IT Infrastructure is Key to Growth. Infrastructure nventory.

Transcription

1

2 Introduction. The overall objective of an Information Technology (IT) Assessment is to evaluate whether an enterprise s current IT strategy is tightly coupled to the enterprise plans and challenges. Current and emerging IT technologies should be considered in determining their relevancy to the enterprise s defined goals and business objectives. During an IT Assessment, the high level business operations are examined with its strategies and goals, along with the IT strategy and planning, the currently installed IT infrastructure, and the IT operational processes that are in place to manage and monitor this infrastructure. Also examined are the IT enterprise structure, and the skills and resources assigned to support the entire IT operation and support the needs of the enterprise. A strengths, weaknesses, opportunities and threats (SWOT) analysis associated with the IT enterprise should also be conducted as it provides invaluable information about the effectiveness of IT, and where there is room for improvement. Included in this SWOT analysis should be whether continuous improvement processes are in place to enhance performance levels over time. Below is a chart illustrating how an enterprise needs to use customer requirements as the basis for their offerings, and customer satisfaction as their primary measure of delivering quality end products. IT assessments use this as the fundamental basis in evaluating the effectiveness of IT in providing services to the enterprise. 2

3 IT Infrastructure is Key to Growth. Critical business issues, the competitive marketplace, and the current economy are forcing enterprises to transform themselves. Enterprises need to move towards an environment of improved support for knowledge workers, and a more agile, flexible and responsive IT enterprise to nurture their end goals. A solid, high-performing IT infrastructure can be the key to achieving and facilitating many of the corporate and enterprise goals today. Consideration should always be given to business risks brought on by the use of the IT infrastructure, and the controls and audit framework in place to insure the technology systems have the ability to meet the end user requirements. The challenge is to determine whether an adequate and appropriate set of controls exists for the risks identified. The goal of an IT assessment should be to assure that risk is reduced to an acceptable level such that the goals and objectives of the enterprise can be achieved. Infrastructure nventory. The current infrastructure inventory including servers, storage, and network devices which support the critical business applications and services should be documented and evaluated in terms of their maturity and effectiveness. The competencies within the Information Technology Infrastructure Library (ITIL) processes of Service and Systems Management, Change Management, and Operational and Network Management are examined and analyzed for their quality and effectiveness. Most importantly however, the alignment between the enterprise s business needs and the IT support to help achieve these ends is thoroughly studied to determine whether the IT department is an efficient part of the corporate strategy, and is acting as a facilitator not an inhibitor. The current investment in IT needs to be examined to determine if it positions the enterprise to achieve its strategies, goals, and critical success factors. 3

4 Methodology. A thorough, disciplined and structured consultative methodology must be used in performing IT assessment in order to achieve the desired results. Experienced professionals with extensive backgrounds in IT project planning, IT requirements, and key industry technology trends and directions are also necessary as a backdrop for the information to be gathered. Several facts need to be gathered to provide the findings necessary to draw the proper conclusions, which lead to the required recommendations of an implementable IT plan the enterprise needs to improve their performance, and have the governance necessary to meet today s regulations and compliance required by such laws as Sarbanes-Oxley. The As Is current IT environment is captured, along with the desired target To Be state. This enables a gap analysis to be performed to determine whether the IT department is acting as a full partner within the enterprise. This is essential in order to provide the justification for, and the prioritization of, the recommendations. Industry best practices are considered and incorporated into the analysis to evaluate the maturity of the IT enterprise. Best practices are not always achievable or affordable, which is why the desired state, obtained through interviews with senior management, provides the corporate culture and business strategy necessary to help formulate the proper level of recommendations that are relevant to the enterprise. The question comes down to whether the enterprise is investing in the appropriate information technologies, and how to strike a balance between current IT project funding and the requirement to build a strategic information architecture. Business Strategy. The goal here is to reaffirm the business strategy of the enterprise, and whether there is alignment between the business vision and the technology vision. In other words, is the IT strategy supporting the business strategy? Which IT investments will provide maximum business return, and what is the appropriate priority of these investments? Functional executives and plans, goals and and competitive forces. impact on the business. critical success factor. technical management should be interviewed to review business objectives, critical success factors, targeted business and markets, Emerging technologies should also be discussed that can have an The adequacy of the relationship between IT and the business is a 4

5 Current IT Capabilities. An IT assessment examines the competency of the IT resources and support structure to determine the functional and technical adequacy of the existing infrastructure and systems management. The most critical business applications and services need to be examined, along with their respective Recovery Time Objective (RTO) and Recovery Point Objective (RPO) parameters. The RTO for an application is the goal for how quickly you need to have that application s information back available after an "event" has occurred that stopped the application. The RPO for an application describes the point in time to which data must be restored to successfully resume processing (often thought of as time between last backup and when an event occurred). The RTO and RPO metrics are useful in discussing what technologies, products, processes and procedures are required to meet those objectives, and whether the current business continuity and disaster recovery plan is adequate. Setting objectives should come from looking at the business impact of applications being unavailable, and the business impact of loss of data. Single points of failure in the IT infrastructure should always be avoided, and the analysis should be thorough enough to uncover any instances of these. In order to accomplish this, the complete data path for all critical applications is mapped and followed from the client workstations, to the servers, to data storage through all of the local and wide area networking devices and circuits. Servers, external storage devices and Storage Area Networks are mapped to allow a full understanding of the critical hardware components of the IT infrastructure. Switches, routers, firewalls, and intrusion detection devices are also examined and diagramed to develop a comprehensive understanding of the network connectivity environment. This provides an overview of the enterprise infrastructure in order to evaluate the maturity of the devices, as well as the overall architecture of the IT environment. This basic understanding of the environment is necessary to provide the backdrop for the gap analysis, which will determine the alignment of the IT infrastructure to that of the enterprise s defined business objectives. Risk Management. Risk management can be thought of as the evaluation of what can go wrong to the potential negative outcomes or results of not applying certain control procedures. Controls can be classified as preventive or corrective, and are designed to mitigate risk and allow achievement of three basic principles of risk management: Integrity of information to support the decision-making process Security and protection of the enterprise s information assets (hardware, software and data) Compliance with internal and external procedures and recommendations Management has the ultimate responsibility for ensuring the adequacy of controls. The IT assessment has the mission to evaluate whether the appropriate controls are in place and functioning as designed. Business objectives are a statement of desired accomplishments of the enterprise. Goals are specific targets that are identifiable, measurable, attainable and consistent with objectives. In fact, they should support the objectives. Risks of not achieving the enterprise s goals should be recognized, identified and documented. The system of controls can be thought of as a filtering device that prevents actions or events from leading to enterprise problems. 5

6 Operational Processes. It is not enough to have the latest and greatest IT infrastructure if it is not managed properly. The Information Technology Infrastructure Library (ITIL) is a set of practices for IT service management that focuses on aligning IT services with the needs of business. ITIL describes procedures, tasks and checklists that are not enterprise-specific, used by an enterprise for establishing a minimum level of competency. It allows the enterprise to establish a baseline from which it can plan, implement, and measure. It is used to demonstrate compliance and to measure improvement. The ITIL practices consist of five elements: Service Strategy Service Design Service Transition Service Operation Continual Service Improvement Service Strategy provides guidance on clarification and prioritization of service-provider investments in services. It helps IT enterprises improve and develop over the long term. Service Strategy relies largely upon a market-driven approach. Service Design provides guidance on the design of IT services, processes, and other aspects of the service management effort. Significantly, design within ITIL is understood to encompass all elements relevant to technology service delivery, rather than focusing solely on design of the technology itself. Some of the important aspects of Service Design deal with processes that can directly affect the business such as Service Level Agreements (SLAs) Management, Availability Management, Capacity Management, and Service Continuity Management. Service Transition relates to the delivery of services required by a business into live/operational use, and often encompasses the "project" side of IT rather than BAU (business as usual). This area covers topics such as managing changes to the BAU environment, and includes Transition Planning and Support, Change Management, Configuration Management, and Release and Deployment Management. Service Operation aims to provide best practices for achieving the delivery of agreed levels of services both to end-users and customers. Service Operation is the part of the lifecycle where the services and value is directly delivered. Here the monitoring of problems and balance between service reliability and cost, etc., are considered. The functions include technical, application, and operations management, and encompasses Event Management, Incident Management, Request Fulfillment, Problem Management, and Access Management. Continual Service Improvement aims to align and realign IT services to changing business needs by identifying and implementing improvements to the IT services that support the business processes. The perspective of CSI on improvement is the business perspective of service quality, even though CSI aims to improve process effectiveness, efficiency and cost effectiveness of the IT processes through the whole lifecycle. To manage improvement, CSI should clearly define what should be controlled and measured. A comprehensive IT assessment evaluates an enterprise s compliance with all of these operational ITIL processes. 6

7 Business Continuity Management. Business continuity are activities performed by an enterprise to ensure that critical business functions will be available to customers, suppliers, regulators, and other entities that must have access to those functions. These activities include many of the ITIL processes such as project management, system backups, change control, and help desk. Additionally, business continuity refers to those activities performed daily to maintain service, consistency, and recoverability. The foundation of business continuity are the standards, program development, and supporting policies; guidelines and procedures needed to ensure an enterprise s ability to continue without stoppage irrespective of the adverse circumstances or events. All system design, implementation, support, and maintenance must be based on this foundation in order to have any hope of achieving business continuity, disaster recovery, or in some cases, system support. Business continuity describes a mentality or methodology of conducting day-to-day business. The entire concept of business continuity is based on the identification of all business functions within an enterprise, and then assigning a level of importance to each business function. A Business Impact Analysis (BIA) is the primary tool for gathering this information and assigning criticality, recovery point objectives, and recovery time objectives, and is therefore part of the basic foundation of business continuity. The BIA can be used to identify extent and timescale of the impact on different levels of an enterprise. For instance, it can examine the effect of disruption on operational, functional and strategic activities of an enterprise, along with the effect of disruption on major business changes. The interface between management and information technology is the Service Level Agreement (SLA). This provides a written contract stipulating the expectations of management with regard to the availability of a necessary business function, and the deliverables that information technology provides in support of that business function. 7

8 Disaster Recovery. Disaster recovery is a subset of business continuity, and is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an enterprise after a natural or human-induced disaster. While business continuity involves planning for keeping all aspects of a business functioning in the midst of disruptive events, disaster recovery focuses on the IT or technology systems that supports business functions. Disaster recovery began as a result of computer center managers recognizing the dependence of their enterprises on their computer systems. As systems grew from batch to real-time processing, enterprises became increasingly dependent on their IT systems. Another driving force in the growth of disaster recovery awareness was increasing government regulations mandating business continuity and disaster recovery plans for enterprises in various sectors of the economy. With the rapid growth of the use of the Internet for transacting business, enterprises became further dependent on the continuous availability of their IT systems, with many enterprises setting an objective of 99.99% availability of critical systems. This increasing dependence on IT systems, as well as increased awareness from large-scale disasters such as 9/11, contributed to the awareness for the need for formal disaster recovery planning. As IT systems have become increasingly critical to the operations of an enterprise, and arguably the economy as a whole, the importance of ensuring the continued operation of those systems, or the rapid recovery of the systems, has increased. With the rapid growth of the use of the Internet for transacting business, enterprises became further dependent on the continuous availability of their IT systems. It is estimated that most large companies spend between two and four percent of their IT budget on disaster recovery planning, with the aim of avoiding larger losses in the event that the business cannot continue to function due to loss of IT infrastructure and data. As a result, preparation for continuation or recovery of systems needs to be taken very seriously. 8

9 Disasters can be classified in two broad categories. The first is natural disasters such as floods, hurricanes, tornadoes or earthquakes. While preventing a natural disaster is impossible, measures such as good planning, which includes mitigation measures, can help reduce or avoid losses. The second category is manmade disasters. These include infrastructure failure, hazardous material spills, or bio-terrorism. In these instances surveillance and mitigation planning are invaluable towards avoiding or lessening losses from these events. A disaster recovery professional should refer to an enterprise's business continuity plan which should indicate the key metrics of Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for all of the critical business processes, such as the process to run payroll, generate a customer order, etc. The IT assessment maps these metrics specified for the business processes to the underlying IT systems and infrastructure that support those processes. Once the RTO and RPO metrics have been mapped to the IT infrastructure, the disaster recovery professional can determine the most suitable recovery strategy for each system. An important note here, however, is that the business ultimately sets the IT budget, and therefore the RTO and RPO metrics need to fall within budget parameters. While most department heads would like zero data loss and zero time loss, the costs associated with that level of protection may make the desired high availability solutions impractical. The most common strategies for data protection are: Backups made to tape and sent off-site at regular intervals Backups made to disk on-site and automatically copied to off-site disk, or made directly to off-site disk Replication of data to an off-site location, which overcomes the need to restore the data (only the systems then need to be restored or synchronized). This generally makes use of storage area network (SAN) technology High availability systems which keep both the data and system synchronously replicated off-site, enabling continuous access to systems and data In many cases, an enterprise may elect to use an outsourced disaster recovery provider to provide a stand-by site and systems rather than using their own remote facilities. In addition to preparing for the need to recover systems, enterprises must also implement precautionary measures with the objective of preventing a disaster in the first place. These may include: Local mirrors of systems and/or data and use of disk protection technology such as RAID Surge protectors to minimize the effect of power surges on delicate electronic equipment Uninterruptible power supply (UPS), and/or a backup generator Fire preventions alarms, fire extinguishers, etc. Anti-virus software and other security measures 9

10 Summary. A comprehensive IT assessment examines the business strategies, objectives and goals of an enterprise, all aspects of the IT environment, from the hardware and software infrastructure to the operational processes in place to support the infrastructure, and the business continuity and disaster recovery plans in place to minimize the risk of a natural or manmade disaster impacting the ability of the enterprise to carry on its business. IT assessments can be inexpensive insurance that an enterprise is well-positioned with their IT infrastructure relative to risk management, and can provide a prioritized list of recommendations to address any exposures that may have been uncovered during the analysis of the enterprise. Howard Vipler Senior Information Technology Consultant nfrastructure About the author: Mr. Vipler is currently working for nfrastructure, an IT consulting company in Clifton Park, NY. Howard Vipler is a Senior Information Technology Consultant who holds a BS in Electrical Engineering, and MS in Computer Science. He has worked for IBM Corporation for more than 30 years as a Systems Engineer, International Account Manager, Workflow Consultant and Project Manager, for the Sperry Rand Corp., Raytheon, and was a 2nd Lieutenant in the U.S. Army Signal Corps. About nfrastructure: nfrastructure helps large enterprises design, build and operate mission-critical technology infrastructure. Combining proven methods and tools, world-class engineering talent, on-site technical service in every major North American market and tightly integrated low cost remote support, nfrastructure collaborates with customers to deliver sustainable disruptive value. With industry practices in public sector, financial services, retail, healthcare, technology, communications, public safety and energy, nfrastructure works with leading technology hardware and software vendors to provide comprehensive data center, network, security, unified communications, end-point, structured cabling, staffing and outsourcing solutions. 10