Forrester Infrastructure and Operations Council

Peer Insight - Microsoft Enterprise Agreements

2008-07-30T17:04:00-04:00

Member Context:

Our corporation has entered an Enterprise Agreement with Microsoft some years back. This agreement has been established to cover the Core OS, Core CAL components, MS Office, MS Server, and a variety of other server based products. The EA is up for renewal at an increased cost. At the current time, we are licensed for the current release of all aforementioned products, and are struggling to find the value in renewing the entire EA, and are evaluating alternatives.

Peer Insight Questions:

1 - Have you reviewed moving from an EA to a Selected Agreement, and if so, what were the results (costs, resources, risks, etc.) of the analysis?

2 - Have you reviewed moving to a component based EA (i.e. only licensing specific products under EA), and if so, what were the results?

3 - Are you currently evaluating any open systems platforms as an alternative to Microsoft Products (i.e. Open Office)?

4 - If you are exploring open system alternatives, or would like to explore them, would you be willing to have a discussion regarding this initiative?

Member Response 1:

1 - We are considering an EA because we are adding new services that make it a compelling options. However, we are only considering EA for specific aspects of the MS offerings for specific areas of the business.

2 - We do some of this where it makes sense. If we don't see ourselves assuming an update in the next 3 years, we go this route. We address SA where required for virtual solutions. We have some products within Select.

3 - No.

Member Response 2:

1 - YES. The break even point for us was at the 4 year mark. If you drop the EA, when the time comes to upgrade beyond what you had on the EA at the time you dropped it, then you essentially re-buy the products. We found that the cost to re-purchase versus the cost of the EA intersected at 4 years.

2 - YES. We carry both an EA and a Select agreement. For products that we don't see upgrading any time in the future (For us, this would be things like Maps and Streets, Powerpoint, Visio, among others), we get them on the select agreement. Only the Core OS, CALs, MS Office, MS Server, and SQL are kept on the EA.)

3 - No.

Member Response 3:

1 - We completed a review when we were considering an EA agreement and determined that it was NOT cost effective.

2 - We have not reviewed a component based EA.

3 - No.

Member Response 4:

1 - We have always utilized Select Agreements. Our past analysis as never showed that it would be favorable to move to an EA.

2 - We will be taking a look at EA options vs. Select next year.

3 - Yes, we believe we have a subset of our user population that should be able to use Open Office with no real downside.

4 - Yes

Member Response 5:

1 - We have not reviewed moving to a Select Agreement, yet. Our EA expires next year. We will conduct a review at that time.

2 - We currently have a component based EA. Products we do not have under an EA include the desktop OS and Office. The frequency we upgrade these products prevents us from achieving the necessary ROI for such an investment.

3 - Yes.

4 - Yes.

Member Response 6:

1 - Yes, and we decided to keep an EA and Select in place. A main factor in sticking with the EA was that we have multiple locations, both in the US and other countries, and having an EA in place insures you are covered for whatever version of Office or O/S is installed. Without it, we would be tasked to keep control over which version is used in each location.

2 - Yes we did, looking at multiple scenarios. Based upon that review, we determined which components (O/S, Office, E-CAL, MDOP, and a few other items) would be included.

3 - Not currently.

Member Response 7:

We considered it for about a day, then abandoned it. Our business lacks a robust roadmap management for upgrades, which would be required to do away with Software Assurance benefits that are part of EA. As well, we require some tools that MS only allows EA customers to have access to. That said, we do not keep products such as Visio and Project on the EA...those are Select Agreement based for us since we don't do enterprise wide deployments of the tools.

Member Response 8:

1 - Yes, we went with a blended solution.

2 - Yes, we did not renew software assurance on Office under the EA. We already owned Office 2007 and didn't want to pay for software assurance on Office when we haven't deployed the 2007 version yet. All true-up purchases are under a Select Agreement.

3 - Not current evaluating but will look at this option after Office 2007.

Member Response 9:

1 - We look at this with each renewal. The last time was in 2006 for a 1/1/2007 renewal. At that time with our plans and product delivery schedules we opted to continue with the EA.

2 - We are doing this to some degree. Our Office install base is a blend of Standard and Professional. Based on the split we negotiated a blended price for Office. We're also a Notes shop, so a Core CAL doesn't make sense for us. We split out the CALs we actually need. When we do our review next year for a 1/1/2010 renewal we'll be looking at the potential of removing Office from the EA.

3 - We're not currently evaluating.

4 - Even though we're not currently exploring I would be interested in others'experiences.

Member Response 10:

We have found for a company our size (~2000 employees) it is cheaper to buy the SW licenses we need under a select agreement and not enter into an Enterprise Agreement. The EA guarantees MS a yearly revenue stream but we have many times chosen to skip versions of SW packages. This reduces the migration costs and in the long run saves us money. For example we skipped Office 2003 and went from Office 2000 to Office 2007 this year.

Member Response 11:

1 - No...we have always managed our licenses through a Select Agreement.

2 - We have historically managed our licensing under a Select Agreement and have not had a desire to move toward an Enterprise Agreement. Our organization was recently acquired and we are waiting to find out if we will be included under our parent company's EA.

3 - No, we are not currently evaluating open systems platforms as an alternative to Microsoft. In fact, we are currently in a test pilot for Vista and Office 2007. Open source is being considered in the environment but not as a replacement for Microsoft at this time.

4 - We are in the processing of developing Open Source Guidelines for the organization and would be willing to participate in discussions related to developing guidelines and policies.

Member Response 12:

1 - We have reviewed the EA and Select agreement options and have decided to maintain our existing Select agreement for the time being with the option of entering a component-based EA later.

2 - We are still in negotiations with Microsoft on possible migration to a component-based EA.

3 - No. We are standardizing the end-user experience around the Microsoft stack (SharePoint, OCS, Exchange, XP/Vista, and Office 2007) and we are standardizing our databases on SQL Server.

Peer Insight - Storage and Departmental File Share

2008-07-24T10:44:00-04:00

Member Context:

Our organization manages about 30TB of data. About a third of that data is located on departmental file shares. We have never given users any guidance on placing data on file shares. We don't have any directory or file naming conventions. We don't have any file retention policies. If someone leaves our organization it's almost impossible to find where they have put different files. Needless to say this data is growing at the rate of about 40- 50 % per year. Senior management wants IT to furnish more guidelines to users on best practices for using file shares.

Peer Insight Questions:

1 - What guidelines have people out there given users or departments on the use of file shares?

2 - Are there plans to do so?

3 - Are there other departments who will be (or are) involved in these plans?

Member Response 1:

1 - We limit the amount of space we give to each department. There is not a set amount of disk, it varies by department. When that space is filled, the department is responsible for removing unneeded files to free space. Typically this is done by removing the oldest and or largest files first. We don't give them the option of additional space because if we did, they would never remove files.

2 - We plan to review this next year. There has been discussion of automatically removing files that have not been accessed for a period of time (possibly 1 year).

3 - We will involve other departments, but do not plan to gain "consensus" from all business units. My guess is that our legal department will have the final say along with IT.

Member Response 2:

1 - We have structured shares for our users. Each user has their own "user" directory, a departmental folder, and a shared directory we call "Pool1." The Pool1 directory was intended to be a temporary space for files that were being transferred between groups. We do not have limits on users, but monitor file space. If it is running low, we generate a report and go after the top ten users of the space to clean up their files. We also scan for and delete known problem files like user backups of their hard drives, Outlook *.pst files, and non-business media files. In addition to these efforts, there are clear policies on retention policies and the use of electronic communications. Effectively, we have told users that email is not a storage medium. They have limits in email, but not on their file shares.

2 - We have researched options for classifying unstructured data in the hopes we could automate our retention policies. However, we have not yet been able to build a compelling ROI that would allow us to implement a solution.

3 - All of our efforts to address the explosion of data on our file shares have involved our security, legal, storage, and support teams. Without their support and the sponsorship of a CXO level executive, these initiatives would not work.

Member Response 3:

1 - We have specific shares that get connected during boot-up. Two are for application data, one is for department files, one is for personal files, and the last one is for anyone to put anything they want to share with others.

2 - We have retention schedule for scheduled records. We have recently implemented a process that requires everyone to review dept and personal file locations annual and certify they have disposed of items no longer needed.

3 - Legal got involved because of FRCP changes and e-Discovery

Member Response 4:

We have a similar situation. We are only now beginning to recognize the need for tools that identify the types/ages of files, as well as applying clean up efforts, followed by application of retention policies. Merely in the planning stages now. The business will be expected to clean up their own files, but will rely on IT to help them identify what they have in a consumable way, hence the need for good tools/reports which we'll need to investigate and potentially invest in.

Member Response 5:

1 - We use SharePoint as our primary content management. We have storage limits to sites. Department level Network Shares are created based on request but there are no Guidelines or policies to govern.

2 - Not that I know of.

3 - Not applicable.

Member Response 6:

1 - None - other than general "for business use only" policies.

2 - For critical documents that should be controlled, we are moving to new version of SharePoint.

3 - Yes - for document management system using SharePoint.

General comments:

I think we could all save a non-trivial amount of money by instituting a "Data Janitorial Service" to clean up "file droppings" on Departmental file shares. I see whole install copies for obsolete SW packages, personal pictures, music files and such, even long after employees are gone. This data is being backed up, restored, and there is a cost to doing this.

Member Response 7:

1 - File shares are intended for business data only. There are corporate polices on records retention that cover data in file shares. We have two types of file shares, personal and business shares. Every employee may have one personal share. Personal shares are deleted when an employee leaves the company unless the employees supervisor requests the data. Business shares always have two owners and we have an automated process to review the owners and insure that new owners are assigned when the owners leave the company.

3 - Our legal and Corporate records retention organizations are primarily responsible for data retention policies that are defined for share data.

Member Response 8:

1 - We have no written guidelines. Verbally users have been told to monitor and maintain the fileshares consistently using our company retention guidelines.

2 - Yes, we have a project underway to consider a formal chargeback process. Additionally our Corporate Compliance department will be working with file share owners to make sure that the data stored meets the written company retention guidelines.

3 - Corporate Compliance

Peer Insight: Distribution Lists

2008-07-22T10:13:00-04:00

Member Context:

We are continuously reacting to issues with distribution lists from our user community. The issues primarily revolve around incomplete and inaccurate membership of the lists as well as the need for additional lists to satisfy a particular groups perceived need for a new list. I would like to know if other I&O Council members have faced similar issues and how/what approach they have taken to resolve\address the issue

Peer Insight Questions:

1 - Is your IT branch responsible for distribution list management? If so, what process is used to ensure that IT is kept informed of all organizational changes?

2 - Has your department faced issues pertaining to distribution list management and how what approach they have taken to resolve\address the issue?

3 - Do you have a distribution list policy outlining when a distribution list would be created? Does it address an approach to the structure of distribution lists? As an example, are they based upon logical groupings, physical locations, branch\departments?

4 - Is distribution list management a manual or automated process? If automated, what tools do you use?

Member Response 1:

1 - Yes. We have a manual set of processes with a dedicated "new hire facilitator" within my IT organization. In addition, we work very closely with our Administrative Services group who also has people (receptionists) focused on new hires and transfers. Finally, each business unit has a Business Manager and uses their administrative assistants to handle the highly tactical aspects of this process. We are now in the process of implementing workflow through our Remedy (BMC
product) software.

2 - Yes. This was the #1 issue handled by our Help Desk and we implemented a product called "Distribution List Manager" from a Imanami. This has shifted the responsibility to the user wanted to join a list and to individuals (users) who are now responsible for maintenance of their own list. There are public lists and private lists and some lists allow people to just join without approval, and some require approval of the list owner. In answer to your first question, our Human Resources department owns the "All Employee" list and that is where new hires are placed (the "authoritative source" for new hire information in my firm is HR).

3 - No

4 - See answer #2

Member Response 2:

1 - Only for our own lists. Each business department manages their own lists. HR manages the large corporate lists.

2 - Each distribution list has it's own access control list for permissions. Therefore only people who need access to change it are granted access, anyone can use any distribution list to send email (except personal address book lists).

3 - Yes, only certain individuals can create lists, but then they are assigned to the requestor to manage. Beyond this, no other policies exist.

4 - Entirely manual.

Member Response 3:

1 - It is maintained by the staff that supports Exchange. They are located within IT. We base most all request off of data provided from our HR system. In other words we use the department, facility, and other data captured in the HR system to create and maintain list.

2 - We do not allow any other group to create global list for the organization. They can only create personal list.

3 - We do not have an official policy, but rather practices established over time. We maintain list based on some authority - in our case it is our Lawson HR system. That is 90% of the distribution list we have. The list are both work unit based as well as geographical. There are a few (less than 20) distribution list that are specifically request by executive administration that we maintain. Changes to those list are sent to our support staff via our request process from the executive or their secretary.

4 - We do automate the process for the 90% that come from our HR system. This is an in-house written interface that also populates our enterprise directory. We run the process nightly and pick up changes then.

Note: Historically we have been in geographic groups. With the expanded adoption of SharePoint it has become more important to create security groups around teams. It has been within the last 3 years that we have focused on keeping those groups cleaned up and really moved them to security groups within Exchange and not just mail distribution list. When we did that there were always one or two more people that the group wanted to add under specific circumstances. We successfully communicated the problems with that kind of logic and have asked individuals to use the define groups from HR and either create local distribution lists with the other user or in the case of SharePoint, grant the odd individual user rights.

Member Response 4:

1 - Partially, IT is responsible for insuring ownership of lists. Lists are managed by individual business owners. Changes that result in an owner being removed from a list are managed during the termination process. All terms are checked to determine if a new owner needs to be found for a list.

2 - Yes. A process and supporting tools were developed to address the issues. The process established a method for requesting lists, standards for documenting the ownership of the list, training on how the owner can maintain the lists, and a procedure to ensure all lists have owners.

3 - Yes and Yes. Lists are divided into categories based on their size and purpose. There are standard lists for logical groupings as well as lists to support special purposes or projects.

4 - Both. We use dynamic lists for anything that is based on attributes of a user, like location, title, or job function. These lists are kept up to date by an automated import of HR information into Active Directory. Lists that are not dynamic must have an owner who is responsible for maintaining the list membership.

Member Response 5:

1 - Yes, we are responsible for updating the list. All staffing changes are sent to a distribution list that includes all of the systems administrators to ensure changes are made.

2 - We experienced issues with knowing who should be in the management distribution lists. Sometimes a title doesn't reflect management duties. We started a new procedure where this information comes to us from HR during the new hire process.

3 - We create lists as needed, but we have a policy against creating and using a list that includes all employees. We have a hidden "all employees" list that only HR and VP of IT can use.

4 - Manual

Member Response 6:

1 - Yes, my team is responsible for DL management. We recently completed a project to revamp all our DLs. We introduced Query-based DLs for any group that could be defined by AD attributes. For groups not based on job title, location, etc., we setup specific owners (group of owners). In the NOTES of the DL, we list who to contact to be added to that DL (e.g. the DL owner). We delegate the group membership to a defined small group of owners.

If it is a QBDL, we summarize the filter used in the query.

2 - It took a full-blown project (90 days) to define a naming convention, and standards.

3 - Yes. Where possible, we try to group by department first/only. If the DL is more geographic in nature, or there’s a specific need to indicate a group/department/location, we include this in the description.

4 - Today, it is 95% automated and/or handled by end-users (who own the DL). The main place it isn’t automated is requests for new ones, which are relatively few. We did have to do some custom development on our ERP system/on-boarding process. Our ERP system is Lawson. We wrote custom code that automatically generates an AD account and mailbox for new hires. In addition, this process keeps employee attributes in Lawson in synch with AD (e.g. employee title, location, phone number, cost center, manager, direct reports). This gives us several attributes we can use to generate QBDLs.

The only other ‘manual’ effort we have is when some QBDL-dependent attribute is changed in Lawson. We have to coordinate this with HR to update the QBDL. One HUGE draw-back to QBDLs is if you use SharePoint and you are leveraging email distribution lists for permissions (e.g. audiences or WSS site access). QBDLs will NOT work. This is a huge issue because a large group like All US Employees is a perfect candidate for QBDL. But then this group cannot be used for permissions in SharePoint. We’ve had several meeting with Microsoft on this, and they are aware of this limitation. They do not have a good answer for this problem now.

Member Response 7:

1 - Only for very high level distribution lists. For example, all employees at plant x or all contractors at plant x. We have a template that includes those distribution lists in it and correct the one that doesn't pertain.

2 - When a distribution list is requested we require that an Owner be named who is responsible for updating the distribution list. We will create the "bare" list and then require them to populate it. There are times when our tools can help populate the list and we will do so. We are still working with a couple of the plants to follow this procedure. They are used to creating and maintaining these lists and changing them has been difficult.

3 - No

4 - Manual excepting the use of templates within Active Directory.

Member Response 8:

Right now distribution list management is manual at our company. We rely on users to notify our helpdesk for updates and changes. There are several lists that are updated as part of our new hire process / termination process but there is nothing in place to update the lists without being asked to do so. We do not consider this our preferred end state. We suffer many issues when trying to communicate to specific segments of the company or the whole company.

We have a three part plan to address this issue long term.

1. Our business analysts are currently working with the business to identify people who will become responsible for list maintenance. This is a stop-gap measure because all it achieves is to push the burden to another part of the organization and does not add real value.

2. We are in the final stages of deploying the infrastructure for an Identity Management platform. This platform is connected to our SAP HR system and will automatically receive location data, cost center data, employee grade / role and reporting structure data. This data will be used to enable automated list maintenance. Since adds, changes, deletions will be reflected in the employee's payroll status, we believe this to be an effective way to manage basic list maintenance.

3. Our IDM initiative will culminate in a provisioning and workflow portal that will provide employees with a self service tool to maintain this data. Workflow will facilitate an approval process around any requests for access to restricted groups.

Our IDM initiative uses Novell's eDir at it's core along with the IDM workflow / designer tools. We are linking it into a global Active Directory deployment

Member Response 9:

1 - Distribution lists are created by our Service Desk and assigned an owner. Once the owner is assigned, it is the owner's responsibility to have the group updated.

2 - We found the process to be cumbersome and felt that the user community should be responsible for its membership.

3 - We have no official policies sounding what distribution lists.

4 - We use both for our larger lists we use PeopleSoft to generate lists that update AD. For our smaller groups it is manual.

Member Response 10:

1 - Yes, IT is responsible. We have tried numerous times to get the needed communication from HR, but found that we could not rely on that 100% of the time. We utilize IBM Directory Integrator, which allows changes in our ERP system's HR records to trigger changes to Active Directory, groups, really any directory in the network, etc. This automated process works well in most cases.

2 - As above.

3 - We have no policy. We create them on demand.

4 - Automated - IDI.

Member Response 11:

Where feasible we delegated that authority and responsibility to the Business Units by assigning an Owner in the Distribution Lists on the Exchange Server.

Member Response 12:

1 - Yes, for most lists. Some lists are managed by the list owner. IT is notified of terminations so the ID is moved to a No Access Group. Distribution lists are not automatically updated. When the list is used there will be a delivery error on the terminated ID that would prompt the distribution list user to request an update to the list.

2 - Not many issues. Process is well defined.

3 - We don't really have a policy. Just guidelines on if a group list is more than 5 people or is used often. Most groups are based on logical groups, such as project teams, and departments.

4 - It is a manual request process.

Member Response 13:

1 - We are not responsible for maintaining the distribution lists. Our HR department manages them as they are notified of all organization changes from a payroll perspective. We found that people are incented to get the payroll changes in on a timely basis.

2 - No.

3 - While there is not a specific policy for when distribution lists are created, HR does try to limit the number of them because of the maintenance effort involved.

4 - It is a manual process.

Member Response 14:

1 - Organization changes are announced through our PR dept. Upon notice of re-org, a work order is created in our Helpdesk system to follow up with new dept heads to ensure AD group and e-mail distro group changes are made timely and correctly. Every other time a distro group change is needed, a Helpdesk work order is required. Committee groups and alerts for various notices are valid requirements for a GAL distro group. Every other kind of group must be created within a user's contact list.

2 - No issues

3 - Departments, committees, and alerts.

4 - Manual, via work order system.

Member Response 15:

1 - LotusNotes/Domino mail groups are used for distribution regarding HR notices, IT changes, and Help Desk announcements. Various groups are maintained by dept. (ex. HR has been given the ability to update the HR distribution lists, IT distribution list updates have been assigned to IT Admins. in a separate IT address book that merges into our company address book,Claims Dept. distribution list updates have been assigned to Claims Admins. in a separate Claims address book that merges into our company address book) Everything else is forwarded and handled by the IS Operations Staff.

2 - IT IS creates and maintains the distribution lists for all other incidents except where noted above. And we also allow for individuals to create their own distribution lists within their personal LotusNotes address book. This is not maintained or secured by IS.

3 - Policy currently does not exist, however process is in place:
1. manager approved request by e-mail
2. IS reviews content of request and creates based on the department and company requesting. So yes, they are based on logical groupings and physical locations.

4 - It is ALL Manual.

Member Response 16:

1 - Yes, to an extent. The process today is incomplete. At the employee level changes are automatically updated as part of our on and off boarding processes. As far as the general management and organization of DLs go there are gaps. The DL owners do not always keep the lists accurate so we deal with the same issues.

2 - Yes, typically requires a manual and time consuming "clean-up" effort

3 - Yes, we do. In the policy, there is a best practices section that states the following:

--DLs should be populated according to common interest or purpose of the users. For example, a DL could be based on all users of a particular application; users in a specific location; users with the same job function.
--Use of DLs for very small groups should be discouraged. Because creation and maintenance of DLs is largely a manual process, the number of DLs should be limited in order to avoid high administrative overhead. A minimum of 15 users should be set as a threshold for creation of a DL; for numbers below this minimum, users should send individual emails or create their own personal distribution list, using Outlook.
--Nesting of DLs should be avoided. Nesting of these groups within other groups makes it difficult to trace how a given user received a particular email.

4 - Manual

Member Response 17:

1 - Yes, the ownership of the process is with communication managers of our companies and they are responsible for informing us of changes to the organization. If distribution lists are not updated, they are held accountable. They are managers of the lists for small changes or exceptions, but have to call our helpdesk to request changes. A helpdesk ticket is logged using a template to gather the appropriate information. However, a phone call back is usually necessary to confirm or verify change.

2 - Yes, the above process has a few problems. Sometimes the tickets are bigger work efforts then a ticket and not all requirements are captured in the ticket, so we have to rework the request with the requester until it is right. Other times we are not notified in a timely fashion and have to work on the request immediately to stay in front of a communication plan using the requested list. Our next process improvement to address our issues is to use SharePoint and InfoPath to streamline the request process, gather all the requirements, visible workflow, and make distribution lists available for review (audits) by the communications managers.

3 - Yes, Yes, mostly we create dlists on various organizational hierarchies and branch/departments, but other logical groupings are created.

4 - We try to make most of the dlists automated using Microsoft Identity Integration Server (MIIS). However there are some manual lists created.Each list has an owner assigned and is responsible for its management. We are in the process of auditing our lists and making improvements like retiring old ones. We have automated the population of lists with MIIS, but we are working automating the lifecycles of the lists.

Member Response 18:

1 - Typically, static distribution lists are created by IT Operations upon user's requests where the maintenance is then turned over to the user. IT Operations is responsible for the creation of Dynamic lists as well as the ongoing maintenance based on information received from HR regarding criteria behind the dynamic lists.

2 - Yes, we often not notified when lists are no longer needed which clutters the GAL with useless lists. However, we are moving to a Quarterly review cycle for static lists that will force users to perform a review and retire unneeded lists.

3 - We do not have a policy on when a distribution list is created. Distributions are created on a needed basis. Dynamic distributions are created based on various grouping types residing in AD. HR systems automatically update AD fields via an corporate repository process. The fields vary from department, location to employee status for example.

4 - Both. Some are dynamic and are created using Microsoft’s Active directory and Exchange Server. As mentioned before, some AD fields are updated via a custom process originating from HR.

Member Response 19:

1 - The problem we are trying to solve is having up-to-date distribution lists to communicate to end-users regarding planned and un-planned downtime for a given service. I'm not concerned with other distribution lists (i.e. people to be invited to an operations meeting). Currently most processes to generate these lists are manual with some linkages to data from HR and Active Directory.

2 - Manual list management is a losing proposition. We are implementing an Identity management system that will provision new accounts and delete old ones and will help manage access rights and roles for a given user on a given application. The database this system will maintain will enable us to have real-time, up-to-date distribution lists for a targeted group of users that we might need to communicate to.

3 - There are policies on the naming conventions for mailing lists. Groupings -for the lists I care about- are more related to users of a service. (could be geographic, departmental, and so on)

4 - See #2 above.

Peer Insight: PCI Compliance

2008-07-08T09:43:00-04:00

Member Context:

We have been plugging away with our PCI compliance. Our team wanted to get a sanity check ffrom other council members regarding their PCI efforts. Even though we would all choose to ignore PCI Compliance.

Peer Insight Questions:

1 - How far along are you towards PCI compliance (in percentage terms)?

2 - How long will it or did it take for your organization to become PCI compliant?

3 - What are the three top PCI remediation efforts you are addressing?

4 - How much have you spent on PCI remediation? Has that been difficult to quantify?

5 - What percentage of your annual capital budget is spent on PCI remediation? Is it closer to 5% or 50%?

6 - Have you had your PCI plan shortened by your Merchant Acquirer and/or a member of the Card Association?

7 - For decentralized companies, are individual business entities being held accountable for PCI compliance or has a project management office been set up to educate and lead remediation planning?

Member Response 1:

1 - We are compliant - passed the test this past Feb.

2 - About a year and 1/2 with ALL hands on deck, and lots of consulting dollars as well.

3 - We are only responding now to monthly scans from TrustWave and any areas of risk that they identify.

4 - Keeping track in firestorm mode was very difficult, and we ended up going back through lots of invoices after the fact and categorizing them. We spend about 3 and 1/2 million to get there, but we were starting from a position of weakness.

5 - Now that the processes and systems are in place, the costs are not as high, I would say 5% to stay compliant each year, as long as the processes are followed and audited all along the way as a regular part of business going forward.

6 - No.

7 - It is a mix - we have Franchisees, and they are responsible for their systems, etc. being complaint. However, anywhere that they touch our network or at points of entry and exit for their data, we take responsibility.

Member Response 2:

1 - 100%

2 - 3 years

3 - Network, encryption within applications, two-factor access.

4 - $40 million.

5 - Closer to 5%

6 - No

7 - Individual entities held accountable through a PMO that has tracked progress and intervened for key projects/deliverables.

Member Response 3:

1 - 75%

2 - Still working on getting compliant, hope to finish by end of this year.

3 - Determine just what compliance means, internet facing servers in the DMZ (using Qualys to test for compliance), and identifying all the credit card touch points and the existing security at each touch point.

4 - We have several departments outside of Security doing the work to get the problems fixed. I don't know how much time is spent by each department as we assign problems to them. In the Infrastructure Security department we are using about 25% of an FTE to get our quarterly reports completed.

5 - 5%

6 - I don't completely understand the question. Nothing has been shortened, in fact we have seen new requirements each quarter.

7 - N/A

Member Response 4:

1 - We are a Tier 1 org and either we are compliant or we are not. The fines are very stiff - $10k 1st month, $20k 2nd month, $30k 3rd month, etc. - if we are not compliant. We have passed our compliance audit the last three years but it gets tougher to comply each year. The problem comes with "compensating controls". What may have been acceptable as a compensating control last year may not be this year.

2 - Each year is something new to work on to be compliant but it has gotten easier with each year. We spent approximately two years getting compliant but that was before they made it clear they would start fining us if we weren't compliant (though they were always threatened). We have also had to address problems that were things we knew would not be acceptable next year. A lot of our early work centered on writing procedures to provide compensating controls. Luckily we had already started implementing Host Based and Network Based Intrusion Detection so that cost was already being addressed. We also had a lot of experience utilizing VLANs for firewalling. By isolating systems that were required to be compliant, it saved us a lot of cost and time. Penetration & Vulnerability testing created lots of new issues that in hind sight we are glad we implemented the process.

3 - The toughest was encryption. Luckily we were replatforming so the system could be rewritten to be semi-usable even though the index was encrypted. We had a couple of other applications that we were able to mask the numbers to take them out of the evaluation process. We also replatformed some of it to SAP but had already implemented a bolt-on that included encryption for light credit card processing. That was good enough. In the early days, the technology just wasn't there to do it effectively so we implemented a lot of compensating controls. Those were acceptable then but would not be now as the technology is better - not good but better.

Pen and Vulnerability testing. The tests themselves were relatively easy to implement by using outside parties, it is the patch management and vulnerability repairs that were, and still can be, painful. Since we started early our InfoSec has since bought tools that allow them to do interim testing as well.

Changing processes. For example, putting a LOT more control around ROOT. Even though you segregate compliant platforms, there are still some things that come out of the audit that can effect you on an enterprise basis, or at least did for us.

Adding contract language and approval with outsourcers mid-contract. I added this fourth one because it wasn't an I.T. problem but it was a real problem towards getting compliant.

4 - I don't have any way to really quantify the cost since it has been ongoing, utilizing current tools, and, for the most part, utilizing in-house expertise to implement the "fixes". The external auditors we have utilized for the "Audits" are buried within Audits' budget. PCI compliance audits have, up to now at least, but somewhat different than normal audits in that the Auditors will make recommendations to help comply. Having a good Auditor can be very helpful. They won't let you slide but they can be very helpful on implementing compensating controls that are allowed.

5 - I would say 0% for the last couple of years.

6 - Currently, the deadline is the deadline. In the early days, we were given some leniency by the Merchant but they wanted regular updates on progress on open items and pushed back on time estimates they thought too long.

7 - We are centralized, at least as it relates to PCI compliance.

Member Response 5:

1 - 80-90%

2 - Less than 1 year

3 - Security, removing credit card data, using Billing ID vs Credit Card Number

6 - No

Peer Insight: VMware Licensing

2008-06-16T11:35:00-04:00

Member Context:

Our company has established technical deployment designs, engaged with VMware and has made a decision on VMware as the virtualization solution. ESX, Virtual Center, Life Cycle Manager, Lab Manager, and Recovery manager technology are all in scope and all have significant cost on a unit basis. We are moving to next phase of the project - VMware licensing.

Peer Insight Questions:

1 – Do you have a relationship with VMware, or in the midst of negotiating?

2 - How has your experience been with VMware’s licensing activities including cost and strategies?

3 - How about your experience with VMware’s software and support?

4 – Do you have any experience in executing an Enterprise License with cap levels or open? How many licenses of VM ESX are being acquired?

5 – Would you be willing to discuss these experiences further on a call?

Member Response 1:

1 - Yes, we have a corporate enterprise agreement with EMC

2 - No issues, agreement was negotiated corporately, procurement is not an issue

3 - Excellent experience with VMware, heavily utilized in efforts to centralize and reduce server count

4 - No

5 - Yes, from the perspective of implementation of VM.

Member Response 2:

1 – Existing relationship with VMWare about 1 year old now

2 - Very positive experience, we are realizing a significant ROI. We achieved an all you can use ESX lic, Lab Manager , and about 50 VDI lic for approx $440K with 19% maint renewal.

3 - Very positive so far, solid technical feet on the street

4 – Yes , make sure you get an open all you can eat lic. they try to price it by anticipated demand, so state that you will not be virtualizing the entire shop , this will save money on the ELA.

5 – Yes

Member Response 3:

1 - Yes, we have a relationship with VMWare.

2 - They are expensive, but products work as advertised.

3 - Excellent software, spotty support.

4 - We're a small shop, no plans for Enterprise Licensing yet. We have two ESX licenses.

5 - Yes

Member Response 4:

1 - Current Customer

2 - We currently purchase licenses based based on what we have and we project. We allocate cost to the annual budget to provide us with additional licenses for the following year. We have had conversation with VMWare on enterprise licenses however they have not been able to provide us with a price point breakdown.

3 - First couple of people you talk to do not seem to be very knowledgeable. It takes a few follow up calls before you get to high level technicians.

4 - 86 ESX licenses

5 - Sure

Member Response 5:

1 – Yes, we have a current relationship.

2 - We have not pursued any strategy beyond buying as needed.

3 - Overall, the software has been very good but the support has been just "good". The support organization needs to be more responsive.

4 – No experience with this.

Member Response 6:

1 – We have a direct relationship with vmware account manager and tech sales engineer. We are taking a preliminary look at a enterprise licensing but are not actively negotiating.

2 - Preliminary EL proposal in progress. Nothing to report. Previous licenses purchased through Dell.

3 - Experience with software and support has been very good. No significant functional issues and support has been responsive and engineers capable.

4 – Preliminary EL proposal in progress. Nothing to report.

5 – Potenitally after we have conducted further evaluation of a final vmware EL proposal.

Member Response 7:

1 – Yes we have a direct relationship with VMware.

2 - In the beginning it was difficult to deal with VMware. We believe this was due to them having the best product on the market and no real competition. Since the release of MS Server 2008 and the announcement of MS Server 2008 R2 with the improved hyper-visor, VMware has changed their approach to way they handle our account. They are much more involved and “interested” in what we are doing from a technology perspective. Cost continue to be high but I believe there is acceptable value delivered by their products. Licensing is difficult to manage particularly as we grow and have to make licenses concurrent on renewal.

3 - We have licenses that were bought from HP bundled with hardware and licenses that were bought through a reseller. We’ve found that HP consistently provides better support than VMware does. Our resident VCP would much rather deal with HP on support issues. We believe this may be related to VMware wanted to push people to their “Platinum” support or reduce their level one support. Either way, VMware level one support is not as talented as HP’s level one support.

4 – No experience with EA from VMware.

5 – Yes.

Member Response 8:

1 – Yes

2 - Overall experience has been good. There seems to be a big gap between individual server licensing and Enteprise licensing.

3 - Quality of software has been excellent. I don't recall any quality issues that had any impact on our operations. Support has been very good. We had some complex issues with an IBM SAN and VMware that VMware and IBM worked together to successfully resolve.

4 – We are currently considering Enterprise Licensing.

5 – Yes

Member Response 9:

1 - Somewhat, but more with the resellers, and we are not in the midst of a Vmware negotiation currently.

2 - Painful and difficult. We spent far too much time trying to confirm our licenses and rights based upon different orders submitted to different vendors, and to get them co-termed for future support.

3 - On a scale of 1-10, 10 being HIGH I would rate VMware support as a 10. Technically their support staff understand the ins and outs of VMware and their depth of knowledge has given me invaluable information on common settings VMware customers usually implement. In the past we subscribed to a 3rd party VMware support group which really lacked the depth and expertise for issues I encountered. Procurement and maintenance issues have been problematic.

4 - No.

5 - Not at this time.

Member Response 10:

1 - We current have a relationship with VMWare.

2 - It has been good. There was one occasion where VMWare was confused about the number of licenses we owned. Also, they were confused about a skew number that allowed customers to buy third party support rather than using VMWare. Overall, there have been few problems. License are easy to manage through the Virtual Center console.

3 - We get our support through IBM. It has been fantastic. The VMWare software itself has been very stable. We have had very few problems.

4 - We currently have 18 dual processor licenses.

5 - Yes.

Peer Insight - IT Asset Management Vendors

2008-06-11T10:56:00-04:00

Member Context:

"For IT Asset Management purposes, our company is using Maximo now and it is very difficult to use. We are considering changing vendors but do not know who might be a good replacement."

Peer Insight Questions:

1 - Are you currently using a vendor for your IT Asset Management function?

If so,
A)    Which vendor are you using?
B)    Why did you go with that vendor?
C)    What other vendors did you consider

2 - If you are not currently using a vendor for this function, have you examined this option and the vendors?

If so,
A) Why did you decide against using a vendor?
B) What vendors did you consider?

3 - Have you changed your IT Asset Management Vendor recently? If so, do you have any advice or words of wisdom?

4 - Would you be willing to discuss this topic further on a conference call?

Member Response 1:

1 - No

2 - See Below:

A) Cost
B) HP Peregrine and Remedy

4 - Yes

Member Response 2:

1 - We are not using a vendor's solution today, we are using a "home-grown" SQL database.

2 - We have been in the process of evaluating vendor solutions to replace our homegrown legacy IT Asset Management solution.

A) As indicated, we have been in the process of evaluating vendor solutions.
B) We evaluated Alteris, CA, BMC, Landesk and Microsoft. We are considering Landesk and Microsoft as the optimal solutions to meet our needs from an integrated IT service solution (which includes IT Asset Management).

3 - We have not changed vendors recently, but recommend that you determine up front what the desired end state is from an asset management system (software license management, software metering/ reconciliation, hardware asset tracking, integration of purchasing systems of record, integration of vendor asset records).

4 - Yes

Member Response 3:

Our current system is an internally developed system that is used predominantly for PCs, Servers and laptops.

Peer Insight - "Email Storage Quotas"

2008-06-05T16:51:00-04:00

Member Context:

"We are proposing email storage quotas across the firm and I was looking for input as to what other firms have done in this space."

Peer Insight Questions:

1 - What is the largest message size (message + attachments) you allow a user to send or receive?

2 - At what mailbox size do you warn the user that they are about to go over their quota?

3 - At what mailbox size do you limit the sending and/or receiving of emails? If you do not allow the user to receive emails, what message do you transmit to the sender of the email (that you prevented from getting to the user)?

4 - Do you use the standard Microsoft Exchange warning message or have you implemented a custom message?

5 - Any pointers you might have for communication/adoption would be welcome.

Member Response 1:

1 - 25 MB

2 - Only a small subset of users are quota enforced, of that subset the warning message is sent at 200 MB.

3 - Only a small subset of users are quota enforced of that subset we prohibit sending e-mail at 310 MB and no restriction on receiving. There are many one off exceptions made to this policy as well.

4 - Currently standard but looking and customizing to incorporate instructions for moving items into Enterprise Vault instead of Microsoft's standard response of archiving to .pst files.

5 - Turn on a custom warning message only, with no send/receive restriction and run it nightly. Customize the warning to alert the user of their current mailbox size and offer corporate sponsored alternatives to storing items in the mailbox, such as moving items to a .pst file or archiving items into Enterprise Vault. You could further customize the warning to provide brief instructions on the work around solution and how to contact the Help Desk for additional assistance.

Member Response 2:

1 - 2mb

2 - When someone gets within 10mb of upper limit, a standard sys admin message is received. This can get irritating as every new message received will generate this message when within 10mb.

3 - We do not ever limit receiving messages, but no messages will be sent once the mailbox size reaches the full size limit.

4 - We use the standard messages.

5 - This is a huge cultural change. You need upper management support to enforce this.

Member Response 3:

1 - 10meg

2 - No limit

3 - No limit

4 - Use Lotus Notes no limits and no message

5 - Our legal department requires that we keep all emails.

Member Response 4:

1 - 10 Meg

2 - 80 Meg

3 - 90 Meg users can no longer send mail and receive a message, at 125 meg, which is the quota, they can no longer receive or send mail.

4 - Standard message

5 - Try to be as uniform as consistent as possible with enforcing the quotas. It helped that we initiated these policies when we first went to Exchange several years back.

Member Response 5:

1 - Unlimited.

2 - At 75%, mailbox sizes are variable, but start at 50mb, and vary depending on an individuals role, and their ability to negotiate.

3 - Sending/receiving is not limited, they get a warning with each, and saving of the sent email is restricted if they are beyond the quota.

4 - Standard Lotus Notes messages.

5 - Use Lotus Notes. Seriously, investigate and implement archiving as soon as possible, and make sure that it is searchable.

Member Response 6:

1 - We allow sends of 50M and receives of 100M

2 - We warn at 500M, yell at 750M and put a hard limit at 1G.

3 - We limit at 1G.

4 - Custom message.

Member Response 7:

1 - Internal mail is 50 mb on send and receive. External is 50 on send and not limited on receive.

2 - The quotas are set at 100M, 250M, and 500M depending on the type of location. We warn users when they reach 90% of their limit.

3 - At 100% we stop sending but never stop receiving.

4 - Standard MS warning message.

5 - We implemented these policies in conjunction with our legal department several years ago. We worked with them to publish a policy, then sent communications to every employee announcing the new policies and the changes that were coming to their email accounts. The communications attempted to point out the enormous amount of space used to house emails. We described the space in terms of the number of floppy disks or CDs needed to store the information. Of course, this was several years ago, so floppies were quite common. We also described the legal and financial implications of keeping everything forever. In addition to this, we created an exception process that allowed for users to request additional space through our security department. All exceptions had to receive CIO approval.

Member Response 8:

1 - 10MB

2 - 90MB

3 - Send limit: 100 MB; Send and Receive limit: 200 MB

4 - Standard Exchange warning

Member Response 9:

1 - We have a 16MB limit for outbound mail. No limit for internal mail or inbound

2 - We warn users at 65MB (or 5 MB below their current quota)

3 - We never stop the flow of mail

4 - We use a standard Lotus Notes warning message

5 - Have strict quota policies with a exception process that requires appropriate business justification.

Member Response 10:

1 - Default user message size is set to 10MB. Our infrastructure size limit is set to 20MB (we can increase an individual size limit to the 20MB limit if needed)

2 - Our default mailbox size limits:

Warning - 140MB
Prevent Sending - 150MB
No prevent receiving limit set

3 - See Answers to question 2

4 - We use a custom message

5 - We have always had quotas so we have no first-hand experience in rolling this out. Stating the obvious reasons why is the best approach - reduce storage costs, reduce legal risks with limiting the amount of information/data, ease of administration, etc. If possible prevent PST files as well (or at a minimum restrict their size).

Member Response 11:

1 - Largest message size outbound is 10 MB to external recipients, granted recipient server has to accept this file size also. Internal recipients the limit 25 MBs..

2 and 3 - By default all mailboxes are 300 MB. The system send warning at 280 MB, at 290 MB the user can't send and when the limit of 300 MBs is reached the mailbox is locked out user can't send or receive. There are some exceptions for EMT, legal and some other VPs.

4 - We use the standard messages provided by Exchange

5 - We have found that users to get around quotas on the Exchange server often will setup local pst files. The organization needs to decide if this is a practice that they want to limit.

Member Response 12:

1 - Send Limit = 20MB
Receive Limit = 20MB

2 - Issue Warning = 59MB (Standard). We have one store setup that defines high level managers (12 users) with Issue Warning = 800MB

3 - Prohibit Send = 64MB (Standard). We have one store setup that defines high level managers (12 users) with Prohibit Send = 1GIG
Receive Limit = Unlimited, all users will continue to receive messages.

User will continue to receive messages after their mailbox quota is reached.

4 - We use the standard Microsoft Exchange warning messages.

Peer Insight: Thin Client Business Case

2008-06-03T17:25:00-04:00

Member Context:

"We are considering building a thin client environment; focusing on building a business case. Our company would like to understand where thin client is used among the membership, associated costs, and any advice the membership has on building a business case."

Peer Insight Questions:

1 – Are you currently running a thin client environment?

If so,

A.) For what purpose are you currently using thin client?
B.) Is this usage growing in your company, and where do you see future growth?

2 – If you are utilizing this environment, can you provide any information on the following costs:

A.) Transition and implementation costs
B.) Ongoing “keep-it-running” costs

3 – Do you have any other suggestions, advice, or best practices regarding building a business case for supporting a thin-client environment?

Member Response 1:

1 – Yes, on a limited basis.

If so,

A.) Remote access to deal with client server applications
B.) Ideally we would like thin clients anywhere but will not be pioneers. Looked at a number of options Citrix, terminal Server and boot from SAN that did not make sense based on scale and cost.

2 – See Below

A.) costs Not readily available
B.) costs Not readily available

3 – Use on a limited basis where remote access requires it and for application compatibility

Member Response 2:

1 - Yes

If so,

A.) We have deployed about 40 thin clients in our Stores department for warehouse workers.
B.) We don't see this growing substantially but do expect to have perhaps 100 units live in the future.

2 - See Below:

A.) Our main cost was setting up a separate Terminal Services farm for these units.
B.) Ongoing costs to maintain the thin clients has been reduced from desktops.

3 - The reason we replaced the desktop computer with a thin client was due to constant tampering with the computers. These computers are in a warehouse with many people sharing them and this caused problems with screen savers being changed, desktops being changed, inappropriate pictures, damage, etc. These workers are mobile and can use many different computers throughout the warehouse to do their job but this caused problems as they had to logoff one computer to use another. All of these problems have been solved with Thin Clients and Terminal Services. We don't have the improper use problems and they have profile roaming. Not to mention a reduced unit cost.

Member Response 3:

1 - Yes, Remote users are running Citrix clients. Currently investigating a VDI solution.

If so,

A.) 1) Remote access via Citrix (current)
2) Remote access and internal thin clients via VDI (planned)

B.) Anticipate significant growth in VDI and applications virtualization as well.

2 - Have numbers from past experience, however nothing current until analysis is complete.

3 - VMWare and other vendors provide flexible VDI calculators.
These provide the ability to input server costs, software licensing costs, break/fix costs, desktop costs, thin client costs, etc. and perform a relatively accurate comparison. I have one from VMWare however it is marked confidential. You can probably find something on the web, or request one from your VMWare rep.

Member Response 4:

1 - Yes. All our mission critical applications are Browser-based.

If so,

A.) Customers self-service. Consistency among our Sales/Service/Claims counselors and customers facing applications
B.) Yes, We are in the process of migrating our legacy thick client applications to browser-based applications.

3 - The internet has become a robust platform for delivering rich, user-friendly applications with the aid of technologies such as DHTML, AJAX & JSF. Time-to-Market and Agility are the drivers of the browser-based environments where businesses can serve efficiently to the targeted customers. Web 2.0 will most likely be superseded by Web 3.0 with symantec.

Peer Insight - IT Data Center Staff and Overtime Costs

2008-05-27T09:17:00-04:00

Member Context:

"We have 40 I&O staff running a data center with approximately 400 servers (virtual and physical) including production and development, an IBM z9 mainframe with two different SAN storage providers. These staff numbers do include Server, DBMS, Network, Telephony, Data Center and Infrastructure roles but do not include Help Desk or Desktop support. We maintain approximately 24 critical custom developed applications, and many smaller off the shelf pieces of software. We put approximately 1700 changes through our change management system every year. We are currently operating our overtime at approximately 6.6% of our salary related costs (not including benefits)."

Peer Insight Questions:

1 – How many I&O staff members are running your Data Center(s)?

2 – Does your staff have similar responsibilities as mentioned above?

3 – What % of your salary related costs is overtime?

Member Response 1:

1 - Three

2 - Yes

3 - 0%, all are salaried employees

Member Response 2:

1 - 10 people for 110 servers, an IBM i-series mini, and 2 different SAN platforms, plus several appliances and Exchange.

2 - Yes, almost identical.

3 - None - all of these staff members are salaried. Only help desk and admin positions are paid by the hour and eligible for OT.

Member Response 3:

1 – We have about 60 staff members for a farm of 1000 Windows server instances, 285 Unix server instances, and 800 usable TB of storage.

2 – Our staff does all operational and engineering work for server platforms and storage, as well as the physical data center support (cabling, etc).
We don't do any database support, application support, or network support. Our mainframe and AS400 is outsourced.

3 – Our staff is virtually all exempt so we have almost no overtime. I believe our tape operator is the only non-exempt position.

Member Response 4:

1 - In the context of responsibilities listed above, we have 143 personnel dedicated to the I&O staff for our organization.

2 - Yes, but this would be a portion of our 'Technical Services' team under the Chief Technologies Officer.

3 - None. All of these personnel are salaried and not hourly. A fraction of our Command Center Help Desk (Level I and Level II) support are hourly.

Member Response 5:

We have 26 staff members that run the data center. This includes servers, network, storage, scheduling and operators. We have a z9 and 150TB of SAN storage, 560 wintel servers and 11 AIX boxes and support the network for 6 different locations and subsidiaries. The only overtime that is paid is to our shift operators and that equates to 2.8% of our salary not including benefits.

Member Response 6:

1 - We have a total of 75 employees between our Data and Network centers which encompass the areas you have described.

2 - Yes however our environment is much larger.

3 - Very little as we run shifts and the majority of employees are salaried.

Member Response 7:

1 - About 90 people including managers and supervisors.

2 - This group has the same responsibilities that you list above and some additional duties. The additional duties are: Production Control, which develops all job scheduling (currently maintains about 11,000 unique batch jobs) and manages the release management process for all Infrastructure and application changes; the ERP SAP Basis technicians (the DBA's and the SAP Basis technicians are under the same manager); desktop engineering and 3rd tier support; DR planning and Infrastructure Security; and the storage management and engineering functions.

This group supports about 800 servers - 250 are at remote sites, no mainframe, 8,000 PC's, 600 data circuits, 200 of the remote sites have WiFi, 2 data centers - one is DR, test and QA and the other is production only and we process about 4,400 changes per year; about 80 applications, SAP is almost 80% of the application load.

3 - Almost no overtime. The majority of the people are salaried.

Member Response 8:

1 - 13

2 - Yes

3 - 5% but this includes standby support For after hours.

Member Response 9:

1 - We have 37 FTEs combined on our Server, DBMS, Network, Telephony and Data Center groups. 4 of which are union position and the restmanagement (non-union).

2 - Based on the description above, our shop is close to the same size and our group has similar responsibilities.

3 - We only pay overtime to the union staff. As a result, our overtime is less than 1% of payroll. Based on the time that has been reported in our project management tool, we can tell that the average management person works between 40 and 45 hours per week. Again, the time in excess of 40 hours is not reflected as overtime in our payroll because we do not pay overtime to our exempt employees.

Member Response 10:

1 – We have 29 associates providing first level monitoring and second level support for data center activities. We also have 10 associates staffing our service desk that take level 1 calls. We also have second level teams support fordesktop and collaborative technologies. There are approximately 25
associates in these roles.

2 – Yes, the breakdown you describe is very similar to our environment in terms of the roles. In addition to the staff already mentioned, we have approximately 65 associates in engineering or third level support roles. We have several hundred custom written and purchased software packages that
are supported.

3 – For the 2008 budget year, our overtime costs are 3.4% of our total salary budget. This is down from 4.0% in 2007.

Member Response 11:

1 - 30 I&O staff members

2 - Responsibilities are similar to those described below.

3 - With the exception of the Computer Operator staff, which are hourly, the support staff is exempt. No overtime cost is paid. However, the weekend work, extended upgrade work and extensive off-hours support is compensated via commensurate time off (but not 1:1). The comp time cost would be about 4% of the direct salary (not including benefits impact).

Member Response 12:

1 - See Below

- 15 in Application development production support (support over 60 shared service applications including PPSFT and ADP)
- 10 in Network and Data Security
- 11 in Database Administration
- 16 in Infrastructure Application support (messaging/sharepoint/project server/BES, etc.) and application migrations
- 32 in Data Center Operations (3 data centers running ~2100 servers + hot DR site)

2 - Yes

3 - All except 7 staff are salaried. We do not track overtime for salaried individuals. Computer Operators running ~5% OT.

Member Response 13:

We outsourced our IT infrastructure. For the areas described, I have 3-4 employees acting as 'service managers' who ensure that the outsourced staff do their job - with outsourced staff providing the actual support and management so have limited knowledge/visibility (nor do I neccessarily care) how much overtime the outsourced staff perform.

Member Response 14:

1 - We have 21 FT staff across 2 data centers at which there are ~ 700 physical servers, many Operating Systems (RedHat & Debian Linux, Solaris, Irix, Windows), a large SAN consisting of 7 frames including a Hitachi Tagmastore and apx 700 TB of spinning disk, a somewhat complex WAN involving OC-3 and OC-12 links, an Avaya S8700 plus some remote S8300s, two large tape libraries (several thou=sand slots and over 70 tape drives), but no mainframe. We staff a 24x7 operations center which is responsible for the entire infrastructure as well as the monitoring of key business applications (~ 50).

2 - Yes.

3 - All of our staff are salaried so no overtime.

Peer Insight – Dashboard/Scorecard Metrics Reporting Model

2008-05-12T09:02:00-04:00

Member Context:

"Our company is establishing a Dashboard/Scorecard metrics reporting model to measure and report on efficiencies and performance of overall IT Operations and Support (inclusive of all typical infrastructure support components)."

Peer Insight Questions:

1 - Do you currently use a Dashboard/Scorecard metrics reporting model? If so, what do you use to house the captured data and reporting?

2 - What metrics are reported? Are they for internal IT use or customer or both?

3 - Do you do any comparative analysis with others within or outside your market vertical?

4 - Would you be willing to discuss your efforts?

Member Response 1:

1 - We use various tools, primarily our monitoring platform, to port data into a sophisticated series of spreadsheets. Ultimately, we would like to move to a Sharepoint based dashboard. We use a series of metrics at various levels. The deeper into the organization, the more granular the metrics.

The breakdown is typically:
CIO Level Metrics
      - Availability (server / network)
      - Change Management
      - Helpdesk Metrics (first call resolution, call volumes, etc.0
      - Financial (staffing, budget adherence, etc.)

The Infrastructure team has a package as well drilling into additional details. Managers within the infrastructure team have even more detailed metrics tracked monthly.

2 - Primarily internal to IT. CIO metrics are reported to the Executive Team.

3 - Yes.

4 - Yes.

Member Response 2:

2 - Please see #4 (below) to describe what my report covers. I am not sure whether the IT Quality team shares any part of their scorecard with customers. My report is shared only internally.

3 - I am not aware of any comparative analysis.

4 - The Technical Services Performance Report (TSP Report) is a weekly collection of detailed information, data, and system/device/application availability, which displays/compares performance results over a large span of time (weekly, Monthly, Quarterly, and Annually). The TSP report enables Tech Services Business units to measure how they perform against specified target goals, SLAs, and SLOs. The report also includes expended efforts from Tech Services staff addressing problem tasks and problem ticket updates that address problem resolution for major events/incidents as well as reoccurring issues.

Member Response 3:

1 - No, we currently capture the information from various sources and present in a month end report.

2 - For internal IT only at this time although we would like to get to customer SLA's at which time we would report back to them.

3 - Yes, we compare ourselves to industry best practices as well as with other organizations in the area.

4 - Sure.

Member Response 4:

1 - Just starting on Dashboards - Currently Excel focus, moving to Cognos Dashboards.

2 - Both - Business Units are using the same Dashboard methods, so it's a natural location for sharing of current metrics.

3 - No

4 - Still too early.

Member Response 5:

1 - We publish metrics monthly in a dashboard. The data is housed in different location depending on who is responsible for the metric. Most of it is manipulated in Excel and published in PowerPoint.

2 - Metrics include the following and are for IT management (We track many other metrics at the department level):

- Help Desk - Average Speed to Answer and Customer Satisfaction
- PC Services - Customer Satisfaction
- Primary Production availability to the end user
- Primary Production Hardware Uptime
- Exchange Availability
- Development - Effort and schedule deviation
- QTY of critical tickets not resolved in 4 days

3 - We have benchmarked the Help Desk Metrics

4 - Yes

Member Response 6:

1 - Yes, TSC currently enter the Sev 1 and 2 events metrics in the Balanced Scorecard that is maintained by the Project Management Office. It is loaded in an Excel spreadsheet. The primary source of the metrics is produced in a Crystal report generated from the database of our Altiris Incident Management
(helpdesk) software.

There is a secondary report that is distributed to all IT staff that contains statistics from our helpdesk call center tool, Altiris tickets, Change management and SPAM. This information comes from various sources and IT deparments other than TSC.

2 - See # 1. These metrics are sent to IT staff only.

3 - There is a company yearly report for which we submit metrics around call volume, users supported, and satisfaction survey results.

4 - Yes.