On the roles of policies in computer systems management

https://doi.org/10.1016/j.ijhcs.2011.01.004

Abstract

Policies are a pervasive and critical aspect of computer system management. What makes an effective policy? How do policies work in practice? To what extent can policy specification and implementation be formalized and automated? We studied the work practices of computer system administrators to uncover some of the ways policies are used in practice, and to inform the design of tools that incorporate policies to support more effective system management. We found that policies come in many forms—documented in service-level agreements and best-practice guidelines, given by management directives, applied by system administrators through formal processes, and built into tools such as configuration management applications. We found that although policies sometimes make explicit statements and establish formal processes, much is left implicit, by design or omission, with appropriate interpretation and execution dependent on human judgment. We argue that people must play an active role in the application of policies to system management because complex situational demands require it, and we discuss some issues in the design of tools that incorporate policies in supporting computer system management.

Highlights

  • In this paper we examined policy use in system administration practice.

  • We found that policies can make explicit statements and establish formal processes.

  • Yet much is left implicit in policies to enable practitioners to apply judgment.

  • We argue that people must play an active role in the application of policies.

Introduction

Productivity, compliance, and cost control are leading concerns of service businesses today (Spohrer and Riecken, 2006). To increase productivity and compliance and to decrease costs, businesses make and use policies that aim to standardize operations, making them more efficient and repeatable; for instance, most large enterprises have hiring policies, travel policies, and information privacy policies that help standardize common operations across the enterprise (Glueck and Jauch, 1984). Policies have a significant impact on processes, practices, and tools in organizations, as they govern how people work in a given setting. In the computing or information technology (IT) domain, policies often describe rules of conduct and behavior for the management and use of computing resources, ensuring fair allocation, mutual understanding of responsibilities and liabilities, and proper and consistent handling of policy violations (Dijker, 1996). Though policies are vitally important, little is known about how they are made, used, and maintained in real IT service organizations (Barrett, 2004). There are few studies of IT systems management (e.g., Barrett et al., 2004) beyond a handful of survey and interview studies (e.g., Goodall et al., 2004, Howell and Satdeva, 2001) and studies in related areas such as help desk operations (Halverson et al., 2004) and privacy (Karat et al., 2005).

In this paper, we report results of our ethnographic studies on processes and practices related to policy-use in the operations of several IT service organizations. We studied practices of people in their natural settings and aimed at descriptive rather than prescriptive analysis (as in Blomberg et al., 1993, Luff et al., 1999). Our study aims to inform both our understanding of policy-related work and also the design and use of tools to support such work.

So what is a policy, anyway? The dictionary defines a policy as “a definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions.” We define policies broadly to include guidelines as well as rules that people and organizations (e.g., employees in a company or users of a university computer system) are expected to abide by when conducting work (see also Dijker, 1996). Policies may be explicit (e.g., formally documented codes of conduct) or they may be implicit (e.g., part of the informal culture or wisdom that is passed from one employee to another). They may be enforced by an authority (e.g., disciplinary action taken for failing to observe some rule or restriction) or they may be enforced implicitly by the negative consequences of failing to comply (e.g., failure to follow a network configuration policy may prevent a server from communicating). For our purposes then, policies are rules used to guide actions of individuals and groups; they may be codified explicitly in documentation or processes, or observed implicitly in practices; and their application may or may not be governed and/or enforced by a specific authority.

IT policies affect what actions computer system administrators should or can take under various conditions (e.g., all operators must change their passwords every 90 days). They may also define parameters for system operation (e.g., all systems must have a corporate-approved firewall installed) or at a higher level, describe the outcome of system operation (e.g., the system will be available 99.999% of the time). Policies come in various forms, including management directives, service-level agreements (SLAs), standard procedures or processes, operations cookbooks, and more. Monitoring and enforcement of policies are often ad hoc (Howell and Satdeva, 2001), as it is usually the responsibility of the user or system administrator to interpret policies and to choose appropriate actions for each circumstance. In our field studies, we sought out specific policy-related artifacts (e.g. documents containing directives, procedures, processes, flowcharts, etc.) and information, and we analyzed the development, use, and maintenance of these within service delivery organizations. Some policies we observed included:

  • There should be redundancy at all times.

  • All servers must be at the same level with patches that were released within the last 120 days.

  • Space on a shared storage system should be allocated such that each customer achieves the same reliability, efficiency, and extensibility as they would if the whole environment belonged to them alone.

  • Each security staff member must examine and report immediately any known or suspected violations of security procedures or any exposure of known sensitive material to unauthorized personnel.

We conducted field studies in IT service delivery organizations in the US. Our original goal was to learn about the work practices of system administrators to help inform the design of system administration tools (e.g., Bailey et al., 2007, Kandogan et al., 2005). Previous reports on our studies examined collaboration, tools, and practices among security, database, web, data storage, and operating system administrators and data center operators (e.g., Barrett et al., 2004, Barrett et al., 2005, Maglio et al., 2008). We conducted 16 field visits, observing and interviewing 30 administrators, architects, operators, team leads, and managers over a total of 50 days. We studied large organizations (>1000 employees), including a large service delivery company with several sites across the US, a large public university and computing center, and a government laboratory, totaling 6 distinct sites. At least two researchers participated in each visit, which lasted three to five days.

Our methods included naturalistic observation (often as a participant in daily activities), contextual interviews, and artifact collection. Typically, two researchers followed one employee per day as he or she worked in the office, attended meetings, and so on. One of the researchers took notes and occasionally asked questions about the work, while the other videotaped interactions with the computer and other activities in the office. We asked participants to speak aloud, which helped significantly in understanding the context of work. At the end of the day, we asked clarifying questions about the observations from that day. We collected physical and electronic materials and took pictures of the artifacts in the work environment. In all, approximately 250 h of videotape were collected, reviewed, and analyzed to varying degrees. We created transcripts of spoken and written words of anyone interacting with the main observed participant, including over the phone, instant messaging tools, and e-mail. We also recorded every interaction with computer systems that was considered of interest, including commands typed in, web pages visited, and applications interacted with, and time-stamped each to create a chronological index of observed events.

In analyzing the video we combined ethnography and interaction analysis approaches (Suchman and Trigg, 1991). While the ethnographic approach was essential to put our observations in the proper context, interaction analysis facilitated detailed examinations of the interactions of people with each other, with computer systems, and with other artifacts in their environment. We examined all video content to identify segments where objectives, directives, guidelines, best practices – anything that could be considered as policy guiding behavior – were discussed, taken into account, or enforced in how the administrators worked and what they did. Relevant segments of the transcripts were coded with themes of interest and, together with time-stamped interactions with the computers, helped us put together a coherent story on what we observed. In this paper we present only a sample of these segments and describe the context around the uses of these policies as episodes of work involving policies. The videos from these segments, capturing administrator activities, computer screens, documents, etc., were then transcribed and analyzed. This was a very involved task, as it required us to look up each error message, command, and output, understand its use in the current context, and develop a complete understanding of the situation from these bits and pieces of information we tracked from video and audio of the observation sessions.

This paper aims to provide some insight into the definition and implementation of policies by analyzing policy-related activities in IT service delivery organizations. In what follows, we first describe and analyze four representative episodes from our observation and interview data, then discuss what we learned about policy creation and use.

Observations

We observed and interviewed system administrators as they went about their daily work. Here we describe episodes involving day-to-day use of various policies by an operating system administrator, a data storage administrator, a computer security administrator, and an application deployment architect. These episodes illustrate important aspects of policy use in work practices and represent the variety of policy use we observed.

Discussion

At the start, we described policies as rules used to guide actions of individuals and groups. These rules may have premises to determine when they are applicable (e.g., “when about to cross the street…”) as well as a conclusion indicating mandated action or final state (e.g., “…always look both left and right.”). Policies are written to guide the actions of people, thus they are written in a form that people can understand. They come in a wide range of generality, however, often omitting

Conclusion

Our goal was to do an empirical study of the nature and use of policies in IT service delivery to guide design of tools that support IT service delivery. Our observations indicate that policies are not simple and uniform in use, but are complex, varied, and context-sensitive, and as such their proper implementation in each setting requires substantial interaction among people and systems. Simply put, there is a gap between the formal specifications of policies and their real-world

References (24)

  • R. Barrett et al. Usable autonomic computing systems: the systems administrator's perspective. Advanced Engineering Informatics (2005).
  • J. Karat et al. Privacy in information technology: Designing to enable privacy policy management in organizations. International Journal of Human–Computer Studies (2005).
  • M.S. Ackerman et al. Organizational memory as objects, processes, and trajectories: an examination of organizational memory in use. Computer Supported Cooperative Work (2004).
  • Bailey, J., Kandogan, E., Maglio, P.P., Haber, E., 2007. Activity-based management of IT service delivery. In:...
  • R. Barrett. People and policies: transforming the human–computer partnership. IEEE 5th International Workshop on Policies for Distributed Systems and Networks (2004).
  • Barrett, R., Kandogan, E., Maglio, P.P., Haber, E., Takayama, L., Prabaker, M., 2004. Field studies of computer system...
  • Barrett, R., Maglio, P.P., Shallcross, M., 2004. Conference on the Human Impact and Application of Autonomic Computing...
  • J. Blomberg et al. Ethnographic field methods and their relation to design.
  • Dijker, B.L., 1996. A Guide to Developing Computing Policy Documents, System Administrators Guild (SAGE). Available at...
  • G. Donaldson. Corporate Restructuring: Managing the Change Process from Within (1994).
  • W.F. Glueck et al. Business Policy and Strategic Management (1984).
  • Goodall, J.R., Lutters, W.G., Komlodi, A., 2004. I know my network: collaboration and expertise in intrusion detection....