Managing Operations

1
Managing Operations

• Shelley Queiser
• Ing Wei Ching

2
Then vs. Now
3
What are Operations? Continued

• The Importance of Good Management
• Whats New in Operations
• Companies Have Cleaned Their Operational House
• More Operations Managers Are Managing Outward
• Operations Are Being Simplified
• Certain Operations Are Being Offloaded

4
What are Operations?

• Why Talk About Operations
• Operations involve more money than any other part
  of the IS organization
• Solving Operational Problems
• 3 solutions
• Operational Measures
• External What the customer sees
• Internal What the IS department sees

5
Outsourcing IS Functions

• Outsourcing means turning over a firms computer
  operations, network operations, or other IT
  function to a provider for a specified time.

6
Outsourcing IS FunctionsContinued

• The Driving Forces Behind Outsourcing
• Two Drivers Focus Value
• Where do we really add value?

7
Changing Customer-Vendor Relationships
8
Outsourcings History

• 1989 - IT Outsourcing
• big bang
• Problems us versus them, culture clash
• 1990s - Transitional Outsourcing
• Legacy systems to Client-server computing
• Y2K

9
Outsourcings HistoryContinued

• Best-of-Breed Outsourcing
• Selective Outsourcing
• Collaborative Outsourcing
• Shared Services
• Insourcing-a shared service organization to
  handle such functions as IT, legal, facilities
  management, finance etc.

10
Outsourcings HistoryContinued

• Business Process Outsourcing outsourcing to all
  or most of a reengineered process that has a
  large IT component

11
Outsourcings HistoryContinued

• E-Business Outsourcing
• Websites
• Outsourcing starts from scratch

12
Managing Outsourcing

• Organizational Structure
• Joint effort between two companies who may have
  different goals
• Joint teams
• Top-level management team
• Operational team
• Special-purpose teams

13
Managing OutsourcingContinued

• Governance
• A contract is set to govern the outsourced
  relationship
• Service Level Agreements
• Metrics

14
Managing OutsourcingContinued

• Day-to-Day Working
• Manage expectations not staff
• Realize that informal ways of working may
  disappear
• Loss of informal ways of working can add rigor
• Integration of the two staffs requires explicit
  actions
• The best way to manage day-to-day is to
  communicate frequently

15
Managing OutsourcingContinued

• Supplier Development
• Production sourcing arena-buying parts and
  services that go into ones own products and
  services
• Honda Motor Company

16
Offshoring

• Near-shoring (for U.S.) outsourcing to Mexican
  or Canadian Companies
• Offshore Ireland, India, European countries,
  etc.
• Lower labor costs
• Decreasing local jobs

17
OffshoringContinued

• Offshoring Options are Broadening
• Both Parties Need Cultural Training to Bridge
  Cultural Differences
• Communication Issues Need to be Addresses from
  the Outset
• Country Laws need to be followed
• Use Offshoring to Advantage

18
OffshoringContinued

• Redefine Services Using Offshoring, Automation,
  and Self-Service
• Understand Customers
• Understand Demographics
• Stay in touch with customers
• Offer end-to-end service
• Dominate the screen

19
Information Security

• A security officer once said
• If I were an e-tailer, I might not call the
  Internet a bad neighborhood, but I would
  certainly watch my back. My equivalent
  brick-and-mortar store would have automatic locks
  on the doors, cameras watching every aisle, and
  only 20 in the safe, because I would never know
  what kinds of thieves might show up or what kinds
  of attacks they might launch from anywhere in
  the world. Furthermore, as an e-tailer, I would
  need more security than a brick-and-mortar store
  manager because customers can get a lot closer to
  the guts of my business.

20
The Threats

• The Computer Security Institute and the San
  Francisco Federal Bureau of Investigation
  Computer Intrusion Squad have conducted an annual
  survey of U.S. security managers to uncover the
  types of computer crimes committed, the
  counter-measures being taken, and other aspects
  of cybercrimes.
• The Spring 2004 shows two key findings relate to
  threats
• The unauthorized use of computers is declining.
• The most expensive cybercrime was denial of
  service.

21
The ThreatsContinued
22
Nine Approaches That Hackers Use

• Cracking the password.
• Tricking someone.
• Network sniffing.
• Misusing administrative tools.
• Playing middleman.
• Denial of service.
• Trojan horse.
• Viruses.
• Spoofing.

23
Information Security

• Five pillars make up todays security techniques,
  says RSA Security Inc., a prominent, long-time
  network security firm.
• 1. Authentication Verifying the authenticity of
  users.
• 2. Identification Identifying users to grant
  them appropriate access.
• 3. Privacy Protecting information from being
  seen.
• 4. Integrity Keeping information in its original
  form.
• 5. Nonrepudiation Preventing parties from
  denying actions they have taken.

24
Authentication

• People can authenticate themselves to a system in
  three basic ways by something they know,
  something they have, and something they are.
• Something they know examples are a password or
  a mothers maiden name.
• Something they have examples are digital
  certificates or tokens.
• Something they are examples are physical
  characteristics such as fingerprint or retinal
  scan.
• RSA recommends choosing two of the three, which
  is called two factor authentication.

25
Identification

• Identification is the process of issuing and
  verifying access privileges, like being issued a
  drivers license.
• You first show proof of identity to get your
  license. Once you received your license, it
  becomes your proof of identity, but it also
  states your driving privileges.
• Therefore, identification is like being certified
  to be able to do certain things.

26
Data Privacy and Data Integrity

• These mean keeping information from being seen
  (privacy) or changed (integrity).
• Both are especially important when information
  travels through the Internet because it is a
  public space where interception is more possible.
• The most common method of protecting data is
  encryption.

27
Nonrepudiation

• This means that neither party in a sale or
  communication of sensitive information can later
  deny that the transaction or information exchange
  took place.
• Nonrepudiation services can prove that someone
  was the actual sender and the other the receiver
  no imposter was involved on either side.

28
Management Countermeasures

• The 2004 CSI/FBI Computer Crime and Security
  Survey had five key findings that relate to how
  companies are managing security and the security
  management policies they have put in place.
• Most organizations evaluate the return on their
  security expenditures.
• Over 80 percent conduct security audits.
• The percentage of organizations reporting
  cybercrimes to law enforcement declined.
• Most do not outsource cybersecurity.
• Most respondents view security awareness training
  as important.

29
Most Organizations Evaluate the Return on Their
Security Expenditures

• A CSI/FBI survey asked how managers quantify the
  costs and benefits of their security
  expenditures.
• On the subject of budgets, 46 percent of the
  respondents spend between 1 and 5 percent of
  their IT budget on security, 16 percent spend
  less than 1 percent, 12 percent spend more than 5
  percent, and 14 percent did not know how much
  their organization spends on security.
• From the survey, they found out that smaller
  firms spent over four times as much as larger
  firms in security expenditures.

30
Over 80 Percent Conduct Security Audits

• The survey found that 82 percent of the
  respondents conduct security audits.
• However, the report authors were surprised that
  this figure was not higher. Because it is such a
  well-known practice, they wonder why the other 18
  percent are not conducting audits.

31
The Percentage of Organizations Reporting
Cybercrimes to Law Enforcement Declined

• From the survey, it is known that although
  organizations may be willing to estimate
  cybercrime losses, they are not so willing to
  make the incidents public.
• Why not report an incident?
• The survey found that 51 percent do not report a
  cybercrime because the negative publicity would
  hurt their stock price or their corporate image.
• 35 percent did not report because they believe a
  competitor will use that information to its
  advantage.
• Only 20 percent see a civil remedy as the best
  course to take.

32
Most Do Not Outsource Cybersecurity

• A new question asked on the 2004 CSI/FBI survey
  was whether organizations outsource their
  cybersecurity function.
• The survey found that 63 percent do not outsource
  any cybersecurity function and only 7 percent
  outsource more than 20 percent of their
  cybersecurity function.

33
Most Respondents View Security Awareness Training
As Important

• Even though most organizations see training as
  being important, a high percentage of respondents
  believe that their organization is not doing
  enough such training.
• They believe that employees especially need
  training with regards to the organizations
  security policy, network security, access control
  systems, and security management.

34
Techinical Countermeasures

• The trend in computer security is toward
  policy-based management defining security
  policies and then centrally managing and
  enforcing those policies via security management
  products and services.
• Three common techniques used by companies to
  protect themselves are
• - Firewalls
• - Encryption
• - Virtual private networks (VPNs)

35
Firewalls

• Firewalls are hardware or software that controls
  access between networks.
• Firewalls are widely used to separate intranets
  and extranets from the Internet, giving only
  employees or authorized business partners access
  to the network.
• Firewalls perform their job by filtering message
  packets to block illegal traffic, where illegal
  is defined by the security policy or by a proxy
  server, which acts as an intermediary server
  between, say, the Internet and the intranet.

36
Encryption

• To protect against sniffing, messages can be
  encrypted before being sent over the Internet.
  Two classes of encryption methods are in use
  today secret key encryption and the public key
  encryption.
• The most common secret key method is the Data
  Encryption Standard (DES). Using this method,
  sender and receiver use the same key to code and
  decode a message.
• The most common public key encryption method is
  RSA. To send an encrypted message using RSA, two
  keys are necessary a public key and a private
  key. The two keys are used to code and decode
  messages a message coded with one can only be
  decoded with the other.

37
Virtual Private Networks (VPNs)

• A VPN runs over a private IP network, so it is
  more affordable than leased lines, and it is
  secure.
• VPNs use tunneling technology and encryption to
  keep data secure as it is transmitted.
• Tunneling creates a temporary connection between
  a remote computer and the ISPs local data
  center, which blocks access to anyone trying to
  intercept messages sent over that link.
• Encryption scrambles the message before it is
  sent and then decodes it at the receiving end.
  While in transit, the message cannot be read or
  changed hence, it is protected.

38
Planning For Business Continuity

• Business continuity is getting a business back up
  and running when a disaster happens.
• Business continuity is a business issue. IT
  disaster recovery is just one component of it.
• Companies essentially have two options for
  disaster recovery use of internal or external
  resources.

39
Using Internal Resources

• Companies use the following approaches to backing
  up their computer systems, data, and
  communication links with company resources.
• - Multiple data centers
• - Distributed processing
• - Backup telecommunications facilities
• - LANs

40
Multiple Data Centers

• Multiple centers can provide emergency backup for
  critical services.
• For backing up data, companies create protected
  disk storage facilities, sometimes called direct
  access data storage, or DASD farms. These farms
  are regularly refreshed with current operating
  data to speed recovery at an alternate data
  center.

41
Distributed Processing

• Organizations use distributed processing to deal
  with disaster recovery.
• They perform critical processing locally rather
  than at a data center so that operations can
  continue uninterrupted when a disaster hits a
  data center.
• Companies that use this approach standardize
  hardware and applications at remote locations so
  that each local processing site can provide
  backup for the others.

42
Backup Telecommunications Facilities

• Apparently, companies handle telecommunications
  backup in two ways
• 1) by utilizing duplicate communications
  facilities
• 2) by using alternate technologies that they
  
• redeploy in case of an emergency
• Before September 11, few IS organizations had
  disaster recovery plans for computers and
  systems.
• After September 11, business no longer relies
  just on data in data center computers. Most of
  the data is also stored in laptops, departmental
  servers, and e-mail.

43
LANs

• Servers on one LAN can be used to back up servers
  for another networks.
• As with mainframe DASD farms, data servers used
  for such backup need to be refreshed regularly to
  keep their data up-to-date.
• Keeping up-to-date is accomplished by linking the
  networks.
• Network master control programs permit the
  designating of alternative devices when primary
  ones fail.

44
Using External Resources

• In many cases, a cost-versus-risk analysis may
  not justify committing permanent resources to
  contingencies. Therefore, companies use the
  services of a disaster recovery firm. The
  services include
• Integrated disaster recovery services
• Specialized disaster recovery services
• Online and off-line data storage facilities

45
Integrated Disaster Recovery Services

• In North America, major suppliers of disaster
  recovery services offer multiple recovery sites
  interconnected by high-speed telecommunications
  lines. Services at these locations include fully
  operational processing facilities that are
  available on fewer-than-24-hours notice. These
  suppliers often have environmentally suitable
  storage facilities for housing special equipment
  for their clients.

46
Specialized Disaster Recovery Services

• Telecommunications firms offer a type of recovery
  service, through network reconfiguration, where
  network administrators at user sites can reroute
  their circuits around lines with communication
  problems.
• There are also other firms that offer data
  communications backup programs, where they will
  store specific telecommunications equipment for
  customers and deliver that equipment to the
  customers recovery site when needed.

47
Online and Off-Line Data Storage

• Alternate locations for storage of data and other
  records have long been a part of disaster
  planning.
• Services generally consist of fire-resistance
  vaults with suitable temperature and humidity
  controls.
• One method uses computer-to-computer transmission
  of data on a scheduled basis.

48
Conclusion

• The subject of managing computer operations is at
  an all-time high because of the emergence of
  e-commerce, the increasing use of outsourcing,
  news-grabbing computer viruses, attacks on major
  Web sites, and terrorism.
• Outsourcing, security, business continuity all
  are important operational issues.
• As enterprises increasingly rely on computing and
  telecommunications to work closely with others,
  they open themselves up to more threats by
  electronic means.

49
THE END