Strategic Approaches
The main theme of this paper is that management problems need management solutions. Awareness of this situation is growing within the industry.
Despite the frantic efforts over the last few years to develop system management tools and technology, most system managers are disillusioned. The technology has failed to solve the problems. There is no single integrated system management solution, nor will there be.
So, what can be done?
The key strategy is to move the focus from technology to management. Support for business processes and their associated applications should be the goal. The technology should be used to implement the process. The process needs to be defined ahead of the technology being selected. A policy based management approach is an essential management tool in establishing an effective and secure systems management environment. If you can’t document it you can’t automate it.
Policy Based Management
This section outlines a proven practical approach to implementing policy based management which:
- is an important part of an overall Quality Management System
- defines good practice
- clearly allocates responsibility
- records and preserve an organisation’s methods of computer operation
- ensures a consistent approach to systems and operations management throughout the organisation and over time
- facilitates the training of new employees and to ensure they are provided with details of key aspects of system and operations management
- enables the authority for operations tasks to be delegated within the defined policy framework
- provides a basis of control over system and operations management activities
Policy and Procedures Manuals
A policies and procedures manual defines
- what needs to be done
- when it needs to be done
- who will be responsible for its implementation
- what system management tasks are to be automated to a set schedule
- what tasks are to be stored for future use on an as-required basis.
Strategy
Policy based management takes a structured approach to defining policies and procedures and communicating their associated ‘road rules’ and controls throughout an organization. It is a management technique that translates quality management theory into effective operational practice.
The policy management strategy should detail the management framework used to define, implement, communicate and review policies and procedures. This includes defining guidelines that take into account the prevailing corporate culture, e.g. what attitudes, tools, techniques, documents & implementation constraints are used by the organization
Framework
Operational procedures must reflect business policy and business policies must be communicated to operational staff. The management framework needs to reflect this focus.
Summarizing framework issues:
- Business policies should be clearly defined by management and communicated to systems managers and operations supervisors
- Business policies should take into account corporate objectives and strategies, audit requirements and appropriate government regulations
- IS management policies should be clearly defined
- Business and IS management policies need to be translated into workable operations management procedures
- Operations management procedures should incorporate good existing practice where applicable
- Operations management procedures should be automated where possible and encapsulated to ensure their safe retention
Philosophy
The management framework establishes an agreed and structured basis upon which a policy based management approach can be developed and reviewed. The management philosophy establishes the underlying philosophical approach that needs to be taken to implementing procedures within the framework.
It is inevitable that the changing UNIX data center environment means that a management philosophy should take into account the requirement to automate system management tasks and delegate them to non technical staff.
As a broad guide:
- routine and repetitive tasks should be documented and automated;
- tasks should be delegated to the correct level within the organisation in a secure and controlled manner;
- staff should only be permitted to perform the range of duties that have been specifically assigned to them;
- all tasks should be audited;
- the operations supervisor or systems manager should be (automatically) notified if scheduled tasks are not carried out.
Structure
A structured approach to identifying policies and procedures is essential. The number of procedures that need to be defined can otherwise seem overwhelming. It is important to remember that some procedures are more important than others.
The recommended approach is to once again take a business perspective. Business Functions should be grouped into a series of Work Categories which should be broken down into Policy Areas. Within each Policy Area, specific policies and procedures should be developed. Procedures should be developed progressively, in priority order.
Layout
Each policy and its associated procedures should be documented in a standard format that clearly identifies the key elements of the policy. There should be a policy manual entry for each system management topic.
Be brief, try to keep individual procedures to less than a page. Keep it simple and keep it on-line.
Avoid the “Never mind the quality, feel the width” trap. The aim is to achieve quality, not to build manuals. Minimize the pain and suffering associated with distributing voluminous, out of date and weighty tomes around the office and around the world. Consider use of company “Intranets” or report distribution software that facilitates accurate, timely and complete access to policy information.
The following (minimum) information should be documented for each policy manual entry:
Section | Description |
Subject | Topic or central theme |
Scope | The area or range that will be covered |
Background | What the Company is trying to accomplish with the policy including any specific requirements or standards that need to be met and the strategy for implementation. |
Policies | Specific policy details and management guidelines |
Procedure(s) | Detailed step by step instructions on how a particular operation is to be carried out |
Controls | Any specific controls relating to the procedure |
References | Other references that should be consulted in conjunction with this manual entry |
Updated | Date updated and by whom |
Priorities
Whilst most installations have similar systems management requirements, priorities will differ. Setting priorities will always be a subjective exercise; there is no prescriptive approach. However the best source of input to the prioritizing process is to talk to people who know what they are doing, or to read about other people’s experiences.
Find out what works and what doesn’t work. Learn how others have dealt with the political and cultural situations within their organizations. Most of all, listen.
You will not avoid a learning curve but you should aim to minimize its duration and inclination. Some suggested sources of information are:
- personal experience
- experienced managers and operations supervisors
- hardware and software vendors
- documentation from other sites
- journals and library searches
- the Internet
Categories
Different organizations will define their work categories in different ways.
The terminology that is used does not matter; the structured approach does. What categories are called and what policies are placed within what categories is a subjective matter. The fact that the policies and procedures are documented and defined is the key issue. The aim of the exercise is to focus on breaking the problem into its component parts and identifying what policies are needed. If you are going to eat an elephant, eat it in lumps.
For example, within a computer services organization, the System Management business function could comprise the following categories (and probably quite a few more):
- Administration
- Audit and Security
- Computer Operations
- Environment
- Planning
- Procurement
Policies
Within each work category, policy areas should be listed and prioritized. Within each policy area, individual policies and procedures should be progressively documented and implemented.
Correct definition of key policies is essential. The costs of implementing new procedures to fix ill-defined policies can be horrendous. It is important to take the appropriate amount of time to ensure you are doing things right as well as doing the right thing.
Refer to the sample policy and procedures manual for specific examples.
Review
Because of the speed at which the UNIX data center environment is changing, new policies will emerge, existing policies and procedures will need fine tuning and some policies will fall into disrepair. A review process needs to be established and implemented to ensure the validity and continuity of the policy based management process.
The policy based management process needs to outlive the individuals involved in establishing it.
Conclusion
As the UNIX data center market matures and the full influence of mainframe ‘downsizing’ takes effect, attitudes will need to change. Terms such as ‘mainframe strength’ and ‘mainframe class’ have already crept into the UNIX vocabulary. But what do these terms really mean?
Essentially they mean that organizations in the mainframe world have a strong strategic focus and a well disciplined, policy based approach to systems management. It is important to learn the valuable lessons gained from the mainframe world and to implement these practices within the UNIX environment in a way that enhances rather than simply ‘clones’ that environment.
One of the most valuable lessons to be learned is that a policy based management focus and its associated policy manuals (on-line of course) are essential in any mature commercial computer environment.