IT Accountability

Assignment:

Refer to IT Savvy regarding IT accountability and decision making. As a reply to this message, discuss who makes IT decisions in your organization. How are they held accountable? What would you change or do differently?


Vendor Partnering

Assignment:

Oftentimes, IT is asked to partner with vendors for a variety of reasons (system support, new technology, procurement, integration, etc.). As a reply to this post, discuss some of the challenges and benefits of vendor partnering, including your own observations and experiences (also refer to The Adventures of an IT Leader). What worked well? What didn't? What would you recommend for future partnerships?


Control Points and Decision Making

Social Computing

Assignment:
As a reply to this post, discuss the concept of social computing within the business. Some considerations you may want to address in your discussion: define social computing, the value of it within the business, how to evaluate and select proper technology to fulfill internal/external requirements, and increasing overall usage (after implementation).


Social computing really describes two separate phenomena within computing technology. The first is probably what comes to mind for most people: technology that facilitates being social online. This includes blogs, Twitter, Facebook, Google+ and social search, Foursquare, wikis and any similar Web 2.0 products. These computing solutions allow people to connect more easily, to share more readily and to be social in situations where this would have been difficult or impossible (due to distance, expense, etc.) in the past. The second area of social computing is an extension of the idea of wikis and relates more to businesses: collaboration. New social computing tools make it much easier for groups of people to collaborate on projects, ideas, documents, presentations and more. Email has always been a fairly inefficient medium for collaboration. Say a group is editing a document and forwarding it to other members of the project: suddenly there are multiple versions of the document floating around, and it may be difficult to determine which one is most recent. New edits may be made to an old version, causing things to become disconnected and leading to challenges for the group. In the past there was often a desire to have people in close proximity to help alleviate these problems, but social computing has made it possible for a group to consist of people from across the country and still be effective. Google Docs provides real-time collaboration, numerous open source software projects couldn't exist without social computing, and tools like Skype or other video conferencing applications make working with others digitally easier and more effective.

IT and the Customer Experience

Assignment:

Many organizations talk about enhancing or improving the customer experience – whether that is less wait time on the phone, instant chat or even offering customer support via Facebook or You Tube. As a reply to this post, describe and discuss the role of IT in improving and enhancing the customer experience. Include any experience you have encountered either as a customer or within your organization.


IT Sourcing

The primary advantages of IT sourcing relate to not having to maintain IT in house. For a small or start-up company this may mean a smaller staff and the ability to make more specialized internal hires. It may also be less costly (initially) and allow the company to focus on its business objectives instead of having to worry about technology, and in some cases it may provide more flexibility because the company does not need to figure out how to integrate or implement IT, but can simply discuss its needs with a contractor and get what it wants. Additionally, when IT is sourced, the IT firm is responsible for upgrades, training, newly discovered threats and other IT issues. Finally, there is also an expectation of a level of expertise when utilizing IT sourcing that may be hard to measure or determine if an organization were to do the hiring and attempt to build its own IT department.

Disadvantages relate more to specificity. I believe that IT sourcing would generally be more of a "one size fits all" type of system as opposed to being specialized and uniquely developed and implemented to meet the needs of the business. This means an organization might have to choose based on what will cause the fewest issues instead of what works best. It also means the organization likely will not have the ability to make changes as quickly as they would like or have IT integrate as closely as possible.

Depending on the type of organization and data in question, IT sourcing can also pose additional risks. If the third-party IT firm were hacked or experienced some type of data breach, the primary organization would still have to alert customers and would be impacted, even though it was technically not at fault. If the IT sourcing firm were to experience business problems or other issues, the main organization might suddenly have no IT at all, which could substantially impact the business, and without any internal knowledge or experience it would take some time to get internal IT up and running. Finding a firm that is extremely reputable and ensuring strong service agreements are in place is one way to mitigate some of these risks. It may also be possible to find a firm that handles IT at the top level but essentially hires out staff and services to work for, be paid by, and function as another part of the main organization; this may provide some additional options in the event the IT sourcing firm runs into issues.

I don't have any experience with IT sourcing that I am aware of. I know there are some functions at my firm that are sourced from foreign countries, specifically document processing. Some information about this place was relayed to me by my father (weird coincidence). While on a business trip (I think this was in India, but I could be mistaken) to review operations for his organization, he learned that my firm had a floor in the same building and was able to see it. He said it was literally a room of monitors, keyboards and mice, but nothing else. No desktop towers, printers, no paper or pens. My understanding is that when a client fills out a paper application and mails it to one of our US-based operations centers, the documentation is scanned into the system and assigned to a foreign worker. This individual then goes through the document and types the information directly into our database so that new accounts can be set up and other information changes are processed. I suspect this is less expensive than having a US worker do it, but there certainly are still mistakes. I've seen numbers transposed or entered incorrectly (often this is related to poor handwriting on the form, but sometimes not) and also incorrect names. In some cases I think this can be attributed to different cultural expectations and norms; certain names or even formations of letters may be common and easy to recognize here, but pose challenges for others. At the end of the day, the cost savings and the ability to have processing occur at times when things on this side of the globe are shut down for the night seem to more than make up for the occasional error that later must be corrected.

IT Business Challenges

There are a number of issues facing IT organizations today, but there are a few categories that make up the biggest concerns. These include remaining competitive, security and legislation.

Cost and Value

IT Governance

Assignment:


Governance is the act of setting policy and expectations or providing oversight for reaching particular goals. Strategic governance is higher level, relates to overall strategy and alignment with business objectives, and is usually set by senior executives on both the business and IT sides of an organization; strategic governance is often viewed as being long-term. Tactical governance is more specific, relates to the actual execution of projects and strategy, and usually involves individuals in more technical or action-oriented roles as opposed to planning roles; tactical governance is often considered to be more short-term and smaller in scope. Arguably strategic governance has to do with plans that are more static and will not change relative to external forces, while tactical governance is more flexible and can be modified or changed as the situation necessitates. As a result, both strategic and tactical governance are necessary for an organization to be effective. Groups involved in strategic governance are responsible for ensuring that overall planning meets the needs and requirements of the business, and for ensuring that planning is on track with the objectives of the organization. Tactical governance, on the other hand, is required in order to effectively manage systems, tools or programs within the business, while simultaneously being flexible enough to modify or change plans in order to accomplish objectives given any limitations or changes that would impact technical execution. Governance can be visible in different ways within an organization. In my organization strategic governance is visible in terms of the company keeping the overall objectives and business plans of the organization visible for the entire organization. Tactical governance occurs at virtually every level where plans are executed upon. Even in my role in operations, we have plans and ideas that we would love to accomplish, but these goals must be modified depending on changes in funding, systems, or even low level objectives.

What is IT Management?

Assignment: Refer to The Adventures of an IT Leader: Barton writes "IT management is about management". As a reply to this message discuss the following: Is IT management different from other functions? Is it truly about management (skills, talent management, key contributors) or something else (technology, hardware, software)? What do you think? Justify your answer.


I absolutely agree with the sentiment that IT management is about management; at the end of the day that's really the point. Certainly IT management has its own unique challenges, and an IT manager may need to be more aware of new technology and have a broader understanding of what the IT personnel he (or she) is managing are responsible for, but at the end of the day it really is about managing relationships between people and groups, and ensuring that employees have the tools, materials and information they require to successfully perform their jobs. An IT manager doesn't need to know how to write SQL or hook up a router, but they do need to have a broader picture of what the tools are used for, and what is needed for a task to be considered satisfactorily completed. In some ways an IT manager may have a more difficult job than a manager on the business side of an organization: they have to work with people who may be far more knowledgeable in their specific field, but in many cases a programmer or network admin may not have the experience to understand their role from a broader business perspective. It becomes the responsibility of the IT manager not only to help them understand how they fit into the business, but also to help explain why certain aspects of IT may not be as high a priority for the organization as a whole as they seem for that individual or within the broader scope of IT. These people skills have to be strong and flexible enough to work effectively with IT employees, but also when interacting with the business side of the organization, both to understand the perspective and requirements of the business and to help the business side understand the needs and viewpoint of IT.

IT Alignment Discussion

Systems Lifecycle Management

The Information Systems Security Lifecycle Management article from TeleCommunication Systems (TCS) provides an overview of lifecycle management. The article expounds upon the business challenges associated with ISSLM from the perspective of an association with the DoD, details how information assurance (IA) is currently being handled and treated, and provides a recommended approach in the form of a process that can be applied to any area of an organization. As an organization TCS has a relatively narrow focus, but their methodology follows DoD requirements, which can be used as a model for any organization. First, a statement of work must be developed that addresses all aspects of information assurance. Next, security engineering must be an integral part of the design of an information system from the beginning, instead of trying to engineer security in at a later point in time, which can lead to many issues or insufficient security. A concept of operations must also be considered, taking into account the end user and ensuring that the way a user will utilize the system will not interfere with the security of the system itself. Any formal or standard process used by the organization to ensure that an information system (IS) will maintain IA throughout the system's lifecycle, like DIACAP for the DoD, must be incorporated. Personnel who are working on the system must be qualified and have the appropriate tools and materials. The lifecycle process must also contain strong configuration management procedures, and finally systems must be maintained and updated according to the policies and procedures laid out by the organization. Any organization that sets up its ISSLM in a way that mirrors the process followed by the DoD will increase its security effectiveness.

IT Security Laws

Sarbanes-Oxley

In response to a number of very public corporate and accounting scandals, SOX was enacted July 30, 2002. Public confidence in securities markets was shaken as companies like Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom collapsed and investors lost billions of dollars without warning. As the activities of these companies were examined and better understood, it was clear certain aspects were similar across companies and needed to be addressed and considered as part of the act. These issues include conflicts of interest among auditors, boardroom oversight failures, conflicts of interest among securities analysts, poor banking practices, executive compensation in the form of stock options, issues related to the internet bubble that could happen again, and finally poor rule creation and enforcement by the SEC due to underfunding.

Measuring the impact of SOX is complicated, as other factors that influence the stock market are difficult to isolate and remove. Even with significant analysis and research, many different conclusions have been reached regarding the benefits and costs of SOX thus far as well as into the future. Since the primary concern is the accuracy of financial reporting data, under SOX the importance of IT relates only to its ability to make that reporting more reliable. The negative impact primarily revolves around compliance costs, while the goals of the act itself make up the majority of the benefits.

The Sarbanes-Oxley Act is very divisive, making it difficult to determine if the benefits outweigh the costs. No matter the side of the argument, SOX was clearly successful in accomplishing its goal of enhancing the standards for compliance, transparency and accountability. Debate continues to this day, and detractors are one of the biggest potential challenges as the constitutionality of the law has been brought under scrutiny and there has been some pressure to repeal from the financial industry. Perhaps finding a way to simplify compliance without impacting transparency would be an acceptable solution to all.


The Gramm-Leach-Bliley (GLB) Act

The Gramm-Leach-Bliley Act is also known as the Financial Modernization Act and was passed in 1999. GLB specifically impacts financial institutions and companies that provide other financial products or services to consumers. This act contains provisions related to protecting the personal financial information of consumers held by financial institutions. It is made up of the Financial Privacy Rule, the Safeguards Rule, and Pretexting Protection.

The Financial Privacy Rule requires that consumers be given a privacy notice by a financial institution when a relationship is established, and then on an annual basis thereafter. This privacy notice must explain what consumer information is collected, where or with whom it is shared, how the information is utilized, and what protections are in place for storage and maintenance of the information. Additionally, this notice informs the consumer of their right to opt out of information sharing with any third-party organizations. The Safeguards Rule requires the design, implementation and maintenance of safeguards by financial institutions to ensure personal consumer information is protected in terms of both confidentiality and integrity. This is essentially a requirement for an information security plan demonstrating preparedness, which most organizations should already have. Finally, the pretexting provisions require an organization to put safeguards in place to protect against phishing or other social engineering attacks. This would likely include a well-written plan and regular employee training.

Overall, I believe GLB is fairly successful. It brings to light a number of issues that are central to providing high quality security, and requires organizations to comply with a set of standards. There are many benefits to both companies and consumers, but there are certainly challenges. Consumers may still not read privacy notices, but by being required to send out notices and maintain records of this, an organization has some protection if a consumer fails to review the policy and feels they were tricked or manipulated. Organizations should already have had a strong information security plan, but it is possible this was overlooked or underfunded at some organizations, so creating a requirement helps ensure protection as well. Social engineering can be extremely difficult to prevent, but simply being required to be aware of these types of attacks and to implement safeguards, especially training, helps bring this very common type of attack to the attention of consumers and employees alike, helping to reduce the number of successful attacks.


Electronic Funds Transfer Act

The Electronic Funds Transfer Act was passed in 1978. This act established the responsibilities of parties involved in electronic funds transfer activities in addition to the rights and potential liabilities of consumers. The ability to electronically transfer funds was very new in 1978 and even today mistakes occur, so it was important to establish a set of rules to make consumers and firms more comfortable with utilizing electronic funds transfers.

The act primarily considers EFT errors, consumer liability and the liability of the financial institution. In relation to errors, both the consumer and the financial institution are held to certain requirements, the first of which is that errors may occur and the customer does have responsibility for reviewing statements regularly to verify an error has not occurred. If the customer notices an error, he or she must contact the financial institution as soon as possible; the notification must be within 60 days from the date of the erroneous statement, must explain why it is believed there is an error, and if required by the firm may have to be sent in writing. Financial institutions must investigate errors and provide a resolution within 45 days; if there was an error they must recredit the amount in question, and they must notify customers of the results of the investigation, including providing copies of documents related to the investigation if requested by the customer. In terms of liability, the act states that if a card is reported missing before any transactions occur, the customer is not liable for any charges. If, however, the customer does not meet certain criteria, they may be liable for unauthorized transactions, specifically depending on the amount of time it takes the customer to notify the financial institution. The financial institution must provide information to the client about their liability if a card is lost or stolen, including details of the resolution process and a phone number that can be used to report loss or theft.

The Electronic Funds Transfer Act seems to have been very successful since it was enacted. It helps limit the liability of customers, making them feel safer and more confident in their financial providers. It also provides more specific and detailed information about financial institutions in terms of what they must provide to consumers, how research should be done, and even some limits to liability if a customer did not follow proper procedure.


Fair and Accurate Credit Transaction Act (FACTA)

The Fair and Accurate Credit Transaction Act was passed in November 2003. This act is an amendment to the Fair Credit Reporting Act. Its primary feature is that it allows consumers to obtain a free credit report from each of the three national credit reporting agencies once every twelve months. The act also has provisions related to helping prevent or reduce identity theft.

In relation to the goal of preventing identity theft, regulations about "fraud alerts" and "active duty alerts" were created. With this act, if a consumer believes that he or she may be or may become a victim of fraud or identity theft, they have the ability to place a fraud alert on their file for at least 90 days. Credit reporting agencies are required to offer this ability to customers and to notify the other reporting agencies of the fraud alert. There is also the option for a consumer to request an extended fraud alert. The active duty alert allows any active duty member of the military to request the alert which requires that if a reporting agency distributes a list to a third party in relation to the extension of credit or offering other services, that they must the active duty member with this alert. Additionally, the act requires that debit or credit card numbers be truncated on receipts or other documents pertaining to point of sale transactions. Finally, the law established a set of rights for victims of identity theft, including blocking information on a credit report if it was the result of identity theft, established general procedures for dealing with and resolving issues of identity theft, and required that corporations have some method by which information regarding consumer complaints about fraud or identity theft is shared across organizations.

The results of this act can be viewed as somewhat mixed. Certainly, on the face of it, it is good to have protections in place for consumers; it may help them establish better credit by having access to regular credit reports, and it helps consumers resolve issues related to identity theft. At the same time, however, there are certainly some potential issues. It seems to put more onus on the financial firms than on consumers themselves, which has the potential to lead consumers to feel like they need to take fewer steps to protect themselves. Additionally, in some cases requesting less consumer information when establishing an account may open the door to additional identity theft attempts, or certain consumers may try to take advantage by claiming transactions they completed were actually fraudulent. Also, in my opinion this act does not provide enough in terms of requirements or steps to help a consumer who was the victim of substantial loss or theft to regain their previous credit status in a quick and efficient manner.

Role Play

TO: John Henry, CEO
FROM: Edward Schaefer, CISO
DATE: December 10, 2011
SUBJECT: IT Legislation Compliance

The state of Massachusetts has one of the most comprehensive and clearly defined data privacy laws, known as 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth. As stated: "The objectives of this regulation are to insure (sic) the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer." At the most basic level, this requires that all data and information is adequately protected through the use of encryption and other data protection mechanisms.

There are a number of groups whose data must be considered under this policy. Data about Boston Red Sox fans and ticket holders must be stored and maintained in a secure fashion. This will include standard personal information, as well as any financial information used for the purchase of tickets or merchandise. Additionally, data for all Boston Red Sox employees, including the players, must be maintained under these standards. This applies to personnel records and information pertaining to employee compensation and retirement plans, in addition to information relating to negotiations with players. Our current policies are mostly compliant, but we will be performing a full audit and examination to locate any areas that need to be updated to be in compliance with the law. Attached is the compliance checklist provided by the commonwealth that will be used to verify compliance.

Legislative Trends

As the internet becomes more ubiquitous and the use of technology continues to rise, the government must start seriously evaluating ways in which it can provide oversight and create effective legislation that still allows for privacy and freedom of speech. This paper discusses some of the most prominent issues that legislators have been looking at in recent history and will be considering even more seriously in the near future. First, privacy and privacy laws in general are briefly discussed. Next, issues related to privacy and law enforcement are examined, followed by concerns about consumer data in relation to ad agencies, and finally a discussion of privacy issues related to minors. Privacy will only continue to grow as a concern, especially as issues related to existing privacy law, lack of legislation, and unexpected or unauthorized breaches of privacy by web companies become more prominent in the headlines.

Defense in Depth

This paper examines how to optimize security using the Intel white paper "Defenses in Depth Strategy Optimizes Security" as the model for analysis. It is written for an IT department, both to help it better understand the business perspective on the time and costs associated with planning and preparation, and to provide perspective on the risks associated with trying to do too much instead of taking a streamlined approach to being effective and efficient in handling IT security issues. First the business challenges are discussed, followed by an overview of the methodologies of prediction, prevention, detection and response, so that solutions are in place for security issues that may arise.

Security Policies in the Application Development Process

In the Microsoft TechNet Viewpoint article “Security Policies in the Application Development Process,” John Steer discusses the importance of an organization having a well-defined security policy and applying this policy to the application development lifecycle. Examining this from the perspective of a software developer, it is difficult to disagree with his points. It does seem, however, that Steer brushes past a few key reasons why an organization may fail to create secure applications.

Initially the general reasons why a security policy is in place are discussed. Steer uses ISO17799 to provide a definition for a security policy and rightly points out that a security policy is not created as part of the development process. Instead the security policy provides guidelines so security requirements are known and can be implemented in the software during the development process. He does, however, overlook that a security policy may fail during the development process in a couple of ways. First, if a security policy fails to address some important security consideration, it may be worthwhile for those involved in the development process to bring this to the attention of the organization. Second, a security policy will in many cases not be able to address many of the security concerns faced by the development team in terms of actual security issues related to the coding process. It is important for a development team to make their own list of security concerns that are specific to software development.

Next Steer discusses that while many organizations have comprehensive security policies that address both physical and information infrastructure, in many cases this is not extended to software development. He states that in order for security to be a part of the application architecture, developers must understand the requirements stated in the security policy. While this is most certainly true, one of the difficulties may be putting the security policy in terms that make sense to the development process. It is easy to have the security policy say "passwords are required," but when this is applied to the development of an application, a simple password may be allowed that technically meets the requirement of the security policy but does not conform to the actual meaning behind the policy.
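To make the gap between the letter and the intent of "passwords are required" concrete, here is an added example (not from Steer's article or from any product) contrasting a literal check with one that encodes what a policy author usually means. The minimum length, the three-of-four character-class rule and the short list of common passwords are assumptions chosen for illustration.

```python
import re

# Constructed sample of commonly used passwords; a real deployment would check
# against a large breached-password list rather than this short set.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


def literal_check(password: str) -> bool:
    """The literal reading of "passwords are required": any non-empty string passes."""
    return len(password) > 0


def policy_check(password: str, username: str, min_length: int = 12) -> list:
    """Checks that capture the intent behind the policy.

    Returns the list of failures; an empty list means the password is accepted.
    The thresholds are assumed values for this example, not a published standard.
    """
    if not password:
        return ["password is required"]
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    # Count how many of the four character classes are present.
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        failures.append("fewer than three character classes")
    if username and username.lower() in password.lower():
        failures.append("contains the username")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("is a commonly used password")
    # Reject runs such as "aaaa" or "1111" that pad length without adding entropy.
    if re.search(r"(.)\1{3,}", password):
        failures.append("contains a run of four or more repeated characters")
    return failures


def accepted(password: str, username: str) -> bool:
    """True only when the password satisfies the intent of the policy."""
    return policy_check(password, username) == []


if __name__ == "__main__":
    for candidate in ("a", "password1", "alice-Sunshine-2024", "Correct-Horse-Battery-7"):
        print(candidate, literal_check(candidate), policy_check(candidate, "alice"))
```

A development team that only ships the first function can truthfully report compliance with the policy sentence while admitting "a" as a password, which is exactly the mismatch the paragraph describes.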

Steer then attempts to provide an answer to why security is overlooked. He says that organizations often place low importance on the development of secure software, and continues that this is often not even realized. By failing to provide security policies during the application design phase, security features are omitted at the application level. He gives another example where security is added later on but implemented without using a corporate policy, stating that when asked, one reason he has been given is that policies are not made available to the development staff. He should question whether it is really an issue of the development staff not having access to security policies, or whether it has more to do with the policies themselves. If individuals with little understanding of software development create the policies, it is easy to imagine the security policies being convoluted, making it difficult for the development team to understand what is being asked and how it could apply to software development. It is important for someone familiar with software development to be involved in the process of actually creating the security policy. Steer does mention that security is often viewed as being costly and says he disagrees with this assessment. What he fails to address, however, is that the budget and time constraints for software development are often set by those outside of the development team. If, when giving initial estimates and projections, the development team fails to mention the importance of a strong implementation of security, this may be left out of the timetable and budget, meaning that once it is brought forward as a significant issue to consider it may suddenly be deemed too costly or time consuming to implement. It is important for the software development team not to overlook security in the initial stages of a project, and in many cases it is not hard to imagine developers wanting to get right into the 'meat' of a project and failing to consider steps to implement a secure architecture.

Risk Management Planning

This paper discusses risk management planning. First, risk management is explained, including a description of its primary components: risk identification, risk assessment and prioritization, and finally risk controls. Controls are broken down into their constituent categories of avoidance, transference, mitigation and acceptance. Next is an overview of risk management from the perspective of a large financial firm. Finally, two key risks, phishing attacks and regulatory requirements, are evaluated against each of the components of risk management and the categories of controls.

Intrusion Detection Systems Comparison Table

A commonly used category of risk management tool is the intrusion detection system (IDS). An IDS can be either a physical device or a piece of software. It monitors network traffic, and other network or system activity, to detect malicious activity or policy violations. These systems can be used for real-time monitoring, or to generate reports that can be reviewed by the individuals involved in risk management. Some systems provide alerts and notifications from real-time monitoring so that steps can be taken to block or eliminate an intruder as soon as possible.


| Intrusion Detection Tool | Snort | Advanced Intrusion Detection Environment (AIDE) | Bro IDS |
|---|---|---|---|
| 1. Maturity of Tool | Created in 1998 | Created in 1999 | Used for over a decade, utilizing over 15 years of research |
| 2. Market Acceptance or Relevance | Most widely deployed IDS/IPS. Millions of downloads, nearly 400,000 registered users. In 2009 entered InfoWorld's Open Source Hall of Fame. | Used on many UNIX-like systems as a baseline control and for rootkit detection. | Use of policy scripts means this software could be effective for any organization/industry as long as the scripts are tailored for a specific use. |
| 3. Licensing Models | Open source; annual subscription, cost per sensor. | Open source only | BSD License – open source |
| 4. Platform Compatibility | Windows, Unix (including OS X and multiple versions of Linux) | Any modern Unix platform | Any modern Unix platform |
| 5. Ease of Installation | Simple to install via executable file. | Code must be compiled to be installed. Database must be created to maintain comparison information. | Code must be compiled to be installed. |
| 6. Other Characteristics | Uses a simple command line interface. Performs real-time traffic and packet analysis on IP networks. | File and directory integrity checker. Database is created to provide a baseline to run a direct comparison with current files or directories. | Passively watches network traffic. Policy scripts must be written to create event handlers to automate activities when certain events occur. |


Intrusion detection systems are readily available for any organization to utilize. There are a number of open-source solutions that will provide an organization with all the tools necessary to perform intrusion detection. Many of these tools are easily customizable to fit the needs of a specific organization. A downside to using open-source tools, for many organizations, is the lack of support. Of the IDS tools discussed, only Snort provides support in the form of an annual subscription. The other IDS tools require an organization to implement, maintain and support them on its own, which could be inconvenient for some organizations. If that is the case, it makes more sense for the organization to pursue a commercial IDS solution.
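The baseline-and-compare approach that the table attributes to AIDE (build a database of file attributes, then compare the live filesystem against it) is shown below as an added example; this is illustrative code written for this page, not AIDE's own implementation, and the directory tree, file names and changes it builds are constructed for the demonstration.

```python
"""Minimal AIDE-style file integrity check (added example, not AIDE's code)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Record (sha256, size, mode) for every regular file under root, keyed by relative path."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            st = path.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # simplified: symlinks and special files are not tracked here
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            rel = path.relative_to(root).as_posix()
            db[rel] = (digest, st.st_size, stat.S_IMODE(st.st_mode))
    return db


def compare(baseline, current):
    """Report what an integrity checker flags: added, removed and changed paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: take a baseline, alter the tree, then re-check against it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc" / "cron.d").mkdir(parents=True)
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root)  # corresponds to AIDE's database initialisation step
        # Changes an administrator would expect the next check to flag
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\nsvc:x:1001:1001::/srv:/bin/sh\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "cron.d" / "backup").write_text("0 2 * * * root /usr/local/bin/backup\n")
        return compare(baseline, snapshot(root))  # corresponds to AIDE's check step


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Hashing only catches modifications already made; the baseline database itself must be stored somewhere the monitored host cannot alter, which is why real deployments keep it on read-only media or a separate system.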

Vulnerability Management

This paper addresses some common aspects of vulnerability management. First, risk management is briefly described from a general perspective. Next, frequently occurring vulnerabilities in the broad categories of software vulnerabilities, physical vulnerabilities and client vulnerabilities are discussed. Software vulnerabilities include those of software and web portals. Physical vulnerabilities cover security against intruders and naturally occurring disasters. Finally, client vulnerabilities cover both internal and external clients in relation to bad passwords, the potential for virus infection, and social engineering.