e-mail archiving & management
Several years ago, I arranged for a representative from the New York State Archives to provide training in e-mail and document retention for one of my government clients. The trainer did a fantastic job and here are a couple of takeaways she provided:
- Never use your personal e-mail account for official business.
- Never use your government account for personal communications.
- Never, ever send official, intra or inter-agency business e-mail to anyone’s personal account.
This organization also used an e-mail archiving system and was preserving every single e-mail that went in or out of the organization as required by published retention and disposition schedules for different government entities in the state. In other words, hayseed county and municipal governments all over the country have processes and procedures for preserving official, digital communications whereas the federal government seems to be completely lacking in this area.
Let’s take a look at a few examples of our federal government’s complete lack of information governance.
Avoiding FOIA requests
In 2013, the Associated Press reported on top Obama appointees using secret email accounts. Not only were high level appointees guilty of this, the president also engaged in this behavior. This is apparently occurring to some extent in the Trump Administration, as well. The most well-known case, of course, is Mrs. Clinton’s use of her own e-mail server which was used to send and receive classified information and demonstrated gross negligence – a criminal offense. Conveniently, “someone mistakenly deleted Clinton’s archived mailbox from her server and exported files.”
I spent four years in army intelligence during Ronald Reagan’s second term and my colleagues and I might still be breaking big rocks into smaller ones at Leavenworth had we been involved in these sorts of activities. While the high-profile culprits have all gone unpunished, Jake Tapper reported that “the Obama administration has used the 1917 Espionage Act to go after whistleblowers who leaked to journalists…more than all previous administrations combined.”
Then there is the case of two years of missing e-mails for Lois Lerner. Not only did her hard disk crash and need to be sent for destruction, but her Blackberry was mysteriously wiped clean after “congressional staffers began questioning her.” Coincidentally, five other employees who worked closely with Mrs. Lerner also lost e-mail related to the investigation when their hard disks crashed at around the same time. In addition to all this, Mrs. Lerner was also using a personal e-mail account for official business under the name of her dog.
Are you kidding me? You mean to tell me that the IRS has no archiving system or centrally managed mail server with 7 years of backups through which these tragically lost e-mails could have been restored? Had these shenanigans been exposed at a publicly traded company, we would have seen heads rolling and executives doing the perp walk on national television facing up to 20 years in prison under the Sarbanes-Oxley Act.
Missing text messages
Recently, the “premier law enforcement agency in the world” had to forensically recover five months of missing text messages between investigators in a high-profile investigation. This was the result of a “technical glitch…that affected 10% of the FBI’s employees.” In this particular case, Andrew Napolitano calls for the release of all the raw data to the public; “The government works for us; we should not tolerate its treating us as children.” I completely agree.
Stolen national security documents
Then, there is the case of Sandy Berger, a former National Security Advisor, who stole classified information related to the 9/11 attacks from the National Archives. Don’t worry – he pleaded guilty to a misdemeanor in federal court and was severely punished with 100 hours of community service and a $50,000 fine. A breach of protocol allowed him to remove these documents and there have been a number of other thefts from the National Archives, as well.
In another high-profile case, former CIA Director General Petraeus gave classified information to his mistress/biographer, Paula Broadwell. He pled guilty to a misdemeanor and avoided prison time. In what can only be described as an Inspector Clouseau moment, the CIA boss and Ms. Broadwell were using the draft folder in a shared Gmail account to communicate with each other.
Recent, significant data breaches at federal agencies have included the NSA, IRS, OPM and the USPS.
Information governance by politicians
UK politicians are as clueless as our own when it comes to information security and governance. Apparently, British MPs routinely share login credentials with their staff members.
While the DNC isn’t a government agency, their inexplicable handling of hacked e-mails and the Imran Awan case provides insight into the casual disregard elected officials seem to have for information security and IT management.
In all of the examples I have covered here, the information belongs collectively to us – American citizens. It doesn’t belong to the miscreants who wantonly mismanage it or attempt to hide it from us. These people aren’t our leaders, they are our employees and we have a right to know what they are up to. Radical truthfulness and transparency rather than radical secrecy should be the default stance for our well-paid politicians and government employees.
Governance is a top level function
Good information governance comes from the top, which is why ISO standards call for “top management” to be involved in development of governance policies and procedures for information and IT. When can we expect to see this in the federal government?
This article was first published on CIO.com at https://www.cio.com/article/3252850/government-use-of-it/information-governance-in-the-federal-government.html as part of the IDG Contributor Network.
© Copyright Jeffrey Morgan, 2018
Information security and cybersecurity are huge problem areas in county and municipal governments. In this six-page article on the subject, I cover the information every county and municipal leader should know including a summary of problems, barriers, specific solutions, and resources. The free document is available here. The intended audience is CEO, CAO, CFO, COO, County or city manager, county commissioner, city council member, or other senior management personnel in the public sector. This is a reprint of my two-part article published in CIO.com last year.
Want to talk about information security in your organization? Don’t hesitate to e-mail me to schedule a time to talk. Initial consultations are free.
© Copyright Jeffrey Morgan, 2018
I loathe the term digital transformation (DX). Implicit in the term is that there is something technological about it, something digital; a one-time event you can buy or outsource.
I think we should start calling it management transformation (MX). If your management team is doing its job well, the digital transformation never stops. The success or failure of a digital project is a testament to management performance, and digital transformation is a naturally occurring byproduct of excellence in management.
What is digital transformation?
Technology is a means to accomplish business goals, not an end in itself. Unfortunately, much of the extant information on digital transformation identifies technology as the goal. I think this is the wrong approach.
The best definition of digital transformation I have encountered appears in a 2014 MIT Sloan Management Review article and defines it as “the use of technology to radically improve performance or reach of enterprises.” For the purposes of the discussion that follows, let’s understand that digital transformation is really about improving performance rather than implementing technology.
Take a look at this county technology plan and you’ll find meaningless slogans like, “to be a digital county – ready for today and prepared for tomorrow.” The document is full of buzzwords and comes up short in terms of addressing specific, clearly defined business objectives. Technology is presented as the goal rather than as a vehicle for achieving business objectives. The language always puts technology first, with a vague objective appearing to be an afterthought.
On the other hand, this solid county business plan demonstrates that its management team has a strong understanding of how to achieve business goals and improve performance through the thoughtful application of technology.
Exacerbating the problem are vendors willing to sell their version of DX before explaining that managers must completely reevaluate all their assumptions and processes in order to make a new business solution really deliver value. In organizations where due diligence isn’t a cultural value, the harsh realities of an initiative only see daylight once an iron-clad contract has been signed.
Successful transformation of any kind requires management transformation first. The digital part is easy; the management part is an enormous challenge because managers rarely see themselves as part of the problem. Organizations that pursue technology rather than measurable business objectives are the ones most in need of management transformation.
Some standard scenarios
In one typical scenario, a senior manager wants to replace his or her antiquated enterprise application suite with a new one. In county and municipal agencies, this may mean replacing a 30-year-old midrange system. The business processes on which the current system is based may have roots in the 1950s or earlier and all the business functions rely on indefensible manual processing.
Other scenarios might include just about anything – a 311 system, highly automated zoning and code enforcement, or even something as mundane as reengineering payroll, AR and AP functions.
You sit down at the kickoff meeting and someone, maybe everyone, says, “We want to do everything exactly the same as we do it now; we just want new software.” This isn’t a transformative vision. If your management team shares this attitude, they are overseeing dysfunction and decline rather than leading. Buying a product and expecting performance gains to magically appear is delusional.
The correct way to approach these projects is to identify the business, management, and process problems first, establish goals and objectives, and then start thinking about technological solutions that can meet the business requirements. Technology should come last, not first.
In addition to avoiding change at any cost, many local government agencies overemphasize the role of technology and IT in transformational projects. Digital transformation isn’t a technology initiative; it is a core business initiative and should be managed appropriately with the board and senior management providing leadership, oversight and accountability.
Digital projects can quickly become quagmires, the $2.1 billion ACA website being a perfect example. The UK’s National Health Service EHR disaster dwarfed that with a £12.7 billion loss. These losses are frequently blamed on technology, but tech is rarely the problem. Digital project failures are management failures.
I recall one agency that had over 50 concurrent initiatives and projects underway in a single department and they weren’t doing any of them well. As a result, they were throwing boatloads of cash at the problems rather than stepping back and changing their approach by thoughtfully analyzing their objectives and business processes and pursuing a shared vision.
How to get started with management transformation
The MIT Sloan article quoted above identifies nine elements of DX in three major groups: transforming the customer experience, transforming operational processes, and transforming business models. The ideas presented there might make a good foundation for your transformation, but the authors stop short of telling you how to do it, so I provide the following suggestions for embarking on your own transformational project.
Be brutally honest
Total honesty in management teams is rare, but it’s a requirement to pull off a systemic transformation.
Focus on performance improvement and quality rather than technology
Even the best technology won’t inherently improve performance – that’s the role of management. Figure out how to improve quality and performance. Keep experimenting, brainstorming, and rethinking as you work through the project and don’t compromise until it is absolutely necessary.
Take a holistic view of the entire organization
For your transformational efforts to produce quantifiable results, the management team must share a common vision of what DX will look like in your organization. They need to be able to see the whole picture with all the moving parts in place. The best managers know how to do this, but most managers need to work hard to imagine what a completely transformed operation will look like once the initial transformation cycle is complete.
Understand current and future processes before applying technology
Apply technology only after understanding all your processes, goals and objectives. Your ideal business models and processes should drive technology, not the other way around.
Banish assumptions and sacred cows
In order to be truly transformational, give up all your assumptions about how business gets done and don’t leave changing even a single aspect of your processes and operations off the table.
Are you ready?
Is your management team up to the task? If they are, you probably already have digital transformation happening. If not, start working on your management transformation, first.
© Copyright Jeffrey Morgan, 2018
This article was first published in CIO.com at https://www.cio.com/article/3247305/government/digital-transformation-in-the-public-sector.html
The politics of net neutrality
Mention net neutrality in a conversation and you’ll get an instant, visceral reaction full of political talking points. You can usually take a pretty fair guess about where a person resides in the political universe based on their net neutrality stance.
Why is this so? And why do we allow politicians to control the dialogue? If you listen to politicians and most news outlets, you would think there are only two sides to the issue – the democrat and the republican side, the liberal and the conservative side, the enlightened and the stupid side. All of the reporting is delivered in fact-free soundbites based on specious, counterfactual arguments about what might happen if big daddy doesn’t step in and ensure fairness.
In my view, there is only one side to this issue – the economic side. In a free society, products and services, winners and losers are chosen by the market (consumers). In societies with less freedom, politicians and bureaucrats choose who wins – usually their classmates from Harvard or Yale.
The term Net Neutrality is deceptive and reminds me a little of Ministry of Truth. There is nothing neutral about net neutrality. Regulation doesn’t create freedom; regulation, by definition, creates control. Regulations lead to bakers getting arrested for selling brownies. Regulation leads to monopolies and higher prices for consumers while keeping innovators out of the market because bootstrap startups can’t afford the high price of entry. Regulations generally deny the existence of inviolable economic laws.
Consumers pay dearly for regulation.
A free Internet
Most people on all sides of the net neutrality issue claim they want a free Internet. What do you think about the following statement?
“One of the dangers of the internet is that people can have entirely different realities. They can be cocooned in information that reinforces their current biases.”
“The question has to do with how do we harness this technology in a way that allows a multiplicity of voices, allows a diversity of views, but doesn’t lead to a Balkanization of society and allows ways of finding common ground.”
So, the Internet is dangerous, and it has to be harnessed — by politicians — because it reinforces our biases. Hmm. Can you guess who made the statement quoted above? This doesn’t sound like a free Internet to me; it sounds like one that is tightly controlled by the government.
I suspect that most of the people who claim they want a free Internet are sincere but delusional in the belief that government will provide such freedom. The thought process probably works something like this:
My people are in the White House now, and they know what they’re doing. I trust them to do the right thing.
At best, this is naïve and Pollyannaish. What happens when your people aren’t in office anymore? I am a libertarian and my people are never in office. I don’t want your people deciding what my Internet should look like. Let’s keep the government out of it and let consumers and the market decide.
In the twenty years from 1995 through 2015, world Internet use grew from 16 million users to 3.8 billion. In the United States, between 2000 and 2016 the number of Internet users grew from 121.87 million to 283.7 million. That growth all happened without regulation under Title II of the Communications Act of 1934.
This coming year is my 30th anniversary on the Internet. The net has come a long way since I first hopped on in 1988. Back then, it all happened through university mainframe accounts, CompuServe, and GEnie with modems as slow as 2400 baud using telnet sessions. It was still working just fine in 2015 when the FCC decided to reclassify it. The Internet will continue to work just fine without such classification and it will continue to be driven by innovation as long as we can keep sleazy politicians and busy body bureaucrats from transforming it for their own nefarious ends.
Following are some suggestions for further reading on the subject.
- Net neutrality strengthens monopolies, invites corruption. Ryan McMaken, 7/17/2017, Mises Institute.
- The FCC needs to abolish a lot more than net neutrality. Sam Estep, 12/19/2017, Mises Institute.
- Net neutrality and the problem with “Experts.” Ryan McMaken, 12/11/2017, Mises Institute.
- Does net neutrality spur Internet innovation? Roslyn Layton, 8/23/2017, American Enterprise Institute.
- Net neutrality will be reincarnated as platform regulation. Roslyn Layton, 12/20/2017, American Enterprise Institute.
- Net neutrality 2.0: perspectives on FCC regulation of Internet service providers. Stuart N. Brotman, 5/16/2017, Brookings Institution.
- AT&T’s monopoly offers a cautionary tale for net neutrality. Robert Tracinski, 11/29/2017, The Federalist.
- Understanding net neutrality. Peter Van Doren and Thomas A. Firey, 12/14/2017, Cato Institute.
- No, scrapping net neutrality laws won’t kill the Internet. Ryan Bourne. 12/19/2017, Cato Institute.
© Copyright Jeffrey Morgan, 2018
This article was first published on CIO.com at https://www.cio.com/article/3245390/net-neutrality/keep-your-dirty-stinkin-hands-off-my-internet.html
J.S. Bach’s sublime “Fugue in C-sharp-minor,” from Book One of Das Wohltemperierte Klavier (BWV 849) was published in 1722. It has five voices and three subjects, so it is a triple fugue. Let’s take a look at what Bach and his excellent work can teach us about building a rock-solid information security program.
1. Keep it simple
The slow and stately four-note subject is simple but pregnant with possibility. Through each iteration and each addition of a new component, the piece becomes a lovely, dense mesh of darkness and light. Ultimately, the thrilling climax can send emotional waves through your body leaving you weeping, emotionally drained and forever changed. Each element is simple in itself, but when combined, an extraordinarily complex web of sound is created.
If your perimeter firewall has 5000 rules, you’re probably doing something wrong, especially if you are a relatively small organization. Likewise, if your policy documents are incomprehensible to the average end user, there is a problem. The IT staff at one organization I was assessing claimed their policy was secret, and when I finally got hold of it, it turned out it wasn’t a policy at all – it was simply a copy of a federal agency’s policy framework written in govspeak. There was nothing there that would communicate performance and behavioral expectations to management, end users or the IT staff.
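A bloated rule set usually hides rules that can never fire. The following is an added example, not code from the original article or from any firewall vendor: it audits an ordered, first-match rule set and reports rules that are fully covered by an earlier rule, either redundantly (same action) or shadowed (opposite action, so the later rule is dead and may not do what its author believed). The rule format, field names and the five sample rules are all assumptions made for this example.

```python
"""Audit an ordered firewall rule set for rules that can never match.

Added example, not from the original article. The rule format below is a
made-up, vendor-neutral one (action, protocol, source CIDR, destination
CIDR, inclusive destination port range). First-match semantics are
assumed: a packet is handled by the first rule whose fields all match.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # CIDR, e.g. "10.0.0.0/8"; "0.0.0.0/0" for any IPv4 source
    dst: str
    ports: tuple  # (low, high) inclusive; (0, 65535) for any port


def _within(inner_cidr: str, outer_cidr: str) -> bool:
    """True if the inner network is entirely inside the outer one."""
    inner = ipaddress.ip_network(inner_cidr, strict=False)
    outer = ipaddress.ip_network(outer_cidr, strict=False)
    if inner.version != outer.version:   # IPv4 vs IPv6 never overlap
        return False
    return inner.subnet_of(outer)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if not _within(inner.src, outer.src) or not _within(inner.dst, outer.dst):
        return False
    return outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]


def audit(rules):
    """Return (rule, earlier_rule, kind) for each rule that cannot match.

    kind is "redundant" when the covering rule has the same action and
    "shadowed" when it has the opposite action. Only the first covering
    rule is reported for each finding.
    """
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, earlier.name, kind))
                break
    return findings


# Constructed sample rule set (assumed, not from any real firewall).
SAMPLE_RULES = [
    Rule("web-from-corp", "allow", "tcp", "10.0.0.0/8", "192.168.1.10/32", (443, 443)),
    Rule("block-dmz", "deny", "any", "0.0.0.0/0", "192.168.1.0/24", (0, 65535)),
    Rule("web-from-branch", "allow", "tcp", "10.1.0.0/16", "192.168.1.10/32", (443, 443)),
    Rule("ssh-to-dmz", "allow", "tcp", "10.0.0.0/8", "192.168.1.20/32", (22, 22)),
    Rule("dns", "allow", "udp", "10.0.0.0/8", "172.16.0.5/32", (53, 53)),
]

if __name__ == "__main__":
    for name, by, kind in audit(SAMPLE_RULES):
        print(f"{name}: {kind} (covered by {by})")
```

Run against the sample set it reports `web-from-branch` as redundant with `web-from-corp` and `ssh-to-dmz` as shadowed by the blanket `block-dmz` deny; the second finding is the dangerous kind, because someone believes SSH into the DMZ is permitted when it is not. The check is deliberately conservative: it only detects a rule hidden by a single earlier rule, not one hidden by the union of several, so a clean report does not prove the rule set is minimal.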
Printed music, a score, is simply a set of instructions for a performer. It’s not music until a performer brings it to life. Bach’s scores provide the minimal amount of information required to do just that and they leave a great deal of the interpretation to the performer (assuming good taste and common sense, of course).
Your information security plans and documents are similar; they’re just documents until you bring them to life and put them into practice. In many enterprises, these documents exist only on a shelf and are never used. Dust off those documents if you have them and make sure they have been implemented, followed and enforced. If you don’t have the documents, you had better get to work. Follow Bach’s lead and keep it all as simple as possible. Don’t count on common sense, though.
Bach chose a five-layer framework for this fugue. How many layers does your security program have? Comprehensive policy, procedures, guidelines, technical controls, administrative controls, physical controls, awareness and training are all part of the mix.
The common mistake I have seen in audits is that organizations often depend on only one layer – technical controls. Many security programs, probably in the majority of enterprises, consist of a firewall and some antivirus software but policy, procedure, guidelines and training are often non-existent. If you depend on technical controls alone, your score is 80-90% incomplete.
Musicians learn resilience, often the hard way, as soon as they begin doing recitals. The only way to be prepared for anything is to over-practice and over-rehearse so that no matter what happens, your fingers keep going even if your brain shuts down. You have a great amount of time to prepare, but only one chance to get it right when it actually counts.
Practicing and planning for the inevitable information disaster is the only way to survive it. If you’ve done this well, you can keep performing without anyone but an expert noticing the glitch. If you do it badly, the show is interrupted and you may never get a second chance.
4. Continuous improvement
A good music teacher shows you how to practice using mindfulness rather than rote repetition. Each iteration should be made better than the last by analyzing every aspect of what you’re doing. Walter Gieseking wrote about this sort of approach in his book and he might be considered music’s version of W. Edwards Deming.
What sort of program for continuous improvement do you have in place? It doesn’t happen by itself unless you had a great teacher, coach or mentor. Great performers analyze every aspect of every performance and do a root cause analysis so they don’t make the same mistakes again. Well run organizations and great managers do the same, but the majority keeps making the same mistakes over and over again. Public humiliation in front of colleagues and coworkers doesn’t often seem to be a motivating factor in the business world, but it definitely is in the world of musical performance.
Listen to the voice of your network and your end users and pay attention to logs and metrics. Too many IT directors are tone deaf to the voices of their customers and I have seen many organizations that pay no attention to security logs and metrics at all. They can’t distinguish between the sound of a perfectly tuned network and an out-of-tune one. Don’t be that patronizing, know-it-all ass of a CIO – listen to everything and everyone.
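Listening to the logs does not require a SIEM to get started. The following is an added example, not code from the original article: it parses constructed sshd-style authentication lines, keeps a sliding window of failures per source address, raises an alert when a source exceeds a threshold inside that window, and computes one simple metric (the overall failure rate) that is worth trending over time. The log lines, the 5-failures-in-60-seconds threshold and the regular expression are all assumptions made for this example.

```python
"""Flag password-guessing and report a failure-rate metric from auth logs.

Added example, not from the original article. The log lines are
constructed in a generic sshd-like syslog style; the window and
threshold are assumed values, not anything the article prescribes.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample log (assumed format, not captured from a real host).
SAMPLE_LOG = """\
2018-01-10T08:00:01 bastion sshd[1201]: Accepted password for alice from 10.0.0.5 port 50001 ssh2
2018-01-10T08:00:05 bastion sshd[1202]: Failed password for root from 203.0.113.9 port 40010 ssh2
2018-01-10T08:00:07 bastion sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 40011 ssh2
2018-01-10T08:00:09 bastion sshd[1204]: Failed password for root from 203.0.113.9 port 40012 ssh2
2018-01-10T08:00:11 bastion sshd[1205]: Failed password for invalid user test from 203.0.113.9 port 40013 ssh2
2018-01-10T08:00:13 bastion sshd[1206]: Failed password for root from 203.0.113.9 port 40014 ssh2
2018-01-10T08:01:30 bastion sshd[1207]: Failed password for bob from 10.0.0.7 port 50002 ssh2
2018-01-10T08:07:00 bastion sshd[1208]: Failed password for bob from 10.0.0.7 port 50003 ssh2
2018-01-10T08:07:02 bastion sshd[1209]: Accepted password for bob from 10.0.0.7 port 50004 ssh2
"""


def parse(log_text):
    """Yield (timestamp, result, user, ip) for each line the pattern matches."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return {ip: (failures, first_ts, last_ts)} for sources that reach
    `threshold` failed logins inside any `window_s`-second sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    alerts = {}
    for ts, result, _user, ip in parse(log_text):
        if result != "Failed":
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()             # drop failures that aged out of the window
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (len(q), q[0], q[-1])
    return alerts


def failure_rate(log_text):
    """Metric: fraction of password attempts that failed (0.0 if no attempts)."""
    total = failed = 0
    for _ts, result, _user, _ip in parse(log_text):
        total += 1
        failed += result == "Failed"
    return failed / total if total else 0.0


if __name__ == "__main__":
    for ip, (n, first, last) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} failures between {first.time()} and {last.time()}")
    print(f"failure rate: {failure_rate(SAMPLE_LOG):.2f}")
```

On the sample, 203.0.113.9 is flagged after its fifth failure in eight seconds, while bob’s two mistyped passwords five minutes apart are not, which is the distinction a raw count per day cannot make. The failure-rate number is only meaningful against a baseline; the point of the metric is to notice when it moves.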
If you are unfamiliar with Bach’s C-sharp-minor masterwork, you can listen to Hélène Grimaud’s performance, in which the fugue begins at about 3:15. For a different approach, Sir András Schiff’s version begins at about 2:40. There is no accounting for taste and everyone has their favorite.
If you are fascinated by the music and want to learn more, my favorite recording of the entire set is Angela Hewitt’s, which is part of my car mix for long trips. If you are new to Bach, it can be a life-changing experience.
If you want to improve your information security program, there are numerous resources from which to choose. ISO/IEC 27000, NIST, and COBIT 5 for Information Security all provide great starting points. Which is your favorite?
© Copyright Jeffrey Morgan, 2017
This article was first published on CIO.com at https://www.cio.com/article/3240972/data-protection/5-things-js-bach-can-teach-you-about-information-security.html
In the Meditations, Marcus Aurelius advised his readers to stay away from public schools, which proves that the writings of dead white guys are still relevant today.
I was fortunate that my parents heeded this advice. My sisters and I never set foot in a public school, except for three unbearably long days in Pompano Beach in 1970. Once you’ve gotten a taste for the private sector version of a thing, the government version will never be tolerable — even if you are only nine years old. No matter how often we moved up and down the east coast during our upbringing, my parents always found decent private schools in which to enroll us.
What those schools all had in common was some sort of Christian affiliation, whether Quaker, Episcopalian, Presbyterian or Methodist, and even one Baptist school briefly. There was never an expectation that one become a Christian, but there was always an assumption that students would attend the required religious services and respect the foundational Judeo-Christian values. That doesn’t seem like a lot to ask, and plenty of Jewish students as well as the occasional Hindu and Muslim attended as well.
My most vivid memories of those days are of the annual Christmas Pageants. In Christian private schools, those reenactments of the birth of Christ, as told by Luke, take the form of a dramatic oratorio. They were lavish productions that included beautiful costumes, readings from the bible and the singing of hymns and carols. We rehearsed for weeks and everyone participated.
On the night of the pageant, just before Christmas break, the auditorium was full of parents, grandparents, and other relatives dressed in their most respectable attire. There were no cell phones to interrupt, no fights, and no protesters shouting down the performance. There were no victims. Regardless of their race or faith, no one declined to participate because the parents and students all saw the value that a private education with a Judeo-Christian foundation could provide.
Every family valued knowledge, learning, and education. Every family valued work and aspired to a middle class lifestyle, or maybe just a little better. Every parent wanted their children to be better than themselves, and not just financially; they wanted their children to be better people. At that time, and in that society, no one was interested in emulating crude, low-class behavior and such conduct would certainly have been shunned.
As the lights dimmed, and a palpable hush fell over the audience, a spotlight shone on the actors as the narrator read from the bible. Even the babies were quiet. Narration was followed by interludes in which the choir sang ancient European tunes. Singing those hymns, I could feel the connection to my ancient ancestors celebrating the birth of Christ by candlelight, without computers, electricity, plumbing or heat. Those ancient people, Celts in my case, celebrated the joy of life and God, though even the wealthiest of them had nothing by our current standards.
Forty-five years later, I can still recall the visceral reaction — the lump in my throat and the tears welling up as the pageant proceeded — with all of us sixth graders in precious costumes reenacting a 2,000-year-old event.
The story, so beautifully translated in the King James Version, still creates an upwelling of emotion in me and I am not a Christian. My best teachers and professors, mostly Catholic and Jewish intellectuals, always correctly identified me as a pagan (the small-p kind). Although my sisters both adopted Catholicism later in life, I never have. Lack of faith doesn’t diminish the simple beauty of Luke’s Nativity story a bit.
Do they still do Christmas pageants anymore? I don’t know. My children are grown. My baby girl is 25, a soldier, and a jumpmaster in the army. All of my children attended Catholic schools because they were the only private schools available in the rural area in which I raised them. I had to make sure they received an education that would teach them about western civilization and Judeo-Christian values. It was worth every penny.
I feel a little sad for people who will never experience their own connections to their ancestral heritage, western civilization, the world, and the universe because they received a purely secular education. Public education purposely omits such a huge portion of western culture from the curriculum that I fear the recipients can never learn what they need to become truly civilized human beings. While many may get this through church, synagogue or in some other extracurricular venue, a significant part of the population is missing out completely. Without the knowledge that there is something greater, without the understanding that universal truths do exist, how can you ever see life as being anything other than nasty, brutish, and short?
Lacking the sacred point of view, authoritarian rule becomes a necessity and the means to all ends are always justified. Maybe this makes the twentieth century democide of as many as 260,000,000 humans easier to understand. I suspect that secular education is also responsible for the SJW worldview that sees a mostly full glass as completely empty. The angst, anger, vitriol, and downright hate voiced by so many in our society can only be explained as a lack of education and perspective.
The current, rampant rejection and denial of Judeo-Christian culture, especially in universities is also a mystery to me. Across the planet, and especially in the west, we enjoy the highest standard of living ever known. I don’t understand how an educated person can refute the connection between millennia of intellectual achievement and our current prosperity.
From the Old Testament to the New, from Aristotle to Aquinas and Locke, from Josquin and Palestrina to Bach, from Breughel to Leonardo, Michelangelo, and beyond, this collective knowledge is what has led us to our current understanding of humanity. The shared achievements of western civilization, and particularly of Christianity, have led us to embrace human rights and improve the living conditions of billions of humans. Ultimately, it is what got us to the moon and gave us the iPhone. Is this even debatable?
For better or for worse, Judeo-Christian culture is how we got here – and it seems better to me. The values, ethics, and morals that have been passed on for the last few thousand years have built the incredible standard of living we have today across the globe. Only a few decades ago, this was universally acknowledged, but we seem to have entered a new, dark age where knowledge, culture, and history have been eschewed.
The darkness of totalitarian rule always seems as if it could be upon us at the next turn and the disturbing penchant of millennials for socialism and communism frightens me. To me, the only explanation for this seemingly invincible ignorance is that it is the inevitable result of a poor education, especially in morals, ethics and values.
I don’t have a solution, but a reboot of our education system that includes a return to teaching Judeo-Christian ideas might be a good start.
© Copyright Jeffrey Morgan, 2017
Consolidating government IT services
If you read my post, Municipal shared services agreements for information technology, you know that I am skeptical about consolidation of multiple county and municipal IT operations. Because they are separate, independent business operations, the potential for unintended consequences, political meddling and perverse incentives is enormous. Another core problem is that very few counties or municipalities operate IT shops using widely accepted standards and frameworks for ITSM (Information Technology Service Management).
State governments, however, more closely resemble large corporate enterprises and there is a strong business case for the consolidation of IT services in such organizations. Elimination of redundant services, lower costs, and a smaller head count are essential goals, but consolidation can also provide uniform governance as well as enhanced quality and customer service if managed correctly.
During Ed Toner’s first week as CIO for the state of Nebraska in June of 2015, he found silos, duplication of tools and services, competition between IT groups and a culture that desperately needed change. A dearth of documentation and metrics presented significant challenges, but his education at Texas A&M in process improvement, ITIL and Six Sigma provided him with the tools to take on this type of task. Moreover, his previous ITSM experience with TD Ameritrade and First Data Corporation gave him the practical experience required for the job.
Ed reports directly to Governor Pete Ricketts and he began his consolidation of the state’s IT services in March of 2016. Six months of analysis led him to the conclusion that a classic ITIL (IT Infrastructure Library) model was the best approach to lowering the cost of state-level IT services. Ed has taken what he describes as a soft-sell, carrot-without-a-stick approach to the project.
During my research, I discovered that Ed and I have a single, irreconcilable philosophical difference, but I will discuss that at the end. First, let’s take a look at how Ed implemented some essential ITIL components.
The project was rolled out in three phases in the following order:
- IT Infrastructure (Network)
- Server Admins
- Desktop support
In the first phase, the Nebraska OCIO (Office of the CIO) brought everyone into a single domain and in the second phase they migrated 6000 square feet of remote data closets into the data center. Phase three is in progress and will be completed within a few weeks, so Ed has achieved remarkable results in only 16 months.
Enterprise applications were also included in the consolidation. OCIO manages the infrastructure and largely leaves the application functions up to the Line of Business (LoB) to manage. This is an admirable model because it doesn’t put IT in the line of fire for determining and managing LoB application features and functionality.
The service catalog (SC)
Since Ed and his team entered into the project with neither documentation nor metrics, they opted to grow the service catalog organically from incoming calls.
The service level agreement (SLA)
When Ed started, no one could tell him how many IRs (incident records) and SRs (service requests) were coming in, but that has been completely turned around. “In terms of the user community, I think for the first time, they’re seeing that we’re being accountable. We’re posting metrics and we just started sending out surveys.” Ed’s team also publishes statistics on availability, and their goal is 99.9 to 99.99 percent.
Ed and his team meet weekly to analyze stats and their internal SLA is to satisfy 80% of IRs within 24 hours. They routinely meet that objective and report the data to the governor on a monthly basis. Their goal for SRs is to complete them within 24 hours 65% of the time.
As they mature, they are working on categorizing and prioritizing different classes of IRs to provide an SLA with resolution of specific IRs within 4 hours or less.
“We are seeing a huge uptick in changes, which means to me that we’re not making more changes in the state, we’re seeing more and more compliance every month.”
In terms of adoption of change management, Ed related, “I can tell you from my vantage point that the state of Nebraska adopted it much more easily than in my past in private industry. If something happens that causes some type of outage, even momentarily, we’re going to come in with problem management. The problem management template we created clearly asks, was this caused by a change? Did you validate? How did you validate? We have built in those fail-safe checkpoints that will indicate if a group has done a change that wasn’t sanctioned.”
Problem management and Root Cause Analysis
Every PR (problem record) is reviewed by the OCIO. “We have a defined process for escalating issues. Those go into PR and no one wants to have a PR against their group. A problem record means we’re going to have a root cause analysis and we’re going to find out they made a change that didn’t go through change management. Problem management has helped to enforce change management because they know there’s another level of irritation from my office if the change didn’t go through change management.”
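As an added illustration (not code from the article or from the Nebraska OCIO), here is a Python sketch of the two checks described in the SLA and problem management sections: monthly attainment against the targets quoted (80% of IRs and 65% of SRs closed within 24 hours, availability of at least 99.9%), and the problem-management question of whether an incident traces back to a change that never went through change management. All ticket and change records below are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real OCIO data): incident records (IR) and
# service requests (SR) with open/resolve times, plus the change id that the
# post-incident review blamed (None when no change was involved).
TICKETS = [
    ("IR-1", "IR", "2017-06-01 08:00", "2017-06-01 12:30", None),
    ("IR-2", "IR", "2017-06-02 09:15", "2017-06-04 09:00", "CHG-7"),
    ("IR-3", "IR", "2017-06-03 14:00", "2017-06-03 20:00", None),
    ("IR-4", "IR", "2017-06-05 10:00", "2017-06-05 11:00", "CHG-9"),
    ("IR-5", "IR", "2017-06-06 10:00", "2017-06-06 15:00", None),
    ("SR-1", "SR", "2017-06-01 08:00", "2017-06-03 08:00", None),
    ("SR-2", "SR", "2017-06-02 08:00", "2017-06-02 16:00", None),
    ("SR-3", "SR", "2017-06-04 08:00", "2017-06-04 18:00", None),
]
# Constructed change records; "approved" means it went through change management.
CHANGES = {"CHG-7": {"approved": True}, "CHG-9": {"approved": False}}
OUTAGE_MINUTES = 30            # constructed unplanned downtime for the month
MINUTES_IN_JUNE = 30 * 24 * 60

# Targets quoted in the article: 80% of IRs and 65% of SRs within 24 hours,
# availability between 99.9 and 99.99 percent (the floor is what we enforce).
TARGETS = {"IR": 0.80, "SR": 0.65}
AVAILABILITY_FLOOR = 0.999
WINDOW = timedelta(hours=24)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def within_window_rate(tickets, kind):
    """Fraction of tickets of one kind resolved within 24h of being opened."""
    rows = [t for t in tickets if t[1] == kind]
    if not rows:
        return 0.0
    met = sum(1 for t in rows if _parse(t[3]) - _parse(t[2]) <= WINDOW)
    return met / len(rows)


def availability(outage_minutes, total_minutes):
    return 1 - outage_minutes / total_minutes


def sla_report(tickets, outage_minutes, total_minutes):
    """Monthly SLA attainment per target, the kind of table posted to users
    and reported upward each month."""
    report = {}
    for kind, target in TARGETS.items():
        rate = within_window_rate(tickets, kind)
        report[kind] = {"rate": round(rate, 3), "target": target, "met": rate >= target}
    avail = availability(outage_minutes, total_minutes)
    report["availability"] = {"rate": round(avail, 5), "met": avail >= AVAILABILITY_FLOOR}
    return report


def unsanctioned_changes(tickets, changes):
    """Problem-management check: changes blamed for an incident that have no
    approved change record. A change id unknown to the change tool is treated
    as unsanctioned, since it never went through change management either."""
    return sorted({t[4] for t in tickets
                   if t[4] and not changes.get(t[4], {}).get("approved")})


if __name__ == "__main__":
    print(sla_report(TICKETS, OUTAGE_MINUTES, MINUTES_IN_JUNE))
    print("unsanctioned changes:", unsanctioned_changes(TICKETS, CHANGES))
```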
The Nebraska CIO’s office has been able to realize annual savings in excess of $2.8 million on payroll and contracts by eliminating all contractors in infrastructure and desktop support as well as by eliminating staff positions by attrition. “I have no IT infrastructure contractors at the state . . . No contractors doing server admin or desktop support.”
Server consolidation has helped realize $3.2 million annually in hardware savings. For instance, in one division they reduced 90 servers to four virtual servers and have eliminated over 70 physical servers in DHHS so far.
The state initially had three ITSM tools with multiple contracts for those tools, so Ed deployed an unused tool which they were already paying for in their application bundle and eliminated the redundant contracts.
The last word
Nebraska has done all the right things when it comes to building a solid IT service management program. Critical components include executive support and oversight from the CEO, a solid ITSM framework, transparency, and a CIO who is committed to the delivery of exceptional service and quality. Extraordinary managers all have one thing in common – they know that improving quality using rigorous processes reduces costs. How is your state doing?
I told you earlier that Ed and I have one irreconcilable difference of opinion, but it’s a whopper! Ed is an Aggie and I am a Longhorn. Hook ‘em horns, Ed.
© Copyright Jeffrey Morgan, 2017
Security Policy Checkup Service
For county and municipal government.
Is your security policy up to current standards? Here’s how we can help for a low fixed rate:
This fixed-fee service is designed for counties and municipalities and includes:
- Initial web workshop with management and key stakeholders.
- Completion of a survey to identify your organization’s procedures, practices and specific security requirements.
- Review of your security policy and acceptable use policy against best practices and your organization’s requirements.
- Web workshop to discuss results.
- Written report with specific recommendations for improving your policies.
How to get started
- e-mail us for a quote/SOW.
- We’ll send you a Statement of Work with an NDA (non-disclosure agreement). Sign it and return it with a purchase order.
- We will promptly schedule a web workshop to gather information.
- We will discuss your concerns and complete a brief survey in order to understand your organization’s requirements.
Who should be involved?
We can perform this study for an authorized executive. However, we believe that working with a cross-functional workgroup consisting of Legal, HR, IT and executive management, and possibly other departments will help build a foundation for a more solid information security program in the long term.
Don’t have a security policy?
We can help. e-mail us to schedule a time to discuss the development of a custom security policy tailored to fit your organization.
Read more about this service at: http://www.e-volvellc.com/security-policy-checkup/
© Copyright Jeffrey Morgan, 2016
Next week, I am scheduled for a semi-annual risk assessment with my dentist. He performs a very specific, highly focused type of risk assessment that is totally worth the $125 it will cost. In addition to performing specialized maintenance (hypersonic cleaning), he will provide a threat assessment (for oral cancer, cavities, periodontal disease and other anomalies). I’ll leave his office confident that my mouth is in a low-risk situation for the next six months as long as I continue to follow best practices and perform daily maintenance procedures. I am only vulnerable to these threats if I fail to follow a daily program of brushing and flossing.
I could always choose to save the small fee for these risk assessments and wait for a major dental disaster to occur. The problem with this approach is that a single incident may cost thousands of dollars if I need a root canal or some other type of procedure. Ten years of checkups are less costly than even a single disaster.
Enterprise IT risk assessments
Unfortunately, in the world of local government and SMBs, the most common approach to risk management is to allow a major catastrophe to occur before realizing the value of an enterprise risk management program.
I am at a loss to explain it. Incidents or problems involving your information and IT infrastructure are far more costly than risk management programs. Data loss, breaches, major downtime, malware, lawsuits and fines for compliance violations may cost hundreds of thousands or millions of dollars. They can permanently shut down your small business or really irritate your board of directors in a corporate environment. In the public sector, constituents pay for major screw-ups through increased taxes while the events are often covered up and the culprits skirt the blame and keep their jobs.
When was your organization’s last risk assessment? Can you put your hands on the report? If you haven’t had a risk assessment recently, it’s a safe bet that your policies are sorely lacking. Defining an organizational policy for risk assessment is an essential component of any comprehensive suite of security policies. Both HIPAA and GLBA require periodic risk assessments, but it is a sound practice for all types and sizes of organizations.
Where to start?
If you haven’t previously conducted an enterprise IT risk assessment you should carefully consider your starting point. For example, if you have few or no security policies, it may be wise to form an IG (information governance) committee and begin by developing a comprehensive set of policies, procedures, standards and guidelines. On the other hand, your management team may benefit from the kind of wake-up call that a devastatingly thorough risk assessment can produce. A 100-page report that says you suck at security and risk management on every page may be just what you need to get everyone’s attention.
The results of a risk assessment should be used to reduce your organization’s risk exposure, improve CIA (confidentiality, integrity and availability), initiate positive change, and begin building a security culture. While using risk assessments as a punitive device isn’t the best approach, such reports often expose malfeasance and incompetence of proportions so vast that appropriate consequences are in order. In other words, if you have been paying a CIO $200,000 and the assessment uncovers gaping policy, security and privacy holes, you should certainly replace the CIO with one who has the required skill set.
Scope the project carefully
Risk assessments come in a lot of flavors and the specific purpose and scope must be worked out with the auditors in advance. A few years ago, a client of mine released an RFP for a risk assessment after we worked extensively on the development of their information security policies. The proposals ranged from $15,000 to well over $150,000. This can happen even with a pretty clear scope. Big 4 firms, for instance, have hourly rates that may be several times what a local, independent practitioner may charge. NIST SP 800-30 provides valuable information on how to perform risk assessments, including some information on scoping.
Risk assessments may be qualitative or quantitative. You may be able to do some of the quantitative work in-house by gathering cost data for all your assets in advance of the assessment. Regardless of the scope and approach, the auditors will ask to see lots of documentation.
One positive outcome of a risk assessment is that it may force your management team to rethink EVERYTHING – in-house application development, infrastructure support, IT staffing & responsibilities, LOB (line of business) staffing & responsibilities, budgets, and just about everything else related to the manner in which your organization is run.
Risk assessments are way cheaper than disasters, so go schedule your checkup.
© Copyright Jeffrey Morgan, 2017
In New York State, Governor Andrew Cuomo’s Countywide Shared Services Initiative “requires counties to assemble local governments to find efficiencies for real, recurring taxpayer savings… by coordinating and eliminating duplicative services and propose coordinated services to enhance purchasing power.”[i] New York is currently offering substantial financial incentives to municipal organizations that “create savings.”
According to a 2013 study[ii], about 8 percent of municipalities participate in IT shared services programs. Considering the financial incentives, I suspect that the percentage has increased significantly since that time.
In theory, shared services agreements among municipal entities appear to be a great deal for everyone involved, and especially for taxpayers. In reality? I am not only skeptical; I have seen the negative consequences of such agreements in the form of low-quality IT services that cost far more than similar services delivered by commercial vendors.
One possible scenario
A common scenario for shared IT services might take the form in which a county IT department becomes a service provider for cities, towns and villages in its jurisdiction. This may include email, infrastructure services, help desk services, software, printing of tax bills, break/fix services, hardware procurement and much more.
In this type of scenario, the county’s management may view such a deal as an opportunity to turn their IT operation from a cost center to a profit center. However, the differences in performance and productivity between the private and public sectors can be stark. Running a successful commercial IT services business is a tough, highly competitive undertaking that requires excellent management skills and continuous improvement.
For many municipal managers and elected officials, the one-time financial incentive may blind them to the necessity of examining the long-term consequences of such an arrangement. In other words, they will want to build the airplane in the air and the basis for the deal may be something that is not much more than a handshake deal, devoid of reality and details.
Get it right!
It is possible for a municipal shared services agreement to be successful, but success won’t be accidental. If you are involved in negotiating such an agreement, I provide the following suggestions to ensure that you make the best deal possible.
Use rigorous procurement methodology
A shared services agreement should be treated exactly the same as a deal with a commercial vendor. A few examples of documentation required for the evaluation should include the following:
- Service level requirements. This is a document that precisely defines your requirements. Before entering into any service agreements with outside agencies, your organization should thoroughly understand and document your business needs, goals and objectives.
- Service level agreement. This agreement is an essential part of any professional services contract. It defines requirements, responsibilities and accountability and includes financial penalties if the provider fails to meet agreed-upon service level targets.
- Catalog of services. What is the universe of services offered by your service provider? How much does each service cost, and when are such services available? How do you obtain services not covered in the agreement?
- PSA (professional services automation) system. An automated, auditable system for tracking incidents is a requirement for managed service providers. The system should be configured to send alerts to management and executives when the provider fails to meet agreed-upon service levels. Daily or weekly status reports should be available to the customer.
The agreement framework
Will this be a simple agreement using an MOU (memorandum of understanding) or some sort of BPA (business partnership agreement)? Regardless of the format recommended by your attorney, a clear exit path must be part of the agreement in case the relationship doesn’t work out. Agreements with commercial vendors always spell out how the relationship may be dissolved, but I have seen municipal shared services agreements that have no such escape clauses for the “customer.” Make sure you can get out of the deal if it isn’t working out.
Comingle infrastructure resources carefully
A significant risk of a shared services deal is that IT infrastructure built between the parties may become intertwined to an extent that may be difficult and expensive to unravel. Clear boundaries should be established that will allow the parties to simply unplug if the deal doesn’t work out. Also, who owns infrastructure and data? How do you get your data back once the relationship is dissolved?
Information security, governance and policy
Whose governance policies will apply? Acceptable use policies, security policies, regulatory compliance policies and personnel policies as well as organizational culture should all be considered. How will sanctions for policy violations be addressed between agencies?
Is the provider using best practices for ITSM (information technology service management) and ISMS (information security management systems)? Are they an ITIL or ISO 20000 shop? How will security be managed? Do they follow any generally accepted frameworks for information security?
Who will define quality standards? In the commercial world, the customer determines quality. In the public sector, the provider often defines quality — the DMV being a perfect example. What recourse do you have if the provider fails to meet quality standards? With a commercial vendor, you simply terminate the deal. In a shared services scenario, terminating the deal may require political capital that is not available. These arrangements present the real risk that you could be stuck with a bad deal for years or even decades.
These are only a few examples of the processes required to evaluate and negotiate a successful shared services agreement.
The great advantage of democratic local government is that citizens have the ability to address poor municipal management through the democratic process. If we’re not happy with the decisions and actions of management, city council or a county commission, we can simply vote them out of office. The problem with the trend toward regionalization of government functions and services is that we lose that ability to control it through elections. Don’t lose your ability to control your information technology operations by making a bad shared services deal.
References and endnotes
[i] “Shared Services Among New York’s Local Governments,” research brief, Office of the New York State Comptroller, Division of Local Government and School Accountability, November 2009.
[ii] “Shared services in New York State: A Reform That Works,” George Homsy, Bingxi Quian, Yang Wang and Mildred Warner, August 2013.
This article first appeared on CIO.com at http://www.cio.com/article/3196248/leadership-management/municipal-shared-services-agreements-for-information-technology.html
© Copyright Jeffrey Morgan, 2017