Bob Woolley's IT Weblog
Technical architecture and management and delivery of enterprise IT services.


Subscribe to "Bob Woolley's IT Weblog" in Radio UserLand.

Click to see the XML version of this web page.

Click here to send an email to the editor of this weblog.


Monday, April 14, 2003

Recommended Reading

In the process of developing a strategic planning process and a number of strategic plans, I have read a number of books that have some valuable insites into strategic planning and various IT management issues. All of them are available from I will feature several of the best of these titles every few days.

Cokins, Gary. Activity -based cost management: an executive's guide. Wiley Cost Management Series. 2001.

This title is an excellent executive overview of activity based costing principles which are of importance to rate development at service delivery organizations charged with cost recovery.

Allen, Bruce. Building operational excellence: IT people and process best practices with Dale Kutnick. Intel Press and Addison Wesley. 2002.

One of the best overall views of the development of operational excellence within IT service delivery organizations. The authors do an excellent job of identifying operational best practices and methodologoes for application to IT organizations.


9:39:04 AM    

IT Strategic Planning

The Division of Information Technology Services has been engaged in implementing a strategic planning process since late last year. In order to implement the process a number of process documents have been developed. Items that will be discussed include:

Overview of Strategic Planning at ITS

Discussion of Context (External Factors)

These will be followed by a discussion of the actual planning process, planning document relationships, and the relationship with product management, architecture, priority management, project management, engineering, and customer support. An overview of the strategic planning template methodology developed at ITS will also be shared.

Strategic Planning Overview

For a number of years, IT organizations have scrambled to keep up with the need to provide technology solutions to business problems across an ever-increasing array of hardware, software, and network technologies. The advent of distributed computing, coupled with the Internet revolution, has led to highly complex systems composed of hardware, software, people, and operational procedures that frequently span multiple platform and software foundations. Coexistence of so much technology demands interoperability of the components. Interoperability requires a set of overarching strategies to manage touch points and minimize conflicts. These high-level strategies, together with an architectural blueprint for the computing environment, will ensure that when components are assembled into the integrated system, the result is production-worthy, user-responsive, and maintainable.


Information technology strategies at the State of Utah and within the Division of Information Technology Services (ITS) are in a state of unprecedented change. IT organizations within the State are struggling with a multitude of strategies associated with the many different aspects of their information technology business. Many of these strategies are often implicit and spread by word of mouth. Even those documented are rarely set in the context of their association with, and impact on, each other. ITS has an obligation to work with other State IT organizations to keep strategies current with business, technology, and economic requirements.


ITS strategies clearly need revitalizing. ITS needs to align strategic objectives from the ITS Roadmap document with requirements from agencies and stakeholders to form a longer-term planning and implementation window. As computing complexity continues to increase, the pace of business today demands virtually instant turnaround of strategic content. Strategies need to be developed that can survive and take advantage of technological innovations while still enabling business changes and users who demand rapid solutions on increasingly demanding timelines.


Effective strategic planning at ITS needs to meet three overriding criteria:


§         it must be a rapid process,

§         it must produce succinct but very clear output, and

§         it must provide an integrated context from which more detailed planning can take place.


For strategic planning to respond rapidly to the right priorities, it is essential that the process start with prioritization and framing of the strategic questions to be addressed at any given phase or area of planning focus. The strategic output must accomplish a change from the often lengthy, highly detailed, complex white paper, typically developed over several months, to a succinct and pragmatic explanation of the strategic principle, assumptions, scope, implications, actions, timing, interdependencies, and open associated questions produced over a period of weeks or even days.


Finally, to be effective, the output of designated strategic planning teams within ITS should be directly translated into action through alignment with each Sectionís financial, product management, and project implementation process. One additional effort that complements the strategic planning effort is the development of a strategy framework that clearly outlines, in brief segments, the different high-level strategies that the organization needs to operate. This template, in Appendix A, can be populated and modified as needed and made available to a wide audience through information navigation techniques that enable interrelationships to be clearly understood. Each segment may have a different owner within ITS but the Directorís office will assume overall responsibility for the framework itself and preparation of strategic planning documents.


In summary, ITS needs to re-shape its approach to strategic planning to keep pace with customer requirements and the demands of a changing technology landscape. Plans need to focus on setting vision, providing high-level contextual strategies that can be clearly articulated and related to each other, and translating those strategies into action in the form of clear justification and implementation projects. Strategic planning can be effectively implemented within the context discussion and process that follows.


The principal mission of ITS is to provide centrally managed, shared information technology services to State government agencies at the best cost and value, and with service delivery excellence.


ITS views the following as major business objectives:

  • Build and Maintain Infrastructure: Build and operate a stable, secure, and function rich information technology infrastructure for the State and provide responsive, expeditious and reliable customer service. Coordinate and develop statewide-standardized approaches for implementing technologies and services.
  • Align Technologies with Agency Business Needs: Lead and collaborate with other governmental agencies in discovering, assessing, adapting, implementing and utilizing information technologies consistent with agency business needs.
  • Provide Integrated Technologies and Services: Provide integrated technologies and services including voice and data communications, mainframe and desktop computing, local and wide area networks, application development and hosting, and geographic information systems to State government agencies.
  • Provide Services and Technologies at the Best Cost and Value: Provide quality services and technologies to State agencies at or below competitive market prices realizing a net cost savings to taxpayers.


The strategic planning and analysis process envisioned for use at ITS begins with the mission and business objectives of ITS and includes a context or set of drivers including:


  • ITS Roadmap Objectives
  • Governorís Information Technology (IT) Objectives
  • Customer Needs Assessment Data
  • Technology and Market Trends

Examples of some of these external factor drivers include:


ITS Roadmap Objectives

These objectives and associated desired outcome statements have been drawn from the ITS Roadmap document dated November 18, 2002.


Objective #1: Implementation of the Tiered Support Model (TSM). The desired outcome is a more reliable and measurable support process that implements common industry best practices and significantly improves the quality of customer support.


Objective #2: Functional Reorganization of ITS. The desired outcome is to remove organizational barriers to service delivery performance and provide significant improvements to reliability, availability, and serviceability (RAS) to all ITS customers.


Objective #3: Product Plans for ITS Products. The outcome is to have product plans and assessments of product effectiveness for all major ITS product families and related services.


Objective #4: Accounting Tied to Product Families. The outcomes include tying product family expenses to product family revenues together so customer, stakeholder and ITS management goals for rate transparency can be achieved.


Objective #5: Product and Service Performance Measurement. The outcomes are to measure service product performance as a basis for capacity planning and product improvement, and as a performance communication vehicle for ITS staff, stakeholders, and customers.


Objective #6: Benchmark ITS Services. The outcome is to benchmark ITS services against comparable service offerings in other states and in the commercial sector to ensure that ITS service rates are consistently at or below market and represent a strong value to stakeholders and customers.


Objective #7: Single Web Billing System for ITS Services. The outcome is to meet customer and stakeholder requirements for bill presentment for all ITS service billings.


Objective #8: Product Family Roadmap. The outcome is to document the roadmap and associated product lifecycle for the product and service families desired by customers.


Objective #9: Rate Proposals by Product Families. The outcome is to produce a comprehensive rate document that associates rates with services and products for all major product families and directly associates revenues with costs.


Objective #10: Implementation of Quality Assurance (QA). The outcome is to have a well designed QA methodology and process in place for all service products and applications that utilizes QA best practices.


Objective #11: Consistent Operational Performance (RAS). The outcome is to apply process and measurement controls to ensure RAS product delivery for all production ITS service products offered to customers.


Objective #12: Consistent Customer Satisfaction Surveys. The outcome is to consistently implement a customer satisfaction measurement process and communicate the results frequently to ITS staff, customers, and stakeholders.


Objective #13: External Audit of Service Delivery. The outcome is for ITS to provide services that are sufficiently reliable that they can be audited for performance and improvement alternatives by an external third party as feedback improving service delivery.


Objective #14: Reduction in Unit Costs for Services. The outcome is to provide service products with enough efficiency and leverage that cost to customers can be reduced without impacting the quality of service delivery.


Objective #15: Consistent Marketing of ITS Services. The outcome is for ITS to consistently market service products to customers so they can make informed choices on selecting to use ITS service products.


Governorís Performance Goals and Information Technology Objectives


  1. IT must support the business and program priorities of state government.  The Governor has established six performance goals for the state:

§         Providing world-class education.

§         Creating quality jobs and a quality business environment. 

§         Improving government services.

§         Enhancing the quality of life for all Utahns.

§         Fostering self-reliance.

§         Protecting Utahís foundation of community values.


            The Governor has also added as long-range goals for the state, to:


§         Slow the investment in bricks and mortar;

§         Refuel the settlement of rural Utah;

§         Use what we have better;

§         Increase individual responsibility and community values;

§         Become a generation of planners; and

§         Make quality our comparative advantage.


2.       Utah residents will be able to access most state services online, 24 hours a day, seven days a week.


  1. We will implement systems that are integrated across the state enterprise, and in time will be integrated with local governments, other states and key federal agencies.


  1. Our new vision will provide improved customer service and taxpayer savings.


  1. The Division of Information Technology Services (ITS) is responsible for implementing and delivering enterprise IT services.


  1. ITS is charged with providing basic IT services to agencies effectively and efficiently to assist them in achieving their mission.

General Technology Trends


The State is directly impacted by expectations of employees and citizens as customers that are being impacted by general trends in the use of information technology. Technology trends have a direct impact on the information technology strategic planning processes.


  • Ubiquitous web presence: Technology is increasingly providing access from almostanywhere to the Internet, creating a virtual conduit for the individual to connect to a widerange of information as well as to participate indifferent user communities. Additionally, users expect access to high-quality, just-in-time information from expert sources.


  • Rapid connectivity: High-speed networks, remote access, and wireless increasinglyprovide nearly seamless access.


  • Increasing freedom with mobile devices: Users are choosing portable,small, and wireless devices for their computing needs, which helps them realizemobility in information and network access. Additionally, these devices provide more capacity and functionality in a single device.


  • 24/7 Service Expectations: Individuals anticipate service and support assistance to be24 hours a day, seven days a week.

  • Electronic Commerce: Consumers expect the convenience of numerous products andservices to be available via secure online purchase and transaction systems.

  • Sophisticated applications: Customers are expecting easier to use applications with mature and sophisticated functionality.




9:25:13 AM    

Thursday, August 22, 2002

Ethernet Network Site

This site provides extensive information about Ethernet (IEEE 802.3) local area network (LAN) technology. This includes the original 10 Megabit per second (Mbps) system, 100 Mbps Fast Ethernet (802.3u), 1000 Mbps Gigabit Ethernet (802.3z/802.3ab), and 10 Gigabit Ethernet (802.3ae).

2:08:33 PM    

HIPAA and Related Security Common Technical Requirements

In order to provide technical infrastructure and related product services to support HIPAA, IRS, CJIS and other related agency security requirements the State of Utah has identified the following as a preliminary common technical requirements set that encompasses security requirements for seven state agencies and the corresponding Federal requirements. These are technical requirements only and do not addrerss other legal requirements associated with privacy and access to information. These are draft technical requirements and have not received final approval.

Access Control: Access control mechanisms must be employed across all State of Utah networks to ensure a given user has been granted the permission to access a system resource in the manner authorized.


Advanced Authentication: Advanced authentication should be used in cases where un-trusted inbound traffic (with the exception of Internet mail and push broadcasts) is accessing the authorized State of Utah network. Authentication of the unique user identity can be a unique encrypted logon and password combination and/or use of other authentication methods including but not limited to biometrics, smart cards, tokens, digital signatures (such as VeriSign), etc.


Audit Trails: For any State of Utah operated network, functionality should be added for real‑time monitoring of networked and host‑based systems to detect security vulnerabilities and incidents. The minimum amount of information to be captured in an audit record is:


1.   The identity of each user and, where possible, the device having access to the system or attempting to access the system.


2.   The time and date of the access (synchronized with an atomic clock to the nearest 1/10 of a second), time and date of log off.


3.   Any activities which might modify, bypass or negate security safeguards controlled by the computer system.


Authorization: Once authenticated, users must be granted only specific access to the systemís resources that they require to perform their duties.


Encryption: To prevent unauthorized disclosure of sensitive and valuable information, all host access to restricted information to/from the state authorized network from unauthorized networks must be encrypted with no less than 128 bit encryption. File encryption must provide an equivalent level of protection. Examples of encryption mechanisms that provide 128 bit or better encryption are Secured Socket Layer (SSL), Point-to-Point Tunneling Protocol (PPTP), Advanced Encryption Standard (AES), RSA ( Rivest, Shamir & Aldeman) Elliptic Curve Cryptograpy (ECC), etc.


Firewalls: Prior to the deployment of State of Utah firewalls, a list of permissible paths with a justification for each access path must be submitted to ITS. Agency change control will be used to document all changes. Every network connectivity path not specifically permitted must be denied by firewalls. Permission to enable any paths will be granted by the agency security manager only when (1) the paths are necessary for important business reasons, and (2) adequate security measures will be used. State computer/data resource that exists on authorized networks must be protected from unauthorized traffic with the exception of production services designed to be homed in a demilitarized environment (http, internet mail), or where stateful packet inspection is not required. At a minimum, traffic filter firewalls should have the ability to screen and log traffic at the network and transport protocol layers.


Identification: Each individual who is authorized to access sensitive/restricted information must be uniquely identified.


Intrusion Detection: State of Utah locations with hosts containing sensitive /restricted information must include intrusion detection systems. These intrusion detection systems must each be configured according to the specifications defined by ITS security in cooperation with agencies. Intrusion detection systems must notify technical staff in a position to take corrective action. In addition, all State of Utah locations must incorporate virus protection and removal software.


Logging: All transactions with sensitive/restricted information originating from State of Utah networks or access devices must be logged. Furthermore, all suspicious activity, which might be an indication of unauthorized usage or an attempt to compromise security measures must also be logged and reported to ITS Security. The integrity of these logs must be protected. These logs must be promptly removed from the recording systems and stored in a physically protected container for up to 7 years. Access methods to retrieve information from the logs must be provided, and, the logs must be reviewed periodically to ensure that the security standards are being met..


Physical Security: Resources present on state authorized networks must be physically secured from unauthorized persons.


System Design Documentation: Any agency using sensitive/restricted information must develop and maintain written documentation of the overall design and security features of their system.  Overall design and security features must be reviewed, the implementation tested and the test results documented.  In accordance with the intent of this document, results are considered sensitive/restricted information.


 Vulnerability Assessment: Vulnerability checks must be conducted on the design, and periodically after implementation.  Unless otherwise specified by statute or best practice, periodic testing shall occur at least every 12 months.  Results of testing and vulnerability scanning must be documented and accessible only to authorized personnel.

Vulnerability Patching: Acting in cooperation with ITS and the CIOís office, State Agencies are responsible for the application of fixes or measures to stop the exploitation of known vulnerabilities

8:02:29 AM    

HIPAA References


There are a number of useful references for collaborative HIPAA security work going on in other states and related organizations from which the State of Utah can derive benefit. Among them are the following:

Federal Register, 45 CFR Part 142, Security and Electronic Signature Standards; Proposed Rule, 08/12/1998.

Federal Register, 45 CFR Parts 160 and 164, Standards for Privacy of Individually Identifiable Health Information; Final Rule, 12/28/2000.

Fuller, Sandra. Journal of AHIMA, "Implementing HIPAA Security Standards," October 1999.

Hawaii Health Information Corporation.

HIPAA Security Summit.

Idaho Department of Health & Welfare.

Minnesota Center for Healthcare Electronic Commerce.

Nebraska Association of Hospitals and Health Systems.

North Carolina Healthcare Information and Communications Alliance, Inc.

Pilot policies released to the general public by the Hawaii HIPAA Readiness Collaborative.
URL: policy templates.

7:48:50 AM    

Tuesday, August 13, 2002

Technology Organizational Assessment

This site has some interesting suggestions for customers or in our case agencies trying to assess the role of technology in their business

9:24:49 AM    

Click here to visit the Radio UserLand website. © Copyright 2003 Bob Woolley.
Last update: 4/14/2003; 9:45:30 AM.
This theme is based on the SoundWaves (blue) Manila theme.
April 2003
Sun Mon Tue Wed Thu Fri Sat
    1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30      
Aug   May