A tool on the path of development

Fujitsu has treated the integrated management system implementation project as a tool, not an end in itself, and an investment, not an expense. It is part of the workshop of any manager who wants to make better and faster business decisions, grounded in measurable realities and concrete arguments.


The integrated management system at Fujitsu GDC was based on the global standards ISO 9001, ISO/IEC 20000 and ISO/IEC 27001. The project was implemented in 2013-2014 in cooperation with BCC.

The integrated management system is focused on continuous improvement and on matching the selection of security measures to the possible consequences of unforeseen events. It protects Fujitsu from overinvesting in security and helps make the case for increased investment in the organization’s most at-risk areas (e.g., not in IT, but in employee training). This is made possible by the requirement to conduct a systematic risk analysis.

Risk analysis is just as much an “input” to the decision-making process as other managerial tools, such as financial reports, sales reports, etc. In the context of ISO standards, the word “system” is also significant, because it denotes a coherent set of procedures and activities whose effect is a constant search for the optimum between spending on quality and security and the “cost” of information loss. Example: thanks to ISO standards and risk analysis, it is easy to identify areas where spending on quality and security is disproportionately high in relation to the risk that the “loss” of information may bring (the low risk may be due to the low vulnerability of the security of a given asset/resource or the low frequency of adverse events).

Today, information is highly dispersed and processed in multiple forms, both traditional (paper) and electronic. On the electronic side, the number and type of devices matter: not only the servers in the company and users’ workstations such as laptops, but also mobile devices such as tablets and phones. Under these conditions, information is a strategic resource powering business processes. This is particularly evident in companies in the financial services and insurance sectors, where customer information is particularly protected (a customer who feels that his information is properly secured is more loyal than a customer who does not have such a belief).

The tool in the form of an integrated management system has allowed Fujitsu to achieve a number of benefits, among which we can mention:

  • Meeting customer requirements and expectations, including restrictive SLA parameters in customer contracts,
  • Meeting legal requirements, including but not limited to personal data protection, copyright, classified information, business confidentiality,
  • Improving risk management mechanisms on individual service boards,
  • Continuous monitoring of the quality of customer service,
  • Transparent complaint procedures,
  • Increasing the level of security in the management area:
    • Formal procedures that are the basis for requirements from employees,
    • Making employees aware of the importance of safety to management,
    • Clear and transparent rules of cooperation and responsibility for security between IT and business (appropriate distribution of accents),
    • Identification of specific persons responsible for security,
    • Systematic elimination of risks,
    • A change in the perception of security incident reporting – towards a function of continuous improvement, rather than pointing out mistakes (employee involvement is increased and thus the security system “seals itself”, so to speak),
    • Shaping the mentality of employees in a pro-quality direction and increasing their commitment to the company; realizing that everyone is responsible for safety,
    • Monitoring the effectiveness of implemented solutions.

Marcin Dębowski, Operations Manager, Poland GDC, Services, Global Delivery Fujitsu

By implementing an integrated management system, we have achieved cost reductions – we approach IT management like business management. Another important element is increased productivity as a result of improved resource management and work organization.

Process optimization

One of the major challenges in the project was to establish a single, consistent management policy and have management promote it at all levels of the company. The governance policy defined the company’s directions and main goals in the context of IT services and information security. The next steps were:

  • Making employees aware of the need to simultaneously meet customer requirements and regulations and laws,
  • Monitoring compliance with the implementation of the management policy,
  • Standardization of requirements for everyone in the organization – consistent rules, consistent requirements, consistent accountability,
  • Determining the qualifications required of employees, identifying training needs,
  • Ensuring that employees have proven qualifications and necessary experience.

ISO standards have made it possible to optimize the flow of processes carried out at Fujitsu. As a result:

  • The quality of management has been improved,
  • The company’s operating costs have been optimized by matching measures (the amount of expenses) with real risks (resulting from the risk analysis),
  • Available resources, especially in the IT area, are used more efficiently,
  • The business has been made aware that it is as much responsible for security as IT,
  • There was an emphasis on “soft” security, such as sensitization to document protection, phone calls in public places, and social engineering attacks,
  • Customer relations have improved through a focus on business benefits (looking at IT through the eyes of the business) and the business’s changing needs,
  • Business goals were made achievable.

We see information security as an important process that needs to be managed properly and effectively, as it has a major impact on an organization’s ability to deliver services as expected by our customers.
Marta Gielec, Service Desk Team Manager, Poland GDC, Services, Global Delivery Fujitsu

Management standards as a tool for organizational innovation have improved customer relationships through a focus on business benefits, including by the IT department.
Malgorzata Kowalczyk, Service Desk Team Manager, Poland GDC, Services, Global Delivery Fujitsu

Documentation, organization management

Documentation of the management system was accomplished by describing the mode and conditions necessary for the implementation of processes, ensuring that the documents needed for the implementation of processes are up-to-date and available, and creating and maintaining records according to established rules known to all employees. A number of policies, procedures and instructions were documented during the project. A map of processes was defined, risks were established and a catalog of services was formalized.

Another interesting aspect of the project was the context of organizational management. Fujitsu’s work culture and principles helped define many interesting solutions that are used on a daily basis throughout the organization.

Certificate and what’s next

The measure of success for this type of project is confirmation by an independent certification body that the organization operates according to an efficient integrated management system. At Fujitsu, the culmination of the work was the independent body’s audit in November 2014 and the certification for compliance with three standards: ISO/IEC 20000, ISO/IEC 27001, ISO 9001.

The resulting improvement in the company’s image in the eyes of owners, customers and suppliers has translated into:

  • Increased credibility of the company and promotional effects: ISO/IEC 20000, ISO/IEC 27001 and ISO 9001 certificates are a “brand” in themselves. Holding them “says a lot” about a company’s quality and security and its business maturity,
  • Simplification of audit procedures (ready documentation, records, evidence, incident log always available for the auditor’s review; an auditor who has information “at hand” is a friendlier auditor),
  • Faster fulfillment of audit recommendations,
  • Regulated management of personal data (compliance with the law is an absolute condition for certification).

Tomasz Wawrzonek, Deputy Director of IT, All for One Data Centers

ISMS Practitioners
BCC (currently All for One Poland) offers a suite of services for the implementation and development of information security management systems and IT services in accordance with ITIL recommendations and the requirements of ISO/IEC 27001 and ISO/IEC 20000 standards. Our strength and differentiator in the IT consulting market is that we are practitioners. At SNP Data Centers, we use the same security standards ourselves, accumulating experience and good practices. The team that provides services to implement the ISMS for clients simultaneously takes care of the maintenance and development of the ISMS at SNP. The Information Security Management System is one of the pillars of All for One Data Centers, where we provide services to clients, including managed IT infrastructure hosting and administration of key business systems, mainly SAP. Dozens of clients and SLAs oblige us to maintain the highest security and management standards.

The implementation of an integrated management system has allowed Fujitsu to maintain its global market leadership in services. What’s next? According to the Deming cycle, the organization is now entering a process of improvement, which will translate into:

  • Improving the image outside the organization,
  • Greater trust in the organization, a greater sense of security for customers,
  • The correctness of the implementation of processes (reducing the number of complaints, claims),
  • Faster and more effective response to incidents/violations of procedures,
  • Sealing the information management system,
  • Self-learning of the organization – ISO causes the organization to be “driven” by mechanisms of improvement and refinement, seeking the optimum between safety and efficiency,
  • Professional, informed and effective organization of security in the company,
  • Orderly working conditions (clean desk, clean desktop),
  • Faster adaptation of new employees, protection of information in cases of employee turnover,
  • Standardizing work rules across locations,
  • Clear terms of reference and responsibilities,
  • Improving the quality of services provided,
  • Involving all employees in company affairs and improving safety.

Fujitsu Global Delivery Centre Lodz, opened in 2009, plays a key role in Fujitsu’s global service network. Its activities focus on three core areas. Service Desk provides first- and second-level support to customers worldwide. Remote Infrastructure Management (RIM) is third-level support for various IT technologies, including servers, databases, virtualization and backup, among others. The Research and Development (R&D) area complements customer support services, providing solutions and applications that complement the systems landscape and performing development work. In addition to services for external customers, a shared services center for finance and accounting for Fujitsu companies also operates in Lodz. The company works based on the ITIL standard. Services are provided in 15 different languages, 24 hours a day, 7 days a week, 365 days a year.