
IT Infrastructure Planning and Implementation

Dr. Gita A. Kumta


School of Business Management
NMIMS (Deemed University)

The Impact of IT on Businesses


Technology is redefining the business model,
and creating major opportunities for
companies positioned to take advantage.
The IT infrastructure is now so intimately
enmeshed with business processes, that it
effectively dictates the pace of change.
Growing dependence of businesses on
Information Technology.

IT as a Financial Responsibility
How should IT investments be designed and managed to ensure alignment with corporate strategy?
What other components are required to realize the full potential of IT?
What are the risk implications of these investments?
How can the value of IT investments be managed over time?

The Four Ares

Alignment: Are we doing the right things?
Integration: Are we doing them the right way?
Capability/Efficiency: Are we getting them done well?
Benefits: Are we getting the benefits?

Source: The Information Paradox, John Thorp

Purpose of IT Management
Reduce duplication of effort
Ensure adherence to standards
Enhance the flow of information throughout an
information system
Promote adaptability necessary for a changeable
environment
Ensure interoperability among organizational and
external entities
Maintain effective change management policies
and practices

Managing IT

Components of IT Management

Application Software

Understanding Requirements
Evaluating Solutions & Options
Identifying the gap
Deploying the solutions

ICT Infrastructure

Hardware
System Software
Network
Data Management

IT Systems Management
Technology: software, hardware, storage and
networks
Policies and Procedures: setting methods
and strategies for maintaining stability,
reliability and maximum utilization
Creating an Organisational Structure:
putting together the resources and skills
needed to achieve systems management goals.
To be managed as a PROJECT

Business Perspective
Collection of best practices suggested to address some of the
issues often encountered in understanding and improving IT
service provision.

Business Continuity Management

Surviving Change. IT infrastructure changes can impact the manner in which business is conducted or the continuity of business operations.
Transformation of business practice through radical change.
Partnerships and outsourcing.

What do we need to do?

Manage
Development
Deployment

Capacity & Connectivity


Operations & Facility

Ensure Business Continuity

Infrastructure Management
Processes
Design and Planning
Deployment
Change Management
Operations
Technical Support

Maintenance Of Information Systems
Systems maintenance is the on-going maintenance of a
system after it has been placed into operation.
Systems maintenance can be categorized into four groups.
Each of these four categories can affect an organization's
information strategy plan in different ways:
Corrective Maintenance
Customized Maintenance
Enhancement Maintenance
Preventive Maintenance

Change
No matter where you are in the system life
cycle, the system will change, and the desire
to change it will persist throughout the life
cycle.
Bersoff, et al, 1980

What is a Change?
Change in the configuration of Hardware /
software on the desktop
Change in the functionality of the system
Change in the configuration of Hardware /
software on the server
Change in the Network configuration
Change in the storage requirements
Change in the location
Change in the Profile
Change in the Business Process

Change Management
Plan or Manage the Change so that users
and System are ready at the same time and
expectations on both sides are matched
There's no change, no matter how awful, that
won't benefit some people, and no change, no
matter how good, that won't hurt some.
Veblen's Principle (Weinberg and Gause 1989)

Components of Change Management
Strategies for awareness, acceptance &
incorporation of change into the organization's
environment
Systems Administration of hardware and
software components
Version and Change Request Control
Conducting business differently (Business
Process Reengineering).
Changes in Roles: requires knowledge transfer
and skill development.

Change Management Processes


Change Manager

Development Project Team

Prepare Users

Prepare System

Convergence

Key Principles of Change Management
Steering Committee Must Have Product and Process
Champions or Stakeholders
Communication needs to be multi-channeled (up is as valued
as down)
Conflict resolution and knowledge acquisition are
collaborative (information sharing not hoarding)
Implementation Team (change management team) has a
structure and roles of individuals are defined
Resistance to Change is always there but may be hard to
detect until after Go Live (Be Proactive)

Who initiates a Change in the Application?

End-user
Application developer
System Administrator
Database Administrator
Project Manager
AMC Vendor

Change Management
A Process to control & Coordinate all changes to
an IT production environment
Control involves:
Requisition
Prioritization
Approval

Coordination involves:

Collaborating
Scheduling
Communicating
Implementing changes

Several flavours of change management

Scope Change Control


Request: submit a change proposal
to a reviewing board
Prioritize: specify priority of change
based on criteria already agreed
upon
Approve: recommend for
implementation or defer

Storage Management
Optimizing involves ensuring :
Maximum amount of usable data is written &
read at acceptable rate of response
Availability of adequate amount of storage
space

Protecting integrity implies:


Data will always be accessible to authorized
users & it will be changed only by them
Reliable backups are available for recovery in
the event of loss of data

Backup and Recovery


Backup - an exact copy of a system's
information
Recovery - the ability to get a system up and
running in the event of a system crash or failure
and includes restoring the information backup

Major Backup Considerations

Backup window
Restore times
Expiration dates
Retention periods
Recycle period
Generation data groups
Offsite retrieval times
Tape density, format, packaging
Shelf life
Automation techniques

Types of Data Back-up


Physical backup: copying the data as it
resides physically on the disk without regard
to database structures or logical organization
Three categories:
Full backup:
Incremental backup
Online backup

What is a Disaster?
Any unplanned event that requires immediate redeployment of limited
resources

Natural Forces
- Fire
- Environmental Hazards
- Flood / Water Damage
- Extreme Weather

Technical Failure
- Power Outage
- Equipment Failure
- Network Failure
- Software Failure

Human Interference
- Criminal Act
- Human Error
- Loss of Users

Disaster Recovery System / Business Continuity Planning
Disaster Recovery System (DRS)
Process, policies and procedures related to preparing for recovery or
continuation of technology infrastructure critical to an organization
after a natural or human-induced disaster.

DRS covers planning for resumption of applications, data,
hardware, communications (such as networking) and other
IT infrastructure.
It is a subset of a larger process known as Business
Continuity Planning (BCP).

Disaster Recovery / Business Continuity Planning

Disaster Recovery Planning: the strategic and detailed planning for the timely restoration of information technology, network and telephony following a disaster.

Business Continuity Planning: the strategic and detailed planning for the timely restoration of vital business/support functions following a disaster.

Business Continuity Planning (BCP)


A plan for how an organization will recover and restore partially or
completely interrupted critical function(s) within a predetermined
time after a disaster or extended disruption.

Why Business Continuity?


The Cost Of Downtime

LEGAL/REGULATORY
- Contractual Requirements
- SLAs
- Regulatory Requirements

PRODUCTIVITY
- Loss Of Productivity
- Employees Impacted @ X Burdened Hourly Rate

REVENUE
- Direct Loss
- Lost Future Revenue
- Billing Losses
- Investment Losses

FINANCIAL PERFORMANCE
- Revenue Recognition
- Cash Flow
- Payment Guarantees
- Stock Price
- Credit Rating

REPUTATION
- Customers
- Suppliers
- Financial Markets
- Banks
- Business Partners
- Etc.

OTHER EXPENSES
- Temporary employees
- Equipment Rental
- Overtime
- Extra Shipping Costs
- Travel Expenses
- Etc.

Lost Market Share

Creating BCP/DRP
Identify the scope and boundaries of the business
continuity plan. This establishes the limitations
and boundaries of the plan.
Conduct a Business Impact Analysis (BIA).
In case of disaster, each department has to be
prepared for the action.
The BCP project team must implement the plan.
The National Institute of Standards and Technology has
published tools which can help in creating a BCP.

Disaster Recovery

DRS Strategies
Prior to selecting a disaster recovery strategy, a
disaster recovery planner should refer to their
organization's business continuity plan.
The organization's business continuity plan should
indicate the key metrics of
Recovery Point Objective (RPO) and
Recovery Time Objective (RTO)
for various business processes (such as the process to
run payroll, generate an order, etc.).

Disaster Recovery Site


Hot site - a separate and fully equipped
facility where the company can move
immediately after a disaster and resume
business
Cold site - a separate facility that does not
have any computer equipment, but is a
place where employees can move after a
disaster

Disaster Recovery
Disaster Recovery Plan - a detailed process
for recovering information or an IT system in
the event of a catastrophic disaster such as a
fire or flood
Disaster Recovery Cost Curve
Cost of the unavailability of information and
technology
Cost of recovering from a disaster over time.

Perspective on Capacity Planning


A server operating at 60% capacity is good
news for a performance tuning specialist but a
matter of concern for a financial analyst who
views the 40% as unused resources and
wasted costs.

Capacity Planning
A process to predict the types, quantities, and timing
of critical resource capacities that are needed within
an infrastructure to meet accurately forecasted
workloads and ensure adequate capacity.
Ensuring adequate capacity involves:
Types of resource capacities required such as servers, disk
space, or bandwidth
Size or quantity of resource in question
Exact timing of when the capacity is needed
Thorough forecasts of anticipated workload demands

Capacity Planning and Capacity Management
Capacity Planning is a Strategic activity
Focuses on the future - based on workload
forecasts
Capacity Management is a Tactical activity
Focuses on the present - involves optimising
the utilisation and performance of the
infrastructure resources

Resources to be Considered

Network bandwidth
Centralized disk space
Centralized processors in servers
Channels
Tape drives, cartridges, etc.
Centralized memory in servers
Centralized printers
Desktop processors
Desktop disk space
Desktop memory

Workload Forecast Worksheet

Columns: Item; Current Status; Forecast (6 months, 1 year, 2 years)

Items:
- Total users
- Concurrent users
- Transactions per day
- Disk space required (GB)
- Expected response time (sec)
- Print requirements (pages/day)
- Backup requirements
- Desktop processing requirements
- Desktop disk requirements
- Desktop print requirements
- Remote network requirements

Network Management Process Integration


An effective network management process will
have strong relationship with the following six
system management processes:
Availability
Performance & tuning
Change management
Problem management
Capacity planning
Security

Incident Handling
Response by a person or organization to an attack.
An organized and careful reaction to an incident

Sequence of steps that need to be followed


Preparation
Identification of Attack
Containment of Attack
Recovery and Analysis

What are Problems?


Problem with desktop
- Not booting
- PC hangs
- Office software does not work
Production service interruption
- Inability to access the network
- Extremely slow response to online applications
- Functionality problem within applications

Problems, Changes & Requests


Changes may cause problems or can be a
result of a problem
Problem may cause a change or may be the
result of a change
Requests apply to individuals requesting
services or enhancements
Initial input may be similar but managing
each will vary significantly

Developing a Problem Management Process
Select an executive sponsor & assign a
process owner
Assemble a cross-functional team
Establish a priority & escalation scheme
Design call handling process
Select & implement a call-tracking tool
Negotiate service levels
Review metrics continually to improve
process

Sample Priority & Escalation Scheme

Critical (impacts business & systems)
- Description: Total system or application failure or loss of availability
- Example: database corrupted
- Response time: Immediate
- Escalation time: 30 minutes

Serious (impacts a system or functionality)
- Description: Major system or application failure
- Example: Billing centre down
- Response time: 1 hour
- Escalation time: Daily

Moderate (some impact on system or functionality)
- Description: Some system or application failure
- Example: Individual desktop problems
- Response time: 4 hours
- Escalation time: Daily

Low (minimal impact on business operations)
- Description: Some peripheral failure
- Example: Report format problems
- Response time: As able
- Escalation time: Weekly

Problem Management
Opening of problems: registering problems.
Properly opened tickets can lead to quick closing
of problems or escalation
Closing of problems: customer's confirmation that
the problem resolution activity was satisfactory &
that there is no recurrence
Closing a problem is distinct from resolving a
problem
A problem is closed only when the customer is
satisfied

Data Security and Compliance


Common Questions
Where is my confidential data?
Where is my data going?
Who is using data?
How can I protect it?
What is the impact of losing crucial data?

How do I get started?


How much does it cost?

Common Types of Attacks

- Organizational attacks
- Automated attacks
- Accidental breaches in security
- Viruses, Trojan horses, and worms
- Denial of Service (DoS)

[Figure labels: Attackers, Restricted Data, Connection Fails (DoS)]

Layers of Security

Physical Security
Personal Security
Operational Security
Communications Security
Network Security
Information Security

Security Model
Protection = Prevention + (Detection + Response)

Prevention
- Access controls
- Firewall
- Encryption
- Anti Viruses

Detection
- Audit Logs
- Intrusion Detection System
- Anti Viruses

Response
- Backups
- Incident Response teams
- Computer Forensics

Information Security Criteria

Authentication: Who are you?
Authorization: What can you do?
Confidentiality & reliability: Privacy & dependability
Monitoring & tracking: What did you do?
Backup & recovery: Rebuilding the system
Physical security: Locking the others out
Change Management: Protecting the business process
Legal Requirements: What the law expects
Training & awareness: What you need to know
Contingency planning: What if?

Security Management
Data & programs are critical corporate assets to
be protected through policies that are
developed, approved, implemented & enforced.
A process designed to safeguard the
availability, integrity, & confidentiality of
designated data & programs against
unauthorized access, modification, or
destruction.

Corporate Information Security Management - Process Flow

Development
- Develop Corporate Information Security Policy
- Develop Controlling Framework
- Develop Support system Framework

Monitoring
- Monitor & Review Information Security Policy Awareness
- Monitor & Review Information Security Level for the Servers & Desktops (PC, Notebook, and else)

Measurement
- Measurement of compliance to ISO 27001 & COBIT
- Analysis of system vulnerabilities
- Analysis on Information Security incidents
- Review of existing policies

Improvement
- Maximize the use of all application of information security management
- Sharing good practice in information security management across business units
- Improvement of existing policies

Policies, Standards & Procedures


Policies Formulated by Senior Management.
Standards are built on sound policies.
Practices, Procedures and Guidelines.
Detailed rules / steps required to meet
standards.

Contents of Policy Documents


Data Classification: Defines data security categories,
ownership and accountability
Acceptable Usage Policy: Describes permissible
usage of IT equipment/resources
End-User Computing Policy: Defines usage and
parameters of desktop tools
Access Control Policies: Defines how access
permission is defined and allocated.
After policy documents are created, they must be
officially reviewed, updated, disseminated, and tested
for compliance.

Security Architect: Control Analysis

Dimensions: Policy, Placement, Implementation, Efficiency, Effectiveness

Do controls fail secure or fail open?
Is policy restrictive or permissive (denied unless expressly permitted, or vice versa)?
Does control align with policy & business expectation?

Where are controls located?
Are controls layered?
Is control redundancy needed?

Does control protect broadly or one application?
If control fails, is there a control remaining (single point of failure)?
If control fails, does the application fail?

Have controls been tested?
Are controls self-protecting?
Do controls meet control objectives?
Will controls alert security personnel if they fail?
Are control activities logged and reviewed?

Are controls reliable?
Do they inhibit productivity?
Are they automated or manual?
Are key controls monitored in real-time?
Are controls easily circumvented?

Customer Service
Elements of good customer service
- Identifying your key customers
- Identifying key services of key customers
- Identifying key processes that support key services
- Identifying key suppliers that support key processes.

Know Who's using What and How it's being supplied.

Key Customers of IT Services


Someone whose success critically depends
on the services you provide.
Someone who frequently uses, or whose
organization uses, your services.
Someone who has significant impact on
your organisation. Someone who, when
satisfied, helps assure your success as an
organization.

Key Services of Key Customers


IT Professionals normally agree to Project
schedules that cannot be met, Availability levels that
cannot be reached, Response times that cannot be
obtained and accept Budgets that cannot be
enhanced.
Negotiating and Managing Realistic Customer Expectations.

- Face-to-face interviews with key customers
- Explain nature & cause of the problem, what is
being done to resolve and prevent it in future

Points that undermine Good Customer Service
Presuming your customers are satisfied
because they are not complaining
Presuming that you have no customers
Measuring only what you want to measure to
determine customer satisfaction
Presuming that written SLAs will solve
problems, and ensure great customer service

The Universal Truth


An unreasonable expectation, rigidly demanded by an
uncompromising customer and naively agreed to by a
well-intentioned supplier, is one of the major causes of
poor customer service.

People Management
No matter how well you design and
implement the IT management
function and processes, they are likely
to fail if adequate attention is not given
to the 'people issues'.

Acquiring Executive Support


Build a Business Case: Cost-Benefit Analysis
Highlight application of Cost effective
technology rather than Tech itself.
Educate Executives on the value of Systems
Management.
Managers love alternatives, hate surprises and
appreciate meaningful business metrics.

Business Case for System Management Function
Value to Business - Cost-Benefit Analysis

Software enhancement

Software maintenance

Hardware upgrades

Hardware maintenance

Scheduled outages

Recruiting

Training

Office space

Information Systems Organization


System Management groups need to evolve
their organizational structures so as to succeed
in delivering the service levels required by the
organization.
Most companies start with a structure, which
has three basic functions
- Application development & maintenance
- Operations
- Infrastructure management

Organization of IT System Function

IT Manager / CIO

Systems development
- Analysis and Design
- Programming
- Documentation
- User training

Operations
- Production support
- Data entry
- Computer operations

Technical support
- Systems administration
- Database administration
- Data Communications

Security Professionals and the Organization

Chief Information Officer (CIO)


Translates the strategic plans of the organization as a whole
into strategic information plans for the Information Systems.

Chief Information Security Officer (CISO)


Assessment, management and implementation of securing the
information in the organization.

Staffing of Systems Management Functions
Skill sets and Skill levels

Basic Characteristics
Attitude, Aptitude, Applicability, Experience
Process of selection of staff
Retention of staff

Training, counseling, job enrichment

Implementing IT System Management
Every IT organization wants to be known
for its proactive monitoring and automated
Service Level Management.
Cost to Manage
Hardware, Software, & Maintenance.
Facilities: building, cooling, electricity,
access control, disaster recovery sites.
People: design, operations, support.

Supporting Systems
Asset Management: If you know what
resources you have used in the past, you can
better plan for the future.

Analysis: identifying potential problems before
they happen.
Reporting: Quick notification gives a jump to
the technical team who repairs the service.
Knowledge Management: Repository of
failures and resolutions - effective training tool.

How does one manage IT Infrastructure?
Information Technology Infrastructure
Library (ITIL) is the most widely accepted
approach.
Developed by the United Kingdom's Central
Computer and Telecommunications Agency
(CCTA).
ITIL is currently maintained and developed by
the Office of Government Commerce (OGC).

IT Infrastructure Library (ITIL)


ITIL is a set of best-practice standards for
Information Technology (IT) service management.
Provides businesses with a customizable
framework of best practices to achieve quality
service.
Consists of a series of books giving guidance on
the provision of quality IT services and the
facilities needed to support IT.
ITIL framework: Eleven disciplines, two sections
- Service Support
- Service Delivery

ITIL Service Support Model

[Diagram: Service Support processes with their inputs and reports]

The Business, Customers or Users: Difficulties, Queries, Enquiries; Communications, Updates, Work-arounds
Monitoring Tools: Incidents
Service Desk: Customer Survey reports
Incident Management: Service reports, Incident statistics, Audit reports
Problem Management: Problem statistics, Problem reports, Problem reviews, Diagnostic aids, Audit reports
Change Management: Change schedule, CAB minutes, Change statistics, Change reviews, Audit reports
Release Management: Release schedule, Release statistics, Release reviews, Secure library, Testing standards, Audit reports
Configuration Management: CMDB reports, CMDB statistics, Policy standards, Audit reports
CMDB: Incidents, Problems, Known Errors, Changes, Releases, CIs, Relationships

ITIL Service Delivery Model

[Diagram: Service Delivery processes with their inputs and reports]

Business, Customers and Users: Queries, Enquiries; Communications, Updates, Reports
Service Level Management: Requirements, Targets, Achievements; SLAs, SLRs, OLAs, Service reports, Service catalogue, Exception reports, Audit reports
Availability Management: Availability plan, AMDB, Design criteria, Targets/Thresholds, Reports, Audit reports
Capacity Management: Capacity plan, Targets/thresholds, Capacity reports, Schedules, Audit reports
Financial Management for IT Services: Financial plan, Types and models, Costs and charges, Reports, Budgets and forecasts, Audit reports
IT Service Continuity Management: IT continuity plans, Risk analysis, Requirements defn, Control centers, DR contracts, Reports, Audit reports
Management Tools: Alerts and Exceptions, Changes

Executives are asking tougher questions...

Columns: The past; Today
Rows: CEO; CIO; IT Manager

Am I sure that my business can keep going in a crisis or emergency?
Do we have service level agreements with our users?
Are we building operational excellence into our IT service?
If the system fails, how quickly can it recover?
Do we really need a disaster recovery plan?
How can we get the right levels of security & availability in our new system from day one?

Need for Value Management

Focus Areas Constituting IT Governance

Strategic alignment
Value delivery
Resource management
Risk management
Performance measures

IT Governance: CobiT 4.1


Consists of the leadership, organizational structures
and processes that ensure that the enterprise's IT
sustains and extends the organization's strategies
and objectives.

COBIT structure: COBIT covers four domains


Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate

What is Val IT?
Primarily targeted at IT-enabled business
investments in sustaining, growing or
transforming the business with a critical IT
component.
Provides a comprehensive, structured and
proven-practice based source, including the
overall governance framework and supporting
processes to maximize the return on IT-enabled investments.

What does Val IT do?


Fosters the partnership between IT and the rest of the
business
Assists the board and executive management in
understanding and carrying out their roles related to
IT-enabled business investment
Helps enterprises make better decisions on where to
invest in business change
Provides a common language for executives, business
management and IT professionals to ensure IT-related
investments are in line with business strategy
