JSR IT Processes

BT-450 A
Lecture 3: IT Processes

Instructor: Rajeev Dwivedi
rdwivedi@stevens.edu
Phone: 201-216-8508
Desk-7A, Library Admin (3rd Floor)
Library Building
Stevens Institute of Technology, NJ-07030

Venue: Kidde-380
Time: 06:15-08:45PM (Tuesday)
1.    Business Strategic Planning
2.    Architecture Scanning & Definition
3.    IT Strategic planning and Control
4.    Application Planning
5.    Data Planning
6.    Systems Planning
7.    Network Planning
8.    Project Planning
9.    Service Level Planning & Management
10.   Business Continuity Planning
11.   Security Planning & Management             BT 450
12.   Audit Planning & Management
13.   Capacity Planning & Management
14.   Skills Planning & Management
15.   Budget Planning & Value Management         SMC Projects
16.   Vendor Planning & Management
17.   Management Systems Planning & Monitoring
18.   Project Definition
19.   Project Scheduling
20.   Project Controlling
21.   Project Requirements Control
22.   Project Evaluating
23.   Change Control
24.   Asset Management
25.   Production and Distribution Scheduling
26.   Problem Control
27.   Service Evaluating
28.   Software Procurement
29.   Software Upgrade
30.   Hardware Procurement and Upgrade
31.   Systems Maintenance
32.   Tuning and System Balancing
33.   Financial Performance
34.   Education and training
35.   Staff Performance
36.   Hiring, Retention
37.   Production
38.   Service Marketing
(11) Security Planning & Management

Using individual requests, this process builds an overall plan to ensure that the agreed levels of security for the systems and services will be met.
1. Consolidate the security requirements of all service agreements.
2. Define the business and IT security operating environment.
3. Identify variances between the operating environment and the agreements.
4. Develop the overall security plan.
Most companies don't spend as much money on protecting data as they spend on coffee for employees. Less than 0.0025 percent of corporate revenue is spent on corporate information-technology protection.

Our adversaries, be they run-of-the-mill hackers or devoted members of terrorist cells, have the same training and much the same access to technology as we do. "Our future enemies understand our technology at least as well as we do."

Most of the nation's critical infrastructure (the power grid, voice networks, and water supplies) is vulnerable. You'll find computers at the heart of all these systems. Terrorists have a wide range of technology targets, not all of them in cyberspace.

Richard Clarke, White House Special Advisor on Cyber Security Issues
How many vendors' products have you currently deployed for…
(values per row as shown on the chart; legend, left to right: 0 vendors, 1 vendor, 2 vendors, 3+ vendors, Don't know)
Antivirus: 43%, 30%, 27%
VPN: 57%, 27%, 17%
Firewall: 67%, 23%, 10%
Network IDS: 10%, 57%, 20%, 7%, 7%
Two-factor authentication: 23%, 63%, 10%
Personal firewall: 33%, 40%, 10%, 13%
Host IDS: 50%, 37%, 7%
Single sign-on: 60%, 27%, 7%
Ref: Forrester
What is the single greatest threat to your company's enterprise network security?
Trojans, viruses and malicious code: 31%
Employee error (unintentional): 13%
Internet worms: 10%
Spyware: 7%
Hackers: 6%
Sabotage by employee or partner: 5%
Application vulnerabilities: 5%
Spam: 4%
Cyberterrorism: 2.5%
Government regulations: 2%
Other: 15%
Base: 606 respondents
SOURCE: IDC. "WORLDWIDE IT SECURITY SOFTWARE, HARDWARE, AND SERVICES 2004-2008 FORECAST." 2004
BAD BUG BYTES 2000
HIT BY HACKER
Hacker entered the site and copied 15,700 customer credit-card and debit-card numbers.
Customers were told to get new credit cards and account numbers.

BAD BUG BYTES 2003
HIT BY HACKER
Hacker entered the site and got hold of a customer satisfaction survey. They leaked all negative comments to analysts and the press.

BAD BUG BYTES 2003
Data Processing International
HIT BY HACKER
MasterCard impacted: 2.2 million credit-card numbers
Visa impacted: 3.4 million credit-card numbers
American Express & Visa also affected

HIT BY INSIDER, June 2004
A former employee was charged with stealing the Internet provider's entire subscriber list -- over 30 million consumers, and their 90 million screen names -- and selling it to a spammer.

Bank of America Corp. lost digital tapes containing the credit card account records of 1.2 million federal employees, including 60 U.S. senators, when shipping backup tapes to offsite storage.
Security addresses all elements of e-business
  Employees, Vendors, Suppliers, Customers
  E-business Transactions
  e-business infrastructure Assets and Networks
  Assess / Protect / Detect / Recover / Manage
  Deliberate Attack / Accident / Natural Disaster
Deployment Security
  Security is about managing risk, not eliminating it
    Eliminating risk is nearly impossible
    Reducing risk to an acceptable level is possible (e.g., credit card fraud)
  Security is a process, not just products
  Software cannot resolve people problems
Annual Internet security incidents reported (chart: years 2000-2003; y-axis 0 to 15,000 incidents)
Ref: Computer Emergency Response Team (CERT).
Newly documented Win32 worms and viruses (chart: half-years 1H 2001 through 1H 2004; y-axis 0 to 5,000)
Ref: Symantec Corp.
Software and network holes continue to plague IT security (chart: half-years 1H 2001 through 1H 2004; y-axis 0 to 1,500)
Ref: Symantec Corp.
Types of Attack or Misuse (percentage of respondents)
Virus: 82%
Insider abuse of network access: 80%
Laptop: 59%
Unauthorized access by insiders: 45%
Denial of service: 42%
System penetration: 36%
Sabotage: 21%
Theft of proprietary info: 21%
Financial fraud: 15%
Telecom fraud: 10%
Telecom eavesdropping: 6%
Active wiretap: 1%
Ref: CSI/FBI 2003 Computer Crime and Security Survey
INFECTIOUS MESSAGES
Email attachment: 56%
Diskette from home: 25%
Diskette (other sources such as sales demos): 13%
Download (external): 11%
Web browsing: 3%
Download (internal systems): 2%
Don't know: 7%
69% of U.S. companies have been hit by a computer virus -- FBI
Note: Multiple answers permitted. Sample: 300 enterprise organizations.
Source: International Computer Security Association's Computer Virus Prevalence Survey
Cybersecurity Strains
Reported virus incidents (number of incidents): 21,000 in 2000, 130,000+ in 2003. Virus attacks are up dramatically…
Worldwide cost of worms and viruses ($ billions): $45 in 2000, $180 in 2003. …and the cost of the damage is exploding…
Average corporate IT-security budgets (% of IT budget): 2.5% in 1998, 10% in 2003. …but security budgets aren't keeping pace
Ref: Good Harbor Consulting LLC
Of companies hit by viruses and espionage, most can't estimate the value of the damage

Micro Viruses: Hit 51%, Not hit 49%
  Of those hit: Damage unknown 58%; Under $100,000 40%; Over $100,000 2%
Industrial Espionage: Hit 38%, Not hit 62%
  Of those hit: Damage unknown 84%; Under $100,000 15%; Above $100,000 1%
Respondents = 627 US IT Professionals
Data: Information Week/Ernst & Young Security Survey
What was the most severe impact of the security breaches your company has experienced?
(three figures per row as shown on the chart; series: total, under 1,000 employees, over 1,000 employees)
We were inconvenienced and lost productivity: 72.%, 73.2%, 75.2%
We lost tangible assets (data, revenue): 2.1%, 1.9%, 1.7%
Customers/vendors were unable to retrieve information: 9.1%, 7.7%, 6.0%
Publicly embarrassed: 17.2%, 16.8%, 17.1%
Ref: CIOINSIGHT
VIRUS IMPACT
How have viruses affected your company? (chart: % of respondents, x-axis 10 to 80; values not shown)
  Loss of productivity
  PC was unavailable
  Corrupted files
  Loss of access to data
  Lost data
  Loss of user confidence
  Interference or lockup
  Unreliable applications
  Trouble reading files
  Trouble saving files
  System crash
  Trouble printing
  Threat of job loss
Data: ICSA Labs
WORST SECURITY OUTBREAKS EVER
Name, Year: Worldwide Impact* (*estimated cost to corporations)
1. Love Bug, 2000: $8.75 billion
   Hopelessly lonely recipients think they are getting a real love letter in their e-mail.
2. MyDoom, 2004: $4.75 billion
   At its peak, infects one in 12 e-mails on the internet.
3. Sasser, 2004: $3.5 billion
   German cybercops nab its teenage author, Sven Jaschan. An IT security firm then offers him a job.
4. NetSky, 2004: $2.75 billion
   One of its variants disguises itself as a Harry Potter computer game.
5. SoBig, 2003: $2.75 billion
   Hits a week after Blaster (No. 8, below), helping cause a summer of pain for computer users and Microsoft.
6. Code Red, 2001: $2 billion
   Gives the phrase "denial of service" new meaning.
7. Slammer, 2003: $1.5 billion
   Targets small businesses running Microsoft programs most didn't even know they had.
8. Blaster, 2003: $1.5 billion
   Shuts down Maryland DMV for a day. Famous for twitting Bill Gates: "Stop making money and fix your software."
9. Klez, 2002: $1.5 billion
   Randomly spews files of its victims everywhere as e-mail attachments.
10. Nimda, 2001: $1.5 billion
   Striking the week after 9/11, this combination virus and worm triggers three FBI investigations.
SOURCE: FORTUNE, October 18, 2004.
Dollar Amount of Losses by Type
Theft of Proprietary Info: $120,827K
Financial Fraud: $115,753K
Insider Net Abuse: $50,099,000
Virus: $49,979,000
Denial of Service: $18,371K
Sabotage: $15,134K
System Penetration: $13,055K
Laptop Theft: $11,766,500
Telecom Fraud: $6,015K
Unauth. Insider Access: $4,03K
Telecom Eavesdropping: $364K
Source: Computer Security Institute, CSI/FBI
Low Confidence in Net Privacy
Users who are very or somewhat worried about interception of: E-Mail, Telephone Call, Fax, US Mail (chart: x-axis 0 to 60; values not shown)
Source: Louis Harris for Privacy & American Business
www.digdirt.com
Internet Detective 5.0
The Easy Way to Find Out the Truth About Anyone
Instant Unlimited Searches! In the privacy of your own home. Right on your own personal computer.
Find out ANYTHING:
  People Search
  Motor Vehicle Records
  Background Searches
  Court Searches
  Phone numbers and Addresses
  Credit records
  Social security numbers and records
  Current or past employment
Net Detective is an amazing new tool that allows you to find out "EVERYTHING you ever wanted to know about your friends, family, neighbors, employees, and even your boss!" You can even check out yourself. It is all completely legal, and you can do it all in the privacy of your own home without anyone ever knowing. It's even better than hiring a private investigator.
NetDetective5.0® self-installs and is compatible with all Internet-related software. If you have a credit card you can save by ordering direct, only $29.00 ($49.50 - retail price). With our INSTANT DELIVERY system your copy will be running on your computer in less than 3 minutes.
IT'S AMAZING!
          The Feds Are Watching
The three enforcement actions – which provide a road
map for what other companies should do – are described
at the following Web address:
 www.ftc.gov/opa/2003/06/guess.htm
 www.ftc.gov/opa/2002/02/elililly.htm
 www.ftc.gov/opa/2002/08/microsoft.htm


In addition, the FTC provides a security checklist at:
 www.ftc.gov/bcp/conline/pubs/buspubs/security.htm
How will your enterprise arm itself to address increasing information risk?

Information Security Hierarchy
  Layer 1: Information security Policy & Standards
  Layer 2: Information security Architecture & Processes
  Layer 3: Information security Awareness and Training
  Layer 4: Information security Technologies & Products
  Layer 5: Auditing, Monitoring, Investigating
  Layer 6: Validation (drawn alongside layers 1-5)
Source: Gartner Group
Which of the following are hurdles in your efforts to improve data-protection capability?
Funds are not available for building a better system: 66%
Business managers do not perceive the value of data protection: 33%
We lack the human resources to maintain or manage our capability: 31%
Our business processes are changing constantly: 23%
We lack the ability to test and validate alternative approaches: 23%
Options and vendor claims are confusing: 21%
Our data is growing faster than is our ability to protect it: 20%
We don't have any specific disaster-recovery or data-protection competency in our staff
Data protection is not a centralized function; every department or business unit has its own approach
We have trouble making data-protection technology work with our infrastructure
Other
Ref: Network Computing E-mail Poll, 623 respondents
Top Security Obstacles (chart: % of respondents; values not shown)
  Need to get hit to change
  Inadequate budget
  Lack of HR Support
  Lack of awareness
  Lack of tools
Note: total exceeds 100% because multiple responses were permitted. Respondents = 530 U.S. IT managers and professionals
DATA: INFORMATION WEEK/ ERNST & YOUNG SECURITY SURVEY
e-business Security Threats
We Think About:
  Hackers
  Terrorists
  Foreign Governments
  Organized Crime
  Nature

But Don't Forget:
  Competitors
  Unethical Insiders
  Human Error
DO YOU HAVE A FIREWALL???
Offenders' Occupations (%)
  Application programmers: 18
  Clerical personnel: 14
  Other system users: 14
  Students: 12
  Managers: 11
  System analysts: 6
  Machine operators: 6
  Top executives: 4
  Other EDP staff: 3
  Data entry staff: 3
  Systems programmers: 3
  Consultants: 3
  Accountants: 2
  Security officers: 1
  Controllers: 0
  Auditors: 0
"Other" stands for a general category of nonclerical and nonmanagerial users

Motivations for Abuse (chart: y-axis 0% to 30%; values not shown)
  Personal Gain / Ignorance of Proper Conduct / Misguided Playfulness / Maliciousness
Source: FBI
Who's Breaking Into Your Systems?
(pie chart; slices shown: 82%, 6%, 5%, 5%, 2%)
  Disgruntled existing and former employees and contractors
  Organized crime (extortion, money-laundering, insider trading)
  Cybercriminals (fraud and information reselling)
  Kids and teen-agers
  Other (including governments)
Source: SIM
THE ENEMY WITHIN
Employee theft has overtaken workplace violence as the top corporate security concern, while fraud and white collar crime have rocketed up from seventh place to third.

RANKING POTENTIAL SECURITY THREATS
  1. Employee theft
  2. Workplace violence
  3. Fraud, white-collar crime
  4. Careless employee selection
  5. Hardware & software theft

Source: Pinkerton's, Inc., Encino, Calif.
Base: 147 corporate security directors at Fortune 1,000 companies; 137 corporate security directors at Fortune 1,000 companies
Top Tips for Preventing Insider Attacks

1. Do not give employees access to systems they don't need, or allow them continued access when they no longer need it.
2. Tie identity management and password provisioning systems directly to your HR systems, including payroll.
3. Establish basic policies. For example, no user should have unfettered access to both accounts payable and accounts receivable.
4. Establish clear consequences for inappropriate employee behavior, such as looking at unauthorized material after hours.
5. Enforce the use of strong passwords, virus protection software, and personal firewalls for employees who work from home.
6. Perform a risk analysis on your key data assets to identify their value and potential damage from a loss, and to determine their vulnerability.
7. Use redundant logging systems to deter malicious behavior. Keep all logs.

Sources: IBM, Symantec, Netegrity
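Tips 1 to 3 above are the kind of rules an access-review job can enforce mechanically. The script below is an added example, not code from the lecture or its sources: it reconciles a constructed account inventory against a constructed HR feed, flags orphaned, dormant and post-termination-use accounts, and checks the accounts-payable/accounts-receivable segregation rule (user names, entitlement names and the 90-day dormancy threshold are assumptions).

```python
"""Insider-access hygiene checks: reconcile accounts with HR, flag dormant
accounts and enforce one segregation-of-duties rule.
Added example; users, entitlement names and the 90-day threshold are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Account:
    user_id: str
    entitlements: FrozenSet[str]
    last_used: date


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    status: str                      # "active" or "terminated"
    end_date: Optional[date] = None  # set when status == "terminated"


# Constructed sample inventory of application accounts.
ACCOUNTS: List[Account] = [
    Account("alice", frozenset({"accounts_payable"}), date(2024, 5, 28)),
    Account("bob",   frozenset({"accounts_payable"}), date(2024, 2, 10)),
    Account("carol", frozenset({"ledger_read"}), date(2024, 5, 1)),
    Account("dave",  frozenset({"accounts_payable", "accounts_receivable"}), date(2024, 5, 30)),
    Account("erin",  frozenset({"accounts_receivable"}), date(2023, 11, 1)),
]
# Constructed HR feed (tip 2: provisioning should be driven by this, not by tickets).
HR: Dict[str, HrRecord] = {
    "alice": HrRecord("alice", "active"),
    "bob":   HrRecord("bob", "terminated", date(2024, 1, 31)),
    "dave":  HrRecord("dave", "active"),
    "erin":  HrRecord("erin", "active"),
    # "carol" has no HR record at all: an account with no owner of record.
}
# Tip 3: no user should have unfettered access to both sides of these pairs.
CONFLICTING_PAIRS: Sequence[Tuple[str, str]] = [("accounts_payable", "accounts_receivable")]
REVIEW_DATE = date(2024, 6, 1)   # the day this review runs (constructed)


def orphaned_accounts(accounts: Sequence[Account], hr: Dict[str, HrRecord]) -> List[str]:
    """Tips 1-2: accounts with no HR record, or whose HR status is not active."""
    return sorted(a.user_id for a in accounts
                  if a.user_id not in hr or hr[a.user_id].status != "active")


def used_after_termination(accounts: Sequence[Account], hr: Dict[str, HrRecord]) -> List[str]:
    """Terminated users whose account saw activity after the HR end date:
    the de-provisioning gap that tip 2 is meant to close."""
    hits = []
    for a in accounts:
        rec = hr.get(a.user_id)
        if rec and rec.status == "terminated" and rec.end_date and a.last_used > rec.end_date:
            hits.append(a.user_id)
    return sorted(hits)


def dormant_accounts(accounts: Sequence[Account], today: date,
                     max_idle_days: int = 90) -> List[str]:
    """Tip 1: access nobody uses is access nobody needs (90 days is an assumed policy)."""
    return sorted(a.user_id for a in accounts if (today - a.last_used).days > max_idle_days)


def sod_violations(accounts: Sequence[Account],
                   pairs: Sequence[Tuple[str, str]] = CONFLICTING_PAIRS) -> List[str]:
    """Tip 3: users holding both entitlements of any conflicting pair."""
    return sorted(a.user_id for a in accounts
                  if any(x in a.entitlements and y in a.entitlements for x, y in pairs))


def access_review(accounts: Sequence[Account], hr: Dict[str, HrRecord],
                  today: date) -> Dict[str, List[str]]:
    """Bundle the checks into one periodic review report."""
    return {
        "orphaned": orphaned_accounts(accounts, hr),
        "used_after_termination": used_after_termination(accounts, hr),
        "dormant": dormant_accounts(accounts, today),
        "sod_violation": sod_violations(accounts),
    }


if __name__ == "__main__":
    for finding, users in access_review(ACCOUNTS, HR, REVIEW_DATE).items():
        print(f"{finding}: {', '.join(users) or '-'}")
```

In practice the account list comes from the directory or application export and the HR feed from payroll, and a "used after termination" hit is an incident to investigate, not just a cleanup item.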
THE AVERAGE INTELLECTUAL PROPERTY THIEF IS AN EDUCATED 42-YEAR-OLD WHITE MAN WITH NO PRIOR CRIMINAL HISTORY. SOUND FAMILIAR?
DEFENDANTS ARE INCREASINGLY YOUNGER AND MORE EDUCATED.

Characteristics of defendants: 1998 / 2002
  Education, at least some college: 42% / 49.6%
  Age 25-34 years: 24.1% / 32.1%
  Age 35-50 years: 50.4% / 44.8%
  Gender, male: 83.2% / 92.5%
  U.S. citizenship: 65.9% / 78.4%
  No prior criminal history: 75.7% / 76.1%

Sources: U.S. DEPARTMENT OF JUSTICE, U.S. SENTENCING COMMISSION, EXECUTIVE OFFICE FOR U.S. ATTORNEYS
How to be sure your company is prepared to handle a security breach:

>> Establish clear definitions of what constitutes a security breach and ways to detect them
>> Identify a single point of contact in the event that a breach occurs
>> Know local and federal law-enforcement officials
>> Know the legal requirements with which your company must comply
>> Consider encrypting database records that hold financial information
>> Audit for proper security controls and procedures
>> Educate employees on procedures in the event of a security breach
>> Check that third parties handling your customers' data have adequate security
Activities Included in Job Descriptions for Information Security Managers
• Developing, presenting, and managing the dissemination of information security awareness and training materials.
• Evaluating the effectiveness, efficiency of, and compliance with existing information security control measures.
• Recommending control measures to improve information security (including evaluating and selecting products and services).
• Monitoring developments in the information security and information processing fields to identify new opportunities and new risks.
• Interpreting information security requirements emanating from external bodies, such as government agencies and standards-setting groups.
• Investigating alleged information security breaches and, if necessary, assisting with disciplinary and legal matters associated with such breaches.
• Developing security policies, standards, guidelines, procedures, and other elements of an infrastructure to support information security.
• Coordinating and monitoring information security activities throughout the organization, including the preparation of periodic status and progress reports.
• Serving as a liaison between various groups dealing with information security matters (e.g., with the legal department and the insurance department).
• Preparing implementation plans, security product purchase proposals, staffing plans, project schedules, budgets, and related information security management materials.
• Representing the organization on information security matters to external groups (e.g., participating in meetings to establish technical standards).
• Providing information security system administrative support (e.g., to maintain databases for password access control systems).
• Performing research on new and improved ways to properly protect the organization's information research assets.
• Providing consulting assistance on implementing information security controls (e.g., encryption system deployment and secure application system development procedures).
Guidelines for Good Passwords
DON'TS:
× DON'T choose a password that uses public information about you, such as your social security number, credit card or ATM card number, birth date, driver's license and so on.
× DON'T choose a password that uses public information about your family or friends.
× DON'T choose a password that is composed of any word or words that could be found in a dictionary, in any form or combination.
× DON'T reuse old passwords or ones that are similar to old passwords.
× DON'T use your user ID, or any variation on your user ID, as your password.

DO'S:
✓ DO choose a password that has no easily discerned significance to you.
✓ DO choose a password that is six to eight characters long.
✓ DO memorize your password. Never write it down.
✓ DO use a password that has at least two alphabetic characters (a-z, A-Z) and at least one numeric (0-9) or special (punctuation) character.
✓ DO use both uppercase and lowercase characters. Passwords are case sensitive.
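The guidelines above can be turned into a checker that runs at password-change time and reports every rule a candidate breaks. The code below is an added example, not from the lecture: the small word list, the personal-information tokens, the password history and the edit-distance threshold used to decide that a password is "similar" to an old one are all constructed assumptions.

```python
"""Checker for the password guidelines above.
Added example, not from the lecture: the word list, personal details,
history and the "similar password" threshold are constructed assumptions."""
import re
from typing import Iterable, List, Set

# Stand-in for a real dictionary (assumption: a full word list in practice).
DICTIONARY: Set[str] = {"password", "secret", "summer", "dragon", "stevens",
                        "welcome", "sun", "shine", "love", "bug"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to decide whether a password is 'similar' to an old one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def letters_only(s: str) -> str:
    """Lower-case letters with digits/punctuation stripped ('P@ssw0rd' -> 'psswrd')."""
    return re.sub(r"[^a-z]", "", s.lower())


def is_dictionary_based(pw: str, words: Set[str] = DICTIONARY) -> bool:
    """Rule: no dictionary word 'in any form or combination'. Checks the letter
    core and every two-word split of it (a real checker would also map leetspeak)."""
    core = letters_only(pw)
    if not core:
        return False
    if core in words:
        return True
    return any(core[:i] in words and core[i:] in words for i in range(1, len(core)))


def check_password(pw: str, user_id: str, personal: Iterable[str] = (),
                   history: Iterable[str] = (), words: Set[str] = DICTIONARY) -> List[str]:
    """Return the list of guideline violations; an empty list means the password passes."""
    problems: List[str] = []
    low, uid = pw.lower(), user_id.lower()
    if not 6 <= len(pw) <= 8:
        problems.append("length must be 6-8 characters")
    if sum(c.isalpha() for c in pw) < 2:
        problems.append("needs at least two alphabetic characters")
    if not any(c.isdigit() or not c.isalnum() for c in pw):
        problems.append("needs a numeric or special character")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both uppercase and lowercase characters")
    if uid and (uid in low or uid[::-1] in low):          # user ID or a reversed variation
        problems.append("contains the user ID or a variation of it")
    if any(p and p.lower() in low for p in personal):     # birth date, SSN fragments, names
        problems.append("contains personal information")
    if is_dictionary_based(pw, words):
        problems.append("based on dictionary words")
    for old in history:
        if levenshtein(low, old.lower()) <= 2:            # assumed threshold for 'similar'
            problems.append("reuses or closely resembles an old password")
            break
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Rdwivedi1", "Tq7#vxLp"):
        print(candidate, "->", check_password(candidate, "rdwivedi") or "OK")
```

The six-to-eight character bound and the composition rules are the slide's 2004-era guidance; current NIST SP 800-63B advice favours allowing long passphrases, screening candidates against lists of known-breached passwords, and dropping mandatory composition rules.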
Which technologies consume the bulk of your security dollars? (multiple responses accepted)
(chart: two series, Now and In two years; x-axis 0 to 100; values not shown)
  Firewalls
  Encryption
  Digital Certificates
  Remote Access
  Labor
  Consulting & Services
  Security awareness & Training
  Policy Systems
  Authentication
  Threat Analysis
  Maintenance
  Other
Source: Forrester Research, Cambridge, Massachusetts, forrester.com
Which of the following Security Vendors do you expect to purchase more software from in the next 12 months?
  Cisco: 48%
  Symantec: 34%
  Check Point: 30%
  Verisign: 22%
  McAfee: 20%
  Computer Associates: 18%
  IBM: 18%
  WebSense: 16%
  NetIQ: 12%
  Trend Micro: 12%
  WatchGuard: 10%
  RSA Security: 8%
  Internet Security Systems: 4%
  NetScreen: 4%
  BMC Software: 2%
  Netegrity: 2%
Ref: Merrill Lynch
HONEYPOT SECURITY
Lures intruders to what they think is a sensitive area, so that every interaction with it can be logged and investigated; since no legitimate user has a reason to touch it, any access is a high-confidence signal.
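One concrete form of the idea, added here as an example and not taken from the lecture: a decoy account and a decoy file that no legitimate user or job ever touches, so a single log line referring to either is an alert in its own right. The log lines, host names, addresses and decoy names are constructed, and the line formats only loosely follow OpenSSH and auditd messages.

```python
"""Honeytoken detection: a decoy account and a decoy file that no legitimate
process ever uses, so any touch is a high-confidence intrusion signal.

Added example, not part of the lecture. Log lines, host names, IPs and decoy
names are constructed; the line formats loosely follow OpenSSH and Linux
auditd-style messages.
"""
import re
from collections import namedtuple

Alert = namedtuple("Alert", "kind actor source detail")

# Decoys: advertised nowhere except in the "sensitive-looking" places an
# intruder would look (a stale config file, a share listing, an old dump).
DECOY_ACCOUNTS = {"backup_admin", "svc_oracle_old"}
DECOY_PATHS = {"/srv/finance/payroll_2005.xls", "/etc/keys/root_backup.pem"}

SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)")
FILE_RE = re.compile(
    r"audit: uid=(?P<uid>\S+) op=(?P<op>open|read|copy) path=(?P<path>\S+)")


def scan(lines):
    """Return an Alert for every line that touches a decoy; all other lines are ignored."""
    alerts = []
    for line in lines:
        m = SSH_RE.search(line)
        if m and m["user"] in DECOY_ACCOUNTS:
            # Even a *failed* login against the decoy matters: the name was
            # never published, so someone harvested it from somewhere.
            alerts.append(Alert("decoy-login", m["user"], m["ip"], m["result"]))
            continue
        m = FILE_RE.search(line)
        if m and m["path"] in DECOY_PATHS:
            alerts.append(Alert("decoy-file", m["uid"], m["path"], m["op"]))
    return alerts


SAMPLE_LOG = [  # constructed
    "Mar 14 02:11:05 web1 sshd[812]: Accepted password for alice from 10.0.5.21 port 50122 ssh2",
    "Mar 14 02:13:40 web1 sshd[815]: Failed password for invalid user backup_admin from 198.51.100.7 port 40210 ssh2",
    "Mar 14 02:13:44 web1 sshd[815]: Failed password for invalid user backup_admin from 198.51.100.7 port 40210 ssh2",
    "Mar 14 02:20:01 fs1 audit: uid=bob op=open path=/srv/finance/q1_report.xls",
    "Mar 14 02:21:17 fs1 audit: uid=www-data op=read path=/srv/finance/payroll_2005.xls",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a)
```

The value of a honeytoken lies entirely in the decoy being plausible to an attacker and invisible to normal workflows; the moment a backup job or a scanner legitimately reads the decoy file, the alert loses its zero-false-positive property and has to be tuned like any other rule.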
Current Authentication
Authenticators and their Subtypes: Biometrics

Stable biometric signal: fingerprint, iris, retina, face, hand geometry.
Alterable biometric signal: voice, where the system issues a random challenge (a digit string such as 472839…) that the user must speak, and compares the spectral formants f0, f1, f2, f3 of the response, P(f), with the enrolled voice (random challenge-response).

Source: O’Gorman, “Securing Business’s Front Door”
Human Body and Types of Biometric Technologies for Security

Face
  Type:          Face recognition
  How it works:  Captures characteristics of a face from video or a still image and translates them into digital form
  Advantages:    Suitable for identification applications; relatively unobtrusive
  Disadvantages: Prone to errors caused by environmental influences (e.g. light), sunglasses, facial hair, etc.; expensive
  Use examples:  Identification (law enforcement) as well as identity authentication

Eyes
  Type:          Retina scanning
  How it works:  Captures the unique pattern of blood vessels; extremely secure and accurate
  Advantages:    Secure and accurate
  Disadvantages: Expensive; requires perfect alignment: usually the user must look into a monocular or binocular receptacle
  Use examples:  Suitable for high-security applications in a controlled environment

  Type:          Iris scanning
  How it works:  Captures the unique patterns of an iris
  Advantages:    Secure; does not need physical contact and is non-intrusive
  Disadvantages: Expensive; sensitive to environmental conditions

Voice
  Type:          Voice recognition
  How it works:  Captures unique characteristics of the voice
  Advantages:    Easy to use and understand; non-intrusive
  Disadvantages: Sensitive to background conditions such as noise
  Use examples:  Automated call centers

Hands
  Type:          Hand geometry
  How it works:  Captures up to 90 unique hand characteristics
  Advantages:    Easy to use and inexpensive
  Disadvantages: Bulky and sensitive to environment
  Use examples:  Access control, computer access control

  Type:          Fingerprinting
  How it works:  Uses unique patterns known as loops, arches and whorls
  Advantages:    Easy to use, inexpensive; fingerprint databases are already available
  Disadvantages: Less reliable than retina or iris scanning
  Use examples:  Access control, computer access control
                    Top Barriers to IT Security

                        1        Limited budget
                        2        Limited staff dedicated to security
                        3        Limited or no time to focus on
                                 security
                        4        Limited or no security
                                 training/awareness
                        5        Complex technology infrastructure
                        6        Limited support from executives


Ref: IDC, Framingham, Mass., December 2004
When was the last time your company’s emergency response plan was reviewed or updated?

  Within the last 30 days       25%
  In the last 1 to 3 months     11%
  In the last 4 to 6 months     23%
  In the last 7 to 12 months    14%
  More than 12 months ago       11%
  Never                          2%

Source: InfoWorld security survey
What % of your overall IT Budget is dedicated to Security?

  0 – 5%      70%
  6 – 10%     22%
  11 – 20%     4%

Ref: Merrill Lynch
Industry Security
What percent of your company’s IT budget goes to information security?

[Bar chart by industry, in the order shown: Banking, Computer, Telecommunications, Government, Insurance, Education, Health care, Professional services, Manufacturing; horizontal axis 3 to 15 % of IT budget; individual values not reproduced]

Data: InformationWeek Research Global Information Security Survey of 8,100 technology and security professionals
Staff Assigned to Information Security

[Bar chart of information security workers for every 10,000 employees, by industry: Other, Health Care, Transport/Distribution, Retail/Wholesale, Manufacturing, Education, Utilities, Financial Services, Computers/Telecom, Government, Aerospace/Defense; axis 0 to 16; individual values not reproduced]

Data: Computer Security Institute Survey of North American Companies
IS YOUR IT SECURITY BUDGET HIGHER OR LOWER THAN LAST YEAR’S?

  Higher   47.9%
  Flat     34%
  Lower    18.1%

Base: 257 data center managers surveyed earlier this year

Source: AFCOM’s Data Center Institute, Orange, Calif.
Three Components of a Balanced Approach to Organizational Security

Organization
• Structure
• Business environment
• Culture and politics
• Standard operating procedures
• Education, training, awareness

Management
• Asset identification
• Risk management and assessment (CIP, organization, technical)
• Control environment
• Operational balance

Technology
• Firewalls
• Intrusion detection
• Password layering
• Public key encryption, escrow and authentication
• Secure servers, VPNs

Critical Infrastructures (the context in which all three components operate)
• Critical infrastructure protection (CIP)
• Government/industry collaboration
• Management’s role in CIP
Remote Access Security Reference Materials
• NCSA News, The Journal of the National Computer Security Association, NCSA
  (10 South Courthouse Ave., Carlisle PA 17013). (717) 258-1816
• INFO Security News, MIS Training Institute Press, 498 Concord St., Framingham
  MA 01701-2357. (508) 879-9792
• CERT Coordination Center, Software Engineering Institute, Carnegie Mellon
  University, Pittsburgh PA 15213-3890. E-mail: cert@cert.org. (412) 268-7090
  24-hour hotline
• National Infrastructure Protection Center, www.nipc.gov
• The Firewalls mailing list: send e-mail to majordomo@greatcircle.com with the
  following as the first and only line of text in the body: subscribe firewalls (your address)
• Various online World-Wide Web resources include:
  catless.ncl.ac.uk/risks
  http://www.tansu.com.au/info/security/html
  http://www.tis.com
  http://www.alw.nih.gov/WWW/security.html
• The COM-SEC BBS, (415) 495-4642 modem, (415) 495-1811 ext. 10 voice
• Computer Security Institute, 600 Harrison St., San Francisco CA 94107. (415) 905-2626 voice
IT Security Resources

CERT Coordination Center, www.cert.org
  A center of internet security expertise at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. Information and training on protecting your system, reacting to current problems and predicting future problems.

SANS Institute, www.sans.org
  Research, education and training on IT security issues.

Center for Internet Security, www.cisecurity.org
  Methods and tools to improve, measure, monitor and compare the security status of Internet-connected systems and applications.

Internet Security Alliance, www.isalliance.org
  A forum for sharing information on security issues.

Information Security Forum, www.securityforum.org
  An international corporate membership organization whose members share information about security issues.
Big Names in Identity
From modular components to full-fledged suites, the top vendors in the identity management space offer a range of tools to strengthen the security of your network.

Vendor                          Solutions                                                                   Platforms
IBM Tivoli (ibm.com)            Access Manager, Directory Integrator, Directory Server, Identity Manager,   AIX, HP-UX, Linux, Solaris, Windows
                                Privacy Manager for e-business, Risk Manager, Security Compliance Manager
Microsoft (microsoft.com)       Identity Integration Server 2003                                            Windows
Netegrity (netegrity.com)       eProvision, IdentityMinder, SiteMinder, TransactionMinder                   HP-UX, Linux, Solaris, Windows
Novell (novell.com)             iChain, Nsure                                                               AIX, Linux, NetWare, Solaris, Windows
Oblix (oblix.com)               CoreID, ShareID, CoreSV                                                     AIX, HP-UX, Linux, Solaris, Windows
openNetwork (opennetwork.com)   Universal IdP                                                               AIX, Solaris, Windows
RSA Security (rsasecurity.com)  I&AM (Identity and Access Management)                                       AIX, Solaris, Windows
Which, if any, of the following security vendors does your company use for intrusion detection and/or prevention?

  Cisco Systems                55%
  Symantec                     48%
  Network Associates/McAfee    29%
  Internet Security Systems    15%
  Juniper/NetScreen             7%
  Sophos                        5%
  Enterasys                     5%
  TippingPoint                  3%
  Sana Security                 2%
  Sourcefire                    2%

Ref: InfoWorld; Note: Multiple responses allowed
Which, if any, of the following vendors do you trust to provide companywide enterprise OS security?

  Microsoft                    38%
  IBM                          33%
  Novell                       23%
  Red Hat                      20%
  Sun Microsystems             19%
  Other Linux                  18%
  Don’t know/Not applicable    30%

Ref: InfoWorld; Note: Multiple responses allowed
(12)Audit Planning & Management

Using individual requests, this process builds an overall plan to
ensure that the agreed levels of auditability for the systems and
services will be met.
1.Consolidate audit requirements of standards and service
      agreements.
2.Define business and IT audit operating environment.
3.Identify variances between operating environment and
  agreements.
4.Develop overall audit plan.
           THE AUDIT MISSION

• OBJECTIVE & INDEPENDENT (who?) REVIEW OF OPERATIONS or BENCHMARK
• EVALUATE ADEQUACY OF INTERNAL SYSTEM OF CONTROLS
• REVIEW COMPLIANCE WITH LAWS AND LEGISLATION
• BE ALERT TO POSSIBILITIES OF FRAUD, BRIBERY ….ILLEGAL TRANSACTIONS
• REPORT FINDINGS TO MANAGEMENT
     Fair Information Practices Principles

1. There should be no personal record systems whose existence is
       secret.
2. Individuals have rights of access, inspection, review, and
       amendment to systems that contain information about them.
3. There must be no use of personal information for purposes other
       than those for which it was gathered without prior consent.
4. Managers of systems are responsible, and can be held accountable
       and liable, for the damage done by their systems and for the
       systems’ reliability and security.
5. Governments have the right to intervene in the information
       relationships among private parties.
GLBA in a nutshell
What:       Gramm-Leach-Bliley Act, Title V
Why:        Ensure the security and privacy of customer information and maintain the safety and soundness of financial institutions
Where:      Banks and financial institutions under the regulation and supervision of the Treasury Department, FDIC and Federal Reserve
When:       July 1, 2001 (but for some service providers July 1, 2003)
IT impact:  Requires financial institutions to have a written, comprehensive security policy to protect the security and confidentiality of a customer’s nonpublic personal information
Penalties:  Actions to enforce the regulations by individuals will not exceed damages of $1,000; damages to a class of individuals are available up to $500,000. Each agency can enforce its regulations under any authority conferred on the agency by law.

GLBA Source Code (statute and implementing regulations)
Law:                                            Public Law 106-102 (1999); 12 U.S. Code Section 1811
Regulations:
  Department of the Treasury
    Office of the Comptroller of the Currency   12 CFR Part 30
    Office of Thrift Supervision                12 CFR Parts 568 and 570
  Federal Reserve System                        12 CFR Parts 208, 211, 225 and 263
  Federal Deposit Insurance Corporation         12 CFR Parts 308 and 364

Source: www.nwc.com, 7.10.2003, Network Computing
HIPAA in a nutshell
What:       The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Why:        Combat fraud and abuse in health care and improve health-care systems by encouraging the electronic transfer of health-care information
Where:      Health plans, health-care clearinghouses and certain health-care providers
When:       April 14, 2003   Privacy: all covered entities except small health plans
            April 14, 2004   Privacy: small health plans
            April 21, 2005   Security standards: all covered entities except small health plans
            April 21, 2006   Security standards: small health plans
IT impact:  Ensure the security and privacy of health-care information
Penalties:
  General:  Up to $100 for each violation; the total amount imposed for all violations of an identical requirement during a calendar year may not exceed $25,000
  Wrongful disclosure of individually identifiable health information:
    (1) Fine of not more than $50,000, imprisonment of not more than one year, or both.
    (2) If the offense is committed under false pretenses, fine of not more than $100,000,
    (3) If the offense is committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm, fine of not more than $250,000, imprisonment of not more than 10 years, or both.

HIPAA Source Code (statute and implementing regulations)
Law:               Public Law 104-191 (1996)
Regulations:
  Privacy          45 CFR Parts 160, 164
  Security         45 CFR Parts 160, 162, 164
Sarbox in a Nutshell
What:       Sarbanes-Oxley Act of 2002
Why:        Fight corporate corruption
Where:      Publicly traded companies and their auditors and attorneys
When:       April 15, 2005
IT impact:  More stringent reporting requirements, mandating internal controls on financial reporting systems
Penalties:  A corporate officer who knowingly certifies a false financial report can be fined up to $1 million or face up to 10 years in prison, or both. If done willfully, up to $5 million in fines or 20 years in prison, or both.

Sarbanes-Oxley Source Code (statute and implementing regulations)
Law:                                   Public Law 107-204 (2002)
Regulations:
  Implementing Sections 404, 406, 407  17 CFR Parts 210, 228, 229, 240, 249, 270 and 274

Source: www.nwc.com, 7.10.2003, Network Computing
Some companies averaged $35M.
SARBANES-OXLEY Info
• Details: Securities and Exchange Commission: www.sec.gov/rules/final/33-8177.htm & www.sec.gov/spotlight/sarbanes-oxley.htm
• Dedicated site: www.sarbanes-oxley.com
• Gartner discussion: sox.weblog.gartner.com/weblog/index.php?blog=11
• FAQs:
  • “Five Things IT Needs To Know about Sarbanes-Oxley Compliance,” AMR Research: www.amrresearch.com/content/view.asp?pmillid=15951&docid=10387
  • Association for Information Management Professionals: www.arma.org/legislative/sarbanes_oxley.fcm
  • Financial Managers Society: www.fmsinc.org/cms/?pid=3253
  • The N.Y. State Society of CPAs: www.nysscpa.org/oxleyact2002.htm
  • PricewaterhouseCoopers Barometer Survey: www.barometersurveys.com

WebLinks 1-2
Related Stories
“Complying With the Feds,” www.nwc.com/1410/140fl4.html
“Secure to the Core,” www.nwc.com/1401/1401f1.html
“Managing Your Digital Rights,” www.nwc.com/1319/1319ws1.html
“Employee Provisioning,” www.nwc.com/1317/1317f1.html
HIPAA Web Resources
Department of Health and Human Services, aspe.os.dhhs.gov/adminsimp
Health Privacy Project (state health privacy law), www.healthprivacy.org
HIPPA.org, www.hippa.org
Strategic National Implementation Process (SNIP), www.wedi.org/snip
GLBA Web Resources
EPIC, www.epic.org/privacy/glba
FTC on GLBA, www.ftc.gov/privacy/glbact
CERT Coordination Center, www.cert.org
Federal Computer Incident Response Center, www.fedcirc.gov
National Infrastructure Protection Center, www.nipc.gov
NIST Computer Security Resource Center, www.csrc.nist.gov
SANS Institute, www.sans.org
Do you anticipate your company will spend more, less, or about the same
amount this year to be compliant with government regulations?

  More              71%
  About the same    27%
  Less               2%

Data: InformationWeek Media Network Compliance study of 650 business-technology professionals
WHEN WAS YOUR ORGANIZATION’S POLICY LAST UPDATED?

  Within the last three months    26%
  Four to 12 months ago           35%
  One to two years ago            16%
  More than 2 years ago           11%
  Never                            3%
  Don’t know                       9%

Data: InformationWeek research survey of 200 IT managers
Which department created the data policy?

[Bar chart, % of respondents on a 0 to 60 axis, for: IT; Legal; Other; Don’t know; An industry standard policy adopted; individual values not reproduced]
Top ten factors that could trigger workers to act unethically or illegally
  1.  Balancing work and family
  2.  Poor internal communications
  3.  Poor leadership
  4.  Work hours, work load
  5.  Lack of management support
  6.  Need to meet sales, budget or profit goals
  7.  Little or no recognition of achievements
  8.  Company politics
  9.  Personal financial worries
  10. Insufficient resources
Should HR be involved too?
REF: IBM & Marist College
Ten Tips for Taming the E-mail Problem
1.  Create a reasonable and enforceable policy.
2.  Spell out privacy expectations clearly.
3.  Require that each employee sign the policy. Issue frequent policy
    reminders.
4.  When the policy is broken, consult the legal department and have an
    immediate conversation with the employee, accompanied by a
    human resources representative.
5.  Don’t limit employee training to policy issues. Also include etiquette,
    proper use of group mailing lists, and information about recognizing
    scams and urban legends.
6.  Limit employee mailboxes to an appropriate size (CIOs interviewed
    for this article recommended a range from 15MB to 150MB
    depending on the type of work).
7.  Consider your potential legal liability in determining how long to store
    messages.
8.  Consider filtering tools, but be aware of their limitations.
9.  Install two different antivirus software packages (one for servers, one
    for the desktops).
10. Teach users to distrust all attachments, particularly unexpected ones.
Steps in developing a Responsibility Audit
  1   Gain CEO commitment
  2   Appoint a steering committee to guide the audit
  3   Appoint an auditing team (auditors, key managers, and organizational development
      experts) that will develop questions to be used in examining the firm
  4   Diagnose the corporate culture and investigate designated functional areas, such
      as employee relations and human rights, community relations (the company’s
      social impact), quality programs, and environmental practices
  5   Analyze the mission statement, and look for circumstances when the stated
      mission/goals and actual company performance do not coincide
  6   Seek fundamental or underlying reasons that performance and goals are not
      consistent
  7   Collect relevant industry information, existing benchmark studies, and available
      information on competitors and industry standards in each designated functional area
  8   Interview relevant stakeholders who are involved in each functional area (e.g.
      customers, employees, federal and local environmental officials, local community
      officials) about their perceptions of the firm’s socially responsible performance
  9   Compare internal data and external stakeholder perceptions
  10  Write the final report for company managers and the audit steering committee
Source: Waddock, Smith, Sloan Management Review, Winter 2000
(13) Capacity Planning & Management

Using the forecast load from new projects or from the
evolution of existing services, this process defines in a
capacity plan how resources will cover the demand. It also
proposes alternatives to management (number of
shifts, decreased services, changes in systems plan….)
1.Translate service requirements into a load forecast of
      hardware, network, software, facilities and supplies.
2.Define capacity of existing and planned resources
      (hardware, network, software, facilities and supplies).
3.Compare load forecast against this defined capacity.
4.Identify, evaluate and propose alternate load forecasts and
      capacity.
5.Document capacity plan.
Why is Capacity Planning Important?

User dissatisfaction: Proper capacity planning can help identify potential bottlenecks before they occur, preventing most performance related problems.

Productivity decrease: If your systems cannot handle the expected peak throughput, productivity will suffer. Employees may spend a significant portion of their day waiting for results from a query.

Budgetary constraints: With proper capacity planning, upgrades can be budgeted ahead of time.

Stability: By identifying potential problem areas and capacity limitations, stability problems can be avoided, or at the very least predicted.
CAPACITY PLANNING PROCESS
• A process which combines the monitoring of current resources with forecasting of future service requirements and growth of existing systems.
• The data gathered is compared against existing capacity and needs and translated into a projection of future demands for I/T services.
• Implications for organizations include:
  - Budgets
  - Disaster recovery / business continuation
  - Service level agreements
  - Effective use of resources
  - Business growth
  - New services
  - Performance management
  - Integration
Don’t you think they would have been better prepared?

Delta Airlines: advertised new discount fares & incentives to book tickets online

Red Cross: tsunami relief

Amazon: pre-Christmas volumes

Walgreen: pre-Christmas volumes

Hallmark: Valentine’s Day online requests
CAPACITY PLANNING RATIONALE
• The cost of capacity planning is high, especially in the highly complex
distributed environments of today.
• The value of the investment depends largely on the maturity of the
process.
• There are 5 levels of organizational process maturity according to
Gartner Group:                  Where is your organization?
  Level 1 - reactive, firefighting
  Level 2 - efficient, professional and sophisticated firefighting
  Level 3 - fewer fires, analysis of problems, start of process
            improvement
  Level 4 - process includes procedural improvement
  Level 5 - process becomes self-correcting
   CAPACITY MANAGEMENT
‘THE IDENTIFICATION, PLANNING, AND ACQUISITION OF IT RESOURCES TO MEET CURRENT AND FUTURE SERVICE OBJECTIVES.’

[Chart: cost ($) plotted against response time (faster to slower), with capacity ranging from high to low]
CAPACITY MANAGEMENT

[Chart: capacity and future demand plotted against time (months), from today to the point marked EOP]
           When should the order be placed???
         CAPACITY PLANNING
Techniques ordered from low to high cost, complexity, and accuracy (accuracy, value, and cost all increase from left to right):
 - Rules of thumb
 - Linear projection
 - Analytic technique
 - Simulation
 - Benchmarking

  How select Pentium? How select Merced?
                         Planning Capacity
            Network planning and simulation tools enhance the performance of E-business applications

        Vendor / Product / Function
        CACI, Application Profiler: simulates application performance on enterprise networks
        Comdisco, Managed Network Services: adds capacity planning to suite of services
        Network Associates, Sniffer Predictor: gathers performance data
        Optimal Networks, Application Vantage: identifies trouble spots

DATA: INFORMATIONWEEK
             (23) Change Control
Using the change requests, this process selects, coordinates, groups and monitors all changes to the I/S resources and procedures in such a way that there is either minimal impact on the I/S operations or minimal risk. It triggers resource and data inventory updates. Further discussion under Organization and Culture.
1. Record change requests.
2. Prioritize and group changes based on a technical assessment.
3. Prioritize and group changes based on a business assessment.
4. Schedule, defer, or reject changes.
5. Monitor testing.
6. Monitor installation.
7. Report and control the status of all recorded changes.
State-transition diagram for a change request (Wiegers):

 Submitted                  : Originator submits change request
 Submitted   -> Evaluated   : Evaluator performed impact analysis
 Evaluated   -> Rejected    : CCB decided not to make the change
 Evaluated   -> Approved    : CCB decided to make the change and assigned it to a modifier
 Approved    -> Change Made : Modifier has made the change and requested verification
 Change Made -> Approved    : Verification failed
 Change Made -> Verified    : Verifier has confirmed the change
 Change Made -> Closed      : No verification required; modifier has installed product
 Verified    -> Closed      : Modifier has installed product
 Approved, Change Made, or Verified -> Cancelled : Change was cancelled

 Originator - Someone who submits a change request
 CCB - Change Control Board
 Modifier - Person responsible for making changes
 Verifier - Person responsible for determining if the change was made correctly
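The state-transition diagram above as executable code, an added example written for this page (it is not Wiegers’ or the course’s code): the transition table holds exactly the labelled edges, each event is tied to the role the legend assigns it, and every move is appended to an audit trail so the change log records who moved a request and when. The event names, the sample actors, and letting the CCB or the originator cancel a request are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# State names exactly as they appear in the diagram.
SUBMITTED, EVALUATED, APPROVED, REJECTED = "Submitted", "Evaluated", "Approved", "Rejected"
CHANGE_MADE, VERIFIED, CLOSED, CANCELLED = "Change Made", "Verified", "Closed", "Cancelled"
TERMINAL = {REJECTED, CLOSED, CANCELLED}

# One entry per labelled edge of the diagram: (current state, event) -> next state.
TRANSITIONS = {
    (SUBMITTED, "impact_analysis_done"): EVALUATED,      # evaluator performed impact analysis
    (EVALUATED, "ccb_rejected"): REJECTED,               # CCB decided not to make the change
    (EVALUATED, "ccb_approved"): APPROVED,               # CCB decided to make it, assigned a modifier
    (APPROVED, "change_made"): CHANGE_MADE,              # modifier made the change, asked for verification
    (CHANGE_MADE, "verification_failed"): APPROVED,      # verifier sent it back to the modifier
    (CHANGE_MADE, "verified"): VERIFIED,                 # verifier confirmed the change
    (CHANGE_MADE, "installed_no_verification"): CLOSED,  # no verification required, product installed
    (VERIFIED, "installed"): CLOSED,                     # modifier installed product
    (APPROVED, "cancelled"): CANCELLED,                  # the three "change was cancelled" edges
    (CHANGE_MADE, "cancelled"): CANCELLED,
    (VERIFIED, "cancelled"): CANCELLED,
}

# Role that may fire each event, taken from the diagram's legend. The diagram does not
# say who cancels; allowing the CCB or the originator to do so is an assumption.
EVENT_ROLES = {
    "impact_analysis_done": ("evaluator",),
    "ccb_rejected": ("ccb",),
    "ccb_approved": ("ccb",),
    "change_made": ("modifier",),
    "installed": ("modifier",),
    "installed_no_verification": ("modifier",),
    "verified": ("verifier",),
    "verification_failed": ("verifier",),
    "cancelled": ("ccb", "originator"),
}


class TransitionError(Exception):
    """The event is not a labelled edge from the current state, or the wrong role fired it."""


@dataclass
class ChangeRequest:
    number: str
    originator: str
    state: str = SUBMITTED
    # Audit trail: (UTC timestamp, from_state, event, to_state, actor, role).
    history: list = field(default_factory=list)

    def apply(self, event: str, actor: str, role: str) -> str:
        """Move the request along one edge of the diagram, or refuse and leave it unchanged."""
        allowed_roles = EVENT_ROLES.get(event)
        if allowed_roles is None:
            raise TransitionError(f"{self.number}: unknown event {event!r}")
        if role not in allowed_roles:
            raise TransitionError(f"{self.number}: role {role!r} may not fire {event!r}")
        nxt = TRANSITIONS.get((self.state, event))
        if nxt is None:
            raise TransitionError(f"{self.number}: {event!r} is not allowed from {self.state!r}")
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.history.append((stamp, self.state, event, nxt, actor, role))
        self.state = nxt
        return nxt

    def is_open(self) -> bool:
        return self.state not in TERMINAL


def allowed_events(state: str) -> list:
    """Events that are labelled edges out of `state` (what a change form should offer next)."""
    return sorted(event for (src, event) in TRANSITIONS if src == state)


def run_example() -> ChangeRequest:
    """Constructed walk-through of request CR-0001: one failed verification, then closed."""
    cr = ChangeRequest("CR-0001", originator="alice")
    cr.apply("impact_analysis_done", "bob", "evaluator")
    cr.apply("ccb_approved", "ccb-weekly", "ccb")
    cr.apply("change_made", "carol", "modifier")
    cr.apply("verification_failed", "dave", "verifier")  # back to Approved
    cr.apply("change_made", "carol", "modifier")
    cr.apply("verified", "dave", "verifier")
    cr.apply("installed", "carol", "modifier")
    return cr


if __name__ == "__main__":
    request = run_example()
    for stamp, src, event, dst, actor, role in request.history:
        print(f"{stamp}  {src:>11} --{event}--> {dst:<11} by {actor} ({role})")
    print("final state:", request.state, "| open:", request.is_open())
```

Because the role check runs before the edge check, a modifier attempting to verify their own change is refused even when the edge itself exists, which is the separation of duties the legend implies.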
 Who’s involved in planning, developing, and executing your company’s change-management efforts?

[Bar chart, % of respondents (axis 20 to 80), by role: CEO/president; business-division leaders; CIO/SVP of IT; CFO; HR executives; employee representatives; consultants]

 NOTE: Multiple responses allowed
 DATA: Optimize Research’s change-management survey of 100 business-technology professionals
        How much are your critical business partners, such as key suppliers or distributors, involved in your change-management efforts?

[Bar chart, % of respondents (axis 20 to 60): not at all; kept abreast; provide input; have significant influence]

Note: Multiple responses allowed
DATA: Optimize Research’s risk-management survey of 100 business-technology professionals
               Sample Job Description for Change Control Coordinator

Overview of Responsibilities
  • Analyzes each change request to ensure that no conflicts exist with other requests
  • Interacts with IS personnel to develop a scheduled date for each change request
  • Monitors all change requests to ensure timely implementation
  • Is a member of, and reports any conflicts to, the change control committee
  • Is responsible for the maintenance of change files and production libraries

Detailed Responsibilities
  • Coordinates all changes in the production environment concerning online and batch systems through the use of appropriate forms
  • Monitors and logs progress of changes to ensure that scheduled dates are met; if a scheduled date cannot be met, ensures that all affected areas are notified of any schedule changes
  • Reviews all change requests to ensure that the requested dates are feasible; schedules requests that have little impact on the production environment; reports to the change control committee for scheduling of those changes that conflict with other requests or that significantly affect the production environment
  • Maintains the change file to ensure that all historical data is correct and up to date
  • Ensures that all change request entries are removed from the change file when implemented
  • Provides special reports to the change control committee or management on request
  • Moves all test programs to production libraries on the scheduled date and controls the production library passwords
  • Forwards to the change control committee all problem reports resulting from a previous change request
  • Interacts with the technical standards group (if one exists) when a change request warrants a technical announcement bulletin

Qualifications
  • Ability to communicate and work effectively with all levels of IS, communications, and user personnel
  • Strong oral and written communication skills
  • Three to five years’ experience in information systems, including at least one year of hands-on JCL experience
  • Working knowledge of procedures for maintaining computerized files and databases
  • Understanding of the user community and its use of, and dependence on, computing services
                                                 Change Request Form

Document Preparation Information (to be completed by preparer)
 Change Request/Problem Log Number:      Prepared by:      Phone:      Date Prepared:

Change Information (to be completed by preparer)
 Proposed Change:
 Business Purpose:
   - Easier to do Business with Chubb          - Reduce/Manage Expenses
   - Domestic/Overseas Growth                  - Better/More Timely
   - Increase Productivity                     - Reduce Losses or Loss Expenses
   - Employee Skill/Knowledge Improvement      - Regulatory Mandates
   - New Market/New Products                   - Senior Management Directive
   - Competitive Position                      - Other (explain)
 Reason for Change/Description of Problem:
 Requested Implementation Date / Priority:

Change Impact Assessment (to be completed by I/T)
 Describe the impact of the change on the project, including all components affected (design, database design; system, subsystem, or process impact; conversion, etc.) as well as any organizational impacts.
 Quality effort (days, weeks, months):
 Impact assessed by:
 Provide release and/or date this change could be implemented:

Approval for Impact Assessment
 Change Request Control Number (provided by Project Manager):
 Client Project Representative / Date Approved:
 Project Manager or I/T Representative / Date Approved:

Assigned to
 Assigned to:      Date Assigned:      Date Completed:

QA Testing
 Assigned to:      Date Assigned:      Outcome / Sign-off date:

Approval for Implementation
 Date and Release Number for Delivery:      Date Approved:      Date implemented to production:
 Change Management Expert

[Screenshot: Change Management Expert two-pane interface]
FILL IN THE BLANKS: Change Management Expert, from Applied Innovation Management, uses a two-pane interface that shows operations on the left and forms on the right.
        CHANGE MANAGEMENT

[Chart: user satisfaction plotted against time, with the question WHY???]

TYPICAL CHANGES
 - Hardware
 - Systems software
 - Application programs
 - Personnel
           (24) ASSET MANAGEMENT

Using change information, this process builds and manages inventories of all the IT resources (including personnel and financial).
1. Identify system, application, data, personnel, supplies, and financial resources.
2. Update inventory status.
3. Maintain security of these resources.
4. Administer access to these resources (including data set space allocation and password administration).
5. Report and control status of inventory.
            Asset Management Practices (Gartner)

Asset lifecycle: Requisition -> Procurement -> Deployment -> Maintenance -> Retirement

Management Domain (Business/End User):
 Architecture & Standards; Budgeting & Financial Management; Capacity Planning; Backup & Recovery; Security; Application Management

Integrated Asset Management System (center):
 Asset Tracking; Procurement Management; Contracts database

Technology Domain (Information Systems):
 Network & Performance Mgmt.; Systems Management; Technology Change Mgmt; Config Mgmt; Software Distribution; Technical License Mgmt; Application Management

Shared IS/Business Practices:
 Organizational Change Management; Inventory Management; Portfolio Asset Management; Training Asset Management; End User Support Function
                    Which asset-management activities do you track and measure?

 Software/hardware license compliance     75%
 Component configuration                  48%
 Depreciation planning/scheduling         45%
 Maintenance planning                     37%
 Ad hoc asset maintenance                 35%
 Spare parts management                   31%
 Facility/space utilization               27%
 Lease compliance                         19%
 Other                                     6%

Multiple responses allowed
Source: Network Computing
      IT Asset Management Implementation (1 OF 2)
                       Seven Ways to Save

  1. Software Volume Licenses
     • Aids implementing standards
     • Increase discounts by 10 percent to 15 percent
     • Savings of 25 percent

  2. Consolidated Procurement
     • Reduce the number of buying centers
     • Acquire equipment faster
     • Save as much as 10 percent annually

  3. Maintenance Contracts
     • Differentiate user profiles for maintenance contracts
     • Save 10 percent to 20 percent on per-seat maintenance payments

  4. Property Tax
     • Accurate inventory reduces tax bills
     • Savings may reach 20 percent of property tax bill

Source: Gartner Group
      IT Asset Management Implementation (2 OF 2)
                       Seven Ways to Save

  5. Help Desk
     • Inventory reduces diagnosis and response time
     • Cut technician time by 50 percent
     • Savings as high as 57 percent over worst case

  6. Electronic Software Distribution
     • Save 2,000 hours of labor
     • Invest $100,000 first year
     • Save 55 percent on software distribution costs

  7. Software Metering
     • Most effective when current use is at 20 percent to 40 percent
     • Invest $50,000 first year
     • Save 27 percent on PC software budget

Source: Gartner Group
                                Fate of Old PCs
    This year, what percentage of your retired PCs will be:

      Donated to schools, nonprofits or charity    39%
      Handed down within your organization         34%
      Sold or given to employees                   31%
      Thrown out                                   17%
      Sent to a recycler                            9%
      Warehoused or stored                          9%
      Sold to a remarketer                          8%
      Traded in to a PC maker                       7%

Base: 102 IT managers; multiple responses allowed
SOURCE: COMPUTER WORLD SURVEY
                                    Recycling your desktop
            Here are some of the ways computer components are recycled:

Monitor
A monitor contains lead - to strengthen the glass tube and shield the user from radioactive rays - as well as cadmium, phosphorous, and mercury. The materials are sealed inside the tube along with gas. If the glass breaks, the tube can implode, spraying lead particles. If it happens in a landfill, the lead can leach into the ground water. If the tube breaks during trash collection, sanitation workers may breathe lead-laden air.
Recycling methods: The plastic shell is melted down and the glass screen or “tube” is punctured and melted. The recycled glass is used to make more tubes. Copper wire is pulled out and recycled. Metals such as aluminum, brass, and steel are crushed and recycled. Circuit boards are ground down and melted, and precious metals such as gold, silver, platinum, and palladium are extracted and sold. These metals can also be picked out of the boards by hand.

Tower
Recycling methods: The components within the computer case are disassembled and stripped of circuit boards, which are recycled in the same manner as the monitor. The metal frame and the other metals are crushed, melted, and recycled. The system’s lithium batteries are removed and sent to a hazardous waste facility. The hard drive is removed and tested. If it works and is sufficiently large, the drive is installed in another computer or possibly sold. Those that do not work are stripped and the metal frames melted. Other components such as the floppy drive, CD-ROM drive, memory modules, and system board can sometimes be reused. If not, parts of each can be recycled.

Mouse
Recycling methods: A mouse is tested to see if it functions and is still usable. If not, the plastic casing, cable, and tiny circuit boards are recycled for other computer components.

Keyboard
Recycling methods: The keyboard is made mainly of plastic, which is recycled. It also includes connecting plugs with gold and silver, which is extracted.

Source: Summit Metals Recovery Corps; Advanced Recovery Inc
     WAYS TO PROTECT YOURSELF
1  LEASE EQUIPMENT so that the title to the equipment transfers to the leasing company at the end of the term - along with the disposition issues.
2  DISPOSE OF IT EQUIPMENT when it’s removed from service.
3  BUNDLE DISPOSAL COSTS into new purchases by including the disposition of old IT assets in the RFP for equipment that replaces it.
4  EMPTY THE IT CLOSETS: Dispose of unused, stored equipment immediately. This equipment incurs storage costs and property taxes plus disposal costs that are likely to increase over time.
5  INCLUDE A COPY OF THE OPERATING SYSTEM when donating equipment. Machines without an operating system are likely to be discarded or shipped overseas.
6  INCLUDE CONTRACT WORDING that prohibits the recycling vendor or its subcontractors from exporting equipment to developing countries that lack environmental regulations.
7  REQUIRE A FULLY DOCUMENTED AUDIT TRAIL that shows what happened to each IT asset through its final disposition, whether sold, recycled or destroyed.
8  CONDUCT A DUE DILIGENCE background check on the recycling vendor and its practices that includes an on-site visit.
9  CONSIDER DISPOSITION SERVICES from IBM, HP, Dell or other major IT equipment vendors. They charge more than smaller recyclers, but they have reputations to protect and deeper pockets if liability issues arise.
SOURCES: RECYCLING VENDORS, PRODUCT MANUFACTURERS AND CORPORATE USERS
         What are the chief hurdles to effective enterprise asset management?

 Lack of personnel or budgetary resources                          64%
 Isolated management of different asset types                      46%
 Inability or expense of entering initial asset data               45%
 Latency of asset status and performance data                      33%
 Inadequate executive visibility and involvement in asset management   32%

Multiple responses allowed
Source: Network Computing
         What tools do you use to track and manage assets?

 Spreadsheet application                       64%
 Paper system                                  32%
 Computerized maintenance management system    23%
 Enterprise asset management system            21%
 Asset-centric procurement system               9%
 Other                                         14%

Multiple responses allowed
Source: Network Computing
  Real-world LABS REPORT CARD: Asset-Management Software (www.nwc.com)

Products rated:
 (1) LANDesk Asset Manager 8
 (2) Altiris Asset Management Suite 6.0
 (3) Computer Associates Unicenter Asset Management 4.0
 (4) NetSupport DNA 1.01
 (5) ManageSoft 7.2
 (6) NetSimplicity Visual Asset Manager 2004

Criterion (weight)                               (1)    (2)    (3)    (4)    (5)    (6)
INITIAL DATA LOADING
 Autodiscovery (15%)                              5      4      5      2      2      2
 Bulk import (5%)                                 3      3      4      2      3      1
FEATURES
 Out-of-date systems/upgrade reporting (10%)      4      4      4      3      4      2
 End-of-life management (5%)                      4      4      4      4      3      2
 Lease management (5%)                            3      3      3      3      2      2
MANAGEMENT AND CONFIGURATION
 Configuration and agent deployment (10%)         4      3      3      3      4      2
 Rights management/security (5%)                  3      4      3      2      2      3
 Tracking of related assets (5%)                  4      4      3      3      4      4
 Price (20%)                                      4      2      1      3      2      5
RESOURCE TRACKING AND REPORTING
 Asset reporting (10%)                            4      4      3      4      4      1
 Hardware-resource management (5%)                5      3      4      4      3      3
 Software-license management (5%)                 4      4      4      4      3      3
TOTAL SCORE (100%)                               4.05   3.35   3.20   2.95   2.90   2.70
GRADE                                            B+     C+     C+     C      C      C

Grading: A ≥ 4.3, B ≥ 3.5, C ≥ 2.5, D ≥ 1.5, F < 1.5. Grades include + or – within their ranges. Total scores and weighted scores are based on a scale of 0-5.
Selected Systems Management Software (1 OF 6)

Columns: Vendor / Product / Price / Device management / Management and analysis tools

BindView (800-813-5869, www.bindview.com)
 Product: NOSadmin for NT and Novell NetWare
 Price: Starts at $695 per managed server, $1,595 per managed user
 Device management: Server, workstation
 Management/analysis tools: Hardware inventory, asset and configuration management, performance analysis, usage monitoring

BMC Software (800-841-2031, www.bmc.com)
 Product: Resolve
 Price: Contact vendor

Callisto Software (630-682-8200, www.callisto.com)
 Product: Orbiter 3.5
 Price: $5,000 per server, $150 per client
 Device management: Workstation, notebooks
 Management/analysis tools: Hardware inventory, asset, remote and configuration management, DMI 2.0

Cisco Systems (800-462-4726, www.cisco.com)
 Product: CiscoWorks Windows 5.0
 Price: $1,995
 Device management: Server, workstation, printer, hubs, routers, switches
 Management/analysis tools: Device diagnostics, SNMP, remote and configuration management, topology mapping, traffic and performance analysis, usage monitoring, RMON
 Products: CiscoWorks2000 Campus Bundle ($10,000); Routed WAN Management Solution ($14,995)
 Management/analysis tools: Hardware inventory, asset, remote and configuration management, device diagnostics, SNMP, traffic, performance and protocol analysis, RMON
                (26) Problem Control

This process receives problems (including performance problems) and monitors their resolution by requesting bypass actions and/or projects (maintenance or tuning). It informs the service evaluating process of the service impact of the problems.
1. Recognize problem.
2. Report problem.
3. Determine nature, impact and true extent of the problem.
4. Select predefined bypass and recovery procedures.
5. Initiate action to resolve the problem.
6. Report and control status of all problems in hand.
         PROBLEM MANAGEMENT
‘Minimizing the impact of problems on IT services by focusing attention and responsibilities on identifying problems.’

 • Fewer, shorter outages
 • Improved I/S-user relations
 • Enhanced productivity
 • Environment for growth
 • Management control
                                What Can Go Wrong???

 Environment: Disaster (natural, unnatural)
 Devices: Hardware failure, power failure, network failure, software failure
 Processes: Operator error, accidents, vendor failure
 People: Theft, vandalism, corporate espionage, intentional data corruption
                 Business Recovery Drivers
• Most businesses experience 2 hours of downtime per week
• Approximately 30% of computer users spend one week per year reconstructing lost data
• 52.2% of U.S. companies had business operations interrupted due to computer hardware problems
• 43.1% of U.S. companies had business operations interrupted due to computer software problems
• 46% of U.S. companies have had business operations interrupted because of telecommunications failure
From “What Can We Learn From The September 11th Attacks? Are You Prepared In The Event Of A Disaster?” by Mark T. Edmead. This article was originally published in the Insight Newsletter of the Internet Security Conference (http://www.tisc2001.com/insight.html), and has been posted with permission by TISC, LLC.
                       CAUSE OF UNPLANNED APPLICATION DOWNTIME

 Operator errors        40%
 Application errors     40%
 Technology failures    20%

Source: Comdisco Vulnerability Study
                RELATIVE OCCURRENCE OF OUTAGE INCIDENTS

 Power Outage           27%
 Storm Damage           12%
 Flood                  10%
 Hardware Error          8%
 Bombing                 7%
 Hurricane               6%
 Earthquake              6%
 Fire                    6%
 Software Error          5%
 Employee Sabotage       3%
 Power Surge/Spike       3%
 Human Error             2%
 Network Outage          2%
 Other                   2%
 Service Failure         1%
 Burst Water Pipe        1%

REF: Contingency Planning Research, Inc.
Based on 5,320 incidents
Fundamentals of autonomic computing

▪ Self-configuring
▪ Self-healing
▪ Self-optimizing
▪ Self-protecting
Evolving to autonomic operations (from MANUAL to AUTONOMIC)

LEVEL 1: BASIC
• Multiple sources of system-generated data
• Requires extensive, highly skilled IT staff

LEVEL 2: MANAGED
• Consolidation of data through management tools
• IT staff analyzes and takes actions
• Benefits: greater system awareness; improved productivity

LEVEL 3: PREDICTIVE
• System monitors, correlates, and recommends actions
• IT staff approves and initiates actions
• Benefits: reduced dependency; faster and better decision making

LEVEL 4: ADAPTIVE
• System monitors, correlates, and takes actions
• IT staff manages performance against SLAs
• Benefits: IT agility and resiliency with minimal human interaction

LEVEL 5: AUTONOMIC
• Integrated components dynamically managed by business rules/policies
• IT staff focuses on enabling business needs
• Benefits: business policy drives IT management; business agility and resiliency

From IBM Global Services and Autonomic Computing, IBM White Paper, October 2002;
see http://www-3.ibm.com/autonomic/pdfs/wp-igs-autonomic.pdf.
How many calls does the help desk get?
EXAMPLE: HELP DESK CALLS (bar chart of the number of calls per month; monthly totals range from about 150 to a peak of 943)
• Calls are 83% software, 17% hardware
EXAMPLE: Who calls the HELP desk? (bar chart of calls by department, calls YTD: 2,333; the two largest departments account for 464 and 448 calls and the smallest for about 40; labelled departments include Reagent MFG., Instr. MFG and R&D)
EXAMPLE: What are the calls for? (bar chart of calls by category; the largest category is 830 calls, followed by 394, 391, 252 and 208, with the remaining categories below 50; labelled categories include Software, AS/400 and install)
Helping the help desk
In its Service Management Strategies report, Meta Group
analyzed some key characteristics of help desk usage:

• 15% to 35% of help desk call volumes are password resets
• 25% to 35% of call volume is from new service requests or status checks
• Average number of calls to help desk, per end-user: 1.75 calls per month
  In 2003: three calls per month (20% annual increase)
• Help desk queries via internet: 6%
  By 2003/2004: 20%
• By next year, 40% of IT help desks will migrate to IT customer service centers
*** PROBLEM REPORTING FORM ***
OPENED BY:
DATE OPENED:
PROBLEM TITLE:
REQUIRED CLOSE DATE:
SUGGESTED ASSIGNED PERSON:
SCHEDULED ACTIVITY IMPACTED:
DESCRIPTION OF PROBLEM:

Problem reporting form
Paying Less for Passwords

PART I: Costs of employees calling help desk                             EXAMPLE    YOUR COMPANY
A  Number of employees at company                                          5,000
B  Average salary (fully burdened)                                       $71,500
C  Weeks each employee works, on average, per year                            48
D  Average hourly cost of a non-technical employee                           $37
   (assuming a 5-day, 40-hour work week, 48-week year)  B ÷ (C × 5 × 8)
E  Cost per minute of employee time  D ÷ 60                                $0.62
F  Number of help desk calls placed per year at 1.75 calls               105,000
   per employee per month (Meta Group estimate)  A × 1.75 × 12
G  Length of average help-desk call in minutes (Meta Group estimate)          12
H  Total minutes per year spent on help-desk calls  F × G              1,260,000

PART II: Cost of help-desk staff fielding calls                          EXAMPLE    YOUR COMPANY
J  Average salary of help-desk worker (fully burdened)                   $61,910
K  Weeks worked, on average, per year                                         48
L  Average hourly cost of a help-desk support staffer                        $32
   (assuming a 5-day, 40-hour work week, 48-week year)  J ÷ (K × 5 × 8)
M  Cost per minute of a help-desk staffer  L ÷ 60                          $0.53
N  Total number of minutes per year spent on the phone                 1,260,000
   with employees  F × G
O  Cost of help-desk time for technical staff  M × N                    $667,800

PART III: Cost of password-related calls
P  Total cost of the time both technicians and employees spend on     $1,449,000
   help-desk calls  I + O
Q  Percentage of calls attributable to password issues                       17%
   (Help Desk Institute survey)
R  Total cost of password-related calls  P × Q                          $246,330

PART IV: Cost of password-automation software
S  Cost of password-automation software for each employee                    $10
T  Hours to install on Web server, application servers                        16
U  Cost of implementation  L × T                                            $512
V  Total cost of software  (A × S) + U                                   $50,512

PART V: Benefits
W  Gross savings: two-thirds the cost of each call, from using          $162,578
   password-automation software (HDI estimate)  R × .66
X  Net savings after cost of software & implementation  W - V           $112,066

SOURCES: HELP DESK INSTITUTE’S 2004 PRACTICES SURVEY (WWW.THINKHDI.COM), AVATIER CORP., BASELINE RESEARCH
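The worksheet above is a chain of formulas, so it is easiest to check and to re-run for the "YOUR COMPANY" column as a function. The following is an added example, not the slide's own spreadsheet: it computes every row from the inputs, rounding at each step the way the slide does (hourly cost to whole dollars, per-minute cost to cents), so that it reproduces the EXAMPLE column exactly. Row I, the cost of employee time, is not printed on the slide but is implied by P = I + O; it is computed here as E × H, which gives the $781,200 that makes P come out to $1,449,000. The `payback_months` helper and the 800-employee "your company" run are additions for illustration.

```python
"""Password-reset cost worksheet ("Paying Less for Passwords") as code.

Added illustration, not the slide's own spreadsheet. Row letters follow the
worksheet; row I (cost of employee time, E x H) is not printed on the slide
but is implied by P = I + O, and is computed that way here.
"""
from typing import Dict

# The slide's EXAMPLE column, used as the default inputs.
WORKSHEET_EXAMPLE = dict(
    employees=5_000,           # A
    employee_salary=71_500,    # B, fully burdened
    employee_weeks=48,         # C
    calls_per_month=1.75,      # Meta Group estimate used in row F
    call_minutes=12,           # G
    helpdesk_salary=61_910,    # J, fully burdened
    helpdesk_weeks=48,         # K
    password_share=0.17,       # Q, Help Desk Institute survey
    software_per_user=10,      # S
    install_hours=16,          # T
    savings_fraction=0.66,     # HDI estimate used in row W
)


def _hourly_cost(salary: float, weeks: int) -> int:
    """Fully burdened hourly cost at 5 days x 8 hours, rounded to whole dollars."""
    return round(salary / (weeks * 5 * 8))


def password_cost_model(employees, employee_salary, employee_weeks,
                        calls_per_month, call_minutes, helpdesk_salary,
                        helpdesk_weeks, password_share, software_per_user,
                        install_hours, savings_fraction) -> Dict[str, float]:
    """Return every computed worksheet row keyed by its letter, rounded as the slide rounds."""
    r: Dict[str, float] = {}
    # Part I: employee time
    r["D"] = _hourly_cost(employee_salary, employee_weeks)      # B / (C x 5 x 8)
    r["E"] = round(r["D"] / 60, 2)                              # D / 60
    r["F"] = employees * calls_per_month * 12                   # A x 1.75 x 12
    r["H"] = r["F"] * call_minutes                              # F x G
    r["I"] = round(r["E"] * r["H"])                             # E x H (row implied by P = I + O)
    # Part II: help-desk staff time
    r["L"] = _hourly_cost(helpdesk_salary, helpdesk_weeks)      # J / (K x 5 x 8)
    r["M"] = round(r["L"] / 60, 2)                              # L / 60
    r["N"] = r["H"]                                             # F x G
    r["O"] = round(r["M"] * r["N"])                             # M x N
    # Part III: password-related share of the total
    r["P"] = r["I"] + r["O"]
    r["R"] = round(r["P"] * password_share)                     # P x Q
    # Part IV: cost of the automation software
    r["U"] = r["L"] * install_hours                             # L x T
    r["V"] = employees * software_per_user + r["U"]             # (A x S) + U
    # Part V: benefits
    r["W"] = round(r["R"] * savings_fraction)                   # R x .66
    r["X"] = r["W"] - r["V"]                                    # W - V
    return r


def payback_months(rows: Dict[str, float]) -> float:
    """Months of gross savings (row W is per year) needed to recover the software cost (row V)."""
    return rows["V"] / (rows["W"] / 12)


if __name__ == "__main__":
    rows = password_cost_model(**WORKSHEET_EXAMPLE)
    for letter in "DEFHILMNOPRUVWX":
        print(f"{letter}: {rows[letter]:>12,.2f}")
    print(f"payback: {payback_months(rows):.1f} months")
    # A constructed "YOUR COMPANY" column: a smaller firm with fewer password calls.
    smaller = dict(WORKSHEET_EXAMPLE, employees=800, password_share=0.10)
    print(f"net savings, 800 employees at 10% password calls: ${password_cost_model(**smaller)['X']:,.0f}")
```

Running it reproduces the EXAMPLE column (P = $1,449,000, R = $246,330, X = $112,066) and shows the software paying for itself in under four months; changing only the employee count and the password share shows how quickly the net saving shrinks for a small organisation, which is the question the "YOUR COMPANY" column is there to answer.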
(27) Service Evaluating
Using the performance status and the problem impacts, this
process translates them into user terms and compares them
with service agreements. It also identifies and reports any
variances to users and management.
1. Translate & integrate operational data (production,
   distribution, performance & problem) into service level terms.
2. Assess user rating of service.
3. Evaluate compliance to service agreements.
4. Identify and report reasons for variance.
5. Report service status and new service requests.
6. Learn and improve.
The Service Desk Toolkit Integrates:
• Problem Management
• Inventory / Configuration Management
• Change Management
• Call Tracking/Management

Critical Evaluation Criteria:
• Integration
• Internet
• Scalability / performance
• Vendor Stability/Vision
• Platform/Client Support
• Database Support
• Knowledge Bases
• Expert Systems
• Services and Support
• Robust Reporting

Source: Gartner Group
How effective would you rate your PMO(s) at improving
process integration in your organization?
(stacked bar chart; the three segments of each bar are listed in the order printed on the slide; legend: Very Effective, Reasonably effective, Ineffective)

Chemicals and energy       19%   48%   33%
Manufacturing              18%   55%   27%
Technology and telecom     16%   67%   16%
Finance and insurance      16%   55%   29%
Distribution               14%   56%   31%
Services                   12%   66%   22%

Source: Forrester Research Inc.
Systems Management Tools (market share)
• Computer Associates: 23.3%
• IBM/Tivoli: 17.3%
• BMC Software: 10.6%
• HP OpenView: 4.8%
• Other: 44%
REF: GARTNER GROUP / DATAQUEST
(29) Software Procurement
Within the framework of a project, this process procures and modifies
applications, operating systems software, other supporting software and all
the related documentation. It controls the basic “buy” cycle.
1. Define detailed requirements for ideal system.
2. Review integrity and performance of available offerings, including
   promised vendor modifications.
3. Negotiate compromises with users.
4. Confirm or amend “buy” decision and select system.
5. Define system recovery for operating environment.
6. Generate system and execute provided tests.
7. Publish instructions for integrating into operating environment.
8. Integrate and test application/software including supplied modules.
9. Install application software.
Steps in Selecting a Vendor
1. Create the vision, strategy & objective
2. Create a prioritized feature/function list
3. Create a software candidate list
4. Narrow the field to four to six serious candidates
5. Create the Request For Proposal (RFP)
6. Review the proposals
7. Select two or three finalists
8. Meet with customers
9. Select the winner
10. Justify the investment
11. Negotiate the contract
12. Run a pre-implementation pilot
13. Validate the justification
14. Share lessons learned
Factors influencing CIOs when buying software
(average ranking on a five-point scale)
• Functionality: 4.04
• Total cost of ownership: 3.64
• Compatibility with existing systems: 3.10
• Ease/speed of implementation: 2.83
• New technology: 2.40
Ref: survey of 500 CIOs by Salomon Smith Barney Inc.
Software Contract Elements 1 of 2
1. The right to assign the software license to a new corporate entity resulting from a merger,
   consolidation, acquisition, or divestiture.
2. The right to use the software for the benefit of a business unit formerly within your corporate
   organization that has been sold.
3. The right to assign the software license to, or allow the software to be used by, an outside entity if you
   outsource your data processing operations.
4. The right to make and own derivative works (i.e., code changes, translations, adaptations) based
   upon the software.
5. The right to port the software to any platform supported by the vendor at no or minimum charge.
6. Licenses that permit unlimited use within your corporate organization (i.e., “enterprise-wide”
   licenses).
7. In situations other than enterprise-wide licenses, the right to transfer the software to other equipment
   and operating systems at no cost.
8. In situations other than enterprise-wide licenses, the right to use the software for the benefit of other
   entities (e.g., parent, subsidiary, division) within your corporate organization at no cost.
9. In situations other than enterprise-wide licenses, the right to transfer the software license to an
   existing entity (e.g., parent, subsidiary, division) within your corporate organization at no cost.
10. Limited liability for breach of your obligations under the software license agreement.
11. Prohibition against devices in the software that control your compliance with the software license.
Software Contract Elements 2 of 2
12. The right to customize the duration of the software acceptance period.
13. The right to define software acceptance as occurring only upon your written notice.
14. Specific remedies for the vendor's non-performance.
15. Incentives to licensors that reward performance in providing services.
16. A remedy for consequential damages that you suffer.
17. Use of your own form in place of the licensor's form for licensing contracts.
18. Contractually defined differences between
    i) enhancements, releases, versions, etc., that you receive by subscribing to software support, and
    ii) those the vendor insists are a new product requiring a new license.
19. The vendor's responsibility to meet the cost of procuring alternative third-party support if the vendor fails to
    provide adequate and timely service.
20. A cap on future maintenance prices.
21. Permission to exempt individuals (employees, contractors) from signing documents that acknowledge
    confidentiality of software or that bind them to terms of the license.
22. Avoidance of partial payments to vendors based on checkpoints.
23. Contractual assurances regarding forward compatibility of the software with changes in operating systems.
24. Contractual assurances regarding forward compatibility of the software with changes in hardware.
25. Contractual assurances regarding forward compatibility of the software with changes in other software
    from the same vendor.
To get better software & service and pressure the
industry to reform its practices:

• Refuse to pay in full for a license up front. Instead, negotiate a contract with
  your vendor that allows you to pay a percent of the total cost up front
  and then the remainder six months to a year later if the product and
  services are acceptable.
• Adopt open-source technologies. Open source provides CIOs with the
  flexibility to custom-build applications under their own control.
• Seek out vendors that offer renewable and subscription licenses.
• If you’re having continual problems with an application, go directly to the
  developer rather than to the tech support staff or salesperson. The
  person who has worked on the application may have some pride of
  ownership.
• Network with your vendor’s other customers to find out if they too are
  experiencing problems with the software. If so, band together and plan
  a tag-team meeting with the vendor. There really is strength in
  numbers.
• If all else fails, take your vendor to court.
SW Product Assessment Criteria
• Community adoption and experience
• Ease of use
• Features/function
• Flexibility
• Future direction
• Integration
• Installation effort
• Maintenance
• Maturity
• Methods
• Performance
• Politics
• Price
• Response time
• Security
• Service/support
• Skills
• Tools
• User growth
• Vendor financial relationship
• Vendor history
• Vendor reference
• Vendor reputation
(30) Hardware Procurement and Upgrade

Within the framework of a project, this process selects, installs,
removes, modifies and upgrades I/S hardware/facilities.
1. Define detailed requirements.
2. Select hardware/network/facility.
3. Lay out physical planning.
4. Define hardware/network/facility recovery.
5. Test new unit.
6. Test complete system.
7. Install hardware/network/facility.
Vendor List
Vendor Screening Process

Data sources feeding the master vendor inventory & selection criteria:
• Publications
• Trade shows
• Peer companies
• Consultants
• Web search
• Vendors
• Financial analysts
• Research firms

1. Determine screening criteria: vendor size, product technology,
   geographic presence, industry focus, functional coverage.
2. Screen for primary criteria: vendor size, functionality, technology.
3. Screen for secondary criteria: industry focus, geographic presence.
4. Determine vendor approach: full coverage, best-of-breed, or high-custom.
5. Output: list of vendors/options for due diligence, scored on the
   decision analysis worksheet (decision statement; alternatives A-M;
   objectives with weights (WT) and scores (SC); total weighted score).
HW Product Assessment Criteria
• Community adoption and experience
• Ease of use
• Features/function
• Flexibility
• Future direction
• Installation effort
• Integration
• Maintenance
• Maturity
• Methods
• Performance
• Politics
• Price
• Response time
• Security
• Service/support
• Skills
• Tools
• User growth
• Vendor financial relationship
• Vendor history
• Vendor reference
• Vendor reputation
SAME AS SW
Decision Analysis Worksheet

DECISION STATEMENT:
ALTERNATIVES: A, B, C, D, E, F, G, H, I, J, K, L, M
OBJECTIVES: each objective carries a weight (WT); each alternative receives a
score (SC) on every objective and a weighted score (WT × SC) for it.
TOTAL WEIGHTED SCORE: for each alternative, the sum of WT × SC over all objectives.
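The worksheet is a weighted-sum scoring model: weight each objective, score each alternative on every objective, and rank by the sum of weight × score. The following is an added example, not part of the lecture: the objectives come from the assessment criteria lists above, but the weights, the three alternatives and their scores are constructed sample values, and both the 0-10 scales and the optional minimum-score rule are assumptions of this example rather than rules of the worksheet. The minimum-score rule is the one addition worth noting: a plain weighted sum lets strong price and feature scores outweigh a weak Security score, so a floor on a critical objective is applied before ranking.

```python
"""Decision-analysis worksheet (weighted scoring of vendor alternatives) as code.

Added illustration, not part of the lecture. Weights, alternative names and
scores are constructed sample values; the 0-10 scale and the minimum-score
rule for a critical objective are assumptions, not worksheet rules.
"""
from typing import Dict, List, Optional, Tuple

SCORE_MAX = 10  # assumed scale for both WT and SC

# OBJECTIVES with their weights (WT); names taken from the assessment criteria list.
OBJECTIVES: Dict[str, int] = {
    "Security": 10,
    "Features/Function": 8,
    "Price": 7,
    "Performance": 6,
    "Vendor Reputation": 4,
}

# ALTERNATIVES A, B, C with a score (SC) on every objective (constructed values).
ALTERNATIVES: Dict[str, Dict[str, int]] = {
    "A": {"Security": 9, "Features/Function": 6, "Price": 5, "Performance": 7, "Vendor Reputation": 8},
    "B": {"Security": 5, "Features/Function": 10, "Price": 9, "Performance": 8, "Vendor Reputation": 6},
    "C": {"Security": 7, "Features/Function": 7, "Price": 9, "Performance": 6, "Vendor Reputation": 7},
}


def weighted_score(weights: Dict[str, int], scores: Dict[str, int]) -> int:
    """TOTAL WEIGHTED SCORE for one alternative: the sum of WT x SC over all objectives."""
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"alternative not scored on: {sorted(missing)}")
    total = 0
    for objective, wt in weights.items():
        sc = scores[objective]
        if not 0 <= sc <= SCORE_MAX:
            raise ValueError(f"score {sc} for {objective!r} outside 0..{SCORE_MAX}")
        total += wt * sc
    return total


def max_possible_score(weights: Dict[str, int]) -> int:
    """Score an alternative would get with SC = SCORE_MAX on every objective."""
    return SCORE_MAX * sum(weights.values())


def rank_alternatives(weights: Dict[str, int],
                      alternatives: Dict[str, Dict[str, int]],
                      minimums: Optional[Dict[str, int]] = None
                      ) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Return (ranked list of (name, total), names rejected by a minimum-score rule).

    `minimums` maps an objective to the lowest acceptable SC (an assumption of
    this example); an alternative below it is dropped before ranking so a high
    total elsewhere cannot mask the gap.
    """
    minimums = minimums or {}
    ranked: List[Tuple[str, int]] = []
    rejected: List[str] = []
    for name, scores in alternatives.items():
        if any(scores.get(obj, 0) < floor for obj, floor in minimums.items()):
            rejected.append(name)
            continue
        ranked.append((name, weighted_score(weights, scores)))
    ranked.sort(key=lambda row: (-row[1], row[0]))  # highest total first, name breaks ties
    return ranked, rejected


if __name__ == "__main__":
    print("max possible:", max_possible_score(OBJECTIVES))
    print("plain weighted ranking:", rank_alternatives(OBJECTIVES, ALTERNATIVES))
    print("with a Security floor of 6:", rank_alternatives(OBJECTIVES, ALTERNATIVES, minimums={"Security": 6}))
```

With these sample values the plain weighted sum ranks B first (265 of a possible 350) on the strength of its features and price; applying a floor of 6 on Security rejects B and C wins with 253. The same code serves the software worksheet and the hardware one, since the criteria lists are identical.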
Price Is Your Top Factor in Choosing a Vendor
• Price: 52%
• Expertise in my particular industry: 38%
• Integration capabilities: 28%
• Qualifications of customer service representatives: 25%
• Service level agreements: 24%
Ref: IDC
What’s the most important value of a premiere or platinum
level service and support agreement for PCs?
(bar chart of % of respondents, scale 0-25%)
• Volume price discounts
• Custom PC configuration
• PC warranties of more than 1 year
• On-site services: 4 hours or less
• Dedicated technical support
• On-time delivery of PC systems
• Other
Data: Information Research survey of 150 IT Managers          Base: 64 premiere support customers
How important are these attributes of hardware service
providers, and how satisfied are you with their delivery?
(bar chart; each attribute is rated for Importance and for Satisfaction on a scale from 1, not at all important or satisfied, to 5, extremely important or satisfied)
• Getting correct part
• Knowledge of technician
• Meeting contracted-for response time
• Fast resolution of problem
• Overall on-site service quality
• On-site service during warranty
• Depot repair service quality
• Telephone technical support
DATA: DATAQUEST SURVEY OF 211 IT HARDWARE MANAGERS
Room for Improvement
In which areas would you like to see improvement from your hardware service providers?
(bar chart of % of respondents, scale 0-70%)
• On-site response time
• Technical product skills
• Parts availability
• Price charged for the value received
• Problem resolution time
• Telephone support response time
• Customer-relationship skills
• Multivendor capabilities and skills
• Number of products serviced
• Adequate geographic coverage
• Simplified contract administration
• Electronic remote support
Note: Multiple responses allowed
DATA: DATAQUEST SURVEY OF 211 IT HARDWARE MANAGERS
Approaches to Contracting

                Competitive                     Non Competitive
Simplified      Purchase cards                  Purchase agreements
                Borrow funds or petty cash
                Auctioning
Formal          Sealed bidding                  Sole-source negotiation
                Two-step sealed bidding         Single-source negotiation
                Competitive proposals
                Competitive negotiations
Contract Categories and Types

Fixed-Price contracts:
• Firm-fixed-price
• Fixed-price with economic price adjustment
• Fixed-price incentive

Cost-Reimbursement contracts:
• Cost-reimbursement
• Cost-plus-a-percentage-of-cost
• Cost-plus-fixed fee
• Cost-plus-incentive fee
• Cost-plus-award fee

Time-and-Materials or Unit Price contracts:
• Time-and-materials
• Unit-price
Types of Lock-In and Associated Switching Costs

Type of Lock                Switching Costs
Contractual commitments     Compensatory or liquidated damages
Durable purchases           Replacement of equipment; tends to decline as the durable ages
Brand-specific training     Learning a new system, both direct costs and lost productivity;
                            tends to rise over time
Information and databases   Converting data to new format; tends to rise over time as
                            collection grows
Specialized suppliers       Funding of new supplier; may rise over time if capabilities are
                            hard to find/maintain
Search costs                Combines buyer and seller search costs; includes learning about
                            quality of alternatives
Loyalty programs            Any lost benefits from incumbent supplier, plus possible need to
                            rebuild cumulative use
Do most IT salespeople understand your business? (pie chart)
• No: 73%
• Yes: 22%
• Some: 5%

Has an IT salesperson used hard sell or overly aggressive tactics? (pie chart)
• Yes: 55%
• No: 45%

Source: Computer Information Management Group, Framingham, Mass.
                Get to Know Your Vendor
1. Who are some of their customers?
2. What is their previous experience in our industry?
3. Can they provide data on recently completed projects?
4. What is their fiscal calendar?
5. Can our CFO meet their CFO?
6. How big is their workforce, and what portion is onshore vs.
   off-shore?
7. What’s their corporate hierarchy?
8. What if…?
9. Who is our account manager?
10. What is their business plan?
FOUR WAYS NOT TO PERSUADE
• They attempt to make their case with an up-front, hard sell.
• They resist compromise.
• They think the secret of persuasion lies in presenting great arguments.
• They assume persuasion is a one-shot effort.
Tips for dealing with IT sales representatives:
• Establish ground rules up front
• Keep it simple
• Bring in your procurement officers and negotiators as early as possible
• Establish a single point of contact for the salesperson and stick to it
• If they go over your head, respond by going over theirs and ask to meet with their supervisor
• Have them first meet with technical staff members who can evaluate their products
• Keep it competitive, but reduce the number early
• Insist on testing the product within your own environment
• Don't let them take control of the sales process. Focus on your objectives
• Don't let them pressure you into a sale. (As in, "Act now before our prices go up.")
  Chances are they're just trying to land a quick deal to make their quarterly quota
• Identify the issues to be negotiated
• Establish a "bottom line" and a walk-away point
• Leave room to negotiate back to the "bottom line"
• Offer sound business justification for your position
            Vendor Negotiating
• Negotiate each point separately
• Keep at least two vendors in the mix
• Don’t single-source the negotiation
• Timing is everything
• Keep talking to current and prospective customers
• Don’t compare apples to oranges
• Nominate a “bad cop” for your team in advance
• Ensure that the vendor must close the deal
• Employ “bogeys” to force reciprocal concessions
• Check the contract for liability limitations
• Know when to disappear
• Know when to say when
• Watch the licensing terms
• Do not be afraid to ask
Power up to Persuade

Do Use:
• Affirmative language: “when” instead of “if”
• Words that convey acceptance of responsibility: “I'll help you myself”
• Win-win phrasing: “Let’s talk it through and see where we end up”
• Decisive phrases that get to the point: “This will fit your needs exactly”

Don’t Use:
• Phrases that call your integrity into question: “To be perfectly honest...”
• Ineffective intensifiers (“very”, “definitely” and “surely”) or hesitation and fillers
• Tag questions at the end of sentences (“... don’t you think?”) that convey uncertainty
• Disclaimers (“I’m not an expert but...”) that invite the listener to disagree with or challenge you
• Hedges and qualifiers: “sort of” or “perhaps”
• Apologies for situations over which you lack control

Source: Artful Persuasion: How to command
RELATIVE IMPORTANCE OF STANDARD COMPUTER CONTRACT PROVISIONS

Most Important:
• Scope of the software license
• Warranty
• Exclusion or limitations of warranties
• Limitation of user's remedies
• Limitation of user's right to damages
• Price
• Ownership of intellectual property rights
• Return of property at conclusion of agreement

Less Important:
• Governing law
• Venue
• Term of the agreement
• Assignability of the agreement
• Period of limitations

Least Important:
• Events of default
• Amendments to contract
• Waiver of contract provisions
• Notice requirements
• Survivability of clauses
• Severability

PICK YOUR FIGHTS!!!
    17 Ways to Bust a Deadlock

   Brainstorm creative alternatives.
   Look for an outside standard or precedent.
   Go off the record.
   Have the principals work it out.
   Take a break.
   Get a mediator or arbitrator.
   Try a procedural solution (e.g., draw lots; flip a coin-one cuts, the
     other chooses).
   Appeal to someone with more authority.
   Set a time limit.
   Speed up.
   Slow down.
   Crack a joke.
   Set up a meeting or a conference call.
   Change the negotiators.
   Spend more time studying the problem.
   Bring in an expert.
   Do nothing.
   WIN-WIN WILL KILL YOUR DEAL
Start with “no”
Develop your mission & purpose
The dangers of neediness
The Columbo effect
Ask questions (who, what, when, where, why, how, which)
Think about how to say it
   • Nurturing
   • Reversing
   • Connecting
   • Telling 3 times
   • Strip line before hooking
   • Find an opportunity to say “Wow this is bad. I don’t know if we can
     recover from this”

No expectations, no assumptions, do your homework
Know their pain
The importance of time, money, energy, emotion
Be sure to know the real decision makers
Negotiation Tactics and Countertactics

Tactic: Attacks (personal insults, emotional reactions, professional insults)
Countertactics: Disclose the attack; Strike back; Give in; Break off; Explore alternatives

Tactic: Tricks (false data, no authority to negotiate)
Countertactics: Know the truth (have the right data, establish in writing who has authority); Escalate

Tactic: Arbitrary deadlines
Countertactics: Agree with deadline; Counter the offer with a compromise schedule; Refuse to change schedule

Tactic: Limited availability
Countertactics: Coordinate schedules in advance; Counter with your limited availability; Be flexible; Escalate

Tactic: Third-party scapegoat (third-party approval required, or pretending that such approval is required)
Countertactics: Escalate to third party

Tactic: Giveaways
Countertactics: Compromise; Disclose them as giveaways; Exchange giveaways

Tactic: Good guy-bad guy
Countertactics: Counter with bad guy-good guy; Escalate

Tactic: Prolonging the negotiation
Countertactics: Take a break or have a caucus; Maintain silence

Tactic: Delays (submission of data, start of negotiation, return from breaks)
Countertactics: Start on time; Claim limited availability; Leave or create greater delays

Tactic: Diversions (questions, telephone calls, fax messages, personal breaks)
Countertactics: Keep things on track (refocus the team, have no phones in the room, allow no interruptions); Take a break

Tactic: Stonewall ("take it or leave it," "I shall not move")
Countertactics: Give in; Say "Yes, and......"; Walk away; Escalate

Tactic: End-of-quarter or end-of-year negotiation pressure [management wants to spend money now (buyer) or get the deal now (seller)]
Countertactics: Settle next quarter or next year (do not let time pressure you into a bad deal)




     …the ability to be on the dance floor and in the balcony at the same time.
                            Crafting Your Behavior
• Slow down the conversation
• Listen and think
• Maintain a buffer between your brain and your mouth.
     Consider your response carefully in light of your new
     guiding principles
• Ask questions to get relevant information
• Catch the cue(s)
• Ask for time-out (that is, postpone your response) if need
  be
• Prepare for, and reflect on, interactions
• Think ahead to conversations and interactions
• Reflect back on conversations and interactions
Ref: The set-up-to-fail syndrome by Jean-Francois Manzoni & Jean-Louis Barsoux
Charismatics
Description: Charismatics account for 25% of all the executives we polled. They are easily intrigued and enthralled by new ideas, but experience has taught them to make final decisions based on balanced information, not just emotions.
Typical characteristics: Enthusiastic, captivating, talkative, dominant
Prominent examples: Richard Branson, Lee Iacocca, Herb Kelleher
Buzzwords to use: Results, proven, actions, show, watch, easy, clear, focus
Bottom line: When trying to persuade a charismatic, fight the urge to join in his excitement. Focus the discussion on the results. Make simple and straightforward arguments, and use visual aids to stress the features and benefits of your proposal.

Thinkers
Description: Thinkers account for 11% of the executives we surveyed and can be the toughest executives to persuade. They are impressed with arguments that are supported by data. They tend to have a strong aversion to risk and can be slow to make a decision.
Typical characteristics: Cerebral, intelligent, logical, academic
Prominent examples: Michael Dell, Bill Gates, Katharine Graham
Buzzwords to use: Quality, academic, think, numbers, intelligent, plan, expert, proof
Bottom line: Have lots of data ready. Thinkers need as much information as possible, including all pertinent market research, customer surveys, case studies, cost-benefit analyses, and so on. They want to understand all perspectives of a given situation.

Skeptics
Description: Skeptics account for 19% of the executives we polled. They tend to be highly suspicious of every data point presented, especially any information that challenges their worldview. They often have an aggressive, almost combative style and are usually described as take-charge people.
Typical characteristics: Demanding, disruptive, disagreeable, rebellious
Prominent examples: Steve Case, Larry Ellison, Tom Siebel
Buzzwords to use: Feel, grasp, power, action, suspect, trust, demand, disrupt
Bottom line: You need as much credibility as you can garner. If you haven't established enough clout with a skeptic, you need to find a way to have it transferred to you prior to or during the meeting, for example by gaining an endorsement from someone the skeptic trusts.

Followers
Description: Followers account for 36% of all the executives we surveyed. They make decisions based on how they've made similar choices in the past or on how other trusted executives have made them. They tend to be risk-averse.
Typical characteristics: Responsible, cautious, brand-driven, bargain-conscious
Prominent examples: Peter Coors, Douglas Daft, Carly Fiorina
Buzzwords to use: Innovate, expedite, expertise, similar to, previous
Bottom line: Followers tend to focus on proven methods; references and testimonials are big persuading factors. They need to feel certain that they are making the right decision, specifically that others have succeeded in similar initiatives.

Controllers
Description: Controllers account for 9% of the executives we interviewed. They abhor uncertainty and ambiguity, and they will focus on the pure facts and analytics of an argument.
Typical characteristics: Logical, unemotional, sensible, detail oriented, accurate, analytical
Prominent examples: Jacques Nasser, Ross Perot, Martha Stewart
Buzzwords to use: Details, facts, reason, logic, power, handle, physical, grab, just do it
Bottom line: Your argument needs to be structured and credible. The controller wants details, but only if presented by an expert. Don't be too aggressive in pushing your proposal. Often, your best bet is to simply give him the information he needs and hope that he will convince himself.
Negotiating the Contract Checklist
- Use only a few vendor providers or consider using a "general contractor" which will coordinate other activities of other vendors
- Clearly identify the institution's negotiation strategies and goals prior to beginning negotiations
- Fully understand the scope of the outsourcing proposal before negotiations begin
- Insure that risks are assigned to vendors rather than the institution
- Use outsourcing experts and good attorneys who are experienced in outsourcing agreements to insure a "level playing field" during negotiations
- Clearly document all discussions and decisions
- Discard the service provider's standard contract
- Do not sign incomplete contracts
- Retain institutional approval over the vendor's account and service team members
- Conduct comprehensive reference checks, especially for other higher educational customers
- Develop service level measures
- Measure everything during the baseline period
- Clearly identify the pricing model(s) to be used
- Reduce potential avenues for cost overruns
- Include price adjustment clauses based on the market cost of acquiring or managing specific technologies during the life of the agreement
- Clearly identify transition plans at the beginning and end of the outsourcing relationship
- Include a 30 or 60-day "escape clause" for the benefit of the institution
- Include annual renewal provisions coupled with price adjustments
- Collect fines for non-compliance and non-performance
- Don't be afraid to confront the vendor
- Have an agreed structure for conflict resolution
- Go to the top when necessary
- Set up governing boards and meet regularly
- Clearly specify procedures for problem and change management, as well as escalation procedures leading to penalties for failure to resolve problems within the agreed-upon timeframes
- Clearly define training programs for internal staff. If institution staff are replaced, specify training and/or outplacement services
- Continuously adapt to business conditions and business volume
- Include a termination clause
- Beware of 'change of character' clauses, e.g. support for new technologies
- Maintain continuity of management
- Do not force a bad fit

Source: Lacity & Hirschheim
Managing Vendor Access to Your Business

• Coordinate efforts
• Set up a vendor management capability
• Develop an internal "consumer reports"
• Work with the purchasing department
• Establish consequences for inappropriate vendor behavior
• Reward appropriate behavior
LAST CHART; THE CHARTS
FOLLOWING ARE BACK-UPS
       (2) Architecture Scanning &
                 Definition
Using the information obtained in the Strategic Planning
process and considering the whole enterprise, this process
defines in IT terms the goals towards which all further action
should be taken. Technology Scanning is defined in a
subsequent class.
1. Define data, information, knowledge architecture for the enterprise.
2. Define application architecture for the enterprise.
3. Define IT technology (e.g., networks, computers) architecture for the enterprise.
4. Integrate architectures.
DEVELOPING AN IT ARCHITECTURE
• Knowledge, Information and Data storage
  - Accessibility
  - Viability
  - Accuracy
• Security
• Network Communications & Data Transport
  - Obtaining
  - Exchanging
  - Client Server
• Computer Systems
• Interfaces
• Application / Data Transformation
  - Traditional / 3rd Generation / 4th Generation
  - CASE
  - KBS
  - OOPS
  - Virtual Reality
  - ERP
  - ASP
  - Internet/Intranet/Extranet
DEVELOPING AN IT ARCHITECTURE
• DO WE HAVE THE RIGHT TECHNOLOGIES? ARE THEY INTEGRATED APPROPRIATELY?
• WHAT LEVELS OF INFORMATION ACCESS, SHARING & SECURITY SHOULD WE SUPPORT?
• WHICH APPLICATIONS WILL WE DEVELOP, & WHICH WILL WE BUY?
• WHO WILL MAINTAIN & UPGRADE TOOLS, DATA, & APPLICATIONS?
• WHO WILL ASSESS WHETHER OUR HORIZONTAL ARCHITECTURE IS MEETING THE FIRM'S NEEDS?
• ARE STANDARDS DEFINED, COMMUNICATED, & ADHERED TO?
Platform Decision Makers (figure: who makes the platform decision, and on what basis)
• A user department, when it buys a package
• The CFO, because it is a money decision
• The data center, based on its capabilities
• The boss, based on politics
• Application developers, based on their skills?
• The CIO, based on enterprise goals
Technology Domains
Tiered Systems Architecture (figure: tiers from the Internet down to the data resources, with Management and Security spanning every tier)
• Internet
• Clients (web browsers)
• Load balancing (IP load balancers)
• Application servers (web servers)
• Data resources (clusters)
Integrating Architectures By Network (figure: a three-zone network layout)
• Internet: two border routers, one per upstream provider (MCI Worldcom and UUNET)
• Perimeter network: a pair of Local Directors with failover, front end routers and an intrusion detection system; the perimeter hosts CC Auth, Order Entry, DNS, SMTP, TNG and Epro behind a firewall ("Your Bubble Goes Here" marks where a new service would sit)
• Interior network: back-end routers (Shared Services, DSM), with firewalls separating the Production Test Center, the Corporate Network and Business Partners
SECURITY ARCHITECTURE (figure: threats mapped to each component of the system)
• Access: abuse of controls; accidental errors in processing and storage; viruses
• Internet: denial of service
• Firewall (between the Internet and the interior)
• Database (access rules): unauthorized access; copying; theft
• Hardware (processor): failure of protection mechanisms; contribution to software failure; installation (use) of unauthorized hardware
• Systems software: failure of protection mechanisms; information leakage; installing unauthorized software
• Application programmer: programming of applications to behave contrary to specification
• Local area network: tap; crosstalk; radiation
• Terminals: located in insecure environment
• PCs: fraudulent identification; illegal leakage of authorized information; viruses (on disks); physical theft
• Operator: duplication of confidential reports; initializing insecure system; theft of confidential material
• Systems programmer: bypassing security mechanisms; disabling security mechanisms; installing insecure system
• Authorizer: incorrect specification of security policy
• External environment: natural disasters; malicious attacks; unauthorized access to computer center; illegal or illicit use of computing resources; electronic theft; fraud
Web Services Architecture (figure: layers from the public Internet to the enterprise infrastructure, based on Web services standards)
• Internet: external Web services, marketplaces and partners' Internet sites, with a public UDDI Web Services Directory
• DMZ infrastructure: firewall, load balancer and a farm of HTTP servers
• Enterprise trusted network: a service bus (WSDL/SOAP) and an internal UDDI Web Services Directory in front of application servers offering CRM, data management, security, content management, business and user profile services (infrastructure Web services)
• Enterprise infrastructure: a service broker (ODBC/JDBC, message brokers, other middleware, native APIs) connecting third party systems, collaboration services (email, chat, etc.), enterprise systems, legacy data and open system databases, with supporting services for data management, security, hosting/DR, system management, network and transaction management
Ref: RCG Information Technology; ‘White Paper on Web Services Architecture’ By Rasesh Trivedi, Senior Manager - RCG IT
www.rcgit.com/company/whitepapers/WebServicesArchitectureModelsWPv1.pdf
ARCHITECTED DATA WAREHOUSING SYSTEM (figure)
• Sources: parent legacy systems and operational systems
• Transformation and cleansing process feeding the data warehouse (with archive and meta data)
• Data marts (web enabled) built from the warehouse
• Strategic reporting from the data marts
Integrating Architectures By Applications (figure)
• Users: customers, partners, sales force, call center, employees
• Firewall
• Portal services: single sign on, entitlement, personalization, workflow, common UI, globalize
• Integrated development environment with XML adaptors to legacy systems, ERP, EDI and CRM
Source: Asers Systems
CRM ARCHITECTURE (figure)
Customer life cycle stages: Sales (marketing, sales); Delivery (order management, delivery); After-Sales (billing, customer service)
Degree of integration for CRM, from low to high:
(i) Completely disparate systems, no interface, no information sharing
(ii) Separate systems, some interfaces, some information sharing, a partial view of the customer over the life cycle (plus optionally a data warehouse, not shown)
(iii) Full information sharing, full view of the customer over the life cycle, interfaces to back-office systems (plus a data warehouse, not shown)
        Business Architecture
[Figure: enterprise architecture stack, top to bottom:
  Business Architecture: Business Strategy & Organization; Business
    Process Model
  Information Architecture: Data Architecture
  Applications Architecture: APPLICATIONS PORTFOLIO; Applications
    Technical Design Standards
  Technology Plan
  Operations & Service Delivery Model
  Infrastructure Architecture]
      IT Standards Documentation, Communication, and Update Process
[Figure: three phases, each a loop of activities:]

  Set Standards
  • Scope and set standards
  • Document standards and rationale
  • Refine standards based on IT input
  • Communicate to IT Steering Committee and refine

  Analyze Current Platform
  • Analyze current platform
  • Develop and execute appropriate migration plan
  • Document/manage exceptions
  • Update IT processes
  • Update procurement processes
  • Communicate standards corporate-wide

  Steady-State Management
  • Periodic standards update/review

Ref: The Executive's Guide to Information Technology by John Baschab & Jon Piot
Systems Integration in the Global Enterprise

Key Factors                  Strategic Business Units        Current interfaces, problems and
                             (Data Collection)               issues across SBUs
---------------------------  ------------------------------  ----------------------------------------
Organizational Culture       Narrative                       Centralized human resources?
Language Barriers            Primary, Secondary              Screen language differences?
Currency Translation         Primary Denominators,           Multicurrency?
                             Auxiliary Denominators
Local Government             Statutory Laws                  Value-added tax? Privacy?
  Requirements
Autonomy /                   Corporate Links                 Local Area Networks?
  Decentralization                                           Wide Area Networks?
Measurement Systems          Business Rules                  Activity-Based Costing?
Core Products                Model Numbers,                  Part Numbers Consistent?
                             Model Descriptions
Suppliers / Customers        Customer Files, Vendor Files    Supplier / Customer numbers consistent?

Ref: Zachman, J. A., "A Framework for Information Systems Architecture", IBM Systems Journal, 1987
       Notable Standards Efforts
• Central Computer and Telecommunications Agency (CCTA)
  Methodology - IT Infrastructure Library (ITIL)
  http://www.exin.nl/itil/itinf/home

• Service Level Agreement (SLA) Working Group created by the
  Distributed Management Task Force (DMTF)
  http://www.dmtf.org

• The Application MIB (Appl MIB) by the Internet Engineering Task Force (IETF)
  http://www.ietf.org

• Application Response Measurement (ARM)
            INFRASTRUCTURE MANAGEMENT TOOLS

Fenway                     Starts at $15,000 to $30,000
                           Dirig Software Inc., Nashua, N.H.; www.dirig.com

HP OpenView                Starts at $23,900 for Operations console, $230 per node
                           Hewlett-Packard Co.; www.hp.com

Patrol                     Separate Predict and Perform versions for Oracle ($290 and
                           $390 per server, respectively) and Unix ($395 and $875);
                           Storage Resource Manager (starts at $40,000); Service Level
                           Management (starts at $5,000 plus $195 per managed node;
                           Windows versions start at $815)
Site Angel                 Starts at $900 per year
                           Both from BMC Software Inc., Houston; www.bmc.com

Peakstone eAssurance       $48,000 plus $4,800 annually per Web server CPU
                           Peakstone Corp., Sunnyvale, Calif.; www.peakstone.com

Silk Performer             Starts at $25,000
Silk Test                  Starts at $6,500
                           Both from Segue Software Inc., Lexington, Mass.; www.segue.com

SiteScope                  $995 for 25 monitors
                           Freshwater Software Inc., Boulder, Colo.; www.freshwatersoftware.com

Tivoli Enterprise Console  Approximately $300 per node
                           Tivoli Systems Inc., Austin, Texas; www.tivoli.com

Unicenter TNG              Starts at $2,500
                           Computer Associates International Inc., Islandia, N.Y.; www.ca.com
The US standard railroad gauge (distance between the rails) is 4 feet, 8.5 inches.
That is an exceedingly odd number. Why was that gauge used? Because that is the
way they built them in England, and English expatriates built the US railroads. Why
did the English build them like that? Because the first rail lines were built by the
same people who built the pre-railroad tramways, and that is the gauge they used.
Why did "they" use that gauge then? Because the people who built the tramways
used the same jigs and tools that they used for building wagons, which used the
same wheel spacing. Okay! Why did the wagons have that particular odd wheel
spacing? Well, if they tried to use any other spacing, the wagon wheels would
break on some of the old, long-distance roads in England, because that's the
spacing of the wheel ruts.
So who built those old rutted roads? Imperial Rome built the first long-distance
roads in Europe (and England) for their legions. The roads have been used ever
since. And the ruts in the roads? Roman war chariots formed the initial ruts, which
everyone else had to match for fear of destroying their wagon wheels. Since the
chariots were made for (or by) Imperial Rome, they all had the same wheel
spacing. The United States standard railroad gauge of 4 feet, 8.5 inches is derived
from the original specification for an Imperial Roman war chariot. Specifications and
bureaucracies live forever. So the next time you are handed a specification and
wonder what horse's behind came up with it, you may be exactly right. This is
because the Imperial Roman war chariots were made just wide enough to
accommodate the back ends of two war-horses.
Now, the twist to the story... There is an interesting extension to the story about
railroad gauges and horses' behinds. When we see a Space Shuttle sitting on its
launch pad, there are two big booster rockets attached to the sides of the main fuel
tank. These are solid rocket boosters, or SRBs. Thiokol makes the SRBs at their
factory in Utah. The engineers who designed the SRBs might have preferred to
make them a bit fatter, but the SRBs had to be shipped by train from the factory to
the launch site. The railroad line from the factory happens to run through a tunnel
in the mountains. The SRBs had to fit through that tunnel. The tunnel is slightly
wider than the railroad track, and the railroad track is about as wide as two horses'
behinds.
So, a major design feature of what is arguably the world's most advanced
transportation system was determined over two thousand years ago by the
width of a horse's behind!
                 Think?
• Which processes are most important?
• Who owns each of these process
  containers?
• How much resource will be applied to
  each process?
• How effective are each of these processes
  today?
• What priority should be placed on
  improving each of these processes?

				