47
Managing Operations

Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Embed Size (px)

Citation preview

Page 1: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Managing Operations

Page 2: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Outline

1111

3333

2222 Outsourcing IS Functions

Information Security

What Are Operations?

Page 3: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Introduction (1)

Systems operations, if not properly managed, could lead to the shutdown of the company's business

A shift in viewpoint Traditionally, managing

inward One's own operations staff

Page 4: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Introduction (2)

Today, managing outward The company's

relationships with IT ESPs

Page 5: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Why Emphasizing Operations? A Typical MIS Department Budget:

33% Systems and Programming 70% Maintenance 30% New Development

10% Administration and Training 57% Operations

Involve more money than any other part of the IS department

Very involved (difficult), challenging and rewarding area

Page 6: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Solving Operational Problems Three strategies to improve operations:

Buy more equipment Continuously fight fires and rearrange priorities Continually document and measure what you are

doing Find out the real problems, not just the apparent ones.

Then set standards and manage to them.

Page 7: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Operational Measures

External measures What the customer sees, relating to customer

satisfaction System and network uptime, response time, turnaround time,

program failures Internal measures

Of interest to IS people Computer utilization as percentage of capacity, disk storage

used etc.

Problems reported by external measures can be explained by deviations in internal measures

Page 8: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

The Importance of Good Management Skills of an operations manager is similar to

that needed in e.g. a factory Only here the "factory equipment" is the disk

drives, DB servers, network gateways etc

The key to managing operations is the same as in any management job Set standards Then manage to those standards by finding an

outstanding operations manager

Page 9: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

What’s New in Operations?

Companies have "cleaned their operational house" Y2K problem moved company from a survival mode to a

planning mode More operations managers are managing outward

CIOs does not relinquish responsibility for operations Ensure their people are properly managing relationships

Operations are being "simplified" Centralizing applications in one place rather than distribute

them on PCs Server based computing

Certain operations are being offloaded e.g. Microsoft offloaded webcasts to Netpodium

Page 10: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Outline

1111

3333

2222 Outsourcing IS Functions

Information Security

What Are Operations?

Page 11: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Outsourcing IS Function

Outsourcing means turning over a firm's computer operations, network operations, or other IT function to a vendor for a specified time

The focus of CIOs in operations is changing In the past, ensuring they had the in-house expertise

to keep systems and networks up and tuning Now, determining where best to perform the various

kinds of operations In house or with a third party and manage it accordingly

Page 12: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

The Driving Forces Behind Outsourcing 70% of US economy had global competition in

1970s Companies had to focus on core business, which led

to huge amount of merger and acquisition activity Companies were priced based on their shareholder

value

Focus and value Management must stress value, they must consider

outsourcing in all their nonstrategic functions

Page 13: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Changing Customer-Vendor Relationships (1) Relationships have expanded from buying

professional services, to buying products and transactions, to integrating systems, to outsourcing

In this evolution: IS management has increasingly lost control Providers take on more risks Provider's margins increase Choosing the right provider becomes more

important

Page 14: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Changing Customer-Vendor Relationships (2)

Page 15: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Outsourcing's History (1)

In 1989 only full IT outsourcing was available Essentially began with "big-bang" deals. The goal was purely financial. Problems occurred

Us VS them Culture clash

Until that time, companies only outsourced poorly run IS operations Kodak outsourced its well-run IS operations in 1989 to

become a more competitive company

Page 16: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Outsourcing's History (2)

Early 1990s: transitional outsourcing One of two routes in outsourcing

Maintenance of their legacy systems, hence staff concentrated on building new client server systems

C/S development to specialists & kept maintenance of legacy systems in-house

Mid to late '90s: best-of-breed outsourcing Selective outsourcing began "Collaborative outsourcing": one prime contractor

and some secondary external service providers

Page 17: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Outsourcing's History (3)

Shared services "In-sourcing" to an internal shared service group Improved efficiencies & saved money (scale of

economy) Business Process Outsourcing (BPO)

As IT outsourcing matured it became a commodity service, profit margins dropped and competitors rose

ESPs moved to specific functional areas with higher margins

Handling specific business processes as well as their as their IT underpinnings: BPO

Page 18: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Outsourcing's History (4)

Page 19: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Outsourcing's History (5)

E-business outsourcing With the arrival of business use of the Internet,

outsourcing has been one way that companies can quickly get Websites up and handling business

In dot-coms and Internet-based operations, outsourcing all or most of the IS function has been preferred mode of operation Allows a company to move faster Companies can remain flexible Do not tie up a firm's funds in computer and networking

equipment

Page 20: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Outsourcing's History (6)

Utility Computing Also known as on-demand computing, virtual data

centers and grid computing The idea is computing power can be treated like

electricity: You plug in and only pay for what you use Numerous vendors, especially IBM, HP and Sun are

promoting access rather than ownership Turning clients' fixed IT costs into variable costs

Page 21: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Managing Outsourcing

Numerous aspects to managing outsourcing need to be handled well to create a successful working relationship Organizational structures Governance Day-to-day working Supplier development

Page 22: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Organizational Structure

Managing outsourcing is different from managing internal staff It is a joint effort between parties that may not have the

same goals Typically, parties establish layers of joint teams

Top-level team: final word in conflict resolution Operational team: oversees day-to-day functioning Joint special purpose teams: created from time to time to

solve pressing issues Standing committees: oversee the use of formal change

management procedures

Relationship managers: look after the "relationship"

Page 23: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Governance

The foundations of governing an outsourcing relationship are laid in the (LARGE) contract(s) Service Level Agreement (SLA)

Responsibilities, performance requirements, penalties, bonuses

Another important component of SLAs is metrics. An SLA needs to be measurable to be of use

Most parties in strong relationships put the contract in the drawer and work from trust and agreed-upon rules It is only when trust in one another breaks down that

they turn to the contract

Page 24: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Day-to-day Working

Recommendations to manage day-to-day interactions: Manage expectations, not staff

Facilitation becomes the mode of working Realize that informal ways of working may disappear Loss of informal ways of working may add rigor Integration of the two staffs requires explicit actions The best way to manage day-to-day is communicate

frequently Preferably "face to face"

Page 25: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Supplier Development

A topic that is receiving increased attention Buying parts and services that go into one's own

products and services Assisting one's suppliers to improve their product

and services by generally improving their processes

Page 26: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Offshoring

Offshore outsourcers became a desirable choice in late 1990s A tight labor market due to Y2K Lower cost and an ample supply of educated people

India, Ireland, Philippines, China

White-collar work going offshore Application maintenance and development, call

centers, customer service, back office processing, BPO, claims processing etc.

Page 27: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Outline

1111

3333

2222 Outsourcing IS Functions

Information Security

What Are Operations?

Page 28: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Information Security Management

--- A Definition Information security management defines the controls we must implement to ensure we sensibly manage computer related risks Not just technology, but people and processes too An ongoing, continuous activity, you don't just

"do" security as a one-off event

Page 29: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Information Security Management

---A Growing Concern Today even CEOs need to know something about information security Need to understand Internet-based threats and

countermeasures and continuously fund security work to protect their businesses

Since 1996 the Computer Security Institute (CSI) and FBI have conducted an annual survey of US security managers

Page 30: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Types of Attacks or Misuse (1)

In 2004

Page 31: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Types of Attacks or Misuse (2)

In 2006

Page 32: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Dollar Amount of Losses by Type (1)In 2004

Page 33: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Dollar Amount of Losses by Type (2)

In 2006

Page 34: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

The Threats---Hackers

The 'hacker community' has become a 'public club'

Approaches hackers use: Cracking the password Tricking someone Network sniffing Misusing administrative tools Playing middleman Denial of service Trojan horse Viruses Spoofing

Page 35: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Security's Six Pillars

A secure system should provide: Nonrepudiation – a transaction cannot be denied by any of

the parties to it Confidentiality – data or services are protected from

unauthorized access Integrity – data or services are delivered as intended Assurance – (authentication) the parties to the transaction

are who they say they are Availability - the system will be available for legitimate use;

no DOS. Auditing – the system tracks activities within it at levels

sufficient to reconstruct them

Page 36: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Security---Technical Countermeasures Security tactics can be divided into three

groups Resisting attacks

(locking your doors) Detecting attacks

(having a motion detector) Recovering from attacks

(having homeowner's insurance)

Page 37: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Resisting Attacks (1)

Authenticate users – assuring that a user or remote computer is actually who it says it is Passwords One-time passwords Digital certificates Biometric identification ……

Authorize users – ensuring that a user has the right to access/modify data or services Access control by privileges or by roles

Page 38: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Resisting Attacks (2)

Maintain data confidentiality – data should be protected from unauthorized access Encryption of data and communication links

Symmetric key: DESAES Public-key encryption: RSA SSL (Secure Sockets Layer) VPN – virtual private networks

Maintain integrity – assure data is delivered as intended; no modification Checksums, Hash codes Digital signatures, digital watermark

Page 39: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Resisting Attacks (3)

Limit exposure Attacks typically exploit a single weakness on a host to get

access to all of its data The architecture can minimize risk by allocation of

services/data to hosts to limit exposure on each host

Limit Access Firewalls (source, destination port)

But it is not always possible to limit access to known sources. e.g. a public Web site.

DMZ – demilitarized zone; access to web but not to the rest of the LAN

Page 40: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

DMZ

Internet

Firewall

Web server

Web server

Modem pool

LA

N

Host

Host

Host

DB server

DMZ

Page 41: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Virtual Private Networks (VPN) Maintains data security as it is transmitted by

using: Tunneling: creates a temporary connection

between a remote computer and the CLEC's or ISP's local data center. Blocks access to anyone trying to intercept messages sent over that link

Encryption: scrambles the message before it is sent and decodes it at the receiving end

Page 42: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Detecting Attacks

Detection of attacks typically either done manually or with the help of an intrusion detection system (IDS) Typically compare the patterns of network traffic

to historical patterns to identify problems E.g. Denial of Service attacks (DOS)

The packets must be filtered to make comparison: on IP addresses and ports, TCP flags, packet sizes

Page 43: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Recovering from Attacks

Tactics to restore data and system: Restoring data

Backups Passive redundancy (from availability) Checkpoints (again)

Attacker identification Audit trails for

Rolling back to checkpoint Help identify intruder and support non-repudiation Should be protected/hidden

Page 44: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

The Balance Between Security and Risk Information Security is a balancing act between

ease of access to information and protecting that information from increasing threats

The Information Security Manager must Constantly bear in mind the organization's appetite for

risk Assess where the "appropriate" balance lies Be prepared to press their case "strenuously" when

they believe the risk is not within acceptable bounds.

Page 45: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Planning for Business Continuity Business continuity is broader than disaster

recovery, it includes Safeguarding people during a disaster Documenting business procedures Giving employees the tools and space to handle

personal issues first so that they can then concentrate on work

In short, it is a business issue and IT disaster recovery is just one component

Page 46: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Using Internal Resources

Organizations that rely on internal resources for IT disaster recovery generally see this planning as a normal part of systems planning and development Multiple data centers

Do not have all computing in one location Distributed processing Backup telecommunication facilities Local area networks

Servers on one LAN can be used to backup servers for other networks

Page 47: Managing Operations. Outline 1111 1111 3333 3333 2222 2222 Outsourcing IS Functions Information Security What Are Operations?

Using External Resource

Cost Vs. risk may not justify permanent resources so companies use the services of a disaster recovery firm Integrated disaster recovery services Specialized disaster recovery services Online and off-line data storage facilities