Posted on: 2/8/2012 (173 pages)
BT-450 A, Lecture 3: IT Processes
Instructor: Rajeev Dwivedi, firstname.lastname@example.org, Phone: 201-216-8508
Desk-7A, Library Admin (3rd Floor), Library Building, Stevens Institute of Technology, NJ-07030
Venue: Kidde-380. Time: 06:15-08:45 PM (Tuesday)

The IT processes covered in this course:
1. Business Strategic Planning
2. Architecture Scanning & Definition
3. IT Strategic Planning and Control
4. Application Planning
5. Data Planning
6. Systems Planning
7. Network Planning
8. Project Planning
9. Service Level Planning & Management
10. Business Continuity Planning
11. Security Planning & Management
12. Audit Planning & Management
13. Capacity Planning & Management
14. Skills Planning & Management
15. Budget Planning & Value Management
16. Vendor Planning & Management
17. Management Systems Planning & Monitoring
18. Project Definition
19. Project Scheduling
20. Project Controlling
21. Project Requirements Control
22. Project Evaluating
23. Change Control
24. Asset Management
25. Production and Distribution Scheduling
26. Problem Control
27. Service Evaluating
28. Software Procurement
29. Software Upgrade
30. Hardware Procurement and Upgrade
31. Systems Maintenance
32. Tuning and System Balancing
33. Financial Performance
34. Education and Training
35. Staff Performance
36. Hiring, Retention
37. Production
38. Service Marketing

(11) Security Planning & Management
Using individual requests, this process builds an overall plan to ensure that the agreed levels of security for the systems and services will be met.
1. Consolidate the security requirements of all service agreements.
2. Define the business and IT security operating environment.
3. Identify variances between the operating environment and the agreements.
4. Develop the overall security plan.

Most companies do not spend as much money protecting data as they spend on coffee for employees. Less than 0.0025 percent of corporate revenue is spent on corporate information-technology protection.
Richard Clarke, White House Special Advisor on Cyber Security Issues:
"Our adversaries, be they run-of-the-mill hackers or devoted members of terrorist cells, have the same training and much the same access to technology as we do. Our future enemies understand our technology at least as well as we do. Most of the nation's critical infrastructure (the power grid, voice networks, and water supplies) is vulnerable. You'll find computers at the heart of all these systems. Terrorists have a wide range of technology targets, not all of them in cyberspace."

How many vendors' products have you currently deployed for...? (Ref: Forrester; chart legend: 0 vendors / 1 vendor / 2 vendors / 3+ vendors / Don't know; percentages as charted)
  Antivirus                  43%  30%  27%
  VPN                        57%  27%  17%
  Firewall                   67%  23%  10%
  Network IDS                10%  57%  20%  7%  7%
  Two-factor authentication  23%  63%  10%
  Personal firewall          33%  40%  10%  13%
  Host IDS                   50%  37%  7%
  Single sign-on             60%  27%  7%

What is the single greatest threat to your company's enterprise network security? (Base: 606 respondents; Source: IDC, "Worldwide IT Security Software, Hardware, and Services 2004-2008 Forecast," 2004)
  Trojans, viruses and malicious code   31%
  Employee error (unintentional)        13%
  Internet worms                        10%
  Spyware                                7%
  Hackers                                6%
  Sabotage by employee or partner        5%
  Application vulnerabilities            5%
  Spam                                   4%
  Cyberterrorism                         2.5%
  Government regulations                 2%
  Other                                 15%

Bad Bug Bytes
- 2000, hit by hacker: the hacker entered the site and copied 15,700 customer credit-card and debit-card numbers. Customers were told to get new credit cards and account numbers.
- 2003, hit by hacker: the hacker entered the site and got hold of a customer-satisfaction survey, then leaked all the negative comments to analysts and the press.
- 2003, Data Processing International, hit by hacker: MasterCard impacted, 2.2 million credit-card numbers; Visa impacted, 3.4 million credit-card numbers; American Express and Visa also affected.
- June 2004, hit by insider: a former employee was charged with stealing the Internet provider's entire subscriber list (over 30 million consumers and their 90 million screen names) and selling it to a spammer.
- Bank of America Corp. lost digital tapes containing the credit-card account records of 1.2 million federal employees, including 60 U.S. senators, when shipping backup tapes to offsite storage.

[Diagram] Security addresses all elements of e-business: employees, vendors, suppliers, customers; e-business transactions; e-business infrastructure; assets and networks. Activities: Assess, Protect, Detect, Recover, Manage. Threat sources: deliberate attack, accident, natural disaster. Deployment security.

Security is about managing risk, not eliminating it. Eliminating risk is nearly impossible; reducing risk to an acceptable level is possible (e.g., credit-card fraud). Security is a process, not just products. Software cannot resolve people problems.

[Chart] Annual Internet security incidents reported, 2000-2003 (Ref: Computer Emergency Response Team, CERT).
[Chart] Newly documented Win32 worms and viruses, 1H 2001 to 1H 2004 (Ref: Symantec Corp.).
[Chart] Software and network holes continue to plague IT security: vulnerabilities documented, 1H 2001 to 1H 2004 (Ref: Symantec Corp.).
Types of Attack or Misuse (percentage of respondents; Ref: CSI/FBI 2003 Computer Crime and Security Survey)
  Virus                             82%
  Insider abuse of network access   80%
  Laptop theft                      59%
  Unauthorized access by insiders   45%
  Denial of service                 42%
  System penetration                36%
  Sabotage                          21%
  Theft of proprietary info         21%
  Financial fraud                   15%
  Telecom fraud                     10%
  Telecom eavesdropping              6%
  Active wiretap                     1%

Infectious Messages: how the virus got in (multiple answers permitted; sample: 300 enterprise organizations; Source: International Computer Security Association Computer Virus Prevalence Survey)
  Email attachment                                   56%
  Diskette from home                                 25%
  Diskette (other sources such as sales demos)       13%
  Download (external)                                11%
  Web browsing                                        3%
  Download (internal systems)                         2%
  Don't know                                          7%
69% of U.S. companies have been hit by a computer virus (FBI).

Cybersecurity Strains (Ref: Good Harbor Consulting LLC)
  Virus attacks are up dramatically: average corporate virus incidents rose from 21,000 (2000) to 130,000+ (2003).
  ...and the cost of the damage is exploding: reported worldwide cost of worms and viruses rose from $45 billion (2000) to $180 billion (2003).
  ...but security budgets aren't keeping pace: IT-security budgets went from 2.5% (1998) to 10% (2003) of the IT budget.

Of companies hit by viruses and espionage, most can't estimate the value of the damage (Data: InformationWeek/Ernst & Young Security Survey; respondents: 627 US IT professionals)
  Macro viruses: 51% hit, 49% not hit. Industrial espionage: 38% hit, 62% not hit.
  Damage estimate among those hit (macro viruses / industrial espionage, as charted): damage unknown 58% / 84%; under $100,000 15% / 40%; over $100,000 1% / 2%.

What was the most severe impact of the security breaches your company has experienced? (Ref: CIO Insight; columns: total / under 1,000 employees / over 1,000 employees)
  We were inconvenienced and lost productivity           72%    73.2%  75.2%
  We lost tangible assets (data, revenue)                 2.1%   1.9%   1.7%
  Customers/vendors were unable to retrieve information   9.1%   7.7%   6.0%
  Publicly embarrassed                                   17.2%  16.8%  17.1%

[Chart] Virus Impact: How have viruses affected your company? (% of respondents, 10-80; Data: ICSA Labs). Categories, most to least frequent: loss of productivity; PC was unavailable; corrupted files; loss of access to data; lost data; loss of user confidence; interference or lockup; unreliable applications; trouble reading files; trouble saving files; system crash; trouble printing; threat of job loss.

Worst Security Outbreaks Ever (Source: Fortune, October 18, 2004; worldwide impact is the estimated cost to corporations)
1. Love Bug, 2000: $8.75 billion. Hopelessly lonely recipients think they are getting a real love letter in their e-mail.
2. MyDoom, 2004: $4.75 billion. At its peak, infects one in 12 e-mails on the Internet.
3. Sasser, 2004: $3.5 billion. German cybercops nab its teenage author, Sven Jaschan; an IT security firm then offers him a job.
4. NetSky, 2004: $2.75 billion. One of its variants disguises itself as a Harry Potter computer game.
5. SoBig, 2003: $2.75 billion. Hits a week after Blaster (No. 8, below), helping cause a summer of pain for computer users and Microsoft.
6. Code Red, 2001: $2 billion. Gives the phrase "denial of service" new meaning.
7. Slammer, 2003: $1.5 billion. Targets small businesses running Microsoft programs most didn't even know they had.
8. Blaster, 2003: $1.5 billion. Shuts down the Maryland DMV for a day. Famous for taunting Bill Gates: "Stop making money and fix your software."
9. Klez, 2002: $1.5 billion. Randomly spews its victims' files everywhere as e-mail attachments.
10. Nimda, 2001: $1.5 billion. Striking the week after 9/11, this combination virus and worm triggers three FBI investigations.

Dollar Amount of Losses by Type (Source: Computer Security Institute, CSI/FBI; thousands of dollars)
  Theft of proprietary info    $120,827K
  Financial fraud              $115,753K
  Insider net abuse             $50,099K
  Virus                         $49,979K
  Denial of service             $18,371K
  Sabotage                      $15,134K
  System penetration            $13,055K
  Laptop theft                  $11,766.5K
  Telecom fraud                  $6,015K
  Unauthorized insider access    $4,03K
  Telecom eavesdropping            $364K

[Chart] Low Confidence in Net Privacy: users who are very or somewhat worried about interception of e-mail, telephone calls, fax, and US mail (0-60%; Source: Louis Harris for Privacy & American Business).

Sample advertisement shown on the slide (www.digdirt.com):
"Internet Detective 5.0. The Easy Way to Find Out the Truth About Anyone. Instant Unlimited Searches! In the privacy of your own home. Right on your own personal computer. Find out ANYTHING: People Search, Motor Vehicle Records, Background Searches, Court Searches, Phone Numbers and Addresses, Credit Records, Social Security Numbers and Records, Current or Past Employment. <order> Net Detective is an amazing new tool that allows you to find out 'EVERYTHING you ever wanted to know about your friends, family, neighbors, employees, and even your boss!' You can even check out yourself. It is all completely legal, and you can do it all in the privacy of your own home without anyone ever knowing. It's even better than hiring a private investigator. NetDetective 5.0 self installs and is compatible with all Internet-related software. If you have a credit card you can save by ordering direct, only $29.00 ($49.50 retail price). With our INSTANT DELIVERY system your copy will be running on your computer in less than 3 minutes. IT'S AMAZING!"

The Feds Are Watching
The three enforcement actions, which provide a road map for what other companies should do, are described at:
  www.ftc.gov/opa/2003/06/guess.htm
  www.ftc.gov/opa/2002/02/elililly.htm
  www.ftc.gov/opa/2002/08/microsoft.htm
In addition, the FTC provides a security checklist at www.ftc.gov/bcp/conline/pubs/buspubs/security.htm

How will your enterprise arm itself to address increasing information risk?
Information Security Hierarchy (Source: Gartner Group)
  Layer 1: Information security policy & standards
  Layer 2: Information security architecture & processes
  Layer 3: Information security awareness and training
  Layer 4: Information security technologies & products
  Layer 5: Auditing, monitoring, investigating
  Layer 6: Validation

Which of the following are hurdles in your efforts to improve data-protection capability? (Ref: Network Computing e-mail poll, 623 respondents)
  Funds are not available for building a better system                          66%
  Business managers do not perceive the value of data protection                33%
  We lack the human resources to maintain or manage our capability              31%
  Our business processes are changing constantly                                23%
  We lack the ability to test and validate alternative approaches               23%
  Options and vendor claims are confusing                                       23%
  Our data is growing faster than our ability to protect it                     21%
  We don't have any specific disaster-recovery or data-protection competency    20%
  Data protection is not a centralized function; every department or business unit has its own approach
  We have trouble making data-protection technology work with our infrastructure
  Other

[Chart] Top Security Obstacles (% of respondents; total exceeds 100% because multiple responses were permitted; respondents: 530 U.S. IT managers and professionals; Data: InformationWeek/Ernst & Young Security Survey): need to get hit to change; inadequate budget; lack of HR support; lack of awareness; lack of tools.

e-business Security Threats
  We think about: hackers, terrorists, foreign governments, organized crime, nature.
  But don't forget: competitors, unethical insiders, human error.

DO YOU HAVE A FIREWALL???
Computer-abuse offenders by occupation (% of offenders)
  Application programmers   18
  Clerical personnel        14
  Other system users        14
  Students                  12
  Managers                  11
  System analysts            6
  Machine operators          6
  Top executives             4
  Other EDP staff            3
  Data entry staff           3
  Systems programmers        3
  Consultants                3
  Accountants                2
  Security officers          1
  Controllers                0
  Auditors                   0
"Other" stands for a general category of nonclerical and nonmanagerial users.

[Chart] Motivations for Abuse (0-30% of cases; FBI): personal gain; ignorance of proper conduct; misguided playfulness; maliciousness.

Who's Breaking Into Your Systems? (SIM; as charted)
  Disgruntled existing and former employees and contractors                 82%
  Organized crime (extortion, money laundering, insider trading)              6%
  Cybercriminals (fraud and information reselling)                            5%
  Kids and teenagers                                                          2%
  Other (including governments)                                               5%

The Enemy Within
Employee theft has overtaken workplace violence as the top corporate security concern, while fraud and white-collar crime have rocketed up from seventh place to third.
Ranking of potential security threats (Source: Pinkerton's, Inc., Encino, Calif.; base: 147 corporate security directors at Fortune 1,000 companies this year, 137 last year):
1. Employee theft
2. Workplace violence
3. Fraud, white-collar crime
4. Careless employee selection
5. Hardware & software theft

Top Tips for Preventing Insider Attacks (Sources: IBM, Symantec, Netegrity)
1. Do not give employees access to systems they don't need, or allow them continued access when they no longer need it.
2. Tie identity management and password provisioning systems directly to your HR systems, including payroll.
3. Establish basic policies. For example, no user should have unfettered access to both accounts payable and accounts receivable.
4. Establish clear consequences for inappropriate employee behavior, such as looking at unauthorized material after hours.
5. Enforce the use of strong passwords, virus protection software, and personal firewalls for employees who work from home.
6. Perform a risk analysis on your key data assets to identify their value and the potential damage from a loss, and to determine their vulnerability.
7. Use redundant logging systems to deter malicious behavior. Keep all logs.

The average intellectual property thief is an educated 42-year-old white man with no prior criminal history. Sound familiar? Defendants are increasingly younger and more educated. (Sources: U.S. Department of Justice, U.S. Sentencing Commission, Executive Office for U.S. Attorneys)
  Characteristic                              1998     2002
  Education: at least some college            42%      49.6%
  Age 25-34 years                             24.1%    32.1%
  Age 35-50 years                             50.4%    44.8%
  Gender: male                                83.2%    92.5%
  U.S. citizenship                            65.9%    78.4%
  No prior criminal history                   75.7%    76.1%

How to be sure your company is prepared to handle a security breach:
>> Establish clear definitions of what constitutes a security breach and ways to detect one
>> Identify a single point of contact in the event that a breach occurs
>> Know local and federal law-enforcement officials
>> Know the legal requirements with which your company must comply
>> Consider encrypting database records that hold financial information
>> Audit for proper security controls and procedures
>> Educate employees on procedures in the event of a security breach
>> Check that third parties handling your customers' data have adequate security

Activities Included in Job Descriptions for Information Security Managers
- Developing, presenting, and managing the dissemination of information security awareness and training materials.
- Evaluating the effectiveness and efficiency of, and compliance with, existing information security control measures.
- Recommending control measures to improve information security (including evaluating and selecting products and services).
- Monitoring developments in the information security and information processing fields to identify new opportunities and new risks.
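The first three insider-attack tips above (remove access that is no longer needed, drive provisioning from HR data, and keep accounts-payable and accounts-receivable access apart) can be checked mechanically whenever an HR roster and a directory export are on hand. The block below is an added example, not code from the lecture or from any vendor named on these slides; the roster, the account list, the role names, the field names and the review date are all constructed for illustration and do not match any particular HR or IAM product's schema.

```python
"""Reconcile an account directory export against the HR roster (added example).

Flags what an access review should act on: accounts with no HR record (orphans),
accounts whose owner HR marked terminated (leavers), grants past their expiry,
and people holding both accounts-payable and accounts-receivable roles, which
the slide gives as the basic separation-of-duties rule.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster (assumption: employee id -> status and termination date).
HR_ROSTER = {
    "E100": {"name": "A. Lopez",  "status": "active",     "term_date": None},
    "E101": {"name": "B. Chen",   "status": "terminated", "term_date": date(2004, 6, 30)},
    "E102": {"name": "C. Okafor", "status": "active",     "term_date": None},
    "E103": {"name": "D. Singh",  "status": "leave",      "term_date": None},
}

# Constructed directory/IAM export (assumption: one entry per account, roles as a set).
ACCOUNTS = [
    {"uid": "alopez",      "emp_id": "E100", "roles": {"ap_clerk"},  "expires": None},
    {"uid": "bchen",       "emp_id": "E101", "roles": {"ar_clerk"},  "expires": None},
    {"uid": "cokafor",     "emp_id": "E102", "roles": {"ap_clerk"},  "expires": None},
    {"uid": "dsingh",      "emp_id": "E103", "roles": {"reporting"}, "expires": None},
    {"uid": "svc_old",     "emp_id": "E999", "roles": {"ap_clerk"},  "expires": None},
    {"uid": "contractor7", "emp_id": "E102", "roles": {"ar_clerk"},  "expires": date(2004, 1, 15)},
]

# Role pairs nobody may hold at the same time (the slide's AP/AR rule; names assumed).
SOD_CONFLICTS = [({"ap_clerk"}, {"ar_clerk"})]

REVIEW_DATE = date(2004, 7, 15)   # constructed "today" for the review


@dataclass
class Finding:
    uid: str      # account(s) the finding is about
    kind: str     # "orphan", "leaver", "expired" or "sod"
    detail: str


def reconcile(accounts, roster, today):
    """Return the Findings for one access review."""
    findings = []
    roles_by_person = {}            # emp_id -> union of roles over all their accounts
    for acct in accounts:
        uid, emp_id = acct["uid"], acct["emp_id"]
        emp = roster.get(emp_id)
        if emp is None:
            # Nobody in HR owns this account: tip 1, access nobody needs any more.
            findings.append(Finding(uid, "orphan", f"no HR record for {emp_id}"))
            continue
        if emp["status"] == "terminated":
            # Tip 2: the HR termination should have driven deprovisioning.
            findings.append(Finding(uid, "leaver", f"HR terminated on {emp['term_date']}"))
        if acct["expires"] is not None and acct["expires"] < today:
            findings.append(Finding(uid, "expired", f"grant expired {acct['expires']}"))
        roles_by_person.setdefault(emp_id, set()).update(acct["roles"])

    # Tip 3: separation of duties is judged per person, not per account, so a user
    # holding AP on one account and AR on another is still caught.
    for emp_id, roles in roles_by_person.items():
        for left, right in SOD_CONFLICTS:
            if left <= roles and right <= roles:
                uids = ",".join(a["uid"] for a in accounts if a["emp_id"] == emp_id)
                findings.append(Finding(uids, "sod", f"{emp_id} holds {sorted(left | right)}"))
    return findings


def run_review():
    """Run the review over the constructed data; used by the script entry point."""
    return reconcile(ACCOUNTS, HR_ROSTER, REVIEW_DATE)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.kind:8s} {f.uid:20s} {f.detail}")
```

Run as a script it lists one line per finding. Writing those lines to the ticketing or logging system instead of stdout, and keeping them, also serves tip 7: the record of who was granted or stripped of what, and when, is the evidence an investigation later needs.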
- Interpreting information security requirements emanating from external bodies, such as government agencies and standards-setting groups.
- Investigating alleged information security breaches and, if necessary, assisting with the disciplinary and legal matters associated with such breaches.
- Developing security policies, standards, guidelines, procedures, and other elements of an infrastructure to support information security.
- Coordinating and monitoring information security activities throughout the organization, including the preparation of periodic status and progress reports.
- Serving as a liaison between the various groups dealing with information security matters (e.g., the legal department and the insurance department).
- Preparing implementation plans, security product purchase proposals, staffing plans, project schedules, budgets, and related information security management materials.
- Representing the organization on information security matters to external groups (e.g., participating in meetings to establish technical standards).
- Providing information security system administrative support (e.g., maintaining the databases for password access control systems).
- Performing research on new and improved ways to properly protect the organization's information assets.
- Providing consulting assistance on implementing information security controls (e.g., encryption system deployment and secure application system development procedures).

Guidelines for Good Passwords
DON'TS:
× DON'T choose a password that uses public information about you, such as your social security number, credit card or ATM card number, birth date, driver's license and so on.
× DON'T choose a password that uses public information about your family or friends.
× DON'T choose a password that is composed of any word or words that could be found in a dictionary, in any form or combination.
× DON'T reuse old passwords or ones that are similar to old passwords.
× DON'T use your user ID, or any variation on your user ID, as your password.
DO'S:
DO choose a password that has no easily discerned significance to you.
DO choose a password that is six to eight characters long.
DO memorize your password. Never write it down.
DO use a password that has at least two alphabetic characters (a-z, A-Z) and at least one numeric (0-9) or special (punctuation) character.
DO use both uppercase and lowercase characters. Passwords are case sensitive.

[Chart] Which technologies consume the bulk of your security dollars? (multiple responses accepted; now vs. in two years; 0-100%; Source: Forrester Research, Cambridge, Massachusetts, forrester.com). Categories: firewalls; encryption; digital certificates; remote access; labor; consulting & services; security awareness & training; policy systems; authentication; threat analysis; maintenance; other.

Which of the following security vendors do you expect to purchase more software from in the next 12 months? (Ref: Merrill Lynch)
  Cisco                      48%
  Symantec                   34%
  Check Point                30%
  VeriSign                   22%
  McAfee                     20%
  Computer Associates        18%
  IBM                        18%
  WebSense                   16%
  NetIQ                      12%
  Trend Micro                12%
  WatchGuard                 10%
  RSA Security                8%
  Internet Security Systems   4%
  NetScreen                   4%
  BMC Software                2%
  Netegrity                   2%

Honeypot security lures intruders to what they think is a sensitive area.

[Diagram] Current authentication: authenticators and their subtypes (O'Gorman, "Securing Business's Front Door"). Biometrics divide into stable biometric signals (fingerprint, iris, retina, face, hand geometry) and alterable biometric signals (voice, characterized by its formants f0, f1, f2, f3 in the spectrum P(f)), the latter usable with a random challenge-response (e.g. speaking "472839...").

Human Body and Types of Biometric Technologies for Security
Face / Face recognition: captures the characteristics of a face from video or a still image and translates them into digital form. Advantages: suitable for identification applications; relatively unobtrusive. Disadvantages: prone to errors caused by environmental influences (e.g. light) as well as sunglasses, facial hair, etc.; expensive. Use examples: identification (law enforcement), identity authentication.
Eyes / Retina scanning: captures the unique pattern of blood vessels; extremely secure and accurate. Advantages: secure and accurate. Disadvantages: expensive; requires perfect alignment, so the user usually must look into a monocular or binocular receptacle. Use examples: high-security applications in a controlled environment.
Eyes / Iris scanning: captures the unique patterns of an iris. Advantages: secure; needs no physical contact and is non-intrusive. Disadvantages: expensive; sensitive to environmental conditions.
Voice / Voice recognition: captures the unique characteristics of a voice. Advantages: easy to use and understand; non-intrusive. Disadvantages: sensitive to background conditions such as noise. Use examples: automated call centers.
Hands / Hand geometry: captures up to 90 unique hand characteristics. Advantages: easy to use and inexpensive. Disadvantages: bulky and sensitive to the environment. Use examples: access control, computer access.
Hands / Fingerprinting: uses unique patterns known as loops, arches, and whorls. Advantages: easy to use, inexpensive; fingerprint databases are already available. Disadvantages: less reliable than retina or iris scanning. Use examples: access control, computer access control.

Top Barriers to IT Security (Ref: IDC, Framingham, Mass., December 2004)
1. Limited budget
2. Limited staff dedicated to security
3. Limited or no time to focus on security
4. Limited or no security training/awareness
5. Complex technology infrastructure
6. Limited support from executives

When was the last time your company's emergency response plan was reviewed or updated? (Source: InfoWorld security survey)
  Within the last 30 days     25%
  In the last 1 to 3 months   11%
  In the last 4 to 6 months   23%
  In the last 7 to 12 months  14%
  More than 12 months ago     11%
  Never                        2%

What % of your overall IT budget is dedicated to security? (Ref: Merrill Lynch)
  0-5%    70%
  6-10%   22%
  11-20%   4%

[Chart] Industry security: What percent of your company's IT budget goes to information security?
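The password guidelines above amount to a checkable policy, and the natural place to enforce them is the password-change path. The block below is an added example, not code from the lecture: its word list is a constructed stand-in for a real dictionary or cracking wordlist, the substitution table (so that "p@ssw0rd" still counts as "password") and the 0.75 similarity threshold for "similar to an old password" are assumptions the slide does not define, and the six-to-eight character bound is the slide's own rule, kept as a parameter.

```python
"""Check a candidate password against the slide's DO/DON'T rules (added example)."""
import difflib
import re

# Constructed stand-in for a real dictionary / cracking word list (assumption).
DICTIONARY = {"password", "welcome", "summer", "stevens", "dragon", "letmein", "hoboken"}

# Assumed digit/symbol-for-letter substitutions, so "p@ssw0rd" is still "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s",
                      "5": "s", "7": "t", "!": "i"})


def can_segment(letters, words):
    """True if `letters` splits entirely into dictionary words ("letmeinsummer")."""
    ok = [True] + [False] * len(letters)
    for end in range(1, len(letters) + 1):
        ok[end] = any(ok[start] and letters[start:end] in words for start in range(end))
    return ok[len(letters)]


class PasswordPolicy:
    def __init__(self, min_len=6, max_len=8, words=DICTIONARY, similarity=0.75):
        self.min_len, self.max_len = min_len, max_len  # slide: six to eight characters
        self.words = words
        self.similarity = similarity  # assumed ratio at/above which an old password is "similar"

    def check(self, password, user_id, personal=(), history=()):
        """Return the names of the rules `password` breaks; [] means accepted."""
        broken = []
        low = password.lower()

        # DO: six to eight characters long
        if not self.min_len <= len(password) <= self.max_len:
            broken.append("length")

        # DON'T: dictionary words in any form or combination (plain or with substitutions)
        for variant in (low, low.translate(LEET)):
            letters = re.sub(r"[^a-z]", "", variant)
            if letters and can_segment(letters, self.words):
                broken.append("dictionary")
                break

        # DON'T: your user ID or any variation on it (contained, containing, reversed)
        uid = user_id.lower()
        if uid in low or low in uid or uid[::-1] in low:
            broken.append("userid")

        # DON'T: public information about you, family or friends (SSN, birth date, ...)
        if any(item.lower() in low for item in personal if item):
            broken.append("personal")

        # DON'T: reuse old passwords or ones similar to them
        for old in history:
            if difflib.SequenceMatcher(None, low, old.lower()).ratio() >= self.similarity:
                broken.append("reuse")
                break

        # DO: at least two letters and at least one digit or punctuation character
        if sum(c.isalpha() for c in password) < 2 or all(c.isalpha() for c in password):
            broken.append("composition")
        # DO: both uppercase and lowercase characters
        if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
            broken.append("case")
        return broken


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("Summer04", "jsmith1!", "p@ssw0rd", "Tq7#pLm"):
        print(candidate, policy.check(candidate, "jsmith", personal=["1987"],
                                      history=["Tq7#pLn"]))
```

check() reports every broken rule rather than stopping at the first, which is what a useful error message to the user needs. The six-to-eight character range reflects the era of these slides; current NIST SP 800-63B guidance drops composition rules and short maximums in favour of long passphrases screened against breached-password lists, and only min_len, max_len and the word list need to change to follow it.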
[Chart] Percent of IT budget going to information security, by industry (3-15% of IT budget): banking; computer; telecommunications; government; insurance; education; health care; professional services; manufacturing. Data: InformationWeek Research Global Information Security Survey of 8,100 technology and security professionals.

[Chart] Staff Assigned to Information Security: information security workers for every 10,000 employees (0-16), by industry: other; health care; transport/distribution; retail/wholesale; manufacturing; education; utilities; financial services; computers/telecom; government; aerospace/defense. Data: Computer Security Institute survey of North American companies.

Is your IT security budget higher or lower than last year's? (Base: 257 data center managers surveyed earlier this year; Source: AFCOM's Data Center Institute, Orange, Calif.)
  Higher  47.9%
  Flat    34%
  Lower   18.1%

Three Components of a Balanced Approach to Organizational Security
Organization: structure; business environment; culture and politics; standard operating procedures; education, training, awareness.
Management: asset identification; risk management and assessment (CIP, organization-critical, technical infrastructures); control environment; operational balance; critical infrastructure protection (CIP); government-industry collaboration; management's role in CIP.
Technology: firewalls; intrusion detection; password layering; public key encryption, escrow, and authentication; secure servers, VPNs, remote access security.

Reference Materials
- NCSA News, The Journal of the National Computer Security Association, NCSA (10 South Courthouse Ave., Carlisle PA 17013), (717) 258-1816
- INFO Security News, MIS Training Institute Press, 498 Concord St., Framingham MA 01701-2357, (508) 879-9792
- CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University, Pittsburgh PA 15213-3890. E-mail: email@example.com. (412) 268-7090, 24-hour hotline
- National Infrastructure Protection Center, www.nipc.gov
- The Firewalls mailing list: send e-mail to firstname.lastname@example.org with the following as the first and only line of text in the body: subscribe firewalls (your address)
- Various online World-Wide Web resources include: catless.ncl.ac.uk/risks, http://www.tansu.com.au/info/security/html, http://www.tis.com, http://www.alw.nih.gov/WWW/security.html
- The COM-SEC BBS, (415) 495-4642 modem, (415) 495-1811 ext. 10 voice
- Computer Security Institute, 600 Harrison St., San Francisco CA 94107, (415) 905-2626 voice

IT Security Resources
- Internet Security Alliance, www.isalliance.org: a forum for sharing information on security issues.
- CERT Coordination Center, www.cert.org: a center of Internet security expertise at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. Information and training on protecting your system, reacting to current problems and predicting future problems.
- SANS Institute, www.sans.org: research, education and training on IT security issues.
- Center for Internet Security, www.cisecurity.org: methods and tools to improve, measure, monitor and compare the security status of Internet-connected systems and applications.
- Information Security Forum, www.securityforum.org: an international corporate membership organization whose members share information about security issues.

Big Names in Identity
From modular components to full-fledged suites, the top vendors in the identity management space offer a range of tools to strengthen the security of your network.
Vendor / Solutions / Platforms
- IBM (ibm.com): Tivoli Access Manager, Directory Integrator, Directory Server, Identity Manager, Privacy Manager for e-business, Risk Manager, Security Compliance Manager. Platforms: AIX, HP-UX, Linux, Solaris, Windows.
- Microsoft (microsoft.com): Identity Integration Server 2003. Platforms: Windows.
- Netegrity (netegrity.com): eProvision, IdentityMinder, SiteMinder, TransactionMinder. Platforms: HP-UX, Linux, Solaris, Windows.
- Novell (novell.com): iChain, Nsure. Platforms: AIX, Linux, NetWare, Solaris, Windows.
- Oblix (oblix.com): CoreID, ShareID, CoreSV. Platforms: AIX, HP-UX, Linux, Solaris, Windows.
- openNetwork (opennetwork.com): Universal IdP. Platforms: AIX, Solaris, Windows.
- RSA Security (rsasecurity.com): I&AM (Identity and Access Management). Platforms: AIX, Solaris, Windows.

Which, if any, of the following security vendors does your company use for intrusion detection and/or prevention? (Ref: InfoWorld; multiple responses allowed)
  Cisco Systems               55%
  Symantec                    48%
  Network Associates/McAfee   29%
  Internet Security Systems   15%
  Juniper/NetScreen            7%
  Sophos                       5%
  Enterasys                    5%
  TippingPoint                 3%
  Sana Security                2%
  Sourcefire                   2%

Which, if any, of the following vendors do you trust to provide companywide enterprise OS security? (Ref: InfoWorld; multiple responses allowed)
  Microsoft                    38%
  IBM                          33%
  Novell                       23%
  Red Hat                      20%
  Sun Microsystems             19%
  Other Linux                  18%
  Don't know/Not applicable    30%

(12) Audit Planning & Management
Using individual requests, this process builds an overall plan to ensure that the agreed levels of auditability for the systems and services will be met.
1. Consolidate the audit requirements of standards and service agreements.
2. Define the business and IT audit operating environment.
3. Identify variances between the operating environment and the agreements.
4. Develop the overall audit plan.

The Audit Mission
- Objective and independent (who?) review of operations, or benchmark
- Evaluate the adequacy of the internal system of controls
- Review compliance with laws and legislation
- Be alert to possibilities of fraud, bribery, ... illegal transactions
- Report findings to management

Fair Information Practices Principles
1. There should be no personal record systems whose existence is secret.
2. Individuals have rights of access, inspection, review, and amendment to systems that contain information about them.
3. There must be no use of personal information for purposes other than those for which it was gathered without prior consent.
4. Managers of systems are responsible, and can be held accountable and liable, for the damage done by systems and for their reliability and security.
5. Governments have the right to intervene in the information relationships among private parties.

GLBA in a Nutshell: Gramm-Leach-Bliley Act, Title V
Why: Ensure the security and privacy of customer information and maintain the safety and soundness of financial institutions.
Where: Banks and financial institutions under the regulation and supervision of the Treasury Department, FDIC and Federal Reserve.
When: July 1, 2001 (but for some service providers July 1, 2003).
IT impact: Requires financial institutions to have a written, comprehensive security policy to protect the security and confidentiality of a customer's nonpublic personal information.
Penalties: Actions to enforce the regulations by individuals will not exceed damages of $1,000; damages to a class of individuals are available up to $500,000. Each agency can enforce its regulations under any authority conferred on the agency by law.

GLBA Sources
Law: Public Law 106-102 (1999); 12 U.S. Code Section 1811.
Regulations: Department of the Treasury, Office of the Comptroller of the Currency, 12 CFR Part 30; Office of Thrift Supervision, 12 CFR Parts 568 and 570; Federal Reserve System, 12 CFR Parts 208, 211, 225 and 263; Federal Deposit Insurance Corporation, 12 CFR Parts 308 and 364.
Source: www.nwc.com, 7.10.2003, Network Computing

HIPAA in a Nutshell
What: The Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Why: Combat fraud and abuse in health care and improve health-care systems by encouraging the electronic transfer of health-care information.
Where: Health plans, health-care clearinghouses and certain health-care providers.
When:
  April 14, 2003: Privacy, all covered entities except small health plans
  April 14, 2004: Privacy, small health plans
  April 21, 2005: Security standards, all covered entities except small health plans
  April 21, 2006: Security standards, small health plans
IT impact: Ensure the security and privacy of health-care information.
Penalties:
  General: up to $100 for each violation; the total amount imposed for all violations of an identical requirement during a calendar year may not exceed $25,000.
  Wrongful disclosure of individually identifiable health information: (1) fine of not more than $50,000, imprisonment of not more than one year, or both; (2) if the offense is committed under false pretenses, fine of not more than $100,000; (3) if the offense is committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm, fine of not more than $250,000, imprisonment of not more than 10 years, or both.
HIPAA Sources
Law: Public Law 104-191 (1996).
Regulations: Privacy, 45 CFR Parts 160, 164; Security, 45 CFR Parts 160, 162, 164.

Sarbox in a Nutshell
What: Sarbanes-Oxley Act of 2002.
Why: Fight corporate corruption.
Where: Publicly traded companies and their auditors and attorneys.
When: April 15, 2005.
IT impact: More stringent reporting requirements, mandating internal controls on financial reporting systems.
Penalties: A corporate officer who knowingly certifies a false financial report can be fined up to $1 million or face up to 10 years in prison, or both. If done willfully, up to $5 million in fines or 20 years in prison, or both.

Sarbanes-Oxley Sources
Law: Public Law 107-204 (2002).
Regulations implementing Sections 404, 406, 407: 17 CFR Parts 210, 228, 229, 240, 249, 270 and 274.
Source: www.nwc.com, 7.10.2003, Network Computing
Some companies averaged $35M.

Sarbanes-Oxley Info
Details: Securities and Exchange Commission, www.sec.gov/rules/final/33-8177.htm and www.sec.gov/spotlight/sarbanes-oxley.htm
Dedicated site: www.sarbanes-oxley.com
Gartner discussion: sox.weblog.gartner.com/weblog/index.php?blog=11
FAQs:
- "Five Things IT Needs To Know about Sarbanes-Oxley Compliance," AMR Research: www.amrresearch.com/content/view.asp?pmillid=15951&docid=10387
- Association for Information Management Professionals: www.arma.org/legislative/sarbanes_oxley.fcm
- Financial Managers Society: www.fmsinc.org/cms/?pid=3253
- The N.Y. State Society of CPAs: www.nysscpa.org/oxleyact2002.htm
- PricewaterhouseCoopers Barometer Survey: www.barometersurveys.com

Related stories:
- "Complying With the Feds," www.nwc.com/1410/140fl4.html
- "Secure to the Core," www.nwc.com/1401/1401f1.html
- "Managing Your Digital Rights," www.nwc.com/1319/1319ws1.html
- "Employee Provisioning," www.nwc.com/1317/1317f1.html

HIPAA Web Resources
- Department of Health and Human Services, aspe.os.dhhs.gov/adminsimp
- Health Privacy Project (state health privacy law), www.healthprovacy.org
- HIPPA.org, www.hippa.org
Startergic National Implementation Process (SNIP), www.wedi.org/snip GLBA Web Resources EPIC, www.epic.org/provacy/glba FTC on GLBA, www.ftc.gov/provacy/glbact CERT Coordination Center, www.cert.org Federal Computer Incident Response Center, www.fedcirc.gov National Infrastrure Protection Center, www.nipc.gov NIST Computer Resource Security Center, www.csrc.nist.gov SANS Institute, www.sans.org Do you anticipate your company will spend more, less, or about the same amount this year to be compliant with government regulations? 71% More 27% About the same 2% Less Data: InformationWeek Media Network Compliance study of 650 business-technology professionals WHEN WAS YOUR ORGANIZATIONS POLICY LAST UPDATED? Don't know Within the last 9% three months 26% Never 3% More than 2 years ago 11% Four to 12 One to two years months ago ago 35% 16% Data: Information Week research survey of 200 IT Managers Which department created the data policy? IT Legal Other . Don’t Know An industry standard Policy adopted 0 10 20 30 40 50 60 % of respondents Top ten factors that could trigger workers to act unethically or illegally 1. Balancing work and family 2. Poor internal communications 3. Poor leadership 4. Work hours, work load 5. Lack of management support 6. Need to meet sales, budget or profit goals 7. Little or no recognition of Should HR be achievements Involved too? 8. Company politics 9. Personal financial worries 10. Insufficient resources REF: IBM & Marrist College Ten Tips for Taming the E-mail Problem 1. Create a reasonable and enforceable policy. 2. Spell out privacy expectation clearly. 3. Require that each employee sign the policy. Issue frequent policy reminders. 4. When the policy is broken, consult the legal department and have an immediate conversation with the employee, accompanied by a human resources representative. 5. Don’t limit employee training to policy issues. 
Also include etiquette, proper use of group mailing lists, and information about recognizing scams and urban legends. 6. Limit employee mailboxes to an appropriate size (CIOs interviewed for this article recommended a range from 15MB to 150MB depending on the type of work). 7. Consider your potential legal liability in determining how long to store messages. 8. Consider filtering tools, but be aware of the limitations. 9. Install two different antivirus software packages (one for servers, one for the desktops). 10. Teach users to distrust all attachments, particularly unexpected ones. . Steps in developing Responsibility Audit 1 Gain CEO Commitment 2 Appoint a steering committee to guide the audit 3 Appoint an auditing team(auditors, key managers, and organizational development experts) that will develop questions to be used in examining the firm 4 Diagnose the corporate culture and investigate designated functional areas, such as employee relations and human rights, community relations (the company’s social impact), quality programs, and environmental practices. 5 Analyze the mission statement, and look for circumstances when the stated mission/goals and actual company performance do not coincide 6 Seek fundamental or underlying reasons that performance and goals are not consistent. 7 Collect relevant industry information, existing benchmark studies, and available information on competitors and industry standards in each designated functional area 8 Interview relevant stakeholders who are involved in each functional area (e.g. 
customers, employees, federal and local environmental officials, local community officials) about their perceptions of the firm’s socially responsible performance 9 Compare internal data and external stakeholder perceptions 10 Write final report for company managers and the audit steering committee Source: Waddock, Smith, Sloan Management Review Winter 2000 (13) Capacity Planning & Management Using the forecast load from new projects or from the evolution of existing services,this process defines in a capacity plan how resources will cover the demand.It also proposes alternatives to management (number of shifts,decreased services,changes in systems plan….) 1.Translate service requirements into a load forecast of hardware,network,software,facilities and supplies. 2.Define capacity of existing and planned resources (hardware,network software,facilities and supplies) 3.Compare load forecast against this defined capacity 4.Identify,evaluate and propose alternate load forecasts and capacity 5.Document capacity plan Why is Capacity Planning Important ? User Productivity Budgetary dissatisfaction Stability decrease constraints Proper capacity If your systems With proper By identifying planning can cannot handle the capacity planning potential problem help identify expected peak upgrades can be areas and potential bottle throughput, budgeted ahead of capacity necks before productivity will time limitations, they occur, suffer. Employees stability problems preventing most may spend a can be avoided, performance significant portion or at the very related of their day waiting least predicted problems for results from a query CAPACITY PLANNING PROCESS • - A process which combines the monitoring of current resources with forecasting of future service requirements and growth if existing system. 
•- The data gathered is compared against existing capacity and needs and translated into a projection of future demands for I/T services •-Implications for organizations include: - Budgets - Disaster Recovery /Business continuation - Service level agreements - Effective User of Resources - Business Growth - New Services - Performance Management - Integration Don’t you think they would have been better prepared? Delta Airlines: advertised new discount fairs & incentives to book online tickets Red Cross: tsunami relief Amazon: pre Christmas volumes Walgreen: pre Christmas volumes Hallmark: Valentines Day online requests CAPACITY PLANNING RATIONALE • The cost of capacity planning is high especially in the highly complex distributed environments of today • The value of the investment depends largely on the maturity of the process. • There are 5 levels of organizational process maturity according to Gartner Group: Where is your organization? Level 1 - reactive,firefighting Level 2 - efficient ,professional and sophisticated firefighting Level 3 - fewer,fires,analysis of problems,start of process improvement Level 4 - process includes procedural improvement Level 5 - process becomes self-correcting CAPACITY MANAGEMENT ‘THE IDENTIFICATION PLANNING, AND ACQUISITION OF IT RESOURCES TO MEET CURRENT AND FUTURE SERVICE OBJECTIVES.’ High $ CAPACITY Low Faster RESPONSE TIME Slower CAPACITY MANAGEMENT FUTURE DEMAND CAPACITY EOP today TIME (MONTHS) When should the order be placed??? CAPACITY PLANNING LOW COST COMPLEXITY ACCURACY HIGH RULES BENCH LINEAR ANALYTIC OF SIMULATION MARKING PROJECTION TECHNIQUE THUMB INCREASING ACCURACY VALUE COST How select Pentium? How select Merced? 
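The linear-projection technique from the list above, as an added worked example (this code is not from the lecture and is not any vendor's planning tool): a least-squares line is fitted to twelve months of constructed peak-utilization figures, the month in which the projection reaches the planning limit is computed, and the order date is backed off by the procurement lead time. The sample data, the 85% planning headroom and the three-month lead time are assumptions chosen for the illustration.

```python
"""Linear-projection capacity forecast (added example; constructed data)."""
import math
from typing import Dict, Optional, Sequence, Tuple

# Constructed sample: peak CPU busy % for the last twelve months, oldest first.
# Assumption for the illustration, not a measurement from the slides.
SAMPLE_PEAK_CPU = [40.0, 43.0, 46.0, 49.0, 52.0, 55.0, 58.0, 61.0, 64.0, 67.0, 70.0, 73.0]


def fit_line(ys: Sequence[float]) -> Tuple[float, float]:
    """Least-squares fit of y = a + b*x with x = 0, 1, ..., n-1 (one point per month).

    Returns (a, b): the intercept and the monthly growth rate.
    """
    n = len(ys)
    if n < 2:
        raise ValueError("need at least two observations to project a trend")
    mean_x = (n - 1) / 2.0
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(range(n), ys))
    b = sxy / sxx
    return mean_y - b * mean_x, b


def months_until_limit(history: Sequence[float], capacity: float,
                       headroom: float = 0.85) -> Optional[int]:
    """Months after the last observation at which the projected load reaches
    capacity * headroom (the planning limit, assumed 85% of raw capacity).

    0 means the limit is already reached; None means the trend is flat or
    falling, so the projection never crosses the limit.
    """
    a, b = fit_line(history)
    limit = capacity * headroom
    last_x = len(history) - 1
    if a + b * last_x >= limit:
        return 0
    if b <= 0:
        return None
    cross_x = (limit - a) / b
    # First whole month at or beyond the crossing; the epsilon absorbs float noise.
    return math.ceil(cross_x - 1e-9) - last_x


def order_lead(history: Sequence[float], capacity: float, lead_time_months: int,
               headroom: float = 0.85) -> Optional[int]:
    """Months from now at which the order must be placed so that the new capacity
    is in service before the projection reaches the planning limit.
    Negative means the order is already late; None means no order is indicated."""
    k = months_until_limit(history, capacity, headroom)
    if k is None:
        return None
    return k - lead_time_months


def capacity_plan(history: Sequence[float], capacity: float, lead_time_months: int,
                  headroom: float = 0.85) -> Dict[str, Optional[float]]:
    """Summary a capacity planner would put in front of management."""
    a, b = fit_line(history)
    return {
        "current_load": history[-1],
        "monthly_growth": round(b, 3),
        "planning_limit": capacity * headroom,
        "months_until_limit": months_until_limit(history, capacity, headroom),
        "order_in_months": order_lead(history, capacity, lead_time_months, headroom),
    }


if __name__ == "__main__":
    plan = capacity_plan(SAMPLE_PEAK_CPU, capacity=100.0, lead_time_months=3)
    for key, value in plan.items():
        print(f"{key:>20}: {value}")
```

With the sample data the load grows 3 points a month, reaches the 85% limit four months out, and with a three-month lead time the order has to go in next month; with a six-month lead time the result is negative, meaning the order is already two months late. Linear projection is only as good as the assumption that the trend continues: a launch like the ones in the "better prepared" list above is a step, not a slope, and belongs in the forecast as a separate load item.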
Planning Capacity: network planning and simulation tools enhance the performance of e-business applications (data: InformationWeek)
Vendor | Product | Function
CACI | Application Profiler | Simulates application performance on enterprise networks
Comdisco | Managed Network Services suite | Adds capacity planning to services
Network Associates | Sniffer Predictor | Gathers performance data
Optimal Networks | Application Vantage | Identifies trouble spots

(23) Change Control
Using the change requests, this process selects, coordinates, groups and monitors all changes to the I/S resources and procedures in such a way that there is either minimal impact on the I/S operations or minimal risk. It triggers resource and data inventory updates. Further discussion under Organization and Culture.
1. Record change requests.
2. Prioritize and group changes based on a technical assessment.
3. Prioritize and group changes based on a business assessment.
4. Schedule, defer or reject changes.
5. Monitor test.
6. Monitor install.
7. Report and control the status of all recorded changes.

State-transition diagram for a change request (Wiegers)
Submitted: the originator submits the change request.
Submitted -> Evaluated: the evaluator has performed the impact analysis.
Evaluated -> Rejected: the CCB decided not to make the change.
Evaluated -> Approved: the CCB decided to make the change and assigned it to a modifier.
Approved -> Change Made: the modifier has made the change and requested verification.
Change Made -> Verified: the verifier has confirmed the change.
Change Made -> Approved: verification failed.
Change Made -> Closed: no verification required; the modifier has installed the product.
Verified -> Closed: the modifier has installed the product.
Evaluated, Approved or Change Made -> Cancelled: the change was cancelled.
Roles: Originator, someone who submits a change request; CCB, Change Control Board; Modifier, the person responsible for making changes; Verifier, the person responsible for determining whether the change was made correctly.

Survey question (bar chart): Who's involved in planning, developing, and executing your company's change-management efforts?
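Wiegers' state-transition diagram above, implemented as an added example (this code is not from the lecture or from Wiegers): each action is allowed only from the listed state and only to the listed role, the CCB assigns the modifier when it approves, a failed verification returns the request to Approved, and every transition is written to an audit trail. The role strings, the rule that only the originator or the CCB may cancel, and the separation-of-duties check that the person who made the change may not verify it are assumptions added here; the diagram names the roles but does not spell those rules out.

```python
"""Change-request state machine after Wiegers' diagram (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# (current state, action) -> (next state, roles allowed to take that action).
# Which roles may cancel is an assumption; the diagram only says "change was cancelled".
TRANSITIONS: Dict[Tuple[str, str], Tuple[str, FrozenSet[str]]] = {
    ("Submitted",   "evaluate"):    ("Evaluated",   frozenset({"evaluator"})),
    ("Evaluated",   "approve"):     ("Approved",    frozenset({"ccb"})),
    ("Evaluated",   "reject"):      ("Rejected",    frozenset({"ccb"})),
    ("Evaluated",   "cancel"):      ("Cancelled",   frozenset({"originator", "ccb"})),
    ("Approved",    "make_change"): ("Change Made", frozenset({"modifier"})),
    ("Approved",    "cancel"):      ("Cancelled",   frozenset({"originator", "ccb"})),
    ("Change Made", "verify_pass"): ("Verified",    frozenset({"verifier"})),
    ("Change Made", "verify_fail"): ("Approved",    frozenset({"verifier"})),
    ("Change Made", "install"):     ("Closed",      frozenset({"modifier"})),  # no verification required
    ("Change Made", "cancel"):      ("Cancelled",   frozenset({"originator", "ccb"})),
    ("Verified",    "install"):     ("Closed",      frozenset({"modifier"})),
}
TERMINAL = frozenset({"Rejected", "Cancelled", "Closed"})


@dataclass
class AuditEntry:
    actor: str
    role: str
    action: str
    before: str
    after: str


@dataclass
class ChangeRequest:
    cr_id: str
    originator: str
    state: str = "Submitted"
    modifier: Optional[str] = None          # assigned by the CCB on approval
    history: List[AuditEntry] = field(default_factory=list)

    def apply(self, actor: str, role: str, action: str,
              assign_to: Optional[str] = None) -> str:
        """Apply one transition, enforcing state, role and separation of duties."""
        key = (self.state, action)
        if key not in TRANSITIONS:
            raise ValueError(f"{self.cr_id}: '{action}' is not valid in state '{self.state}'")
        next_state, allowed = TRANSITIONS[key]
        if role not in allowed:
            raise PermissionError(f"{self.cr_id}: role '{role}' may not '{action}'")
        if role == "originator" and actor != self.originator:
            raise PermissionError(f"{self.cr_id}: {actor} did not originate this request")
        if action == "approve":
            if not assign_to:
                raise ValueError("the CCB must assign a modifier when approving")
            self.modifier = assign_to
        if action in ("make_change", "install") and actor != self.modifier:
            raise PermissionError(f"{self.cr_id}: only the assigned modifier may '{action}'")
        if action.startswith("verify") and actor == self.modifier:
            # Added separation-of-duties rule: the verifier must not be the modifier.
            raise PermissionError(f"{self.cr_id}: {actor} made the change and cannot verify it")
        self.history.append(AuditEntry(actor, role, action, self.state, next_state))
        self.state = next_state
        return self.state

    def is_open(self) -> bool:
        return self.state not in TERMINAL


def demo() -> ChangeRequest:
    """Walk one request through the diagram, including a failed verification."""
    cr = ChangeRequest("CR-17", originator="alice")          # ids and names are made up
    cr.apply("bob", "evaluator", "evaluate")
    cr.apply("ccb", "ccb", "approve", assign_to="carol")
    cr.apply("carol", "modifier", "make_change")
    cr.apply("dave", "verifier", "verify_fail")              # back to Approved
    cr.apply("carol", "modifier", "make_change")
    cr.apply("dave", "verifier", "verify_pass")
    cr.apply("carol", "modifier", "install")
    return cr


if __name__ == "__main__":
    for entry in demo().history:
        print(f"{entry.actor:>6} ({entry.role}) {entry.action:<12} {entry.before} -> {entry.after}")
```

The audit trail is the part the change control coordinator's job description below depends on: it records who moved each request, in which role, and from which state, so a change that reached production without a CCB approval or without an independent verification is visible after the fact.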
Responses offered: CEO/president; business-division leaders; CIO/SVP of IT; CFO; HR executives; employee representatives; consultants. (Percentages of respondents are not recoverable from this extraction.) Note: multiple responses allowed. Data: Optimize Research's change-management survey of 100 business-technology professionals

How much are your critical business partners, such as key suppliers or distributors, involved in your change-management efforts? Responses offered: Not at all; Kept abreast; Provide input; Have significant influence. (Percentages not recoverable from this extraction.) Note: multiple responses allowed. Data: Optimize Research's risk-management survey of 100 business-technology professionals

Sample Job Description for Change Control Coordinator
Overview of responsibilities
• Analyzes each change request to ensure that no conflicts exist with other requests
• Interacts with IS personnel to develop a scheduled date for each change request
• Monitors all change requests to ensure timely implementation
• Is a member of, and reports any conflicts to, the change control committee
• Is responsible for the maintenance of change files and production libraries
Detailed responsibilities
• Coordinates all changes in the production environment concerning online and batch systems through the use of appropriate forms
• Monitors and logs progress of changes to ensure that scheduled dates are met; if a scheduled date cannot be met, ensures that all affected areas are notified of any schedule changes
• Reviews all change requests to ensure that the requested dates are feasible; schedules requests that have little impact on the production environment; reports to the change control committee for scheduling of those changes that conflict with other requests or that significantly affect the production environment
• Maintains the change file to ensure that all historical data is correct and up to date
• Ensures that all change request entries are removed from the change file when implemented
• Provides special reports to the change control committee or management on request
• Moves all test programs to production libraries on the scheduled date and controls the production library passwords (this makes the coordinator a privileged role: the same person gates what enters production and who can reach it, so these actions should be logged and reviewed independently)
• Forwards to the change control committee all problem reports resulting from a previous change request
• Interacts with the technical standards group (if one exists) when a change request warrants a technical announcement bulletin
Qualifications
• Ability to communicate and work effectively with all levels of IS, communications, and user personnel
• Strong oral and written communication skills
• Three to five years' experience in information systems, including at least one year of hands-on JCL experience
• Working knowledge of procedures for maintaining computerized files and databases
• Understanding of the user community and its use of, and dependence on, computing services

Change Request Form
Document preparation information (to be completed by preparer): Change Request/Problem Log Number; Prepared by; Phone; Date Prepared.
Change information (to be completed by preparer): Proposed Change. Business Purpose (check all that apply): Easier to do business with Chubb; Reduce/manage expenses; Domestic/overseas growth; Better/more timely; Increase productivity; Reduce losses or loss expenses; Employee skill/knowledge improvement; Regulatory mandates; New market/new products; Senior management directive; Competitive position; Other (explain). Reason for Change/Description of Problem. Requested Implementation Date/Priority.
Change impact assessment (to be completed by I/T): Describe the impact of the change on the project, including all components affected (design, database design; system, subsystem, or process impact; conversion, etc.) as well as any organizational impacts. Quality effort: days, weeks, months. Impact assessed by. Provide release and/or date this change could be implemented.
Approval for impact assessment: Change Request Control Number (provided by Project Manager); Client Project Representative/Date Approved; Project Manager or I/T Representative/Date Approved. Assigned to; Date Assigned; Date Completed. QA testing: Assigned to; Date Assigned; Outcome/Sign-off date.
Approval for implementation: Date Approved; Date and Release Number for Delivery; Date implemented to production.

(Screenshot: Change Management Expert from Applied Innovation Management. Its two-pane interface shows operations on the left and fill-in-the-blanks forms on the right; tasks are opened with a single click on the action icons.)
(Chart: change management and user satisfaction over time. Why? Typical changes: hardware, systems software, application programs, personnel.)

(24) Asset Management
Using change information, this process builds and manages inventories of all the IT resources (including personnel and financial resources).
1. Identify system, application, data, personnel, supplies, and financial resources.
2. Update inventory status.
3. Maintain security of these resources.
4. Administer access to these resources (including data set space allocation and password administration).
5. Report and control the status of the inventory.

Asset Management Practices (Gartner diagram)
Asset lifecycle: Requisition; Procurement; Deployment; Maintenance; Retirement.
Integrated Asset Management System, drawing on the Technology Domain (Information Systems): Architecture & Standards; Budgeting & Financial Management; Network & Systems Management; Performance Management; Asset Tracking; Capacity Planning; Backup & Recovery; Procurement; Technology Configuration Management; Change Management; Security Management; Software Distribution; Technical Contracts Management; License Database; Application Management.
Management Domain (Business/End User): Organizational Asset Management; Inventory Management; Portfolio Management; Training; End User Support; Change Management Function.
Shared IS/Business Practices sit between the two domains.

Which asset-management activities do you track and measure? Software/hardware license compliance 75%; Component configuration 48%; Depreciation planning/scheduling 45%; Maintenance planning 37%; Ad hoc asset maintenance 35%; Spare parts management 31%; Facility/space utilization 27%; Lease compliance 19%; Other 6%. Multiple responses allowed. Source: Network Computing

IT Asset Management Implementation (1 of 2): Seven Ways to Save
1. Software volume licenses: aids implementing standards; increases discounts by 10 percent to 15 percent; savings of 25 percent.
2. Consolidated procurement: reduce the number of buying centers; acquire equipment faster; save as much as 10 percent annually.
3. Maintenance contracts: differentiate user profiles for maintenance contracts; save 10 percent to 20 percent on per-seat maintenance payments.
4. Property tax: an accurate inventory reduces tax bills; savings may reach 20 percent of the property tax bill.
Source: Gartner Group
IT Asset Management Implementation (2 of 2): Seven Ways to Save
5. Help desk: inventory reduces diagnosis and response time; cut technician time by 50 percent; savings as high as 57 percent over the worst case.
6.
Electronic software distribution: save 2,000 hours of labor; invest $100,000 in the first year; save 55 percent on software distribution costs.
7. Software metering: most effective when concurrent use is at 20 percent to 40 percent; invest $50,000 in the first year; save 27 percent on the PC software budget.
Source: Gartner Group

Fate of Old PCs. This year, what percentage of your retired PCs will be: donated to schools, nonprofits or charity 39%; handed down within your organization 34%; sold or given to employees 31%; thrown out 17%; sent to a recycler 9%; warehoused or stored 9%; sold to a remarketer 8%; traded in to a PC maker 7%. Base: 102 IT managers; multiple responses allowed. Source: Computerworld survey

Recycling your desktop. Here are some of the ways computer components are recycled:
Monitor: A monitor contains lead, to strengthen the glass tube and shield the user from radiation, as well as cadmium, phosphorus, and mercury. The materials are sealed inside the tube along with gas. If the glass breaks, the tube can implode, spraying lead particles. If it happens in a landfill, the lead can leach into the ground water. If the tube breaks during trash collection, sanitation workers may breathe lead-laden air. Recycling methods: the plastic shell is melted down and the glass screen or "tube" is punctured and melted. The recycled glass is used to make more tubes. Copper wire is pulled out and recycled. Metals such as aluminum, brass, and steel are crushed and recycled.
Tower: Recycling methods: the components within the computer case are disassembled and stripped of circuit boards, which are recycled in the same manner as the monitor. The metal frame and the other metals are crushed, melted, and recycled. The system's lithium batteries are removed and sent to a hazardous waste facility. The hard drive is removed and tested. If it works and is sufficiently large, the drive is installed in another computer or possibly sold (from the asset owner's side this is the point where the drive's contents must already have been wiped or the drive destroyed, and recorded as such in the disposition audit trail described below). Those that do not work are stripped and the metal frames melted. Other components such as the floppy drive, CD-ROM drive, memory modules, and system board can sometimes be reused. If not, parts of each can be recycled. Circuit boards are ground down and melted, and precious metals such as gold, silver, platinum, and palladium are extracted and sold. These metals can also be picked out of the boards by hand.
Mouse: Recycling methods: a mouse is tested to see if it functions and is still usable. If not, the plastic casing, cable, and tiny circuit boards are recycled for other computer components.
Keyboard: Recycling methods: the keyboard is made mainly of plastic, which is recycled. It also includes connecting plugs with gold and silver, which are extracted.
Source: Summit Metals Recovery Corp.; Advanced Recovery Inc.

WAYS TO PROTECT YOURSELF
1. LEASE EQUIPMENT so that the title to the equipment transfers to the leasing company at the end of the term, along with the disposition issues.
2. DISPOSE OF IT EQUIPMENT when it's removed from service.
3. BUNDLE DISPOSAL COSTS into new purchases by including the disposition of old IT assets in the RFP for the equipment that replaces it.
4. EMPTY THE IT CLOSETS: dispose of unused, stored equipment immediately. This equipment incurs storage costs and property taxes plus disposal costs that are likely to increase over time.
5. INCLUDE A COPY OF THE OPERATING SYSTEM when donating equipment. Machines without an operating system are likely to be discarded or shipped overseas.
6. INCLUDE CONTRACT WORDING that prohibits the recycling vendor or its subcontractors from exporting equipment to developing countries that lack environmental regulations.
7. REQUIRE A FULLY DOCUMENTED AUDIT TRAIL that shows what happened to each IT asset through its final disposition, whether sold, recycled or destroyed.
8. CONDUCT A DUE DILIGENCE background check on the recycling vendor and its practices that includes an on-site visit.
9. CONSIDER DISPOSITION SERVICES from IBM, HP, Dell or other major IT equipment vendors. They charge more than smaller recyclers, but they have reputations to protect and deeper pockets if liability issues arise.
SOURCES: recycling vendors, product manufacturers and corporate users

What are the chief hurdles to effective enterprise asset management? Lack of personnel or budgetary resources 64%; Isolated management of different asset types 46%; Inability or expense of entering initial asset data 45%; Latency of asset status and performance data 33%; Inadequate executive visibility and involvement in asset management 32%. Multiple responses allowed. Source: Network Computing

What tools do you use to track and manage assets? Spreadsheet application 64%; Paper system 32%; Computerized maintenance management system 23%; Enterprise asset management system 21%; Asset-centric procurement system 9%; Other 14%. Multiple responses allowed. Source: Network Computing

Real-World Labs Report Card: Asset-Management Software (www.nwc.com)
Products, in column order: (1) LANDesk Asset Manager 8; (2) Altiris Asset Management Suite 6.0; (3) Computer Associates Unicenter Asset Management 4.0; (4) NetSupport DNA 1.01; (5) ManageSoft 7.2; (6) NetSimplicity Visual Asset Manager 2004. Scores per criterion are on a scale of 0-5; the weight of each criterion is in parentheses.
Criterion (weight) | 1 | 2 | 3 | 4 | 5 | 6
Initial data loading: Autodiscovery (15%) | 5 | 4 | 5 | 2 | 2 | 2
Initial data loading: Bulk import (5%) | 3 | 3 | 4 | 2 | 3 | 1
Features: Out-of-date systems/upgrade reporting (10%) | 4 | 4 | 4 | 3 | 4 | 2
Features: End-of-life management (5%) | 4 | 4 | 4 | 4 | 3 | 2
Features: Lease management (5%) | 3 | 3 | 3 | 3 | 2 | 2
Management and configuration: Configuration and agent deployment (10%) | 4 | 3 | 3 | 3 | 4 | 2
Management and configuration: Rights management/security (5%) | 3 | 4 | 3 | 2 | 2 | 3
Management and configuration: Tracking of related assets (5%) | 4 | 4 | 3 | 3 | 4 | 4
Management and configuration: Price (20%) | 4 | 2 | 1 | 3 | 2 | 5
Resource tracking and reporting: Asset reporting (10%) | 4 | 4 | 3 | 4 | 4 | 1
Resource tracking and reporting: Hardware-resource management (5%) | 5 | 3 | 4 | 4 | 3 | 3
Resource tracking and reporting: Software-license management (5%) | 4 | 4 | 4 | 4 | 3 | 3
Total score (100%) | 4.05 | 3.35 | 3.20 | 2.95 | 2.90 | 2.70
Grade | B+ | C+ | C+ | C | C | C
Grades: A ≥ 4.3, B ≥ 3.5, C ≥ 2.5, D ≥ 1.5, F < 1.5; grades include + or − within their ranges. Total scores and weighted scores are based on a scale of 0-5.

Selected Systems Management Software (1 of 6)
Vendor | Product | Price | Devices managed | Management/analysis tools
BindView, 800-813-5869, www.bindview.com | NOSadmin for NT and Novell NetWare | Starts at $695 per managed server, $1,595 per managed (remainder not legible) | Server, workstation | Hardware inventory, asset and configuration management, user performance analysis, usage monitoring
BMC Software, 800-841-2031, www.bmc.com | Resolve | Contact vendor | |
Callisto Software, 630-682-8200, www.callisto.com | Orbiter 3.5 | $5,000 per server, $150 per client | Workstations, notebooks | Hardware inventory, asset, remote and configuration management, DMI 2.0
Cisco Systems, 800-462-4726, www.cisco.com | CiscoWorks Windows 5.0 | $1,995 | Server, workstation, printer, hubs, routers, switches | Device diagnostics, SNMP, remote and configuration management, topology mapping, traffic and performance analysis, usage monitoring, RMON
Cisco Systems | CiscoWorks2000 Campus Bundle; Routed WAN Management Solution | $10,000; $14,995 | | Hardware inventory, asset, remote and configuration management, device diagnostics, SNMP, traffic, performance and protocol analysis, RMON

(26) Problem Control
This process receives problems (including performance problems) and monitors their resolution by requesting bypass actions and/or projects (maintenance or tuning). It informs the service evaluating process of the service impact of the problems.
1. Recognize the problem.
2. Report the problem.
3. Determine the nature, impact and true extent of the problem.
4. Select predefined bypass and recovery procedures.
5. Initiate action to resolve the problem.
6. Report and control the status of all problems in hand.

PROBLEM MANAGEMENT: "Minimizing the impact of problems on IT services by focusing attention and responsibilities on identifying problems."
• Fewer, shorter outages
• Improved I/S-user relations
• Enhanced productivity
• Environment for growth
• Management control

What can go wrong? (Diagram with four areas: Environment, Devices, Processes, People.) Disaster (natural, unnatural); hardware failure; operator error; power failure; accidents; network failure; vendor failure; software failure; theft; vandalism; corporate espionage; intentional data corruption.

Business Recovery Drivers
• Most businesses experience 2 hours of downtime per week.
• Approximately 30% of computer users spend one week per year reconstructing lost data.
• 52.2% of U.S. companies had business operations interrupted due to computer hardware problems.
• 43.1% of U.S. companies had business operations interrupted due to computer software problems.
• 46% of U.S. companies have had business operations interrupted because of telecommunications failure.
From "What Can We Learn From The September 11th Attacks? Are You Prepared In The Event Of A Disaster?" by Mark T. Edmead. This article was originally published in the Insight Newsletter of the Internet Security Conference (http://www.tisc2001.com/insight.html), and has been posted with permission by TISC, LLC.

CAUSES OF UNPLANNED APPLICATION DOWNTIME: operator errors 20%; technology failures 40%; application errors 40%. Source: Comdisco Vulnerability Study

RELATIVE OCCURRENCE OF OUTAGE INCIDENTS: power outage 27%; storm damage 12%; flood 10%; hardware error 8%; bombing 7%; hurricane 6%; earthquake 6%; fire 6%; software error 5%; employee sabotage 3%; power surge/spike 3%; human error 2%; network outage 2%; other 2%; service failure 1%; burst water pipe 1%. REF: Contingency Planning Research, Inc. Based on 5,320 incidents

Fundamentals of autonomic computing
▪ Self-configuring
▪ Self-healing
▪ Self-optimizing
▪ Self-protecting

Evolving to autonomic operations (from manual to autonomic)
Level 1, Basic: multiple sources of system-generated data; requires extensive, highly skilled IT staff.
Level 2, Managed: consolidation of data through management tools; IT staff analyzes and takes actions; greater system awareness; improved productivity.
Level 3, Predictive: the system monitors, correlates, and recommends actions; IT staff approves and initiates actions; reduced dependency; faster and better decision making.
Level 4, Adaptive: the system monitors, correlates, and takes actions; IT staff manages performance against SLAs; IT agility and resiliency with minimal human interaction.
Level 5, Autonomic: integrated components dynamically managed by business rules/policies; IT staff focuses on enabling business needs; business policy drives IT management; business agility and resiliency.
From IBM Global Services and Autonomic Computing, IBM White Paper, October 2002; see http://www-3.ibm.com/autonomic/pdfs/wp-igs-autonomic.pdf.

How many calls does the help desk get? (Example bar chart of help-desk calls per month; the monthly values range from about 150 to 943 calls but cannot be reliably matched to months in this extraction.) Calls are 83% software, 17% hardware.
EXAMPLE: Who calls the help desk? (Bar chart of calls by department; legible categories include Reagent Mfg., Instrument Mfg. and R&D; YTD: 2,333 calls.)
EXAMPLE: What are the calls for?
(Bar chart of calls by category; legible categories include Software, AS/400 and install; values not reliably recoverable from this extraction.)

Helping the help desk. In its Service Management Strategies report, Meta Group analyzed some key characteristics of help desk usage:
• 15% to 35% of help desk call volume is password resets.
• 25% to 35% of call volume is new service requests or status checks.
• Average number of calls to the help desk per end user: 1.75 per month; in 2003, three calls per month (a 20% annual increase).
• Help desk queries via the Internet: 6%; by 2003/2004, 20%.
• By next year, 40% of IT help desks will migrate to IT customer service centers.

Problem reporting form (fields): Opened by; Date opened; Problem title; Required close date; Suggested assigned person; Scheduled activity impacted; Description of problem.

Paying Less for Passwords. Example values are shown; the worksheet leaves a "Your company" column for your own numbers.
PART I: Cost of employees calling the help desk
A. Number of employees at company: 5,000
B. Average salary (fully burdened): $71,500
C. Weeks each employee works, on average, per year: 48
D. Average hourly cost of a non-technical employee, assuming a 5-day, 40-hour work week and a 48-week year = B ÷ (C × 5 × 8): $37
E. Cost per minute of employee time = D ÷ 60: $0.62
F. Number of help-desk calls placed per year, at 1.75 calls per employee per month (Meta Group estimate) = A × 1.75 × 12: 105,000
G. Length of the average help-desk call in minutes (Meta Group estimate): 12
H. Total minutes per year spent on help-desk calls = F × G: 1,260,000
I. Cost of employee time spent on help-desk calls = E × H: $781,200 (this row is missing from the slide as extracted; its value follows from P = I + O below)
PART II: Cost of help-desk staff fielding calls
J. Average salary of a help-desk worker (fully burdened): $61,910
K. Weeks worked, on average, per year: 48
L. Average hourly cost of a help-desk support staffer, assuming a 5-day, 40-hour work week and a 48-week year = J ÷ (K × 5 × 8): $32
M. Cost per minute of a help-desk staffer = L ÷ 60: $0.53
N. Total number of minutes per year spent on the phone with employees = F × G: 1,260,000
O. Cost of help-desk time for technical staff = M × N: $667,800
PART III: Cost of password-related calls
P. Total cost of the time both technicians and employees spend on help-desk calls = I + O: $1,449,000
Q. Percentage of calls attributable to password issues (Help Desk Institute survey): 17%
R. Total cost of password-related calls = P × Q: $246,330
PART IV: Cost of password-automation software
S. Cost of password-automation software for each employee: $10
T. Hours to install on the Web server and application servers: 16
U. Cost of implementation = L × T: $512
V. Total cost of software = (A × S) + U: $50,512
PART V: Benefits
W. Gross savings, two-thirds of the cost of each call, from using password-automation software (HDI estimate) = R × 0.66: $162,578
X. Net savings after the cost of software and implementation = W − V: $112,066
SOURCES: Help Desk Institute's 2004 Practices Survey (www.thinkhdi.com), Avatier Corp., Baseline Research

(27) Service Evaluating
Using the performance status and the problem impacts, this process translates them into user terms and compares them with service agreements. It also identifies and reports any variances to users and management.
1. Translate and integrate operational data (production, distribution, performance and problems) into service level terms.
2. Assess the user rating of service.
3. Evaluate compliance with service agreements.
4. Identify and report reasons for variance.
5. Report service status and new service requests.
6. Learn and improve.

The Service Desk Toolkit integrates: problem management; inventory/change management; configuration management; knowledge bases; expert systems; call tracking/management. Critical evaluation criteria: integration; Internet; scalability/performance; vendor stability/vision; platform/client support; database support; services and support; robust reporting. Source: Gartner Group

How effective would you rate your PMO(s) at improving process integration in your organization? (Very effective / Reasonably effective / Ineffective)
Chemicals and energy: 19% / 48% / 33%
Manufacturing: 18% / 55% / 27%
Technology and telecom: 16% / 67% / 16%
Finance and insurance: 16% / 55% / 29%
Distribution: 14% / 56% / 31%
Services: 12% / 66% / 22%
Source: Forrester Research Inc.

Systems management tools, market share: Computer Associates 23.3%; IBM/Tivoli 17.3%; BMC Software 10.6%; HP OpenView 4.8%; Other 44%. REF: Gartner Group/Dataquest

(29) Software Procurement
Within the framework of a project, this process procures and modifies applications, operating system software, other supporting software and all the related documentation. It controls the basic "buy" cycle.
1. Define detailed requirements for the ideal system.
2. Review the integrity and performance of available offerings, including promised vendor modifications.
3. Negotiate compromises with users.
4. Confirm or amend the "buy" decision and select the system.
5. Define system recovery for the operating environment.
6. Generate the system and execute the provided tests.
7. Publish instructions for integrating into the operating environment.
8. Integrate and test the application/software including supplied modules.
9. Install the application software.

Steps in Selecting a Vendor
1. Create the vision, strategy and objectives.
2. Create a prioritized feature/function list.
3. Create a software candidate list.
4. Narrow the field to four to six serious candidates.
5. Create the Request For Proposal (RFP).
6. Review the proposals.
7. Select two or three finalists.
8. Meet with customers.
9. Select the winner.
10. Justify the investment.
11. Negotiate the contract.
12. Run a pre-implementation pilot.
13. Validate the justification.
14. Share lessons learned.

Factors influencing CIOs when buying software (average ranking on a five-point scale): Functionality 4.04; Total cost of ownership 3.64; Compatibility with existing systems 3.10; Ease/speed of implementation 2.83; New technology 2.40. Ref: survey of 500 CIOs by Salomon Smith Barney Inc.

Software Contract Elements (1 of 2)
1. The right to assign the software license to a new corporate entity resulting from a merger, consolidation, acquisition, or divestiture.
2. The right to use the software for the benefit of a business unit formerly within your corporate organization that has been sold.
3. The right to assign the software license to, or allow the software to be used by, an outside entity if you outsource your data processing operations.
4. The right to make and own derivative works (i.e., code changes, translations, adaptations) based upon the software.
5. The right to port the software to any platform supported by the vendor at no or minimum charge.
6. Licenses that permit unlimited use within your corporate organization (i.e., "enterprise-wide" licenses).
7. In situations other than enterprise-wide licenses, the right to transfer the software to other equipment and operating systems at no cost.
8. In situations other than enterprise-wide licenses, the right to use the software for the benefit of other entities (e.g., parent, subsidiary, division) within your corporate organization at no cost.
9. In situations other than enterprise-wide licenses, the right to transfer the software license to an existing entity (e.g., parent, subsidiary, division) within your corporate organization at no cost.
10. Limited liability for breach of your obligations under the software license agreement.
11.
Prohibition against devices in the software that control your compliance with the software license. Software Contract Elements 2 of 2 12. The right to customize the duration of the software acceptance period. 13. The right to define software acceptance as occurring only upon your written notice. 14. Specific remedies for vendors non performance. 15. Incentives to licensors to reward the performance in providing services. 16. A remedy for consequential damages that you suffer. 17. Use of your own form in place of the licensors form for licensing contracts. 18. Contractually defined differences between i) enhances, release, versions,etc., that you receive by subscribing to software support ii)Those the vendor insists are a new product requiring a new license. 19. Vendors responsibility to meet the cost of procuring alternatives third-party support if the vendor fails to provide adequate and timely service. 20. A cap on future maintenance prices. 21. Permissions to exempt individuals-employee, contractors from signing documents that acknowledge confidentiality of software or to bind them to terms of the license. 22. Avoidance of partial payments to vendors based on check points. 23. Contractual assurances regarding forward compatibility of software which changes in operating systems. 24. Contractual assurances regarding forward compatibility of software which changes in hardware. 25. Contractual assurances regarding forward compatibility of software which changes in other software from the same vendor. To get better software & service and pressure the industry to reform its practices: • Refuse to pay in full for a license up front. Instead, negotiate a contract with your vendor that allows you to pay a percent of the total cost up front and then the remainder six months to a year later if the product and services is acceptable. • Adopt open-source technologies. Open source provides CIOs with the flexibility to custom-build applications under their own control. 
• Seek out vendors that offer renewable and subscription licenses.
• If you're having continual problems with an application, go directly to the developer rather than to the tech support staff or salesperson. The person who has worked on the application may have some pride of ownership.
• Network with your vendor's other customers to find out if they too are experiencing problems with the software. If so, band together and plan a tag-team meeting with the vendor. There really is strength in numbers.
• If all else fails, take your vendor to court.

SW Product Assessment Criteria
• Community Adoption and Experience
• Ease of Use
• Features/Function
• Flexibility
• Future Direction
• Integration
• Installation Effort
• Maintenance
• Maturity
• Methods
• Performance
• Politics
• Price
• Response Time
• Security
• Service/Support
• Skills
• Tools
• User Growth
• Vendor Financial Relationship
• Vendor History
• Vendor Reference
• Vendor Reputation

(30) Hardware Procurement and Upgrade
Within the framework of a project, this process selects, installs, removes, modifies and upgrades I/S hardware/facilities.
1. Define detailed requirements.
2. Select hardware/network/facility.
3. Lay out the physical planning.
4. Define hardware/network/facility recovery.
5. Test the new unit.
6. Test the complete system.
7. Install the hardware/network/facility.
Vendor Screening Process
Data sources: Publications, Trade Shows, Peer Companies, Consultants, Web Search, Financial Analysts, Research Firms.
1. Vendor List: assembled from the data sources above and the Master Vendor Inventory & Selection Criteria.
2. Determine Screening Criteria: Vendor Size, Product Technology, Geographic Presence, Industry Focus, Functional Coverage.
3. Screen for Primary Criteria: Vendor Size, Functionality, Technology.
4. Screen for Secondary Criteria: Industry Focus, Geographic Presence.
5. List of Vendors / Vendor Options: Full Coverage, Best-of-Breed, High-Custom Vendors.
6. Determine Approach for Due Diligence (alternatives are scored on the Decision Analysis Worksheet).

HW Product Assessment Criteria (same as SW): Community Adoption and Experience, Ease of Use, Features/Function, Flexibility, Future Direction, Installation Effort, Integration, Maintenance, Maturity, Methods, Performance, Politics, Price, Response Time, Security, Service/Support, Skills, Tools, User Growth, Vendor Financial Relationship, Vendor History, Vendor Reference, Vendor Reputation.

Decision Analysis Worksheet
Decision statement: (stated at the top of the worksheet)
Rows: objectives, each with a weight (WT). Columns: alternatives A through M, each given a score (SC) against every objective. The bottom row holds the total weighted score for each alternative.

Price Is Your Top Factor in Choosing a Vendor
Price                                                 52%
Expertise in my particular industry                   38%
Integration capabilities                              28%
Qualifications of customer service representatives    25%
Service level agreements                              24%
Ref: IDC

What's the most important value of a premiere or platinum level service and support agreement for PCs? (% of respondents, 0-25% scale)
• Volume price discounts
• Custom PC configuration
• PC warranties of more than 1 year
• On-site services: 4 hours or less
• Dedicated technical support
• On-time delivery of PC systems
• Other
Data: Information Research survey of 150 IT managers; base: 64 premiere support customers

How important are these attributes of hardware service providers, and how satisfied are you with their delivery? (Importance and Satisfaction each rated 1 = not at all important or satisfied to 5 = extremely important or satisfied)
• Getting correct part
• Knowledge of technician
• Meeting contracted-for response time
• Fast resolution of problem
• Overall on-site service quality
• On-site service during warranty
• Depot repair service quality
• Telephone technical support
Data: Dataquest survey of 211 IT hardware managers

Room for Improvement: In which areas would you like to see improvement from your hardware service providers? (% of respondents, 0-70% scale; multiple responses allowed)
• On-site response time
• Technical product skills
• Parts availability
• Price charged for the value received
• Problem resolution time
• Telephone support response time
• Customer-relationship skills
• Multivendor capabilities and skills
• Number of products serviced
• Adequate geographic coverage
• Simplified contract administration
• Electronic remote support
Data: Dataquest survey of 211 IT hardware managers

Approaches to Contracting (competitive vs. non-competitive)
Simplified: Purchase cards; Borrow funds or petty cash; Auctioning; Purchase agreements
Formal: Sealed bidding; Two-step sealed bidding; Competitive proposals; Competitive negotiations; Sole-source negotiation; Single-source negotiation

Contract Categories and Types
Fixed-Price: Firm-fixed-price; Fixed-price with economic price adjustment; Fixed-price incentive
Cost-Reimbursement: Cost-reimbursement; Cost-plus-a-percentage-of-cost; Cost-plus-fixed fee; Cost-plus-incentive fee; Cost-plus-award fee
Time-and-Materials or Unit Price: Time-and-materials; Unit-price

Types of Lock-In and Associated Switching Costs
Type of lock-in              Switching costs
Contractual commitments      Compensatory or liquidated damages
Durable purchases            Replacement of equipment; tends to decline as the durable ages
Brand-specific training      Learning a new system, both direct costs and lost productivity; tends to rise over time
Information and databases    Converting data to a new format; tends to rise over time as the collection grows
Specialized suppliers        Funding of a new supplier; may rise over time if capabilities are hard to find/maintain
Search costs                 Combines buyer and seller search costs; includes learning about the quality of alternatives
Loyalty programs             Any lost benefits from the incumbent supplier, plus possible need to rebuild cumulative use

Do most IT salespeople understand your business? Yes 22%, Some 5%, No 73%
Has an IT salesperson used hard-sell or overly aggressive tactics? Yes 55%, No 45%
Source: Computer Information Management Group, Framingham, Mass.

Get to Know Your Vendor
1. Who are some of their customers?
2. What is their previous experience in our industry?
3. Can they provide data on recently completed projects?
4. What is their fiscal calendar?
5. Can our CFO meet their CFO?
6. How big is their workforce, and what portion is onshore vs. offshore?
7. What's their corporate hierarchy?
8. What if...?
9. Who is our account manager?
10. What is their business plan?

FOUR WAYS NOT TO PERSUADE
• They attempt to make their case with an up-front, hard sell.
• They resist compromise.
• They think the secret of persuasion lies in presenting great arguments.
• They assume persuasion is a one-shot effort.
Tips for dealing with IT sales representatives:
• Establish ground rules up front
• Keep it simple
• Bring in your procurement officers and negotiators as early as possible
• Establish a single point of contact for the salesperson and stick to it
• If they go over your head, respond by going over theirs and ask to meet with their supervisor
• Have them first meet with technical staff members who can evaluate their products
• Keep it competitive, but reduce the number early
• Insist on testing the product within your own environment
• Don't let them take control of the sales process. Focus on your objectives
• Don't let them pressure you into a sale (as in, "Act now before our prices go up"). Chances are they're just trying to land a quick deal to make their quarterly quota
• Identify the issues to be negotiated
• Establish a "bottom line" (the walk-away point) and leave room to negotiate back to the "bottom line"
• Offer sound business justification for your position

Vendor Negotiating
• Negotiate each point separately
• Keep at least two vendors in the mix
• Don't single-source the negotiation
• Timing is everything
• Keep talking to current and prospective customers
• Don't compare apples to oranges
• Nominate a "bad cop" for your team in advance
• Ensure that the vendor must close the deal
• Employ "bogeys" to force reciprocal concessions
• Check the contract for liability limitations
• Know when to disappear
• Know when to say when
• Watch the licensing terms
• Do not be afraid to ask

Power up to Persuade
Do use:
• Affirmative language: "when" instead of "if"
• Words that convey acceptance of responsibility: "I'll help you myself"
• Win-win phrasing: "Let's talk it through and see where we end up"
• Decisive phrases that get to the point: "This will fit your needs exactly"
Don't use:
• Phrases that call your integrity into question: "To be perfectly honest..."
• Ineffective intensifiers ("very", "definitely" and "surely") or hesitation and fillers
• Tag questions at the end of sentences ("...don't you think?") that convey uncertainty
• Disclaimers ("I'm not an expert but...") that invite the listener to disagree with or challenge you
• Hedges and qualifiers: "sort of" or "perhaps"
• Apologies for situations over which you lack control
Source: Artful Persuasion: How to command

RELATIVE IMPORTANCE OF STANDARD COMPUTER CONTRACT PROVISIONS
Most important: Scope of the software license; Warranty; Exclusion or limitations of warranties; Limitation of user's remedies; Limitation of user's right to damages; Price; Ownership of intellectual property rights
Less important: Governing law; Venue; Term of the contract; Assignability of the Agreement; Period of limitations; Severability; Return of property at conclusion of agreement
Least important: Events of default; Amendments to Agreement; Waiver of contract provisions; Notice requirements; Survivability of clauses
PICK YOUR FIGHTS!!!

17 Ways to Bust a Deadlock
1. Brainstorm creative alternatives.
2. Look for an outside standard or precedent.
3. Go off the record.
4. Have the principals work it out.
5. Take a break.
6. Get a mediator or arbitrator.
7. Try a procedural solution (e.g., draw lots; flip a coin; one cuts, the other chooses).
8. Appeal to someone with more authority.
9. Set a time limit.
10. Speed up.
11. Slow down.
12. Crack a joke.
13. Set up a meeting or a conference call.
14. Change the negotiators.
15. Spend more time studying the problem.
16. Bring in an expert.
17. Do nothing.

WIN-WIN WILL KILL YOUR DEAL
• Start with "no"
• Develop your mission & purpose
• The dangers of neediness
• The Columbo effect
• Ask questions (who, what, when, where, why, how, which)
• Think about how to say it: nurturing; reversing; connecting; telling 3 times; strip line before hooking
• Find an opportunity to say "Wow, this is bad. I don't know if we can recover from this"
• No expectations, no assumptions, do your homework
• Know their pain
• The importance of time, money, energy, emotion
• Be sure to know the real decision makers

Negotiation Tactics and Countertactics
• Attacks (personal insults, emotional reactions, professional insults). Countertactics: disclose the attack; strike back; give in; break off; explore alternatives.
• Tricks (false data, no authority to negotiate). Countertactics: know the truth (have the right data, establish in writing who has authority); escalate.
• Arbitrary deadlines. Countertactics: agree with the deadline; counter the offer with a compromise schedule; refuse to change the schedule.
• Limited availability. Countertactics: coordinate schedules in advance; counter with your limited availability; be flexible; escalate.
• Third-party scapegoat (third-party approval required, or pretending that such approval is required). Countertactic: escalate to the third party.
• Giveaways. Countertactics: compromise; disclose them as giveaways; exchange giveaways.
• Good guy-bad guy. Countertactics: counter with bad guy-good guy; escalate.
• Prolonging the negotiation. Countertactics: take a break or have a caucus; maintain silence.
• Delays (submission of data, start of negotiation, return from breaks). Countertactics: start on time; claim limited availability; leave or create greater delays.
• Diversions (questions, telephone calls, fax messages, personal breaks). Countertactics: keep things on track (refocus the team, have no phones in the room, allow no interruptions); take a break.
• Stonewall ("take it or leave it," "I shall not move"). Countertactics: give in; say "Yes, and..."; walk away; escalate.
• End-of-quarter or end-of-year negotiation pressure (management wants to spend money now (buyer) or get the deal now (seller)). Countertactic: settle next quarter or next year (do not let time pressure you into a bad deal).

"...the ability to be on the dance floor and in the balcony at the same time."

Crafting Your Behavior
• Slow down the conversation
• Listen and think
• Maintain a buffer between your brain and your mouth
• Consider your response carefully in light of your new guiding principles
• Ask questions to get relevant information
• Catch the cue(s)
• Ask for a time-out (that is, postpone your response) if need be
• Prepare for, and reflect on, interactions
• Think ahead to conversations and interactions
• Reflect back on conversations and interactions
Ref: The Set-Up-to-Fail Syndrome by Jean-Francois Manzoni & Jean-Louis Barsoux

(1 of 2) Charismatics, Thinkers, Skeptics, Followers, Controllers

Description
• Charismatics account for 25% of all the executives we surveyed. They are easily intrigued and enthralled by new ideas, but experience has taught them to make final decisions based on balanced information, not just emotions.
• Thinkers account for 11% of the executives we polled and can be the toughest executives to persuade. They are impressed with arguments that are supported by data. They tend to have a strong aversion to risk and can be slow to make a decision.
• Skeptics account for 19% of the executives we polled. They tend to be highly suspicious of every data point presented, especially any information that challenges their worldview. They often have an aggressive, almost combative style and are usually described as take-charge people.
• Followers account for 36% of all the executives we surveyed. They make decisions based on how they've made similar choices in the past or on how other trusted executives have made them. They tend to be risk-averse.
• Controllers account for 9% of the executives we interviewed. They abhor uncertainty and ambiguity, and they will focus on the pure facts and analytics of an argument.

Typical characteristics
• Charismatics: enthusiastic, captivating, talkative, dominant
• Thinkers: cerebral, intelligent, logical, academic
• Skeptics: demanding, disruptive, disagreeable, rebellious
• Followers: responsible, cautious, brand-driven, bargain-conscious
• Controllers: logical, unemotional, sensible, detail oriented, accurate, analytical

Prominent examples
• Charismatics: Richard Branson, Lee Iacocca, Herb Kelleher
• Thinkers: Michael Dell, Bill Gates, Katharine Graham
• Skeptics: Steve Case, Larry Ellison, Tom Siebel
• Followers: Peter Coors, Douglas Daft, Carly Fiorina
• Controllers: Jacques Nasser, Ross Perot, Martha Stewart

(2 of 2) Charismatics, Thinkers, Skeptics, Followers, Controllers

Buzzwords to use
• Charismatics: results, proven, actions, show, watch, easy, clear, focus
• Thinkers: quality, academic, think, numbers, intelligent, plan, expert, proof
• Skeptics: feel, grasp, power, action, suspect, trust, demand, disrupt
• Followers: innovate, expedite, expertise, similar to, previous
• Controllers: details, facts, reason, logic, power, handle, physical, grab, just do it

Bottom line
• Charismatics: When trying to persuade a charismatic, fight the urge to join in his excitement. Focus the discussion on the results. Make simple and straightforward arguments, and use visual aids to stress the features and benefits of your proposal.
• Thinkers: Have lots of data ready. Thinkers need as much information as possible, including all pertinent market research, customer surveys, case studies, cost-benefit analyses, and so on. They want to understand all perspectives of a given situation.
• Skeptics: You need as much credibility as you can garner. If you haven't established enough clout with a skeptic, you need to find a way to have it transferred to you prior to or during the meeting, for example by gaining an endorsement from someone the skeptic trusts.
• Followers: Followers tend to focus on proven methods; references and testimonials are big persuading factors. They need to feel certain that they are making the right decision, specifically that others have succeeded in similar initiatives.
• Controllers: Your argument needs to be structured and credible. The controller wants details, but only if presented by an expert. Don't be too aggressive in pushing your proposal. Often, your best bet is to simply give him the information he needs and hope that he will convince himself.

Negotiating the Contract Checklist
- Use only a few vendor providers, or consider using a "general contractor" which will coordinate the activities of other vendors
- Clearly identify the institution's negotiation strategies and goals prior to beginning negotiations
- Fully understand the scope of the outsourcing proposal before negotiations begin
- Ensure that risks are assigned to vendors rather than the institution
- Use outsourcing experts and good attorneys who are experienced in outsourcing agreements to ensure a "level playing field" during negotiations
- Clearly document all discussions and decisions
- Discard the service provider's standard contract
- Do not sign incomplete contracts
- Retain institutional approval over the vendor's account and service team members
- Conduct comprehensive reference checks, especially for other higher education customers
- Develop service level measures
- Measure everything during the baseline period
- Clearly identify the pricing model(s) to be used
- Include price adjustment clauses based on the market cost of acquiring or managing specific technologies during the life of the agreement
- Clearly identify transition plans at the beginning and end of the outsourcing relationship
- Include a 30- or 60-day "escape clause" for the benefit of the institution
- Include annual renewal provisions coupled with price adjustments
- Collect fines for non-compliance and non-performance
- Don't be afraid to confront the vendor
- Have an agreed structure for conflict resolution
- Go to the top when necessary
- Set up governing boards and meet regularly
- Clearly specify procedures for problem and change management, as well as escalation procedures leading to penalties for failure to resolve problems within the agreed-upon timeframes
- Clearly define training programs for internal staff
- If institution staff are replaced, specify training and/or outplacement services
- Continuously adapt to business conditions and business volume
- Include a termination clause
- Beware of 'change of character' clauses, e.g. support for new technologies
- Reduce potential avenues for cost overruns
- Maintain continuity of management
- Do not force a bad fit
Source: Lacity & Hirschheim

Managing Vendor Access to Your Business
• Coordinate efforts
• Set up a vendor management capability
• Develop an internal "consumer reports"
• Work with the purchasing department
• Establish consequences for inappropriate vendor behavior
• Reward appropriate behavior

LAST CHART; THE CHARTS FOLLOWING ARE BACK-UPS

(2) Architecture Scanning & Definition
Using the information obtained in the Strategic Planning process and considering the whole enterprise, this process defines in IT terms the goals towards which all further action should be taken. Technology Scanning is defined in a subsequent class.
1. Define the data, information and knowledge architecture for the enterprise.
2. Define the application architecture for the enterprise.
3. Define the IT technology (e.g., networks, computers) architecture for the enterprise.
4. Integrate the architectures.

DEVELOPING AN IT ARCHITECTURE
• Knowledge, Information and Data storage: Accessibility, Viability, Accuracy
• Security
• Network Communications & Data Transport: Obtaining, Exchanging, Client Server
• Computer Systems
• Interfaces
• Application / Data Transformation: Traditional / 3rd Generation / 4th Generation; ERP; CASE; OOPS; ASP; KBS; Virtual Reality; Internet/Intranet/Extranet

DEVELOPING AN IT ARCHITECTURE
• DO WE HAVE THE RIGHT TECHNOLOGIES? ARE THEY INTEGRATED APPROPRIATELY?
• WHAT LEVELS OF INFORMATION ACCESS, SHARING & SECURITY SHOULD WE SUPPORT?
• WHICH APPLICATIONS WILL WE DEVELOP, & WHICH WILL WE BUY?
• WHO WILL MAINTAIN & UPGRADE TOOLS, DATA, & APPLICATIONS?
• WHO WILL ASSESS WHETHER OUR HORIZONTAL ARCHITECTURE IS MEETING THE FIRM'S NEEDS?
• ARE STANDARDS DEFINED, COMMUNICATED, & ADHERED TO?

Platform Decision Makers
• A user department, when it buys a package
• The CFO, because it is a money decision
• The data center, based on its capabilities
• The boss, based on politics
• Application developers, based on their skills?
• The CIO, based on enterprise goals

Technology Domains: Tiered Systems Architecture
[Diagram] Tiers from the outside in: Internet; web browsers (clients); IP load balancers (load balancing); web servers; application servers; data resources (clusters). Management and security span all tiers.

Integrating Architectures by Network
[Diagram] Internet; border routers (MCI Worldcom, UUNET); perimeter network with Local Directors (failover), an intrusion detection system and front-end routers; CC Auth, Order Entry, DNS, SMTP, TNG and Epro servers ("your bubble goes here"); firewall; back-end routers (Shared Services, DSM); interior network; firewalls in front of Production, Test, Corporate Network, Business Partners and Center.

SECURITY ARCHITECTURE
[Diagram of threats mapped onto the components and roles of the architecture]
Components: Local Area Network, Firewall, Database, Hardware, Systems Software, Application, Internet, Terminals, Processor, PCs, Access rules.
Roles: Programmer, Systems Programmer, Operator, Authorizer, External Environment.
Threats shown:
• Abuse of access controls
• Accidental errors in processing/storage
• Viruses (including viruses on disks)
• Denial of services
• Unauthorized access; failure of protection mechanisms
• Copying; information leakage; theft
• Contribution to software failure
• Installing unauthorized software; installation (use) of unauthorized hardware
• Programming of applications to behave contrary to specification
• Tap; crosstalk; radiation
• Located in an insecure environment
• Duplication of confidential reports; theft of confidential material
• Bypassing security mechanisms; disabling security mechanisms
• Fraudulent identification
• Initializing an insecure system; installing an insecure system
• Illegal leakage of authorized information
• Physical theft; electronic theft; fraud
• Incorrect specification of security policy
• Natural disasters; malicious attacks
• Unauthorized access to the computer center
• Illegal or illicit use of computing resources

Web Services Architecture
[Diagram] A public Web Services Directory (UDDI) on the Internet, used by partners' Internet sites and external marketplaces; a load balancer and firewall in front of a DMZ of HTTP servers; inside the trusted network, an Enterprise Service Bus (WSDL, SOAP) with a UDDI application server and a private Web Services Directory; enterprise web services (CRM, Data Mgmt., Security, Content Mgmt., Business, User Profile, Infrastructure) reached through a service broker (ODBC/JDBC, message brokers, other middleware, native APIs); third-party systems, collaboration services (email, chat, etc.), enterprise legacy systems and open-system databases; enterprise infrastructure (data mgmt., security, hosting/DR, system mgmt., network, transaction mgmt.). Based on Web services standards.
Ref: RCG Information Technology, "White Paper on Web Services Architecture" by Rasesh Trivedi, Senior Manager, RCG IT: www.rcgit.com/company/whitepapers/WebServicesArchitectureModelsWPv1.pdf

ARCHITECTED DATA WAREHOUSING SYSTEM
[Diagram] Parent legacy and operational systems feed a data transformation and cleansing process into the data warehouse (with meta data and an archive); the warehouse feeds web-enabled data marts and strategic reporting systems.

Integrating Architectures by Applications
[Diagram] Customers, partners, sales force, call center and employees pass through a firewall to a common layer of single sign-on, entitlement, personalization, workflow, common UI, globalization and an integrated development environment; XML adaptors connect this layer to legacy systems, ERP, EDI and CRM. Source: Asera Systems

CRM ARCHITECTURE
Life cycle: SALES (Marketing, Sales); DELIVERY (Order Management, Delivery); AFTER-SALES (Billing, Customer Service).
Degree of integration for CRM, from LOW to HIGH:
(i) Completely disparate systems, no interface, no information sharing
(ii) Separate systems, some interfaces, some information sharing, a partial view of the customer over the life cycle (plus optionally a data warehouse, not shown)
(iii) Full information sharing, full view of the customer over the life cycle, interfaces to back-office systems (plus a data warehouse, not shown)

Business Architecture
• Business Strategy & Organization
• Business Process Model
• Information Architecture / Data Architecture
• Applications Architecture: APPLICATIONS PORTFOLIO; Applications Technical Design Standards
• Technology Plan
• Operations: $ Service Delivery Model
• Infrastructure Architecture

IT Standards Documentation, Communication, and Update Process
1. Analyze the current platform.
2. Set standards: scope and develop standards; set current platform standards and execute the appropriate migration plan.
3. Steady-state management: document standards and rationale; document/manage exceptions; periodic standards update/review; refine standards based on IT Processes input; update procurement processes; communicate to the IT Steering Committee and refine; communicate standards corporate-wide.
Ref: The Executive's Guide to Information Technology by John Baschab & Jon Piot

Systems Integration in the Global Enterprise
Key factors            Strategic business units                         Current interfaces, problems and issues across SBUs (data collection)
Organizational culture Centralized human resources?                     Narrative
Language barriers      Primary / Secondary                              Screen language differences?
Currency translation   Primary denominators / Auxiliary denominators    Multicurrency?
Statutory requirements Local government / Laws                          Value-added tax? Privacy?
Autonomy               Corporate links / Decentralization               Local area networks? Wide area networks?
Business rules         Measurement systems                              Activity-based costing?
Core products          Model numbers / Part numbers / Model descriptions Consistent?
Suppliers / Customers  Customer files / Vendor files                    Supplier / customer numbers consistent?
REF: Zachman, IBM Systems Journal 1987

Notable Standards Efforts
• Central Computing and Telecommunications Agency (CCTA) Methodology: IT Infrastructure Library (ITIL), http://www.exin.nl/itil/itinf/home
• Service Level Agreement (SLA) Working Group created by the Distributed Management Task Force (DMTF), http://www.dmtf.org
• The Appl MIB by the Internet Engineering Task Force (IETF), http://www.ietf.org
• Application Resource Measurement (ARM)

INFRASTRUCTURE MANAGEMENT TOOLS
• Fenway (Dirig Software Inc., Nashua, N.H., www.dirig.com): starts at $15,000 to $30,000
• Silk Performer (Segue Software Inc., Lexington, Mass., www.segue.com): starts at $25,000
• Silk Test (Segue Software Inc.): starts at $6,500
• HP OpenView (Hewlett-Packard Co., www.hp.com): starts at $23,900 for the Operations console, $230 per node
• SiteScope (Freshwater Software Inc., Boulder, Colo., www.freshwatersoftware.com): $995 for 25 monitors
• Patrol (BMC Software Inc., Houston, www.bmc.com): separate Predict and Perform versions for Oracle ($290 and $390 per server, respectively) and Unix ($395 and $875); Storage Resource Manager (starts at $40,000); Service Level Management (starts at $5,000 plus $195 per managed node; Windows versions start at $815)
• Tivoli Enterprise Console (Tivoli Systems Inc., Austin, Texas, www.tivoli.com): approximately $300 per node
• Site Angel: starts at $900 per year
• Unicenter TNG (Computer Associates International Inc., Islandia, N.Y., www.ca.com): starts at $2,500
• Peakstone eAssurance (Peakstone Corp., Sunnyvale, Calif., www.peakstone.com): $48,000 plus $4,800 annually per Web server CPU

The US standard railroad gauge (distance between the rails) is 4 feet, 8.5 inches. That is an exceedingly odd number. Why was that gauge used? Because that is the way they built them in England, and English expatriates built the US railroads. Why did the English build them like that? Because the first rail lines were built by the same people who built the pre-railroad tramways, and that is the gauge they used. Why did "they" use that gauge then?
Because the people who built the tramways used the same jigs and tools that they used for building wagons, which used the same wheel spacing. Okay! Why did the wagons have that particular odd wheel spacing? Well, if they tried to use any other spacing, the wagon wheels would break on some of the old, long-distance roads in England, because that's the spacing of the wheel ruts. So who built those old rutted roads? Imperial Rome built the first long-distance roads in Europe (and England) for their legions. The roads have been used ever since. And the ruts in the roads? Roman war chariots formed the initial ruts, which everyone else had to match for fear of destroying their wagon wheels. Since the chariots were made for (or by) Imperial Rome, they all had the same wheel spacing.

The United States standard railroad gauge of 4 feet, 8.5 inches is derived from the original specification for an Imperial Roman war chariot. Specifications and bureaucracies live forever. So the next time you are handed a specification and wonder what horse's behind came up with it, you may be exactly right. This is because the Imperial Roman war chariots were made just wide enough to accommodate the back ends of two war-horses.

Now, the twist to the story... There is an interesting extension to the story about railroad gauges and horses' behinds. When we see a Space Shuttle sitting on its launch pad, there are two big booster rockets attached to the sides of the main fuel tank. These are solid rocket boosters, or SRBs. Thiokol makes the SRBs at their factory in Utah. The engineers who designed the SRBs might have preferred to make them a bit fatter, but the SRBs had to be shipped by train from the factory to the launch site. The railroad line from the factory happens to run through a tunnel in the mountains. The SRBs had to fit through that tunnel. The tunnel is slightly wider than the railroad track, and the railroad track is about as wide as two horses' behinds.

So, a major design feature of what is arguably the world's most advanced transportation system was determined over two thousand years ago by the width of a horse's behind!

Think?
• Which processes are most important?
• Who owns each of these process containers?
• How much resource will be applied to each process?
• How effective is each of these processes today?
• What priority should be placed on improving each of these processes?
"JSR IT Processes"