Lecture 3: IT Processes
Instructor: Rajeev Dwivedi
Desk-7A, Library Admin (3rd Floor)
Stevens Institute of Technology, NJ-07030
Time: 06:15-08:45PM (Tuesday)
1. Business Strategic Planning
2. Architecture Scanning & Definition
3. IT Strategic planning and Control
4. Application Planning
5. Data Planning
6. Systems Planning
7. Network Planning
8. Project Planning
9. Service Level Planning & Management
10. Business Continuity Planning
11. Security Planning & Management BT 450
12. Audit Planning & Management
13. Capacity Planning & Management
14. Skills Planning & Management
15. Budget Planning & Value Management SMC Projects
16. Vendor Planning & Management
17. Management Systems Planning & Monitoring
18. Project Definition
19. Project Scheduling
20. Project Controlling
21. Project Requirements Control
22. Project Evaluating
23. Change Control
24. Asset Management
25. Production and Distribution Scheduling
26. Problem Control
27. Service Evaluating
28. Software Procurement
29. Software Upgrade
30. Hardware Procurement and Upgrade
31. Systems Maintenance
32. Tuning and System Balancing
33. Financial Performance
34. Education and training
35. Staff Performance
36. Hiring, Retention
38. Service Marketing
(11) Security Planning & Management
Using individual requests, this process builds an overall plan to
ensure the agreed levels of security for the systems and services
will be met.
1. Consolidate security requirements of all service
2. Define business and IT security operating environment.
3. Identify variances between operating environment and
4. Develop overall security plan.
Most companies don't spend as much money on protecting data as
they spend on coffee for employees. Less than 0.0025 percent of
corporate revenue is spent on corporate information-technology
Our adversaries, be they run-of-the-mill hackers or devoted members of
terrorist cells, have the same training and much the same access to
technology as we do. "Our future enemies understand our technology at
least as well as we do."
Most of the nation's critical infrastructure (the power grid, voice networks,
and water supplies) is vulnerable. You'll find computers at the heart of
all these systems. Terrorists have a wide range of technology targets,
not all of them in cyberspace.
White House Special Advisor
On Cyber Security Issues
How many vendors' products have you currently deployed for...
(percent of respondents; columns are 0 vendors, 1 vendor, 2 vendors, 3+ vendors, Don't know;
rows with fewer than five values lost their column alignment in extraction)
Antivirus          43%  30%  27%
VPN                57%  27%  17%
Firewall           67%  23%  10%
Network IDS        10%  57%  20%   7%   7%
Two-factor         23%  63%  10%
Personal firewall  33%  40%  10%  13%
Host IDS           50%  37%   7%
Single sign-on     60%  27%   7%
What is the single greatest threat to your
company’s enterprise network security?
Trojans, viruses and malicious code
Employee error (unintentional)
Sabotage by employee or partner
Base: 606 respondents
SOURCE: IDC. “WORLDWIDE IT SECURITY SOFTWARE, HARDWARE, AND SERVICES 2004-2008 FORECAST.” 2004
BAD BUG BYTES 2000
HIT BY HACKER
HACKER ENTERED THE SITE AND COPIED 15,700 CUSTOMER
CREDIT-CARD AND DEBIT-CARD NUMBERS.
CUSTOMERS WERE TOLD TO GET NEW CREDIT CARDS AND
BAD BUG BYTES 2003
HIT BY HACKER
HACKER ENTERED THE SITE AND GOT HOLD OF A CUSTOMER
SATISFACTION SURVEY, THEN LEAKED ALL NEGATIVE
COMMENTS TO ANALYSTS AND PRESS.
BAD BUG BYTES 2003
Data Processors International
HIT BY HACKER
MASTERCARD: 2.2 MILLION CREDIT-CARD NUMBERS IMPACTED
VISA: 3.4 MILLION CREDIT-CARD NUMBERS IMPACTED
AMERICAN EXPRESS & VISA ALSO AFFECTED
HIT BY INSIDER June 2004
A former employee was charged with stealing the Internet
provider's entire subscriber list -- over 30 million consumers,
and their 90 million screen names -- and selling it to a
Bank of America Corp. lost digital tapes
containing the credit card account records
of 1.2 million federal employees including
60 U.S. senators, when shipping backup
tapes to offsite storage.
Security addresses all elements of e-business
People: Employees, Vendors, Suppliers, Customers
e-business infrastructure: Assets and Networks
Lifecycle: Assess, Protect, Detect, Recover, Manage
Threat sources: Deliberate, Accidental, Natural
Security is about managing risk, not eliminating it
Eliminating risk is nearly impossible
Reducing risk to an acceptable level is possible
e.g., credit card fraud
Security is a process, not just products
Software cannot resolve people problems
Chart: Annual Internet security incidents reported, 2000-2003 (values not recoverable). Ref: Computer Emergency Response Team (CERT).
Chart: Newly documented Win32 worms and viruses, by half-year from 1H 2001 to 1H 2004 (values not recoverable). Ref: Symantec Corp.
Chart: Software and network holes (newly reported vulnerabilities) continue to plague IT security, by half-year from 1H 2001 to 1H 2004 (values not recoverable). Ref: Symantec Corp.
Types of Attack or Misuse
INSIDER ABUSE OF NETWORK ACCESS
UNAUTHORIZED ACCESS BY INSIDERS
DENIAL OF SERVICE
THEFT OF PROPRIETARY INFO
RE: CSI/FBI 2003 COMPUTER CRIME AND SECURITY SURVEY
Virus infection sources (% of respondents):
Email attachment 56%
Diskette from home 25%
Diskette (other sources such as sales demos) (value not recoverable)
Download (external) 11%
Web browsing 3%
Download (internal systems) 2%
Don't know 7%
69% of U.S. companies have been hit by a computer virus -- FBI
Note: Multiple answers permitted. Sample: 300 enterprise organizations.
Source: International Computer Security Association's Computer Virus Prevalence Survey
Charts (Ref: Good Harbor Consulting LLC; values not recoverable):
Reported virus incidents, 2000 vs 2003 (number of incidents): virus attacks are up dramatically...
Worldwide cost of worms and viruses, 2000 vs 2003: ...and the cost of the damage is exploding...
Average corporate IT-security budgets, 1998 vs 2003 (% of IT budget): ...but security budgets aren't
Of companies hit by viruses and espionage, most can't estimate the value of the damage
Macro viruses: hit 51%, not hit 49%
Industrial espionage: hit 38%
Estimated damage among those hit: under $100,000 15%; over $100,000 1%; can't estimate 84%
(chart residue; which of the two categories each damage figure applies to is not recoverable)
Respondents = 627 US IT professionals
Data: InformationWeek/Ernst & Young Security Survey
What was the most severe impact of the security breaches your company has
(percent of respondents: under 1,000 employees / over 1,000 employees)
We were inconvenienced and lost ...: 73.2% / 75.2%
We lost tangible assets (data, ...): 2.1% / (not recoverable)
Customers/vendors were unable to retrieve information: 9.1% / 6.0%
Publicly embarrassed: 17.2% / 16.8%
How have viruses affected your company? (% of respondents; values not recoverable)
Loss of productivity
PC was unavailable
Loss of access to data
Loss of user confidence
Interference or lockup
Trouble reading files
Trouble saving files
Threat of job loss
Data: ICSA Labs
WORST SECURITY OUTBREAKS EVER
Rank. Name, year: worldwide impact*
1. Love Bug, 2000: $8.75 billion. Hopelessly lonely recipients think they are getting a real love letter in their e-mail.
2. MyDoom, 2004: $4.75 billion. At its peak, infects one in 12 e-mails on the Internet.
3. Sasser, 2004: $3.5 billion. German cybercops nab its teenage author, Sven Jaschan. An IT security firm then offers him a job.
4. NetSky, 2004: $2.75 billion. One of its variants disguises itself as a Harry Potter computer game.
5. SoBig, 2003: $2.75 billion. Hits a week after Blaster (No. 8, below), helping cause a summer of pain for computer users and Microsoft.
6. Code Red, 2001: $2 billion. Gives the phrase "denial of service" new meaning.
7. Slammer, 2003: $1.5 billion. Targets small businesses running Microsoft programs most didn't even know they had.
8. Blaster, 2003: $1.5 billion. Shuts down the Maryland DMV for a day. Famous for twitting Bill Gates: "Stop making money and fix your software."
9. Klez, 2002: $1.5 billion. Randomly spews files of its victims everywhere as e-mail attachments.
10. Nimda, 2001: $1.5 billion. Striking the week after 9/11, this combination virus and worm triggers three FBI investigations.
SOURCE: FORTUNE, October 18, 2004. *Estimated cost to corporations
Dollar Amount of Losses by Type (thousands of dollars)
Theft of Proprietary Info   $120,827K
Financial Fraud             $115,753K
Insider Net Abuse            $50,099K
Denial of Service            $18,371K
System Penetration           $13,055K
Laptop Theft               $11,766.5K
Telecom Fraud                 $6,015K
Unauth. Insider Access         $4,03K (figure garbled in source)
Telecom Eavesdropping           $364K
Source: Computer Security Institute, CSI/FBI
Chart: Low confidence in Net privacy. Users who are very or somewhat worried about interception of: (categories and values not recoverable; axis 0-60%).
Source: Louis Harris for Privacy & American Business
Internet Detective 5.0
The Easy Way to Find Out the Truth About Anyone
Instant Unlimited Searches! In the privacy of your
own home. Right on your own personal computer.
Find out ANYTHING:
Motor Vehicle Records
Phone numbers and Addresses
Social security numbers and records
Current or past employment
Net Detective is an amazing new tool that allows you to find out "EVERYTHING you
ever wanted to know about your friends, family, neighbors, employees, and even your
boss!" You can even check out yourself. It is all completely legal, and you can do it all in
the privacy of your own home without anyone ever knowing. It's even better than hiring a
NetDetective 5.0® self-installs and is compatible with all Internet-related software. If you
have a credit card you can save by ordering direct, only $29.00 ($49.50 retail price).
With our INSTANT DELIVERY system your copy will be running on your computer in
less than 3 minutes.
The Feds Are Watching
The three enforcement actions – which provide a road
map for what other companies should do – are described
at the following Web address:
In addition, the FTC provides a security checklist at:
How will your enterprise arm itself to address increasing
Information Security Hierarchy (six layers; the layer numbering was lost in extraction)
Information security Policy & Standards
Information security Architecture & Processes
Information security Awareness and Training
Information security Technologies & Products
Auditing, Monitoring, Investigating
Validation
Which of the following are hurdles in your efforts to improve data-protection capability? (% of respondents)
Funds are not available for building a better system: 66%
Business managers do not perceive the value of data protection: 33%
We lack the human resources to maintain or manage our capability: 31%
Our business processes are changing constantly: 23%
We lack the ability to test and validate alternative approaches: 23%
Options and vendor claims are confusing: 21%
Our data is growing faster than is our ability to protect it: 20%
We don't have any specific disaster-recovery or data-protection competency in our staff: (value not recoverable)
Data protection is not a centralized function; every department or business unit has its own approach: (value not recoverable)
We have trouble making data-protection technology work with our infrastructure: (value not recoverable)
Ref: Network Computing E-mail Poll, 623 respondents
Top Security Obstacles (% of respondents; values not recoverable)
Need to get hit to change
Lack of HR support
Lack of awareness
Lack of tools
Note: total exceeds 100% because multiple responses were permitted. Respondents = 530 U.S. IT managers and professionals
DATA: INFORMATION WEEK/ERNST & YOUNG SECURITY SURVEY
e-business Security Threats
We Think About:
But Don’t Forget:
DO YOU HAVE A FIREWALL???
Computer abuse offenders by occupation (% of offenders). Every group listed is a legitimate, authorized user; a perimeter firewall does not stop any of them.
Application programmers 18
Clerical personnel 14
Other system users 14
System analysts 6
Machine operators 6
Top executives 4
Other EDP staff 3
Data entry staff 3
Systems programmers 3
Security officers 1
"Other" stands for a general category of nonclerical and nonmanagerial users
Motivations for Abuse (pie chart; only one value, 30%, survives extraction and cannot be assigned to a category):
Personal Gain; Ignorance of Proper Conduct; Misguided Playfulness; Maliciousness
Who’s Breaking Into Your Systems?
Disgruntled existing and former employees and contractors
Organized crime (extortion, money-laundering, insider trading)
Cybercriminals (fraud and information reselling)
Kids and teen-agers
Other (including governments)
THE ENEMY WITHIN
Employee theft has overtaken workplace violence as the top
corporate security concern, while fraud and white collar crime
have rocketed up from seventh place to third.
RANKING POTENTIAL SECURITY THREATS
Fraud, white-collar crime
Careless employee selection
Hardware & software theft
Source: Pinkerton's, Inc., Encino Calif..
Base: 147 corporate security directors at Fortune 1,000 companies; 137 corporate security directors at Fortune 1,000 companies
Top Tips for Preventing Insider Attacks
1. Do not give employees access to systems they don't need or allow them
continued access when they no longer need it.
2. Tie identity management and password provisioning systems directly to
your HR systems, including payroll.
3. Establish basic policies. For example, no user should have unfettered
access to both accounts payable and accounts receivable.
4. Establish clear consequences for inappropriate employee behavior,
such as looking at unauthorized material after hours.
5. Enforce the use of strong passwords, virus protection software, and
personal firewalls for employees who work from home.
6. Perform a risk analysis on your key data assets to identify their value
and potential damage from a loss, and to determine their vulnerability.
7. Use redundant logging systems to deter malicious behavior. Keep all
Sources: IBM, Symantec, Netegrity
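The first three tips above (access that ends when the need ends, provisioning driven by HR status, and a separation-of-duties rule such as never combining accounts payable with accounts receivable) are all checkable from data the organization already has. The following is an added example, not code from the lecture or from IBM, Symantec or Netegrity: a reconciliation script that compares an application entitlement export against the HR roster and reports leavers, accounts HR has no record of, dormant accounts and toxic role combinations. The roster, entitlements, role names, login dates and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Added example (not from the lecture or its sources): reconcile an
application entitlement export against the HR roster.  Implements tips 1-3
above: access that is no longer needed is flagged, leavers are driven from HR
status, and toxic role combinations (AP + AR) are reported.  Every data set,
role name and threshold below is a constructed assumption."""
from dataclasses import dataclass
from datetime import date

REVIEW_DATE = date(2004, 6, 15)   # assumed date the review is run
DORMANT_DAYS = 90                 # assumed: no login for 90 days => review

# Constructed HR roster; in practice this comes from the HRIS/payroll feed (tip 2).
HR_ROSTER = {
    "alice": {"status": "active",     "dept": "finance", "last_day": None},
    "bob":   {"status": "terminated", "dept": "it",      "last_day": date(2004, 5, 31)},
    "carol": {"status": "active",     "dept": "sales",   "last_day": None},
    "dave":  {"status": "leave",      "dept": "finance", "last_day": None},
}

# Constructed entitlement export: user -> roles held across applications.
ENTITLEMENTS = {
    "alice": {"erp:ap_approver", "erp:ar_posting", "mail"},
    "bob":   {"vpn", "mail", "erp:admin"},
    "carol": {"mail", "crm"},
    "eve":   {"vpn", "mail"},               # no HR record at all
    "dave":  {"mail", "erp:ap_approver"},
}

# Constructed last-login dates taken from the applications' own logs.
LAST_LOGIN = {
    "alice": date(2004, 6, 10),
    "bob":   date(2004, 6, 2),
    "carol": date(2004, 2, 1),
    "eve":   date(2004, 6, 9),
    "dave":  date(2004, 6, 1),
}

# Role combinations no single person may hold (tip 3: AP vs AR).
SOD_CONFLICTS = [
    ({"erp:ap_approver", "erp:ar_posting"}, "AP approval + AR posting"),
    ({"erp:admin", "erp:ap_approver"},      "ERP admin + AP approval"),
]


@dataclass
class Finding:
    user: str
    kind: str      # orphan | leaver | suspend | sod | dormant
    detail: str


def review_access(roster, entitlements, last_login, today):
    """Return the list of findings an access reviewer should act on."""
    findings = []
    for user, roles in entitlements.items():
        rec = roster.get(user)
        if rec is None:
            # Account exists in the application but HR has never heard of it.
            findings.append(Finding(user, "orphan", "no HR record; disable pending review"))
            continue
        if rec["status"] == "terminated":
            # Leaver still holds access: revoke everything, not just the obvious roles.
            findings.append(Finding(user, "leaver",
                                    f"terminated {rec['last_day']}; revoke {sorted(roles)}"))
            continue
        extra = roles - {"mail"}
        if rec["status"] == "leave" and extra:
            findings.append(Finding(user, "suspend",
                                    f"on leave; suspend {sorted(extra)} until return"))
        for combo, label in SOD_CONFLICTS:
            if combo <= roles:
                findings.append(Finding(user, "sod", label))
        seen = last_login.get(user)
        if seen is None or (today - seen).days > DORMANT_DAYS:
            findings.append(Finding(user, "dormant", f"no login since {seen}"))
    return findings


if __name__ == "__main__":
    for f in review_access(HR_ROSTER, ENTITLEMENTS, LAST_LOGIN, REVIEW_DATE):
        print(f"{f.kind:8} {f.user:6} {f.detail}")
```

Run against the constructed data it reports five findings: alice holds both AP and AR roles, bob is a terminated employee who still has VPN and ERP admin access, carol has not logged in for over 90 days, eve has no HR record at all, and dave is on leave but still holds an AP role. The point of tying this to the HR feed (tip 2) is that the "terminated" and "leave" states arrive automatically; the review should be scheduled, not ad hoc.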
THE AVERAGE INTELLECTUAL PROPERTY THIEF IS AN EDUCATED 42-YEAR-OLD WHITE MAN WITH NO PRIOR CRIMINAL HISTORY. SOUND FAMILIAR?
DEFENDANTS ARE INCREASINGLY YOUNGER AND MORE EDUCATED.
(two survey periods, earlier / later; the period labels were lost in extraction)
Education, at least some ...: 42% / 49.6%
Age 25-34 years: 24.1% / 32.1%
Age 35-50 years: 50.4% / 44.8%
Gender, male: 83.2% / 92.5%
U.S. citizenship: 65.9% / 78.4%
No prior criminal history: 75.7% / 76.1%
Sources: U.S. DEPARTMENT OF JUSTICE, U.S. SENTENCING COMMISSION, EXECUTIVE OFFICE FOR U.S. ATTORNEYS
How to be sure your company is prepared to handle a security breach
>> Establish clear definitions of what constitutes a security breach and
ways to detect them
>> Identify a single point of contact in the event that a breach occurs
>> Know local and federal law-enforcement officials
>> Know the legal requirements with which your company must comply
>> Consider encrypting database records that hold financial information
>> Audit for proper security controls and procedures
>> Educate employees on procedures in the event of a security breach
>> Check that third parties handling your customers' data have
Activities Included in Job descriptions for
Information Security Managers
Developing, presenting, and managing the dissemination of information security awareness and training materials.
Evaluating the effectiveness, efficiency of, and compliance with existing information security control measures.
Recommending control measures to improve information security (including evaluating and selecting products and
Monitoring developments in the information security and information processing fields to identify new opportunities and
Interpreting information security requirements emanating from external bodies, such as government agencies and
Investigating alleged information security breaches and, if necessary, assisting with disciplinary and legal matters
associated with such breaches.
Developing security policies, standards, guidelines, procedures, and other elements of an infrastructure to support
Coordinating and monitoring information security activities throughout the organization, including the preparation of
periodic status and progress reports.
Serving as a liaison between various groups dealing with information security matters (e.g., with the legal department
and the insurance department).
Preparing implementation plans, security product purchase proposals, staffing plans, project schedules, budgets, and
related information security management materials.
Representing the organization on information security matters to external groups (e.g., participating in meetings to
establish technical standards).
Providing information security system administrative support (e.g., to maintain data bases for password access control
Performing research on new and improved ways to properly protect the organization's information research assets.
Providing consulting assistance on implementing information security controls (e.g., encryption system deployment and
secure application system development procedures).
Guidelines for Good Passwords
× DON'T choose a password that uses public information about you, such as
your social security number, credit card or ATM card number, birth
date, driver's license and so on.
× DON'T choose a password that uses public information about your family or
× DON'T choose a password that is composed of any word or words that could
be found in a dictionary, in any form or combination.
× DON'T reuse old passwords or ones that are similar to old passwords.
× DON'T use your user ID, or any variation on your user ID, as your password.
DO choose a password that has no easily discerned significance to you.
DO choose a password that is six to eight characters long. (Current guidance such as
NIST SP 800-63B treats eight characters as a minimum and recommends allowing much
longer passphrases; read "eight" as a floor, not a ceiling.)
DO memorize your password. Never write it down.
DO use a password that has at least two alphabetic characters (a-z, A-Z) and
at least one numeric (0-9) or special (punctuation) character.
DO use both uppercase and lowercase characters. Passwords are case-sensitive.
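The rules above are mechanical enough to enforce at password-change time, and the interesting ones (dictionary words "in any form", similarity to old passwords, variations on the user ID) need more than a length check. The following is an added example, not code from the lecture: a checker that applies each DON'T and DO rule to a candidate password. The word list, user record and password history are constructed assumptions, the leet-speak substitution table and the 80% similarity threshold are this example's choices, and the length floor is set to 8 rather than the slide's six, in line with the caveat above.

```python
"""Added example (not from the lecture): a checker for the DON'T/DO rules above.
The word list, the user record and the password history are constructed
assumptions; a real deployment loads a large dictionary plus cracking word
lists and keeps only hashes of previous passwords.  One deliberate departure
from the slide: the length floor is set to 8, not 6, per current guidance."""
import re
from difflib import SequenceMatcher

MIN_LEN, MAX_LEN = 8, 64        # assumed policy bounds
SIMILARITY_LIMIT = 0.8          # assumed: >= 80% similar to an old password counts as reuse
# Constructed word list; stands in for a full dictionary.
DICTIONARY = {"password", "secret", "welcome", "dragon", "letmein", "summer", "stevens"}
# Substitutions attackers try, so "p@ssw0rd" is still "password" ("in any form").
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s", "5": "s", "!": "i"})


def _normalize(pw):
    return pw.lower().translate(LEET)


def _dictionary_hit(pw):
    """True if the alphabetic core is one dictionary word or two concatenated ones."""
    core = re.sub(r"[^a-z]", "", _normalize(pw))
    if not core:
        return False
    if core in DICTIONARY:
        return True
    return any(core[:i] in DICTIONARY and core[i:] in DICTIONARY for i in range(1, len(core)))


def check_password(pw, user_id, personal_info, old_passwords):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    norm = _normalize(pw)
    digits = re.sub(r"\D", "", pw)          # raw digits, before leet normalization
    # DON'T: public information about you (SSN, card number, birth date, ...).
    for label, value in personal_info.items():
        v = str(value).lower()
        if v and (v in norm or (v.isdigit() and len(v) >= 4 and v in digits)):
            problems.append(f"contains personal information ({label})")
    # DON'T: the user ID or a variation of it.
    uid = user_id.lower()
    if uid in norm or uid[::-1] in norm:
        problems.append("contains the user ID or a variation of it")
    # DON'T: dictionary words, alone or in combination, in any form.
    if _dictionary_hit(pw):
        problems.append("is a dictionary word or combination of words")
    # DON'T: reuse old passwords or ones similar to them.
    for old in old_passwords:
        if SequenceMatcher(None, _normalize(old), norm).ratio() >= SIMILARITY_LIMIT:
            problems.append("reuses or closely resembles an old password")
            break
    # DO: length and composition rules.
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN} to {MAX_LEN} characters")
    if len(re.findall(r"[A-Za-z]", pw)) < 2:
        problems.append("needs at least two alphabetic characters")
    if not re.search(r"[0-9]", pw) and not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("needs at least one digit or punctuation character")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("needs both uppercase and lowercase letters")
    return problems


if __name__ == "__main__":
    user = {"ssn": "123456789", "birth_year": "1962"}   # constructed user record
    for candidate in ("P@ssw0rd1", "Jsmith2004!", "Winter2004", "xK9#mq2Lr!vt"):
        print(candidate, check_password(candidate, "jsmith", user, ["Winter2003"]) or "OK")
```

"P@ssw0rd1" satisfies every composition rule and still fails, because after undoing the substitutions it is the word "password"; "Winter2004" fails because it is one character away from the previous password. Both are the cases a composition-only policy lets through. Old passwords are compared here in the clear only because the history is constructed; a real system keeps hashes and can only test exact reuse unless it does the similarity comparison at change time, while the user's old password is still in hand.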
Chart: Which technologies consume the bulk of your security dollars? (multiple responses accepted; today vs. in two years; categories include Consulting & Services and Security awareness & Training; values not recoverable, axis 0-100)
Source: Forrester Research, Cambridge, Massachusetts, forrester.com
Which of the following Security Vendors do you expect to
purchase more software from in the next 12 months?
Check Point 30%
Computer Associates 18%
Trend Micro 12%
RSA Security 8%
Internet Security Systems 4%
BMC Software 2%
Ref: Merrill Lynch
HONEYPOT: LURES INTRUDERS TO WHAT THEY
THINK IS A SENSITIVE AREA
Authenticators and their Subtypes: Biometrics
Figure (not recoverable): biometric authenticators divided into stable biometric signal and alterable biometric signal, with feature channels f0-f3. O'Gorman, "Securing Business's Front Door"
Human Body and Types of Biometric Technologies for Security
Type: Face Recognition
  How it works: captures characteristics of a face either from video or a still image and translates them into ...
  Advantages: suitable for identification applications; relatively unobtrusive
  Disadvantages: prone to errors caused by environmental influences (e.g. light), as well as sunglasses, facial hair, etc.; expensive
  Applications: identification (law enforcement) uses; identity authentication uses
Type: Retina Scanning
  How it works: captures the unique pattern of blood vessels; extremely secure and accurate
  Advantages: secure and accurate
  Disadvantages: expensive; requires perfect alignment: usually the user must look into a monocular or binocular receptacle
  Applications: suitable for high security applications in controlled ...
Type: Iris Scanning
  How it works: captures the unique patterns of an iris
  Advantages: secure; does not need physical contact and non-...
  Disadvantages: expensive; sensitive to environmental conditions
Type: Voice Recognition
  How it works: captures unique characteristics of the voice
  Advantages: easy to use and understand; non-...
  Disadvantages: sensitive to background conditions such as noise
  Applications: automated call centers
Type: Hand Geometry
  How it works: captures up to 90 unique hand characteristics
  Advantages: easy to use and inexpensive
  Disadvantages: bulky and sensitive to environment
  Applications: access control, computer access
Type: Fingerprinting
  How it works: uses unique patterns known as loops, arches, and whorls
  Advantages: easy to use, inexpensive; fingerprints ...
  Disadvantages: less reliable than retina or iris scanning
  Applications: access control, computer access control
Top Barriers to IT Security
1 Limited budget
2 Limited staff dedicated to security
3 Limited or no time to focus on
4 Limited or no security
5 Complex technology infrastructure
6 Limited support from executives
Ref: IDC, Framingham, Mass., December 2004
When was the last time your company’s emergency
response plan was reviewed or updated?
Within the last 30 days 25%
In the last 1 to 3 months 11%
In the last 4 to 6 months 23%
In the last 7 to 12 months 14%
More than 12 months ago 11%
Source: InfoWorld security survey
Chart: What % of your overall IT budget is dedicated to security? Buckets 0-5%, 6-10%, 11-20% (values not recoverable). Ref: Merrill Lynch
Chart: What percent of your company's IT budget goes to security? (% of IT budget, axis 3-15; values not recoverable). Data: InformationWeek Research Global Information Security Survey of 8,100 technology and security professionals
Chart: Staff assigned to information security, as information security workers for every 10,000 employees (axis 0-16; values not recoverable). Data: Computer Security Institute survey of North American companies
Chart: Is your IT security budget higher or lower than last year's? (values not recoverable). Base: 257 data center managers surveyed earlier this year. Source: AFCOM's Data Center Institute, Orange, Calif.
Three Components of a Balanced Approach to Organizational Security
(three columns; the first column's heading was lost in extraction)
First component:
• Business Environment
• Culture and Politics
• Standard Operating
• Education, Training,
• Asset Identification
• Risk Management and
Critical Infrastructures:
• Operational Balance
• Critical Infr. Protection (CIP)
• Govt. Industry Collaboration
• Management's Role in CIP
Technical / Technology:
• Control Environment
• Firewalls
• Intrusion detection
• Password Layering
• Public key encryption, escrow, and authentication
• Secure Servers, VPNs
• Remote Access Security
Reference Materials
NCSA News, The Journal of the National Computer Security Association, NCSA (10 South Courthouse Ave., Carlisle PA 17013). (717) 258-1816
INFO Security News, MIS Training Institute Press, 498 Concord St., Framingham MA 01701-2357. (508) 879-9792
CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University, Pittsburgh PA 15213-3890. (412) 268-7090 (e-mail address not recoverable)
National Infrastructure Protection Center, www.nipc.gov
The Firewalls mailing list: send e-mail to the list's subscription address (not recoverable) with the following as the first and only line of text in the body: subscribe firewalls (your
Various online World-Wide Web resources include:
The COM-SEC BBS, (415) 495-4642 modem, (415) 495-1811 ext. 10 voice
Computer Security Institute, 600 Harrison St., San Francisco CA 94107 (415)
IT Security Resources
CERT Coordination Center: a center of Internet security expertise at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. Information and training on protecting your system, reacting to current problems and predicting future problems.
SANS Institute: research, education and training on IT security issues.
Center for Internet Security (www.cisecurity.org): methods and tools to monitor and compare the security status of Internet-connected systems and ...
Information Security Forum: an international corporate membership organization whose members share information about security ...; a forum for sharing information on security.
Big Names in Identity
From modular components to full-fledged suites, the top vendors in the identity management space offer a range of tools to strengthen the security of your network.
Vendor (site): Solutions / Platforms
IBM (ibm.com): Tivoli Access Manager, Directory Integrator, Directory Server, Identity Manager, Privacy Manager for e-business, Risk Manager, Security Compliance Manager / AIX, HP-UX, Linux, Solaris, Windows
Microsoft: Identity Integration Server 2003 / Windows
Netegrity (netegrity.com): eProvision, IdentityMinder, SiteMinder, TransactionMinder / HP-UX, Linux, Solaris, Windows
Novell (novell.com): iChain, Nsure / AIX, Linux, NetWare, Solaris, ...
Oblix (oblix.com): CoreID, ShareID, CoreSV / AIX, HP-UX, Linux, Solaris, ...
openNetwork: Universal IdP / AIX, Solaris, ...
RSA Security: I&AM (Identity and Access Management) / AIX, Solaris, ...
Which, if any, of the following security vendors does your
company use for intrusion detection and/or prevention?
Cisco Systems 55%
Network Associates/McAfee 29%
Internet Security Systems 15%
TippingPoint 3%
Sana Security 2%
Sourcefire 2%
0% 10% 20% 30% 40% 50% 60%
Ref: InfoWorld; Note: Multiple responses allowed
Which, if any, of the following vendors do you trust to
provide companywide enterprise OS security?
Red Hat 20%
Sun Microsystems 19%
Other Linux 18%
Don’t know/Not applicable 30%
0% 5% 10% 15% 20% 25% 30% 35% 40%
Ref: InfoWorld; Note: Multiple responses allowed
(12) Audit Planning & Management
Using individual requests, this process builds an overall plan to
ensure that the agreed levels of auditability for the systems and
services will be met.
1. Consolidate audit requirements of standards and service
2. Define business and IT audit operating environment.
3. Identify variances between operating environment and
4. Develop overall audit plan.
THE AUDIT MISSION
OBJECTIVE & INDEPENDENT (who?) REVIEW OF
OPERATIONS or BENCHMARK
EVALUATE ADEQUACY OF INTERNAL SYSTEM OF
REVIEW COMPLIANCE WITH LAWS AND LEGISLATION
BE ALERT TO POSSIBILITIES OF FRAUD, BRIBERY
REPORT FINDINGS TO MANAGEMENT
Fair Information Practices Principles
1. There should be no personal record systems whose existence is secret.
2. Individuals have rights of access,inspection, review, and
amendment to systems that contain information about them.
3. There must be no use of personal information for purposes other
than those for which it was gathered without prior consent.
4. Managers of systems are responsible and can be held accountable
and liable for the damage done by systems for their reliability
5. Governments have the right to intervene in the information
relationships among private parties.
GLBA in a nutshell
What: Gramm-Leach-Bliley Act, Title V. Ensure the security and privacy of customer information and maintain the safety and soundness of financial institutions
Where: Banks and financial institutions under the regulation and supervision of the Treasury Department, FDIC and Federal Reserve
When: July 1, 2001 (but for some service providers July 1, 2003)
IT impact: Requires financial institutions to have a written comprehensive security policy to protect the security and confidentiality of a customer's nonpublic, personal
Penalties: Actions to enforce the regulations by individuals will not exceed damages of $1,000; damages to a class of individuals are available up to $500,000. Each agency can enforce its regulations under any authority conferred on the agency by law.
GLBA Source Code
Law: Public Law 106-102 (1999); 12 U.S. Code Section 1811
Department of the Treasury, Office of the Comptroller of the Currency: 12 CFR Part 30
Office of Thrift Supervision: 12 CFR Parts 568 and 570
Federal Reserve System: 12 CFR Parts 208, 211, 225 and 263
Federal Deposit Insurance Corporation: 12 CFR Parts 308 and 364
Source: www.nwc.com, 7.10.2003, Network Computing
HIPAA in a nutshell
What: The Health Insurance Portability and Accountability Act of 1996 (HIPAA). Combat fraud and abuse in health care and improve health-care systems by encouraging the electronic transfer of health-care information
Where: Health plans, health-care clearinghouses and certain health-care providers
When:
  April 14, 2003: Privacy; all covered entities except small health plans
  April 14, 2004: Privacy; small health plans
  April 21, 2005: Security Standards; all covered entities except small health plans
  April 21, 2006: Security Standards; small health plans
IT Impact: Ensure the security and privacy of health-care information
Penalties:
  General: Up to $100 for each violation; the total amount imposed for all violations of an identical requirement during a calendar year may not exceed $25,000
  Wrongful disclosure of individually identifiable health information: (1) Fine not more than $50,000, imprisonment not more than one year, or both. (2) If the offense is committed under false pretenses, fine not more than ... (3) If the offense is committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm, fine not more than $250,000, imprisonment not more than 10 years, or both.
HIPAA Source Code
Law Public Law 104-191 (1996)
Privacy 45 CFR Parts 160, 164
Security 45 CFR Parts 160, 162, 164
Sarbox in a Nutshell
What: Sarbanes-Oxley Act of 2002. Fight corporate corruption
Where: Publicly traded companies and their auditors, attorneys
When: April 15, 2005
IT Impact: More stringent reporting requirements, mandating internal controls on financial
Penalties: A corporate officer who knowingly certifies a false financial report can be fined up to $1 million or face up to 10 years in prison, or both. If done willfully, up to $5 million in fines or 20 years in prison, or both.
Sarbanes-Oxley Source Code
Law: Public Law 107-204 (2002)
Implementing Sections 404, 406, 407: 17 CFR Parts 210, 228, 229, 240, 249, 270 and 274
Source: www.nwc.com, 7.10.2003, Network Computing
Note on the slide: Some companies averaged $35M
Details: Securities and Exchange Commission: www.sec.gov/rules/final/33-
8177.htm & www.sec.gov/spotlight/sarbanes-oxley.htm
Dedicated site: www.sarbanes-oxley.com
Gartner Discussion: sox.weblog.gartner.com/weblog/index.php?blog=11
•Five things IT Needs To Know about Sarbanes-Oxley Compliance,” AMR
• Association for Information Management Professional:
• Financial Managers Society: www.fmsinc.org/cms/?pid=3253
• The N.Y State Society of CPAs: www.nysscpa.org/oxleyact2002.htm
• Pricewaterhouse Coopers Barometer Survey:
“Complying With the Feds,” www.nwc.com/1410/140fl4.html
“Secure to the Core,” www.nwc.com/1401/1401f1.html
"Managing Your Digital Rights," www.nwc.com/1319/1319ws1.html
“Employee Provisioning,” www.nwc.com/1317/1317f1.html
HIPAA Web Resources
Department of Health and Human Services, aspe.os.dhhs.gov/adminsimp
Health Privacy Project (State Law Health Privacy), www.healthprivacy.org
Strategic National Implementation Process (SNIP), www.wedi.org/snip
GLBA Web Resources
FTC on GLBA, www.ftc.gov/privacy/glbact
CERT Coordination Center, www.cert.org
Federal Computer Incident Response Center, www.fedcirc.gov
National Infrastructure Protection Center, www.nipc.gov
NIST Computer Resource Security Center, www.csrc.nist.gov
SANS Institute, www.sans.org
Chart: Do you anticipate your company will spend more, less, or about the same amount this year to be compliant with government regulations? (only one value, "about the same" 27%, is recoverable). Data: InformationWeek Media Network Compliance study of 650 business-technology professionals
Chart: When was your organization's policy last reviewed? Categories: within the last three months; four to 12 months ago; one to two years ago; more than 2 years ago; never (two values, 9% and 26%, survive but cannot be assigned to categories). Data: InformationWeek research survey of 200 IT managers
Chart: Which department created the data policy? Categories include "An industry standard policy" (% of respondents; values not recoverable)
Top ten factors that could trigger workers to act unethically or illegally
1. Balancing work and family
2. Poor internal communications
3. Poor leadership
4. Work hours, work load
5. Lack of management support
6. Need to meet sales, budget or profit
7. Little or no recognition of achievements
8. Company politics
9. Personal financial worries
10. Insufficient resources
Should HR be involved too?
REF: IBM & Marist College
Ten Tips for Taming the E-mail Problem
1. Create a reasonable and enforceable policy.
2. Spell out privacy expectation clearly.
3. Require that each employee sign the policy. Issue frequent policy
4. When the policy is broken, consult the legal department and have an
immediate conversation with the employee, accompanied by a
human resources representative.
5. Don’t limit employee training to policy issues. Also include etiquette,
proper use of group mailing lists, and information about recognizing
scams and urban legends.
6. Limit employee mailboxes to an appropriate size (CIOs interviewed
for this article recommended a range from 15MB to 150MB
depending on the type of work).
7. Consider your potential legal liability in determining how long to store
8. Consider filtering tools, but be aware of the limitations.
9. Install two different antivirus software packages (one for servers, one
for the desktops).
10. Teach users to distrust all attachments, particularly unexpected ones.
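Tips 8 and 10 above go together: a filter can flag the attachments a user should distrust, but it is a screen, not a verdict. The following is an added example, not code from the lecture or the article it cites: an inbound attachment filter that flags executable file types, double extensions such as invoice.pdf.exe, and attachments whose declared MIME type disagrees with the file-name extension. The type lists are illustrative assumptions and the sample message is constructed.

```python
"""Added example (not from the lecture or the article it cites): an inbound
attachment filter implementing tip 10, with the limitation tip 8 warns about
made explicit.  It flags executable types, double extensions such as
invoice.pdf.exe, and attachments whose declared MIME type does not match the
file-name extension.  The type lists are illustrative assumptions and the
sample message is constructed."""
import email
from email import policy
from email.message import EmailMessage

# Assumed: extensions that should never arrive from outside the company.
BLOCKED_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "wsf", "hta", "lnk", "dll"}
# Assumed: content type we expect a sender to declare for a given extension.
EXPECTED_TYPE = {"pdf": "application/pdf", "jpg": "image/jpeg", "jpeg": "image/jpeg",
                 "png": "image/png", "txt": "text/plain", "zip": "application/zip"}
# Generic type mailers use when they do not know the real type; tolerated.
GENERIC_TYPES = {"application/octet-stream"}


def classify_attachment(filename, content_type):
    """Return (verdict, reason) where verdict is 'block', 'warn' or 'allow'."""
    name = (filename or "").lower()
    exts = [p for p in name.split(".")[1:] if p]
    if not exts:
        return "warn", "attachment has no file extension"
    last = exts[-1]
    if last in BLOCKED_EXT:
        return "block", f"executable type .{last}"
    if any(e in BLOCKED_EXT for e in exts[:-1]):
        # invoice.exe.pdf: not executable by extension, but the name is a lure.
        return "warn", "double extension hides an executable type"
    ct = (content_type or "").lower()
    expected = EXPECTED_TYPE.get(last)
    if expected and ct != expected and ct not in GENERIC_TYPES:
        return "warn", f"declared type {ct} does not match .{last}"
    return "allow", "no issue found"


def scan_message(raw):
    """Parse a raw RFC 5322 message and classify every attachment in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(part.get_filename(), *classify_attachment(part.get_filename(), part.get_content_type()))
            for part in msg.iter_attachments()]


def build_sample():
    """Constructed message with one clean and three suspicious attachments."""
    msg = EmailMessage()
    msg["From"] = "vendor@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"\x89PNG", maintype="application", subtype="octet-stream", filename="photo.png")
    msg.add_attachment(b"notes", maintype="image", subtype="jpeg", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in scan_message(build_sample()):
        print(f"{verdict:5} {name:18} {reason}")
```

The limitations are the ones tip 8 has in mind: application/octet-stream is accepted for photo.png because mailers use it for anything, so the filter learns nothing from it; an archive can carry an executable that the name check never sees; and a type mismatch can be a sloppy mail client rather than an attack. Extension and type checks cut the obvious lures, and the antivirus layer (tip 9) and a suspicious user (tip 10) still have to cover the rest.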
Steps in developing Responsibility Audit
1 Gain CEO Commitment
2 Appoint a steering committee to guide the audit
3 Appoint an auditing team (auditors, key managers, and organizational development
experts) that will develop questions to be used in examining the firm
4 Diagnose the corporate culture and investigate designated functional areas, such
as employee relations and human rights, community relations (the company’s
social impact), quality programs, and environmental practices.
5 Analyze the mission statement, and look for circumstances when the stated
mission/goals and actual company performance do not coincide
6 Seek fundamental or underlying reasons that performance and goals are not
7 Collect relevant industry information, existing benchmark studies, and available
information on competitors and industry standards in each designated functional area
8 Interview relevant stakeholders who are involved in each functional area (e.g.
customers, employees, federal and local environmental officials, local community
officials) about their perceptions of the firm’s socially responsible performance
9 Compare internal data and external stakeholder perceptions
10 Write final report for company managers and the audit steering committee
Source: Waddock, Smith, Sloan Management Review Winter 2000
(13) Capacity Planning & Management
Using the forecast load from new projects or from the evolution of existing services, this process defines in a capacity plan how resources will cover the demand. It also proposes alternatives to management (number of shifts, decreased services, changes in systems plan, ...).
1. Translate service requirements into a load forecast of hardware, network, software, facilities and supplies.
2. Define capacity of existing and planned resources (hardware, network, software, facilities and supplies).
3. Compare load forecast against this defined capacity.
4. Identify, evaluate and propose alternate load forecasts and
5. Document capacity plan.
Why is Capacity Planning
- Proper capacity planning can help identify potential bottlenecks before they occur, preventing most performance related problems.
- User Productivity: If your systems cannot handle the expected peak throughput, productivity will suffer. Employees may spend a significant portion of their day waiting for results from a
- Budgetary: With proper capacity planning upgrades can be budgeted ahead of time.
- By identifying potential problem areas and capacity limitations, stability problems can be avoided, or at the very least predicted.
CAPACITY PLANNING PROCESS
• A process which combines the monitoring of current resources with forecasting of future service requirements and growth if
• The data gathered is compared against existing capacity and needs and translated into a projection of future demands for I/T
• Implications for organizations include:
- Disaster Recovery / Business continuation
- Service level agreements
- Effective use of resources
- Business growth
- New services
- Performance management
Don’t you think they would have been better prepared?
Delta Airlines: advertised new discount fares & incentives to book
Red Cross: tsunami relief
Amazon: pre Christmas volumes
Walgreen: pre Christmas volumes
Hallmark: Valentines Day online requests
CAPACITY PLANNING RATIONALE
• The cost of capacity planning is high especially in the highly complex
distributed environments of today
• The value of the investment depends largely on the maturity of the
• There are 5 levels of organizational process maturity according to
Gartner Group: Where is your organization?
Level 1 - reactive, firefighting
Level 2 - efficient, professional and sophisticated firefighting
Level 3 - fewer fires, analysis of problems, start of process
Level 4 - process includes procedural improvement
Level 5 - process becomes self-correcting
‘THE IDENTIFICATION, PLANNING, AND ACQUISITION OF IT RESOURCES TO MEET CURRENT AND FUTURE SERVICE
[Chart: response time from faster to slower against "When should the order be placed???"; cost, complexity and accuracy of simulation from low to high; accuracy, value and cost; "How select Pentium? How select Merced?"]
Network planning and simulation tools enhance
the performance of E-business applications
Vendor - Product - Function
CACI - Application Profiler - Simulates app performance on enterprise
Comdisco - Managed Network Services suite - Adds capacity planning to services
Network Associates - Sniffer Predictor - Gathers performance data
Optimal Networks - Application Vantage - Identifies trouble spots
DATA : INFORMATIONWEEK
(23) Change Control
Using the change requests, this process selects, coordinates, groups and monitors all changes to the I/S resources and procedures in such a way that there is either minimal impact on the I/S operations or minimal risk. It triggers resource and data inventory updates. Further discussion with Organization and Culture.
1. Record change requests.
2. Prioritize and group changes based on a technical assessment.
3. Prioritize and group changes based on a business assessment.
4. Schedule, defer or reject changes.
5. Monitor test.
6. Monitor install.
7. Report and control the status of all recorded changes.
State-transition diagram for a change request:
- Originator submits change (request is recorded)
- Evaluator performed impact analysis -> Evaluated
- CCB decided not to make the change -> Rejected
- CCB decided to make the change and assigned it to a modifier
- Modifier has made the change and requested verification -> Change Made
- Verifier has confirmed the change
- Modifier has installed product -> Closed
- Change was cancelled (possible after the CCB decision, after the change was made, and after verification) -> Cancelled
Originator - Someone who submits change request
CCB - Change Control Board
Modifier - Person responsible for making the change
Verifier - Person responsible for determining if the change was made correctly
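The change-request life cycle above, as an added example that is not part of the lecture: a small Python state machine that records each change request, allows only the transitions the diagram shows, checks that the actor holds the role the diagram names for that transition, keeps an audit trail, and produces the status report of step 7. State names the slide does not print (Submitted, Approved, Verified), the CCB as the party that cancels, and the check that the verifier is not the modifier are assumptions added here.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple

class State(Enum):
    SUBMITTED = "Submitted"    # assumed name: slide only says "Originator submits change"
    EVALUATED = "Evaluated"
    REJECTED = "Rejected"
    APPROVED = "Approved"      # assumed name: "CCB decided to make the change"
    CHANGE_MADE = "Change Made"
    VERIFIED = "Verified"      # assumed name: "Verifier has confirmed the change"
    CLOSED = "Closed"
    CANCELLED = "Cancelled"

class Role(Enum):
    ORIGINATOR = "Originator"
    EVALUATOR = "Evaluator"
    CCB = "CCB"
    MODIFIER = "Modifier"
    VERIFIER = "Verifier"

# (current state, event) -> (next state, role allowed to trigger it), read off the diagram.
# Letting the CCB cancel from the three post-approval states is an assumption.
TRANSITIONS: Dict[Tuple[State, str], Tuple[State, Role]] = {
    (State.SUBMITTED, "evaluate"): (State.EVALUATED, Role.EVALUATOR),
    (State.EVALUATED, "reject"): (State.REJECTED, Role.CCB),
    (State.EVALUATED, "approve"): (State.APPROVED, Role.CCB),
    (State.APPROVED, "change_made"): (State.CHANGE_MADE, Role.MODIFIER),
    (State.CHANGE_MADE, "verify"): (State.VERIFIED, Role.VERIFIER),
    (State.VERIFIED, "install"): (State.CLOSED, Role.MODIFIER),
    (State.APPROVED, "cancel"): (State.CANCELLED, Role.CCB),
    (State.CHANGE_MADE, "cancel"): (State.CANCELLED, Role.CCB),
    (State.VERIFIED, "cancel"): (State.CANCELLED, Role.CCB),
}

class TransitionError(Exception):
    """Event not allowed in the current state, or not allowed for this actor."""

@dataclass
class ChangeRequest:
    cr_id: str
    originator: str
    state: State = State.SUBMITTED
    modifier: Optional[str] = None
    history: List[Tuple[State, str, str, State]] = field(default_factory=list)  # audit trail

    def apply(self, event: str, actor: str, role: Role, assignee: Optional[str] = None) -> State:
        """Follow one arrow of the diagram, or refuse with TransitionError."""
        key = (self.state, event)
        if key not in TRANSITIONS:
            raise TransitionError(f"{self.cr_id}: '{event}' not valid in state {self.state.value}")
        next_state, required_role = TRANSITIONS[key]
        if role is not required_role:
            raise TransitionError(f"{self.cr_id}: only the {required_role.value} may '{event}'")
        if event == "approve":
            if not assignee:
                raise TransitionError(f"{self.cr_id}: approval must assign a modifier")
            self.modifier = assignee
        # Only the modifier the CCB assigned may report or install the change.
        if role is Role.MODIFIER and actor != self.modifier:
            raise TransitionError(f"{self.cr_id}: {actor} is not the assigned modifier")
        # Added check (assumption, not on the slide): the verifier must be independent.
        if event == "verify" and actor == self.modifier:
            raise TransitionError(f"{self.cr_id}: verifier must not be the modifier")
        self.history.append((self.state, event, actor, next_state))
        self.state = next_state
        return next_state

    def try_apply(self, event: str, actor: str, role: Role, assignee: Optional[str] = None) -> bool:
        """apply(), but report a refused transition as False instead of raising."""
        try:
            self.apply(event, actor, role, assignee)
            return True
        except TransitionError:
            return False

def status_report(requests: List[ChangeRequest]) -> Dict[str, int]:
    """Step 7 of the process: report the status of all recorded changes, by state."""
    counts = {s.value: 0 for s in State}
    for cr in requests:
        counts[cr.state.value] += 1
    return counts

def demo() -> List[ChangeRequest]:
    """Constructed sample: one change carried through to Closed, one rejected by the CCB."""
    cr1 = ChangeRequest("CR-001", originator="olivia")
    cr1.apply("evaluate", "eve", Role.EVALUATOR)
    cr1.apply("approve", "ccb-chair", Role.CCB, assignee="mo")
    cr1.apply("change_made", "mo", Role.MODIFIER)
    cr1.apply("verify", "vic", Role.VERIFIER)
    cr1.apply("install", "mo", Role.MODIFIER)
    cr2 = ChangeRequest("CR-002", originator="olivia")
    cr2.apply("evaluate", "eve", Role.EVALUATOR)
    cr2.apply("reject", "ccb-chair", Role.CCB)
    return [cr1, cr2]

if __name__ == "__main__":
    for cr in demo():
        print(cr.cr_id, "->", cr.state.value, f"({len(cr.history)} transitions)")
```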
Who’s involved in planning, developing, and executing your company’s change-management efforts?
[Chart: respondents by role, e.g. CIO/SVP of IT; % of respondents, 0-80]
NOTE: Multiple responses allowed
DATA: Optimize Research’s change-management survey of 100 business-technology professionals
How much are your critical business partners, such as key suppliers or distributors, involved in your
[Chart: from "Not at all" to "Have significant influence"; % of respondents, 0-60]
Note: Multiple responses allowed
DATA: Optimize Research’s risk-management survey of 100 business-technology professionals
Sample Job Description for Change Control Coordinator
Overview of Responsibilities
• Analyzes each change request to ensure that no conflicts exist with other requests
• Interacts with IS personnel to develop a scheduled date for each change request
• Monitors all change requests to ensure timely implementation
• Is a member of, and reports any conflicts to, the change control committee
• Is responsible for the maintenance of change files and production libraries
• Coordinates all changes in the production environment concerning online and batch systems through the use of appropriate forms
• Monitors and logs progress of changes to ensure that scheduled dates are met; if a scheduled date cannot be met, ensures that all affected areas are notified of any schedule changes
• Reviews all change requests to ensure that the requested dates are feasible; schedules requests that have little impact on the production environment; reports to the change control committee for scheduling of those changes that conflict with other requests or that significantly affect the production environment
• Maintains the change file to ensure that all historical data is correct and up to date
• Ensures that all change request entries are removed from the change file when implemented
• Provides special reports to the change control committee or management on request
• Moves all test programs to production libraries on the scheduled date and controls the production libraries
• Forwards to the change control committee all problem reports resulting from a previous change request
• Interacts with the technical standards group (if one exists) when a change request warrants a technical
• Ability to communicate and work effectively with all levels of IS, communications, and user personnel
• Strong oral and written communication skills
• Three to five years experience in information systems, including at least one year of hands-on JCL experience
• Working knowledge of procedures for maintaining computerized files and databases
• Understanding of the user community and its use of, and dependence on, computing services
Change Request Form
Document Preparation Information (To be completed by preparer)
Change Request/Problem Log Number:   Prepared by:   Phone:   Date Prepared:
Change Information (To be completed by preparer)
Business Purpose:
- Easier to do Business with Chubb
- Domestic/Overseas Growth
- Increase Productivity
- Employee Skill/Knowledge Improvement
- New Market/New Products
- Competitive Position
- Reduce/Manage Expenses
- Better/More Timely
- Reduce Losses or Loss Expenses
- Regulatory Mandates
- Senior Management Directive
- Other (explain)
Reason for Change/Description of Problem:
Request Implementation Date:   Priority:
Change Impact Assessment (To be completed by the I/T)
Describe the impact of the Change on the Project, including all components affected (Design, Database design; System, Subsystem, or process impact; conversion, etc.) as well as any organizational impacts.
Quality effort (days, weeks, months):   Impact assessed by:
Provide Release and/or date this change could be implemented:
Approval for Impact Assessment
Change Request Control Number (Provided by Project Manager):   Client Project Representative/Date Approved:   Project Manager or I/T Representative/Date Approved:
Assigned to:   Date Assigned:   Date Completed:
Assigned to:   Date Assigned:   Outcome/Sign off date:
Approval for Implementation
Date and Release Number for   Date Approved:   Date implemented to production:
[Screenshot caption] FILL IN THE BLANKS: Change Management Expert from Applied Innovation Management; its two-pane interface shows operations on the left and forms on the right.
(24) ASSET MANAGEMENT
Using change information, this process builds and manages inventories of all the IT resources (including personnel and
1. Identify system, application, data, personnel, supplies, and
2. Update inventory status.
3. Maintain security of these resources.
4. Administer access of these resources (including data set space allocation and password administration).
5. Report and control status of inventory.
Asset Management Practices
[Diagram] Asset lifecycle: Requisition - Procurement - Deployment - Maintenance - Retirement
Management Domain (Business/End User) and Technology Domain (Information Systems), linked through an Integrated Asset Management System, with Shared IS/Business Practices below.
Practices shown: Architecture & Standards; Budgeting & Financial Mgmt.; Network & Systems Management; Performance Management; Asset Tracking; Capacity Planning; Backup & Recovery; Procurement Management; Technology Change Mgmt; Config Mgmt; Software Management; Technical Support; Organizational Change Management; Inventory Management; Portfolio Management; Training; Asset Management Function; End User Support
Which asset-management activities
do you track and measure?
Ad hoc asset
Lease compliance 19%
Multiple responses allowed
Source: Network Computing
IT Asset Management Implementation (1 OF 2)
Seven Ways to Save
1. Software Volume Licenses
•Aids implementing standards
•increase discounts by 10 percent to 15 percent
•Savings of 25 percent
•Reduce the number of buying centers
•Acquire equipment faster
•Save as much as 10 percent annually
3. Maintenance Contracts
•Differentiate user profiles for maintenance contracts
•Save 10 percent to 20 percent on per-seat maintenance
•Accurate inventory reduce tax bills
•Savings may reach 20 percent of property tax
Source: Gartner Group
IT Asset Management Implementation (2 OF 2)
Seven Ways to Save
5. Help Desk
•Inventory reduces diagnosis and response time
•Cut technician time by 50 percent
•Savings as high as 57 percent over worst case
6. Electronic Software Distribution
•Save 2,000 hours labor
•Invest $100,000 first year
•Save 55 percent on software distribution costs
•Most effective when on current use is at 20 percent to 40
•Invest $50,000 first year
•Save 27 percent on PC software budget
Source : Gartner Group
Fate of Old PCs
This year, what percentage of your retired PCs will be :
Donated to schools, nonprofits or charity 39%
Handed down within your organization 34%
Sold or given to employees 31%
Thrown out 17%
Sent to a recycler 9%
Warehoused or stored 9%
Sold to a remarketer 8%
Traded in to a PC maker 7%
Base: 102 IT managers; multiple responses allowed
SOURCE: COMPUTER WORLD SURVEY
Recycling your desktop
Here are some of the ways computer components are recycled:
Monitor: A monitor contains lead - to strengthen the glass tube and shield the user from radioactive rays - as well as cadmium, phosphorous, and mercury. The materials are sealed inside the tube along with gas. If the glass breaks, the tube can implode, spraying lead particles. If it happens in a landfill, the lead can leach into the ground water. If the tube breaks during trash collection, sanitation workers may breathe lead-laden air.
Recycling methods: Plastic shell is melted down and the glass screen or “tube” is punctured and melted. The recycled glass is used to make more tubes. Copper wire is pulled out and recycled. Metals such as aluminum, brass, and steel are crushed and recycled. Circuit boards are ground down and melted and precious metals such as gold, silver, platinum, and palladium are extracted and sold. These metals can also be picked out of the boards
Computer case: Recycling methods: The components within the computer case are disassembled and stripped of circuit boards, which are recycled in the same manner as the monitor. Metal frame and the other metals are crushed, melted, and recycled. The system’s lithium batteries are removed and sent to a hazardous waste facility. The hard drive is removed and tested. If it works and is sufficiently large, the drive is installed in another computer or possibly sold. Those that do not work are stripped and the metal frames melted. Other components such as the floppy drive, CD-ROM drive, memory modules, and system board can sometimes be reused. If not, parts of each can be recycled.
Mouse: Recycling methods: A mouse is tested to see if it functions and is still usable. If not, the plastic casing, cable, and tiny circuit boards are recycled for other computer components.
Keyboard: Recycling methods: The keyboard is made mainly of plastic, which is recycled. It also includes connecting plugs with gold and silver, which is extracted.
Source: Summit Metals Recovery Corps; Advanced Recovery Inc
WAYS TO PROTECT YOURSELF
1 LEASE EQUIPMENT so that the title to the equipment transfers to the leasing company at the end of the term, along with the disposition issues.
2 DISPOSE OF IT EQUIPMENT when it’s removed from service.
3 BUNDLE DISPOSAL COSTS into new purchases by including the disposition of old IT assets in the RFP for equipment that replaces it.
4 EMPTY THE IT CLOSETS: Dispose of unused, stored equipment immediately. This equipment incurs storage costs and property taxes plus disposal costs that are likely to increase over time.
5 INCLUDE A COPY OF THE OPERATING SYSTEM when donating equipment. Machines without an operating system are likely to be discarded or shipped overseas.
6 INCLUDE CONTRACT WORDING that prohibits the recycling vendor or its subcontractors from exporting equipment to developing countries that lack environmental regulations.
7 REQUIRE A FULLY DOCUMENTED AUDIT TRAIL that shows what happened to each IT asset through its final disposition, whether sold, recycled or destroyed.
8 CONDUCT A DUE DILIGENCE background check on the recycling vendor and its practices that includes an on-site visit.
9 CONSIDER DISPOSITION SERVICES from IBM, HP, Dell or other major IT equipment vendors. They charge more than smaller recyclers, but they have reputations to protect and deeper pockets if liability issues arise.
SOURCES: RECYCLING VENDORS, PRODUCT MANUFACTURERS AND CORPORATE USERS
What are the chief hurdles to effective enterprise asset management?
Lack of personnel or budgetary resources 64%
Isolated management of different asset types
Inability or expense of entering initial asset data 45%
Latency of asset status and performance data 33%
visibility and involvement in 32%
Multiple responses allowed
Source: Network Computing
What tools do you use to track and
Paper system 32%
management system 23%
management system 21%
procurement system 9%
Multiple responses allowed
Source: Network Computing
Real-world LABS REPORT CARD: Asset-Management Software
Columns, left to right: (1) LANDesk Asset Manager 8; (2) Altiris Asset Management Suite 6.0; (3) Associates Unicenter Asset Management 4.0; (4) NetSupport DNA 1.01; (5) ManageSoft 7.2; (6) NetSimplicity Visual Asset Manager 2004
INITIAL DATA LOADING
Autodiscovery (15%)                            5     4     5     2     2     2
Bulk import (5%)                               3     3     4     2     3     1
Out-of-date systems/upgrade reporting (10%)    4     4     4     3     4     2
End-of-life management (5%)                    4     4     4     4     3     2
Lease management (5%)                          3     3     3     3     2     2
MANAGEMENT AND CONFIGURATION
Configuration and agent deployment (10%)       4     3     3     3     4     2
Rights management/security (5%)                3     4     3     2     2     3
Tracking of related assets (5%)                4     4     3     3     4     4
Price (20%)                                    4     2     1     3     2     5
RESOURCE TRACKING AND REPORTING
Asset reporting (10%)                          4     4     3     4     4     1
Hardware-resource management (5%)              5     3     4     4     3     3
Software-license management (5%)               4     4     4     4     3     3
TOTAL SCORE (100%)                          4.05  3.35  3.20  2.95  2.90  2.70
GRADE                                         B+    C+    C+     C     C     C
Grading: A ≥ 4.3, B ≥ 3.5, C ≥ 2.5, D ≥ 1.5, F < 1.5. Grades include + or – within their ranges. Total scores and weighted scores are based on a scale of 0-5.
Selected Systems Management Software (1 OF 6)
Vendor - Product - Price - Device - Management/analysis
BindView (800-813-5869, www.bindview.com) - NOSadmin for NT and Novell Netware - Starts at $695 per managed server, $1,595 per managed user - Server, workstation - Hardware inventory, asset and configuration management, performance analysis
BMC Software - Resolve - Contact vendor
Callisto Software (630-682-8200) - Orbiter 3.5 - $5,000 per server, $150 per client - Workstation, notebooks - Hardware inventory, asset, remote and management, DMI 2.0
Cisco Systems (800-462-4726, www.cisco.com) - CiscoWorks Windows 5.0 - $1995 - Server, workstation, printer, hubs, routers, switches - Device diagnostics, SNMP, remote and configuration management, topology mapping, traffic and
Cisco Systems - Campus Bundle; Routed WAN - $14,995 - Hardware inventory, asset, remote and management, device traffic, performance and protocol analysis, RMON
(26) Problem Control
This process receives problems (including performance problems) and monitors their resolution by requesting bypass actions and/or projects (maintenance or tuning). It informs the service evaluating process of the service impact of the problems.
3. Determine nature, impact and true extent of the problem.
4. Select predefined bypass and recovery procedures.
5. Initiate action to resolve the problem.
6. Report and control status of all problems in hand.
‘Minimizing the impact of problems on IT services by focusing attention and responsibilities on identifying problems.’
• Fewer, shorter outages
• Improved I/S-user relations
• Environment for growth
What Can Go
[Figure: Processes; Software Failure]
Business Recovery Drivers
• Most businesses experience 2 hours of downtime per week
• Approximately 30% of computer users spend one week per year reconstructing lost data
• 52.2% of U.S. companies had business operations interrupted due to computer hardware problems
• 43.1% of U.S. companies had business operations interrupted due to computer software problems
• 46% of U.S. companies have had business operations interrupted because of telecommunications failure
From “What Can We Learn From The September 11th Attacks? Are You Prepared In The Event Of A Disaster?” by Mark
T.Edmead. This article was originally published in the Insight Newsletter of the Internet Security Conference
(http://www.tisc2001.com/insight.html), and has been posted with permission by TISC, LLC.
CAUSE OF UNPLANNED
Source: Comdisco Vulnerability Study
RELATIVE OCCURRENCE OF OUTAGE (based on 5,320 incidents; REF: Contingency Planning Research, Inc.)
Software error 5%; Other 2%; Service failure 1%; Hardware error 8%; Power outage (percentage not legible); Human error 2%; Flood 10%; Burst water pipe 1%; Network outage 2%; Bombing 7%; Storm damage 12%; Employee sabotage 3%; Power surge/spike 3%; Hurricane 6%; Earthquake 6%; Fire 6%
Fundamentals of autonomic
Evolving to autonomic operations
LEVEL 1 - BASIC: multiple sources of system generated data; requires extensive, highly skilled IT
LEVEL 2 - MANAGED: consolidation of data through management tools; IT staff analyzes and takes actions; greater system; improved productivity
LEVEL 3 - PREDICTIVE: system monitors, correlates, and recommends actions; IT staff approves and initiates actions; reduced dependency; faster and
LEVEL 4 - ADAPTIVE: system monitors, correlates, and takes actions; IT staff manages performance against SLAs; IT agility and resiliency with minimal human interaction
LEVEL 5 - AUTONOMIC: integrated components dynamically managed by business; IT staff focuses on enabling business needs; business policy drives IT management; business agility and resiliency
From IBM Global Services and Autonomic Computing, IBM White Paper, October 2002
How many calls does the help desk get?
[Chart: HELP DESK CALLS, # of calls per period, values between 400 and 649]
• Calls are 83% software, 17% hardware
EXAMPLE: Who calls the HELP desk? [chart]
EXAMPLE: What are the calls for? [chart]
Helping the help desk
In its Service Management Strategies report, Meta Group
analyzed some key characteristics of help desk usage
15% to 35% of help desk call volumes are password
25% to 35% of call volume is from new service requests
or status checks
Average number of calls to help desk, per end-user:
1.75 calls per month
In 2003: Three calls per month (20% annual increase)
Help Desk queries via internet: 6%
By next year, 40% of IT help desks will migrate to IT
customer service centers
*** PROBLEM REPORTING FORM ***
REQUIRED CLOSE DATE: ______
SUGGESTED ASSIGNED PERSON: ______
SCHEDULED ACTIVITY IMPACTED: ______
DESCRIPTION OF PROBLEM: ______
(Problem reporting form)
Paying Less for Passwords
(Columns: EXAMPLE / YOUR COMPANY)
PART I: Costs of employees calling help desk
A  Number of employees at company: 5,000
B  Average salary (fully burdened): $71,500
C  Weeks each employee works, on average, per year: 48
D  Average hourly cost of a non-technical employee (assuming a 5-day, 40-hour work week, 48-week year): $37
E  Cost per minute of employee time, D ÷ 60: $0.62
F  Number of help desk calls placed per year at 1.75 calls per employee per month (Meta Group estimate), A × 1.75 × 12: 105,000
G  Length of average help-desk call in minutes (Meta Group estimate): 12
H  Total minutes per year spent on help-desk calls, F × G: 1,260,000
PART II: Cost of help-desk staff fielding calls
J  Average salary of help-desk worker (fully burdened): $61,910
K  Weeks worked, on average, per year: 48
L  Average hourly cost of a help-desk support staffer (assuming a 5-day, 40-hour work week, 48-week year), J ÷ (K × 5 × 8): $32
M  Cost per minute of a help-desk staffer, L ÷ 60: $0.53
N  Total number of minutes per year spent on the phone with employees, F × G: 1,260,000
O  Cost of help-desk time for technical staff, M × N: $667,800
PART III: Cost of password-related calls
P  Total cost of the time both technicians and employees spend on help-desk calls, I + O: $1,449,000
Q  Percentage of calls attributable to password issues (Help Desk Institute survey): 17%
R  Total cost of password-related calls, P × Q: $246,330
PART IV: Cost of password-automation software
S  Cost of password-automation software for each employee: $10
T  Hours to install on Web server, application servers: 16
U  Cost of implementation, L × T: $512
V  Total cost of software, (A × S) + U: $50,512
PART V: Benefits
W  Gross savings: two-thirds the cost of each call, from using password-automation software (HDI estimate), R × .66: $162,578
X  Net savings after cost of software & implementation, W – V: $112,066
SOURCES: HELP DESK INSTITUTE’S 2004 PRACTICES SURVEY (WWW.THINKHDI.COM), AVATIER CORP., BASELINE RESEARCH
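The worksheet above carried through in Python, as an added example that is not part of the slides: the function reproduces lines A to X with the slide's inputs and its step-by-step rounding (to the dollar for D and L, to the cent for E and M), so the "Your company" column can be filled in by changing the arguments. Line I, which the slide omits, is assumed here to be E × H (the value that makes P come out to $1,449,000); payback_months is an added metric, not a line of the worksheet.

```python
from typing import Dict

def password_call_cost_worksheet(
    employees: int = 5_000,                  # A
    employee_salary: int = 71_500,           # B, fully burdened
    weeks_per_year: int = 48,                # C (and K, taken as the same figure)
    calls_per_employee_month: float = 1.75,  # Meta Group estimate used in line F
    call_minutes: int = 12,                  # G
    helpdesk_salary: int = 61_910,           # J, fully burdened
    password_share_pct: int = 17,            # Q, Help Desk Institute survey
    software_cost_per_employee: int = 10,    # S
    install_hours: int = 16,                 # T
    savings_pct: int = 66,                   # W uses R x .66 (HDI estimate)
) -> Dict[str, int]:
    """Return every line of the worksheet as integers: dollars, except E and M in cents.

    Money is carried as whole cents after each rounding step, so the intermediate
    rounding the worksheet applies ($37, $0.62, $32, $0.53) is reproduced exactly.
    Line I is not printed on the slide; it is assumed to be E x H.
    """
    r: Dict[str, int] = {}
    r["A"] = employees
    r["B"] = employee_salary
    r["C"] = weeks_per_year
    r["D"] = round(employee_salary / (weeks_per_year * 40))     # hourly cost, 40-hour week
    r["E_cents"] = round(r["D"] * 100 / 60)                      # cost per minute
    r["F"] = round(employees * calls_per_employee_month * 12)   # calls per year
    r["G"] = call_minutes
    r["H"] = r["F"] * r["G"]                                     # employee minutes per year
    r["I"] = r["E_cents"] * r["H"] // 100                        # assumed: cost of employee time
    r["J"] = helpdesk_salary
    r["K"] = weeks_per_year
    r["L"] = round(helpdesk_salary / (weeks_per_year * 5 * 8))   # hourly cost of a staffer
    r["M_cents"] = round(r["L"] * 100 / 60)
    r["N"] = r["F"] * r["G"]                                     # staffer minutes per year
    r["O"] = r["M_cents"] * r["N"] // 100                        # cost of help-desk staff time
    r["P"] = r["I"] + r["O"]
    r["Q_pct"] = password_share_pct
    r["R"] = r["P"] * password_share_pct // 100                  # password-related call cost
    r["S"] = software_cost_per_employee
    r["T"] = install_hours
    r["U"] = r["L"] * install_hours                              # implementation cost
    r["V"] = employees * software_cost_per_employee + r["U"]     # total software cost
    r["W"] = round(r["R"] * savings_pct / 100)                   # gross savings
    r["X"] = r["W"] - r["V"]                                     # net savings
    return r

def payback_months(r: Dict[str, int]) -> float:
    """Added metric: months of gross savings W needed to recover the software cost V."""
    return 12 * r["V"] / r["W"]

if __name__ == "__main__":
    sheet = password_call_cost_worksheet()
    for line, value in sheet.items():
        print(f"{line:8s} {value:>12,}")
    print(f"payback: {payback_months(sheet):.1f} months")
```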
(27) Service Evaluating
Using the performance status and the problem impacts, this process translates them into user terms and compares them with service agreements. It also identifies and reports any variances to users and management.
1. Translate & integrate operational data (production, distribution, performance & problem) into service level terms.
2. Assess user rating of service.
3. Evaluate compliance to service agreements.
4. Identify and report reasons for variance.
5. Report service status and new service requests.
6. Learn and improve.
The Service Desk Toolkit Integrates: Inventory / Configuration Management Database; Change
Critical Evaluation Criteria: Scalability / performance; Vendor Stability/Vision; Platform/Client Support; Services and Support
Source: Gartner Group
How effective would you rate your PMO(s) at improving process integration in your organization?
Chemicals and energy: 19% 48% 33%
(industry label not legible): 18% 55% 27%
Technology and telecom: 16% 67% 16%
Finance and insurance: 16% 55% 29%
(industry label not legible): 14% 56% 31%
(industry label not legible): 12% 66% 22%
Legend (partially recovered): Very Effective
Source: Forrester Research Inc.
Systems Management Tools
4.8 % HP OpenView
10.6 % BMC Software
17.3 % IBM/Tivoli
23.3 % Computer Associates
44 % Other
REF : GARTNER GROUP/ DATAQUEST
(29) Software Procurement
Within the framework of a project, this process procures and modifies applications, operating systems software, other supporting software and all the related documentation. It controls the basic “buy” cycle.
1. Define detailed requirements for ideal system.
2. Review integrity and performance of available offerings including promised vendor modifications.
3. Negotiate compromises with users.
4. Confirm or amend “buy” decision and select system.
5. Define system recovery for operating environment.
6. Generate system and execute provided tests.
7. Publish instructions for integrating into operating environment.
8. Integrate and test application/software including supplied modules.
9. Install application software.
Steps in Selecting a Vendor
1. Create the vision, strategy & objective
2. Create a prioritized feature/function list
3. Create a software candidate list
4. Narrow the field to four to six serious candidates
5. Create the Request For Proposal (RFP)
6. Review the proposals
7. Select two or three finalists
8. Meet with customers
9. Select the winner
10. Justify the investment
11. Negotiate the contract
12. Run a pre-implementation pilot
13. Validate the justification
14. Share lessons learned
Factors influencing CIOs when buying software
Average ranking on a five-point scale
Total cost of ownership 3.64
Compatibility with existing systems 3.10
Ease/speed of implementation 2.83
New technology 2.40
Ref: survey of 500 CIOs by Salomon Smith Barney Inc.
Software Contract Elements 1 of 2
1. The right to assign the software license to a new corporate entity resulting from a merger, consolidation, acquisition, or divestiture.
2. The right to use the software for the benefit of a business unit formerly within your corporate organization that has been sold.
3. The right to assign the software license to, or allow the software to be used by, an outside entity if you outsource your data processing operations.
4. The right to make and own derivative works (i.e., code changes, translations, adaptations) based upon the software.
5. The right to port the software to any platform supported by the vendor at no or minimum charge.
6. Licenses that permit unlimited use within your corporate organization (i.e., “enterprise-wide”
7. In situations other than enterprise-wide licenses, the right to transfer the software to other equipment and operating systems at no cost.
8. In situations other than enterprise-wide licenses, the right to use the software for the benefit of other entities (e.g., parent, subsidiary, division) within your corporate organization at no cost.
9. In situations other than enterprise-wide licenses, the right to transfer the software license to an existing entity (e.g., parent, subsidiary, division) within your corporate organization at no cost.
10. Limited liability for breach of your obligations under the software license agreement.
11. Prohibition against devices in the software that control your compliance with the software license.
Software Contract Elements 2 of 2
12. The right to customize the duration of the software acceptance period.
13. The right to define software acceptance as occurring only upon your written notice.
14. Specific remedies for the vendor’s non-performance.
15. Incentives to licensors to reward performance in providing services.
16. A remedy for consequential damages that you suffer.
17. Use of your own form in place of the licensor’s form for licensing contracts.
18. Contractually defined differences between
i) enhancements, releases, versions, etc., that you receive by subscribing to software support
ii) those the vendor insists are a new product requiring a new license.
19. The vendor’s responsibility to meet the cost of procuring alternative third-party support if the vendor fails to provide adequate and timely service.
20. A cap on future maintenance prices.
21. Permission to exempt individuals (employees, contractors) from signing documents that acknowledge confidentiality of software or that bind them to terms of the license.
22. Avoidance of partial payments to vendors based on check points.
23. Contractual assurances regarding forward compatibility of software with changes in operating systems.
24. Contractual assurances regarding forward compatibility of software with changes in hardware.
25. Contractual assurances regarding forward compatibility of software with changes in other software from the same vendor.
To get better software & service and pressure the
industry to reform its practices:
• Refuse to pay in full for a license up front. Instead, negotiate a contract with your vendor that allows you to pay a percent of the total cost up front and then the remainder six months to a year later if the product and services are acceptable.
• Adopt open-source technologies. Open source provides CIOs with the
flexibility to custom-build applications under their own control.
• Seek out vendors that offer renewable and subscription licenses.
• If you’re having continual problems with an application, go directly to the
developer rather than to the tech support staff or salesperson. The
person who has worked on the application may have some pride of
• Network with your vendor’s other customers to find out if they too are
experiencing problems with the software. If so, band together and plan
a tag-team meeting with the vendor. There really is strength in
• If all else fails, take your vendor to court.
SW Product Assessment Criteria
•Community adoption and Experience
•Ease of Use
•Vendor Financial Relationship
(30) Hardware Procurement and Upgrade
Within the framework of a project, this process selects, installs, removes, modifies and upgrades I/S hardware/facilities.
1. Define detailed requirements.
3. Layout physical planning.
4. Define hardware/network/facility recovery.
5. Test new unit.
6. Test complete system.
7. Install hardware/network/facility.
Vendor Screening Process
[Diagram]
Data sources: Trade show; Companies; Master vendor inventory; Consultants; Web search
Determine selection criteria: Vendor size; Product technology; Geographic presence; Industry focus; Functional coverage
Screen for primary criteria: Vendor size; Functionality; Technology; Industry focus; Geographic
Screen for secondary criteria
Determine vendors / vendor options and approach for due diligence
List of vendors: Full coverage; Best-of-breed; High-custom
HW Product Assessment Criteria
•Community Adoption and Experience
•Ease of Use
•Vendor Financial Relationship
SAME AS SW
Decision Analysis Worksheet
DECISION STATEMENT:
Columns A through M (one per alternative), each with a WT and an SC entry
Rows: OBJECTIVES, each with its WT
Price Is Your Top Factor in Choosing a Vendor
[Chart: Price 28%; Expertise in my particular 25%; Integration capabilities 24%; also listed: Qualifications of customer service; Service level agreements]
What’s the most important value of a premiere or platinum
level service and support agreement for PCs?
Volume price discounts
Custom PC configuration
PC warranties of more than 1 year
On-site services: 4hours or less
Dedicated technical support
On-time delivery of PC systems
% of respondents
Data: Information Research survey of 150 IT Managers Base: 64 premiere support customers
How important are these attributes of hardware service providers, and how satisfied are you with their delivery?
Getting correct part; Knowledge of technician; Meeting contracted for; Fast resolution of problem; Overall on-site service quality; On-site service during warranty; Depot repair service quality; Telephone technical support
Scale: 1 = Not at all important or satisfied; 5 = Extremely important or satisfied
DATA: DATAQUEST SURVEY OF 211 IT HARDWARE MANAGERS
Room for Improvement
In which areas would you like to see improvement from your hardware service providers?
[Bar chart; x-axis: % of respondents, 0 to 70]
• On-site response time
• Technical product skills
• Price charged for the value received
• Problem resolution time
• Telephone support response time
• Customer-relationship skills
• Multivendor capabilities and skills
• Number of products serviced
• Adequate geographic coverage
• Simplified contract administration
• Electronic remote support
Note: Multiple responses allowed
DATA: DATAQUEST SURVEY OF 211 IT HARDWARE MANAGERS
Approaches to Contracting
Competitive:
• Simplified Auctioning
• Two-step sealed bidding
• Formal Competitive proposals
• Competitive negotiations
Non Competitive:
• Borrow funds or petty cash
• Purchase agreements
• Sole-source negotiation
Contract Categories and Types
• Fixed-Price; types: Firm-fixed-price; Fixed-price with economic price adjustment
• Cost-Reimbursement; types: Cost-reimbursement; Cost-plus-a-percentage-of-cost
• Time-and-Materials or Unit-price; types: Time-and-materials; Unit-price
Types of Lock-In and Associated Switching Costs
Type of Lock: Switching Costs
• Contractual commitments: Compensatory or liquidated damages
• Durable purchases: Replacement of equipment; tends to decline as the durable ages
• Brand-specific training: Learning a new system, both direct costs and lost productivity; tends to rise over
• Information and Databases: Converting data to new format; tends to rise over time as collection grows
• Specialized suppliers: Funding of new supplier; may rise over time if capabilities are hard to
• Search costs: Combines buyer and seller search costs; includes learning about quality of
• Loyalty programs: Any lost benefits from incumbent supplier, plus possible need to rebuild cumulative
[Survey chart residue]
Do most IT salespeople understand your business? (NO / YES)
Has an IT salesperson used hard sell or overly aggressive tactics? 55%
Source: Computer Information Management Group, Framingham, Mass.
Get to Know Your Vendor
1. Who are some of their customers?
2. What is their previous experience in our industry?
3. Can they provide data on recently completed projects?
4. What is their fiscal calendar?
5. Can our CFO meet their CFO?
6. How big is their workforce, and what portion is onshore vs.
7. What’s their corporate hierarchy?
8. What if…?
9. Who is our account manager?
10. What is their business plan?
FOUR WAYS NOT TO PERSUADE
They attempt to make their case with an up-front, hard
They resist compromise
They think the secret of persuasion lies in presenting
They assume persuasion is a one-shot effort.
Tips for dealing with IT sales
Establish ground rules up front
Keep it simple
Bring in your procurement officers and negotiators as early as
Establish a single point of contact for the salesperson and stick to it
If they go over your head, respond by going over theirs and ask to
meet with their supervisor
Have them first meet with technical staff members who can
evaluate their products
Keep it competitive - But reduce the number early
Insist on testing the product within your own environment
Don't let them take control of the sales process. Focus on your
Don't let them pressure you into a sale. (As in, "Act now before our
prices go up.") Chances are they're just trying to land a quick
deal to make their quarterly quota
Identify the issues to be negotiated
Establish a "Bottom Line", Walk Away
Leave room to negotiate back to the "bottom line"
Offer sound business justification for your position
• Negotiate each point separately
• Keep at least two vendors in the mix
• Don’t single-source the negotiation
• Timing is everything
• Keep talking to current and prospective customers
• Don’t compare apples to oranges
• Nominate a “bad cop” for your team in advance
• Ensure that the vendor must close the deal
• Employ “bogeys” to force reciprocal concessions
• Check the contract for liability limitations
• Know when to disappear
• Know when to say when
• Watch the licensing terms
• Do not be afraid to ask
Power up to Persuade
Do Use:
• Affirmative language: "when" instead of "if"
• Words that convey acceptance of responsibility: "I'll help you myself"
• Win-win phrasing: "Let's talk it through and see where we end up"
• Decisive phrases that get to the point: "This will fit your needs exactly"
Don't Use:
• Phrases that call your integrity into question: "To be perfectly honest.."
• Ineffective intensifiers ("very", "definitely" and "surely") or hesitation and fillers
• Tag questions at the end of sentences ("... don't you think?") that convey uncertainty
• Disclaimers ("I'm not an expert but...") that invite the listener to disagree with or challenge you
• Hedges and qualifiers: "sort of" or "perhaps"
• Apologies for situations over which you lack
Source: Artful Persuasion: How to command
RELATIVE IMPORTANCE OF STANDARD COMPUTER
Most Important:
• Scope of the software license
• Warranty
• Exclusion or limitations of warranties
• Assignability of the Agreement
• Limitation of user's remedies
• Limitation of user's right to damages
• Ownership of Intellectual
• Return of property at conclusion of agreement
Less Important:
• Governing law
• Venue
• Term of the contract
• Period of limitations
Least Important:
• Events of Default
• Amendments to Agreement
• Waiver of contract provisions
• Notice requirements
• Survivability of clauses
PICK YOUR FIGHTS!!!
17 Ways to Bust a Deadlock
Brainstorm creative alternatives.
Look for an outside standard or precedent.
Go off the record.
Have the principals work it out.
Take a break.
Get a mediator or arbitrator.
Try a procedural solution (e.g., draw lots; flip a coin; one cuts, the
Appeal to someone with more authority.
Set a time limit.
Crack a joke.
Set up a meeting or a conference call.
Change the negotiators.
Spend more time studying the problem.
Bring in an expert.
WIN-WIN WILL KILL YOUR DEAL
Start with “no”
Develop your mission & purpose
The dangers of Neediness
The Columbo effect
Ask questions (who, what, where, when, why, how, which)
Think about how to say it
• Telling 3 times
• Strip line before hooking
• Find an opportunity to say “Wow this is bad. I don’t know if we can
recover from this”
No expectations, no assumptions, do your homework
Know their pain
The importance of time, money, energy, emotion
Be sure to know the real decision makers
Negotiation Tactics and Countertactics
Tactic: Countertactic(s)
• Attacks (personal insults, emotional reactions, professional insults): Disclose the attack
• Tricks (false data, no authority to negotiate): Know the truth (have the right data, establish in writing who has authority)
• Arbitrary deadlines: Agree with deadline; Counter the offer with compromise schedule; Refuse to change schedule
• Limited availability: Coordinate schedules in advance; Counter with your limited availability
• Third-party scapegoat (third-party approval required, pretending that such approval is required): Escalate to third party
• Giveaways: Compromise; Disclose them as giveaways
• Good guy-bad guy: Counter with bad guy-good guy
• Prolonging the negotiation: Take a break or have a caucus
• Delays (submission of data, start of negotiation, return from breaks): Start on time; Claim limited availability; Leave or create greater delays
• Diversions (questions, telephone calls, fax messages, personal breaks): Keep things on track (refocus the team, have no phones in the room, allow no); Take a break
• Stonewall ("take it or leave it," "I shall not move"): Say "Yes, and......"
• End-of-quarter or end-of-year negotiation pressure [management wants to spend money now (buyer) or get the deal now (seller)]: Settle next quarter or next year (do not let time pressure you into a bad deal)
…the ability to be on the dance floor and in the balcony at the same time.
Crafting Your Behavior
• Slow down the conversation
• Listen and think
• Maintain a buffer between your brain and your mouth.
Consider your response carefully in light of your new
• Ask questions to get relevant information
• Catch the cue(s)
• Ask for time-out (that is, postpone your response) if need
• Prepare for, and reflect on, interactions
• Think ahead to conversations and interactions
• Reflect back on conversations and interactions
Ref: The set-up-to-fail syndrome by Jean-Francois Manzoni & Jean-Louis Barsoux
Five executive decision-making styles: Charismatics, Thinkers, Skeptics, Followers, Controllers

Charismatics
Description: Charismatics account for 25% of all the executives we polled. They are easily intrigued and enthralled by new ideas, but experience has taught them to make final decisions based on balanced information, not just emotions.
Typical characteristics: Enthusiastic, captivating, talkative, dominant
Prominent examples: Richard Branson, Lee Iacocca, Herb Kelleher
Buzzwords to use: Results, proven, actions, show, watch, easy, clear, focus
Bottom line: When trying to persuade a charismatic, fight the urge to join in his excitement. Focus the discussion on the results. Make simple and straightforward arguments, and use visual aids to stress the features and benefits of your proposal.

Thinkers
Description: Thinkers account for 11% of the executives we surveyed and can be the toughest executives to persuade. They are impressed with arguments that are supported by data. They tend to have a strong aversion to risk and can be slow to make a decision.
Typical characteristics: Cerebral, intelligent, logical, academic
Prominent examples: Michael Dell, Bill Gates, Katharine Graham
Buzzwords to use: Quality, academic, think, numbers, intelligent, plan, expert, proof
Bottom line: Have lots of data ready. Thinkers need as much information as possible, including all pertinent market research, customer surveys, case studies, cost-benefit analyses, and so on. They want to understand all perspectives of a given situation.

Skeptics
Description: Skeptics account for 19% of the executives we polled. They tend to be highly suspicious of every data point presented, especially any information that challenges their worldview. They often have an aggressive, almost combative style and are usually described as take-charge people.
Typical characteristics: Demanding, disruptive, disagreeable, rebellious
Prominent examples: Steve Case, Larry Ellison, Tom Siebel
Buzzwords to use: Feel, grasp, power, action, suspect, trust, demand, disrupt
Bottom line: You need as much credibility as you can garner. If you haven't established enough clout with a skeptic, you need to find a way to have it transferred to you prior to or during the meeting, for example by gaining an endorsement from someone the skeptic trusts.

Followers
Description: Followers account for 36% of all the executives we surveyed. They make decisions based on how they've made similar choices in the past or on how other trusted executives have made them. They tend to be risk-averse.
Typical characteristics: Responsible, cautious, brand-driven, bargain-conscious
Prominent examples: Peter Coors, Douglas Daft, Carly Fiorina
Buzzwords to use: Innovate, expedite, expertise, similar to, previous
Bottom line: Followers tend to focus on proven methods; references and testimonials are big persuading factors. They need to feel certain that they are making the right decision, specifically that others have succeeded in similar initiatives.

Controllers
Description: Controllers account for 9% of the executives we interviewed. They abhor uncertainty and ambiguity, and they will focus on the pure facts and analytics of an argument.
Typical characteristics: Logical, unemotional, sensible, detail oriented,
Prominent examples: Jacques Nasser, Ross Perot, Martha
Buzzwords to use: Details, facts, reason, logic, power, handle, physical, grab, just
Bottom line: Your argument needs to be structured and credible. The controller wants details, but only if presented by an expert. Don't be too aggressive in pushing your proposal. Often, your best bet is to simply give him the information he needs and hope that he will convince himself.
Negotiating the Contract Checklist
- Use only a few vendor providers or consider using a "general contractor" which will coordinate other activities of other
- Clearly identify the institution's negotiation strategies and goals prior to beginning negotiations
- Fully understand the scope of the outsourcing proposal before negotiations begin
- Insure that risks are assigned to vendors rather than the
- Use outsourcing experts and good attorneys who are experienced in outsourcing agreements to insure a "level playing field" during negotiations
- Clearly document all discussions and decisions
- Discard the service provider's standard contract
- Do not sign incomplete contracts
- Retain institutional approval over the vendor's account and service team members
- Conduct comprehensive reference checks, especially for other higher educational customers
- Develop service level measures
- Measure everything during the baseline period
- Include a termination clause
- Clearly identify the pricing model(s) to be used
- Reduce potential avenues for cost overruns
- Include price adjustment clauses based on the market cost of acquiring or managing specific technologies during the life of the agreement
- Clearly identify transition plans at the beginning and end of the outsourcing relationship
- Include a 30 or 60-day "escape clause" for the benefit of the institution
- Include annual renewal provisions coupled with price adjustments
- Collect fines for non-compliance and non-performance
- Don't be afraid to confront the vendor
- Have an agreed structure for conflict resolution
- Go to the top when necessary
- Set up governing boards and meet regularly
- Clearly specify procedures for problem and change management, as well as escalation procedures leading to penalties for failure to resolve problems within the agreed-upon timeframes
- Clearly define training programs for internal staff
- If institution staff are replaced, specify training and/or outplacement services
- Continuously adapt to business conditions and
- Beware of 'change of character' clauses, e.g. support for new technologies
- Maintain continuity of management
- Do not force a bad fit
Source: Lacity & Hirschheim
Managing Vendor Access to Your Business
• Set up a vendor management capability
• Develop an internal "consumer reports"
• Work with the purchasing department
• Establish consequences for inappropriate vendor
• Reward appropriate behavior
LAST CHART; THE CHARTS FOLLOWING ARE BACK-UPS
(2) Architecture Scanning & Definition
Using the information obtained in the Strategic Planning
process and considering the whole enterprise, this process
defines in IT terms the goals towards which all further action
should be taken. Technology Scanning is defined in a
1. Define data, information, knowledge architecture for the
2. Define application architecture for the enterprise.
3. Define IT technology (e.g., networks, computers)
architecture for the enterprise.
DEVELOPING AN IT ARCHITECTURE
• Knowledge, Information and Data storage
  - Accessibility, Viability, Accuracy
• Network Communications & Data Transport
  - Client Server
• Application / Data Transformation
  - Traditional / 3rd Generation / 4th Generation, ERP, CASE, OOPS, ASP, KBS, Virtual Reality, Internet/Intranet/Extranet
DEVELOPING AN IT ARCHITECTURE
• DO WE HAVE THE RIGHT TECHNOLOGIES? ARE THEY INTEGRATED APPROPRIATELY?
• WHAT LEVELS OF INFORMATION ACCESS, SHARING & SECURITY SHOULD WE
• WHICH APPLICATIONS WILL WE DEVELOP, & WHICH WILL WE BUY?
• WHO WILL MAINTAIN & UPGRADE TOOLS, DATA,
• WHO WILL ASSESS WHETHER OUR HORIZONTAL ARCHITECTURE IS MEETING THE FIRM'S
• ARE STANDARDS DEFINED, COMMUNICATED, &
Platform Decision Makers
• A user department when it buys a package
• The CFO because it is a money decision
• The Data center based on its capabilities
• The Boss based on politics
• Application Developers based on their skills?
• The CIO based on enterprise goals
Tiered Systems Architecture
[Tier diagram; recoverable labels only: LOAD BALANCING / IP LOAD BALANCERS, WEB SERVERS, APPLICATION SERVERS, DATA RESOURCES, CLUSTERS]
Integrating Architectures By Network
[Network diagram; recoverable labels only]
Border Routers (MCI Worldcom, UUNET) -> Local Directors -> Front End Routers
Front-end services: CC Auth, Order Entry, Bubble DNS, SMTP
Back-End Routers (Shared Services) -> Interior Network Firewall
Internal zones: Production, Test Center, Corporate Network, Business Partners
[Threat map diagram; recoverable labels only]
Components shown: Local Area Network, Internet, Database, Hardware, Processor, PCs, Systems Software, Application Programmer, Systems Programmer, Authorizer
Threats listed on the diagram:
• Abuse of controls
• Accidental errors in
• Denial of services
• Unauthorized access
• Failure of protection mechanisms
• Copying
• Information leakage
• Theft
• Contribution to software failure
• Programming of applications to behave contrary to specification
• Installing unauthorized software
• Installation (use) of
• Located in insecure
• Duplication of confidential reports
• Bypassing security mechanisms
• Disabling security mechanisms
• Fraudulent
• Initializing insecure system
• Installing insecure system
• Illegal leakage of authorized information
• Theft of confidential material
• Viruses (on disks)
• Physical theft
• Incorrect specification of security
• Natural disasters
• Malicious attacks
• Unauthorized access to computer center
• Illegal or illicit use of computing resources
• Electronic theft
Web Services Architecture
[Layered diagram; recoverable labels only]
Consumers: Marketplaces, Internet Sites
Entry points: HTTP Server, HTTP Server, HTTP Server
Enterprise Trusted Network: Service Bus (WSDL); Web Services Directory (SOAP)
Services: CRM Services, Data Mgmt. Services, Security Services, Content Mgmt. Services, Business Services, User Profile Services
Integration: ODBC/JDBC, Message Brokers, Other Middleware, Native APIs
Back ends: Third Party Systems; Email, Chat, Systems; Legacy Data; Open System Database
Infrastructure: Data Mgmt., Security, Hosting/DR, System Mgmt., Network, Transaction Mgmt.
Based on Web services standards
Ref: RCG Information Technology; 'White Paper on Web Services Architecture' By Rasesh Trivedi, Senior Manager - RCG IT
ARCHITECTED DATA WAREHOUSING SYSTEM
[Diagram; only the labels "Cleansing" and "Warehouse" survived extraction]
Integrating Architectures By Applications
[Diagram; recoverable labels only]
Users: Customers • Partners • Sales Force • Call Center • Employees
Single Sign On
Integrated Development Environment
Back ends: XML, Legacy systems, ERP, EDI, CRM
Source: Asers Systems
Customer life cycle: SALES (Marketing, Sales), DELIVERY (Delivery, Billing), AFTER-SALES (Service)
Degree of integration for CRM
(i) Completely disparate systems, no interface, no information sharing
(ii) Separate systems, some interfaces, some information sharing, a partial view of the customer over the life cycle (plus optionally a data warehouse, not shown)
(iii) Full information sharing, full view of the customer over the life cycle, interfaces to back-office systems (plus a data warehouse, not shown)
Business Strategy & Organization
Business Process Model
Applications / Technical Design Standards
Operations & Service Delivery Model
IT Standards Documentation, Communication, and Update Process
[Process flow diagram; only fragments survived extraction: "Scope and rationale", "Develop and manage", "Periodic", "based in IT", "to IT Steering", "procurement"]
Ref: The Executives Guide to Information Technology by Baschab & Jon Piot
Systems Integration in the Global Enterprise
Key Factors (Data Collection) | Strategic Business Units (Narrative, Secondary) | Current interfaces, problems and issues across SBUs
• Organizational Culture
• Language Barriers: Screen language differences?
• Currency Translation: Auxiliary Denominators
• Local Government: Value-added tax?
• Autonomy: Corporate Links; Local Area Networks?
• Decentralization: Wide Area Networks?
• Measurement Systems: Business Rules; Activity-Based Costing?
• Core Products: Part Numbers Consistent?
• Suppliers / Customers: Customer Files, Vendor Files; Supplier / Customer numbers consistent?
REF: Zachman, IBM Systems Journal 1987
Notable Standards Efforts
• Central Computing and Telecommunications Agency (CCTA)
Methodology - IT Infrastructure Library (ITIL)
• Service Level Agreement (SLA) Working Group created by the
Distributed Management Task Force (DMTF)
• The Appl MIB by the Internet Engineering Task Force (IETF)
• Application Resource Measurement (ARM)
INFRASTRUCTURE MANAGEMENT TOOLS
[Two-column product/price/vendor table; entries listed in slide order]
• Fenway: Starts at $15,000 to $30,000. Dirig Software Inc., Nashua, N.H., www.dirig.com
• HP Open View: Starts at $23,900 for Operations console, $230 per node
• Patrol: Separate Predict and Perform versions for Oracle ($290 and $390 per server, respectively) and Unix ($395 and $875); Storage Resource Manager (starts at 40,000); Service Level Management (starts at $5,000 plus $195 per managed node; Windows versions start at $815)
• Site Angel: Starts at $900 per year. BMC Software Inc., Houston, www.bmc.com
• Peakstone eAssurance: $48,000 plus $4,800 annually per Web server CPU. Peakstone Corp., Sunnyvale, Calif.
• Silk Performer: Starts at $25,000; Silk Test: Starts at $6,500. Segue Software Inc., Lexington, Mass., www.segue.com
• $995 for 25 monitors. Freshwater Software Inc., Boulder, Colo., www.freshwatersoftware.com
• Tivoli Enterprise Console: Approximately $300 per node. Tivoli Systems Inc., Austin, Texas, www.tivoli.com
• Unicenter TNG: Starts at $2,500. International Inc., Islandia, N.Y., www.ca.com
The US standard railroad gauge (distance between the rails) is 4 feet, 8.5 inches.
That is an exceedingly odd number. Why was that gauge used? Because that is the
way they built them in England, and English expatriates built the US railroads. Why
did the English build them like that? Because the first rail lines were built by the
same people who built the pre railroad tramways, and that is the gauge they used.
Why did "they" use that Gauge then? Because the people who built the tramways
used the same jigs and tools that they used for building wagons, which used the
same wheel spacing. Okay! Why did the wagons have that particular odd wheel
spacing? Well, if they tried to use any other spacing, the wagon wheels would
break on some of the old, long distance roads in England, because that's the
spacing of the wheel ruts.
So who built those old rutted roads? Imperial Rome built the first long distance
roads in Europe (and England) for their legions. The roads have been used ever
since. And the ruts in the roads? Roman war chariots formed the initial ruts, which
everyone else had to match for fear of destroying their wagon wheels. Since the
chariots were made for (or by) Imperial Rome, they all had the same wheel
spacing. The United States standard railroad gauge of 4 feet, 8.5 inches is derived
from the original specification for an Imperial Roman war chariot. Specifications and
bureaucracies live forever. So the next time you are handed a specification and
wonder what horse's behind came up with it, you may be exactly right. This is
because the Imperial Roman war chariots were made just wide enough to
accommodate the back ends of two war-horses.
Now, the twist to the story... There is an interesting extension to the story about
railroad gauges and horses' behinds. When we see a Space Shuttle sitting on its
launch pad, there are two big booster rockets attached to the sides of the main fuel
tank. These are solid rocket boosters, or SRBs. Thiokol makes the SRBs at their
factory in Utah. The engineers who designed the SRBs might have preferred to
make them a bit fatter, but the SRBs had to be shipped by train from the factory to
the launch site. The railroad line from the factory happens to run through a tunnel
in the mountains. The SRBs had to fit through that tunnel. The tunnel is slightly
wider than the railroad track, and the railroad track is about as wide as two horses'
So, a major design feature of what is arguably the world's most advanced
transportation system was determined over two thousand years ago by the
width of a horse's behind!
• Which processes are most important?
• Who owns each of these processes?
• How much resource will be applied to
• How effective are each of these processes
• What priority should be placed on
improving each of these processes?