Evolvent Magazine, Volume 1, 2007: Secure Technology Innovation. Making a Difference in IT

Cover: Wireless Security (Page 6); Making Web-based Data Repository Applications Work (Page 11); Planning for Disasters (Page 18); An Evolvent Strategy for Requirements Management and Service Assurance (Page 35)




In This Issue:

Page 6: Wireless Security, Guy Sherburne, Vice President, Evolvent

Page 11: Making Web-based Data Repository Applications Work, An Evolvent White Paper

Page 18: Planning for Disasters, Guy Sherburne, Vice President, Evolvent

Page 24: Evolvent’s Management and Technology Consulting Practice, Elizabeth Obenchain, Vice President, Evolvent

Page 28: Creating a Security Savvy Workforce, A Symantec White Paper

Page 35: An Evolvent Strategy for Requirements Management and Service Assurance, An Evolvent White Paper

Page 41: A New Era for Expert Systems, Paul Dimitruk, Founder and CEO, PortBlue Corporation

Evolvent Magazine, Volume I, 2007

Editor-in-Chief: Paul Ramsaroop

Editors: Jennifer Cupka, Stella Ramsaroop

Contributing Writers: Bill Oldham, Guy Sherburne, Elizabeth Obenchain, Paul Dimitruk, Symantec

Design: [email protected]

Evolvent Magazine, published by Evolvent Press. Statements contained herein may constitute forward-looking statements that involve risks and uncertainties. Due to such uncertainties and risks, readers are cautioned not to place undue reliance on such statements. Copyright © Evolvent, 2007. All rights reserved.


Bill W. Oldham, Chairman & CEO, Evolvent

Falls Church, Virginia

Making a Difference in IT, Secure Technology Innovation

Welcome to the new Evolvent Magazine! We hope you find interesting perspectives and valuable content as you read through this issue, which we’ve focused on technologies and processes our leaders believe will make a difference for your organization. Our writers explore technologies, processes, and management tools that will drive secure technology innovation for our customers.

All too often it seems that technology projects fall into a trap of failure and rework that drives up costs and impedes or damages performance. As Evolvent has changed and expanded over the last few years, our teams in commercial and federal sector engagements have noted a wide range of pitfalls and challenges faced by today’s networked virtual organizations. In particular, many types of security concerns continue to top the list of the CEO’s or CIO’s priorities.

One lasting and vital change in our view, though, from the “dot com” days is the renewed focus on delivering value, or really driving business performance, through information technology. At Evolvent we think of this in terms of driving performance with technology paired with a well-constructed security model and an acceptance of innovation as a core value in managing technology programs.

This issue includes a wide range of topics, including:

• Business Continuity Planning (COOP) / Disaster Recovery – this article focuses on the key elements necessary to build a strategy and plan for your organization to cope with catastrophic events.

• Agile Consulting – this article highlights our process and management consulting viewpoint – delivering value for customers who need agile, fast, and innovative results from consulting projects.

• Wireless Security Concepts – this article highlights the security threats inherent in wireless networks.

• Consolidated Web-based Data Repository Applications – this article showcases concepts and ideas to achieve more productive and lower cost web-based data management applications based on our teams’ experience in the federal and non-profit sectors.

• A framework for service assurance – this article examines a methodology for managing requirements and supporting the need for service assurance.

We are pleased to showcase our partnership with Symantec Corporation for enhanced security learning services. Our organizations cooperate on training projects, developing white papers and web-based curricula in the field of information security. Symantec’s industry thought leaders have contributed an excellent article on creating a security savvy workforce.

We are also pleased to include an article on building expert systems from a new Evolvent partner – PortBlue. Paul Dimitruk, PortBlue’s CEO, discusses advances in software that captures domain expert know-how and structures that know-how into work process and decision support tools.

We have tried to focus this magazine on innovative thinking and analysis for both technology and process issues and explore new ways of thinking about technical problems and hope that working together we can drive more creativity for the federal government and commercial customers.

As noted before, it is imperative in most if not all of today’s organizations that we extract greater value from shrinking IT budgets and ensure that technology creates value for the enterprise on a daily basis. Our belief at Evolvent is that new solutions, new processes and new ways of thinking about business problems help those of us in the technology trade to really make a difference for the communities we serve.

We hope you enjoy this edition of our Magazine and look forward to working with you in the coming months.

Best regards,

Bill Oldham Chairman and CEO


Wireless Security

by Guy Sherburne, Vice President, Evolvent

Introduction

Each day, new technologies are announced that change the way businesses and people communicate. During the past few years, the industry started to solidify decade-old concepts and new technology designs to make 802.11x standards for wireless Internet connections a reality, even for the home user.

Enterprises and users are adopting wireless LANs (WLANs) for the convenience of rapid connections without relying on wired infrastructures. With a WLAN, users experience performance levels approaching a wired connection and are free to work and communicate from any location supported by wireless infrastructures.

While WLANs are convenient and provide immediate connectivity, they introduce unique challenges to the network and its users. New security concerns, not present in wired LANs, come to the forefront. Wireless LANs provide a unique entry point for attackers to gain access to the network and the data it carries. This vulnerability is particularly challenging as the wireless reach extends beyond the bounds of walls and building infrastructure. Today’s IT departments are confronted with a wildly popular networking technology that is very difficult to secure.

Most organizations are not aware of the multitude of wireless vulnerabilities that exist. Wireless technology operates on radio frequency (RF). RF signals have been susceptible to interception, monitoring, and intentional interruption for nearly 100 years. Today’s wireless technology is susceptible to the vulnerabilities encountered by wired networks, plus several new problems to include…over saturation.

The focus of this paper is on wireless security with little information on technology. The problems noted in this paper denote issues uncovered by the Evolvent Cyber Security team, and some of the solutions we have provided to our government and commercial clients.

Basic Challenges of Mobile Networking with Wireless LANs

Security: Outsiders with basic radio equipment can easily observe and inject traffic on a wireless LAN. A wireless LAN is uniquely open, creating challenges for protecting sensitive transactions such as the exchange of passwords and other authentication information. Data carried on radio connections also requires careful screening of all traffic originating on the airwaves to verify the traffic’s origin and integrity. Wired LANs do not suffer from these problems. While anyone connected to a wired LAN can observe and inject traffic onto the network, malicious attacks are far less likely since wired connections are usually given only to trusted members of the enterprise.

Mobility: Users of wireless LANs can freely move within an organization. For many networks, user movement can disrupt carefully planned network topologies and internal security measures. Cross-subnet movement can also disrupt the user’s experience, causing lost connections and sometimes forcing applications to be restarted.

Mobile devices often lack the processing power needed to support complex, demanding security applications. New security solutions must be efficient and compact in order to support the variety of mobile devices in enterprises today.

Management: Managing a mobile population presents a set of unique challenges. Policy enforcement should be independent of user location and tightly integrated with existing network management tools.

Five Basic Classes of Wireless Threats

Some threats to WLANs mirror those found in wired networks. Classifying wireless threats into categories simplifies an organization’s incident response process and its proactive patch mitigation process. The Evolvent security team uses these categories of wireless threats in the incident response process implemented for the Army Medical Command. Broadly, the threats to wireless technology can be placed into the following five basic categories:

• Passive Attack – A passive attack is a non-intrusive event that gives an intruder access to information exchanged with wireless Access Points (AP), amounting to eavesdropping or theft of data. Such an attack does not intrude upon your network, is often referred to simply as “eavesdropping,” and is rarely detectable with today’s tools.

• Active Attack – An active attack, as the term suggests, occurs when an intruder intends to alter, destroy, intercept, or force interaction between WLAN devices. These attacks are intentional acts done with malicious intent. The good news is that this form of attack leaves signatures that are detectable with the proper tools or defenses, provided they are set up in advance.

• Negligence – Much like the wired network environment, negligence is not intentional in nature. Many of the security issues are traced to lack of proper training for IT support staff and users of the new and emerging technologies. Administrators are often too busy to stay abreast of technology changes and potential vulnerabilities. A formal vulnerability notification process helps the staff and users stay abreast of threats and changes in technology.

• Wired Network Attack – The same attacks facing the wired world are present in the wireless environment. Once a wireless device is connected to the wired network, it is susceptible to exploitation from events occurring on the wired network, such as network browsing, port scanning, OS flaws and exploits, denial of service attacks, application flaws and so forth.

• Specific Wireless Vulnerabilities – These vulnerabilities depend on the type of system, and the threat may be passive, active or both. Examples include Service Set Identifiers (SSID) broadcast in the clear, encryption reliant on WEP only, no real user identification and authentication, Man in the Middle attacks, or even a rogue AP set up within range of the authorized AP to steal traffic or allow unauthorized users to join the network.


Wireless Security Threats

While the vulnerabilities and threats experienced by the hard wired networks may mirror those in the wireless networks, the wireless world does have a few security issues that need to be understood and addressed in architectures that process government information, financial data, or patient information. This portion of this paper identifies the nine major threats facing wireless technology. Each threat identified in the following paragraphs will fit into one or more of the threat categories previously identified.

Default or Factory Settings – Like their brothers in the hard-wired environment, nearly all wireless hardware and software vendors use special or privileged accounts and access codes when developing systems. Hackers and criminals collect these secret or “default” accounts and access codes whenever they are found and share them with each other. These privileged accounts are not always closed before the product leaves the plant for marketing, and they are rarely documented in the user manuals. Using the backdoors left by the vendor, unauthorized access for illegal activities is easily obtained and normally goes undetected.

In addition to the default access, the “out of the box” configurations are often set at the product’s lowest security threshold to maximize the probability of the product working correctly and so reduce customer problems, complaints and calls. Many APs are set up without any security configuration changes being made, and wireless devices are used without basic virus protection.

Not All WLANs Are Created Equal

The Institute of Electrical and Electronic Engineers (IEEE) uses the trademark “WiFi” to denote the 802.11 set of WLAN standards, and the entire 802.11 family. As new modifications to the standard are discussed and tested by IEEE membership, some manufacturers step ahead of the standard and implement features that have not yet been agreed upon and that lack the necessary security features. Organizations whose wireless devices must meet government or legal standards need to check the approved products list, look for standardization within their communication environment, require security features that meet policy criteria without additional cost, and avoid focusing on the latest wireless equipment.

In some instances, a manufacturer’s equipment has security features that are proprietary to its product line, and if you enable those features, you lose the product’s IEEE “WiFi Interoperability Guarantee.”

Lack of True Authentication

Access points (AP) do not really have an “Authentication Method” of their own. There is no required “login” with a user name and password, which means little or no logging, tracking, accountability or oversight. Government policy, to meet FISMA requirements, directs user authorization for access to government networks and sensitive information. Fortunately, there are several FIPS-approved software and hardware security products that ensure authenticated access for each user.

Organizations contemplating wireless should try to leverage existing authentication methods into their wireless implementation such as CAC policy, RADIUS, Windows Domain or Active Directory controllers. Even a Virtual Private Network or “token based” challenge is preferable to none at all.

One major wireless network configuration security capability that should be implemented is the ability to block access to wireless devices that were reported lost or stolen by the user and the possible capability to erase all data on the system.

Wireless Communications Can Be Recorded

Wireless networking is the transmission of network communications across the air Radio Frequency (RF). With the right equipment, anyone can listen in on nearby WiFi communications. By default, all encryption is turned off, allowing anyone to eavesdrop on your email, chat sessions or sensitive transactions.

The WiFi standard comes with a built-in encryption algorithm called WEP (Wired Equivalent Privacy). Due to its poor design, WEP is crackable within 24 hours, but it is better than no encryption at all. Turning on WEP is like locking the front door to your house and leaving a back window wide open. You should enable it and then immediately change the WEP key from the defaults, to prevent anyone with the default keys from getting into your system. Some vendors allow for what is now called dynamically or session generated WEP keys, where the keys change every time a user logs on or are automatically altered on a regular basis. This turns your encryption key into an evolving and ever-changing target. Department of Defense wireless devices, those approved for use, are adaptable for use with CAC card and encryption-at-rest software.

There are other products available such as “Virtual Private Networks” (VPNs) that encrypt the entire framed session not just the data portion. VPN encryption compared to WEP would be equivalent to scrambling the entire envelope, not just the letter contained inside.

Broadcast Service Set Identifiers (SSID) “In the Clear”

Each AP is capable of broadcasting “Beacon Packets,” broadcasts that guide clients to the AP and carry the AP’s SSID. These names are used to help easily identify your equipment and manage your wireless network resources. Every AP of course comes with a default SSID, and there are web sites that list all of them. Just like configuring a hard-wired server, the SSID should be changed immediately, preferably to an alphanumeric one similar to a system password. If a would-be intruder knows the SSID of the APs in use on your network, then it is a relatively simple matter for them to tell their remote system (laptop or PDA) to join that network. Unless other protections are in place to stop them (MAC filtering, username authentication, VPN, WEP keys, etc.), the intruder can tell the remote computer the SSID to join and be on your network in less than 2 minutes.

Before purchasing an AP, ensure the device allows for configuration changes that will tighten security and reduce the AP’s fingerprint on the airwaves.

Wireless Cards Broadcast Their MAC Address

All network interface cards (NICs) have a unique Media Access Control (MAC) address, a hardware identification code that is supposed to uniquely identify each node of a network. This ID helps clients understand which AP they are talking to (by address) and vice versa, and helps the network equipment properly route all inbound and outbound packets of data to and from the right systems.

Unfortunately, MAC addresses can easily be spoofed. If an intruder “listening in” can grab the right addresses, it is then possible to “assume the identity” of either or both the client and AP. Assuming the ID of the client will cause the AP to return all data to the intruder, while becoming the AP’s ID will cause the client to talk to the wrong device.

We highly recommend using MAC address filtering to control access to the AP serving as a deterrent to intruders. MAC filtering will only allow registered network cards to access the network and helps to serve as an access control mechanism.

Improperly Placed Access Points on Your Network

If an AP is improperly placed behind the firewall of your network, it circumvents all security features that the firewall or intrusion detection systems provide your organization and exposes your internal network to threats. We highly encourage placing the AP outside the firewall: if it is then compromised, the intruder will still have to find a way inside the defensive ring of the firewall, just like every other intruder on the Internet.

DoD policy does require wireless devices to have firewalls, IPS and virus protection. However, several of the available wireless devices have not matured to the level where administrators are able to prevent users from disabling the security settings, leaving a potential backdoor to the wired network.

Poor Physical Location of the Access Point in the Building

As previously discussed, WiFi signals are RF transmissions that radiate off the antenna in a direction determined by the antenna. Each antenna and its radio have a “footprint” or radiation pattern that denotes how far away from the point of emission (the antenna) the signal can be received without the aid of special equipment.

RF signals do not stop where your organization’s wall stops. They radiate out from the antenna, bleeding through the doors, windows and walls of a building, into the surrounding streets, parking lots or adjacent structures. AP placement is important. By using the incorrect antennas, placed in poorly chosen locations, a WLAN’s footprint will be larger than necessary and easy to find. Such conditions can lead to signal leaks and frequency crowding.

If care is not given to the location of omni-directional antennas (for example, placing them toward the center of your buildings), then signal leakage will be more visible to those outside the building. An AP that radiates outward, or shaped directional antennas pointed in the wrong directions, can cause your organization’s signal to shoot out of the building, practically into the laps of waiting WarDrivers and other eavesdroppers.

The output powers of some APs on the market are configurable, and care must be taken to ensure the wireless network is properly set up to prevent leakage and unwanted foot printing.

WarDriving and Rogue Access Points

The term “WarDriving” is derived from an older security concept called “WarDialing,” a process used by hackers to dial endless banks and blocks of telephone numbers in search of an unlisted, non-secured modem for accessing a system. Anyone with the right RF scanner and support equipment is able to listen in on or view RF traffic flying through the air; this is “WarDriving.” There are groups of individuals who hunt for APs using sniffer programs, downloaded free from the Internet, along with a laptop or handheld wireless-enabled device.

Solid organizational procedures and accountability policy help to prevent rogue, unauthorized APs from being set up (and subsequently identified by WarDriving efforts), and provide for reporting lost or stolen devices. Thousands of laptops and PDAs are lost, misplaced or stolen in airports, hotels, lounges and restaurants every year.
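Several of the conditions described in this paper (a factory SSID still in use, an authorized AP running open or WEP-only encryption, a rogue AP advertising the corporate SSID, and an authorized AP's MAC address being impersonated, as covered under “Wireless Cards Broadcast Their MAC Address”) can be caught by regularly auditing a site survey against the AP inventory. The following Python script is an added example, not code from the article or from Evolvent; the inventory, the factory-SSID list and the survey lines are constructed sample data and the survey format is assumed.

```python
"""Audit a WLAN site survey against the authorized AP inventory.

Added example (not from the article). The inventory, the factory SSID list
and the survey lines below are constructed sample data.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory: BSSID (AP MAC address) -> SSID it is approved to advertise.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "corp-wlan",
    "00:11:22:33:44:02": "corp-wlan",
}
CORPORATE_SSIDS = set(AUTHORIZED_APS.values())

# Illustrative factory-default SSIDs (hypothetical list; maintain your own).
DEFAULT_SSIDS = {"default", "linksys", "netgear", "wireless"}

# Privacy settings the article treats as inadequate: none at all, or WEP only.
WEAK_PRIVACY = {"OPEN", "WEP"}

# Constructed survey output: one observed beacon per line, comma-separated.
SAMPLE_SURVEY = """
# bssid, ssid, privacy, signal_dbm
00:11:22:33:44:01, corp-wlan, WPA2, -45
00:11:22:33:44:02, corp-wlan, WEP, -50
AA:BB:CC:DD:EE:01, corp-wlan, OPEN, -60
aa:bb:cc:dd:ee:02, linksys, OPEN, -70
00:11:22:33:44:01, corp-wlan, OPEN, -40
"""


@dataclass(frozen=True)
class Beacon:
    bssid: str        # AP MAC address, normalized to lower case
    ssid: str
    privacy: str      # OPEN, WEP, WPA or WPA2
    signal_dbm: int


def parse_survey(text: str) -> list[Beacon]:
    """Parse the comma-separated survey format used by SAMPLE_SURVEY."""
    beacons = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            raise ValueError(f"malformed survey line: {raw!r}")
        bssid, ssid, privacy, signal = fields
        beacons.append(Beacon(bssid.lower(), ssid, privacy.upper(), int(signal)))
    return beacons


def audit(beacons: list[Beacon]) -> list[tuple[str, str, str]]:
    """Return (bssid, finding_code, detail) tuples, sorted for stable output."""
    findings = []
    configs_seen: dict[str, set[tuple[str, str]]] = defaultdict(set)
    for b in beacons:
        configs_seen[b.bssid].add((b.ssid, b.privacy))
        authorized = b.bssid in AUTHORIZED_APS
        if not authorized and b.ssid in CORPORATE_SSIDS:
            # An AP we do not own is advertising our SSID: a rogue AP.
            findings.append((b.bssid, "ROGUE_AP",
                             f"unknown BSSID advertising corporate SSID {b.ssid!r}"))
        if authorized and b.ssid != AUTHORIZED_APS[b.bssid]:
            findings.append((b.bssid, "SSID_MISMATCH",
                             f"authorized AP advertising unexpected SSID {b.ssid!r}"))
        if b.ssid.lower() in DEFAULT_SSIDS:
            # Factory SSID left in place; on our own AP the defaults were never changed.
            findings.append((b.bssid, "DEFAULT_SSID",
                             f"factory SSID {b.ssid!r} still in use"))
        if authorized and b.privacy in WEAK_PRIVACY:
            findings.append((b.bssid, "WEAK_ENCRYPTION",
                             f"authorized AP running {b.privacy}"))
    for bssid, configs in configs_seen.items():
        if bssid in AUTHORIZED_APS and len(configs) > 1:
            # Same hardware address seen with different settings: one of the
            # beacons likely comes from a device spoofing the authorized AP's MAC.
            findings.append((bssid, "BSSID_CONFLICT",
                             f"seen with {len(configs)} different configurations"))
    return sorted(findings)


if __name__ == "__main__":
    for bssid, code, detail in audit(parse_survey(SAMPLE_SURVEY)):
        print(f"{bssid}  {code:16}  {detail}")
```

Run against the constructed survey it reports the WEP-only AP, the unknown BSSID advertising corp-wlan, the factory SSID and the conflicting observations of the first authorized BSSID.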

CONCLUSION

There are a large number of threats to the WLAN and they vary in source and threat level. As the protocols and standards grow, so do the technologies and innovations, as well as the skills of those that work on WLANs.

Contrary to the opinions of many, it is possible to create secure WLANs, but like any other IT system or network, they take time, study and proper planning. Luckily, the number of vulnerabilities in WLAN technology is mirrored by an equally growing number of security measures, which will also continue to grow, helping WLANs grow to their full potential.

Security tools, features and protocols are today more robust than WLAN technology itself, which is still in its infancy. Current tools offer greater protection than ever before to help minimize the intrusion risks to WLANs.

The technology in use changes rapidly; the hardware and software are becoming more powerful and less expensive, which will allow for less resource-intensive WarDrives for security personnel, hobbyists and potentially malicious agents. Staying aware of the threats, controlling network access, requiring users to authenticate access and protecting the information traveling on the WLAN are basic steps that should be implemented in all wireless networks.

Educate your users, management and administrators. Stick to your Plans, Procedures, and Policies like they are the glue. These are the key strategies for achieving improved security and assurance in your enterprise, for both Wired and Wireless Networking. To wrap this paper up, we would like to leave you with six basic security steps our Evolvent Cyber Security team recommends:

1. Implement wireless LAN with virtual private networking (VPN) to ensure data security

2. Place dynamic IP assignment pool on the “red side” of the VPN client pool

3. Design for high-availability VPN servers (as product becomes available)

4. Avoid intermixing wired LAN and wireless LAN traffic on the same infrastructure when possible

5. Employ access lists, when possible, to limit mobile unit (MU) access to anything except the DHCP server and the VPN gateways

6. Use multiple VLAN support, if available, to separate the AP management traffic from the user traffic

References

1. Susan Young and Dave Aitel, The Hacker’s Handbook: The Strategy Behind Breaking into and Defending Networks, Auerbach Publications, 2004, pp. 599-600.

2. Harold F. Tipton and Micki Krause, Information Security Management Handbook, Fifth Edition, Auerbach Publications, 2004, pp. 274, 350, and 563.

3. DoD Directive 8100.2, Use of Commercial Wireless Devices, Services, and Technologies in the Department of Defense Global Information Grid (GIG), 14 April 2004.


Making Web-based Data Repository Applications Work

An Evolvent White Paper

Data repository applications abound within commercial or federal organizations. These applications range from simple databases that leverage inexpensive desktop software to more complex applications that involve either off-the-shelf solutions or custom development. Evolvent teams have discovered a number of common pitfalls over the last few years, many of which will be familiar:

Overuse of Labor: Labor analysis studies have shown that data collection programs and applications frequently use more labor than is necessary to find data, structure data, retrieve it and analyze it. In more than 100 different organizations, Evolvent analysts have shown that expensive functional and technical experts often use and/or develop less than optimal data collection and manipulation applications costing their organizations millions of dollars in lost productivity.

Incompatible systems: Many organizations currently deploy an assortment of web servers, networks, and software that are far from compatible with each other. Regardless of the “web enabled” nature of these web technologies, the existence of multiple open-source, custom-built, and third party commercial system and application software (sometimes within the same website network) creates significant maintainability problems. Additionally, the sheer number of unique web servers distributed across the enterprise substantially increases the organizations’ overall maintenance costs. This cost is also carried over with respect to the diversity of software languages in which many of the websites’ applications are programmed. An application programmed in Cold Fusion that works well on one website cannot be easily ported over to another website utilizing PHP, ASP.NET, or Java.

Complexity and Dysfunction: The most significant impact to the bottom line for most customers is the complexity of the organization’s information architecture and overall design. The organization of content and data differs substantially from application to application, contributing directly to data disharmony and inaccuracies. To further compound the problem, several applications may provide repetitive content, inappropriate data architectures, or suffer from incomplete data sets that are less than useful. Without organizational cohesion in the form of a structured, web-based data collection system, many organizations will continue to be unable to harness the power of their data and knowledge assets.

Solution

The solution to solving the problems of redundant overuse of labor, incompatible systems, and complexity and dysfunction is to design flexible, web-based data repositories that are built to serve the information architecture of the organization. With the primary customer supported by a data collection and data discovery system, the power of the client’s networked resources can be integrated to gain accurate and timely access to data. For customers that daily develop and analyze large amounts of project data which must be mined for lessons learned, inspection or test results, operational metrics or a host of other performance related data – a web-based, integrated system of data collection and discovery can allow the client to finally harness knowledge in a transformative way for their organization. To achieve this goal, we recommend a three-part strategy consisting of the following elements:

Consolidate: Reinforce common information architecture at a construct level through automated taxonomy and knowledge discovery tools.

Streamline: Increase accessibility to data by eliminating confusion, noise, and technical difficulty.

Connect: Make all data collection channels multidimensional: up and down between Installations, Regions and Headquarters with horizontal connectivity at all levels.

Strategy for Consolidation

The strategy involved in reinforcing consolidation is as follows:

One Web-based Repository: Web technologies provide a powerful capability to allow for a "unified" or "single" repository of data, which could be records, web content, documents, or structured forms-based data. In Evolvent's experience there is almost never a "single" repository that replaces all other data storage options. In fact, the pursuit of "one" solution is likely to be frustrating in the extreme. The good news is that technology now allows for a more integrated approach that assumes a heterogeneous data environment and builds capability on top of integrated data sets rather than attempting the impossible unification of data storage, enabling unified accessibility and data architecture. This results in a solution that is:


•  Easy to Use

•  Uncomplicated Layout

•  Consistent data

•  Relevant Information

By providing these user-experience traits in every data collection project (and not deviating from them), the enterprise customer can focus on the quality and accuracy of its data rather than on the infrastructure for getting that data. Additionally, by applying these traits to the content and look and feel of each application design, the client increases the likelihood of higher application utilization and of higher-order usage such as data quality studies.

One Look: A main aspect of achieving this goal is the creation of one unified look and feel. This "one look" concept is graphical in nature but also extends to the basic layout elements within each page of a particular application. By implementing this across the entire web enterprise, no matter what data collection project is concerned, the user will know immediately that they are within their organization. Additionally, a standard look and feel will reduce the time required for a customer to find information. For example, if the information layout for one website is the same for all websites, customers will not have to "search" for the relevant data, thereby increasing the likelihood of repeat visits.

One Structure: Another important element of the consolidation strategy concerns content contributors. By implementing a common Content Management System across the entire web enterprise, content contributors obtain a common graphical user interface (GUI) for uploading content to web pages, a common web application programming language, and the capability to share application resources across the web enterprise. This standardization reduces training requirements within the organization and creates a technical skill set that is transferable. It also allows the organization to move personnel geographically to locales that lack technical expertise.

One Network: A final important element of the consolidation strategy is the reduction in overall infrastructure overhead costs. Ultimately, utilizing this strategy will allow the customer to consolidate and reduce infrastructure in many cases. The collocation of servers at key facilities worldwide will reduce the need for the current diverse and outdated distributed web architecture. This reduction in infrastructure benefits the organization as a whole by reducing server downtime, improving security (fewer servers to patch, monitor, and audit, with the caveat that the consolidated sites then concentrate risk and must be engineered for high availability), and providing a more dynamic environment for quickly launching new applications that benefit the entire web enterprise and not just a single website.

Strategy for Streamlining

The strategy involved in increasing accessibility by eliminating confusion, noise, and technical difficulty is as follows:

One Information Architecture: Most customers serve their data collection needs with an almost "project by project" view of information architecture. This may be interpretive by nature, i.e. dependent on special expertise on the project team. This variability in the average enterprise's information architecture (IA) creates excessive (and unnecessary) audience confusion and can force data collection efforts into unnecessary gap analysis and validation exercises. To solve this dilemma, and thereby increase the overall usability of each and every data collection instance, a consistent information architecture should be implemented for every project within the organization. The streamlined nature of a unified IA has several benefits, including:

•  Standardized Layout

•  Reduction in Repetitive Content

•  Increased Usability

•  Increased Consistency

These IAs may differ slightly from project type to project type within a customer organization, but the overall consistent nature of the unified IA should prevail.

One System: Another benefit of a streamlined and standardized CMS accessible from anywhere within the enterprise is the speed with which information can be uploaded to the websites for each data collection project. Web-accessible contribution applications allow content contributors to input data from anywhere in the world and have those inputs made live within minutes. This single capability broadens the pool of personnel that can be used to upload changes to any given website. It also provides mobility to content contributors, since they no longer have to be "on location" to update a website. The speed at which content can be uploaded, changed, and removed benefits the organization as a whole and keeps content across the complete web enterprise current, relevant, and timely. The same capability raises the stakes on access control: a CMS that publishes from anywhere within minutes must authenticate its contributors and restrict publishing rights by role, since the channel that speeds legitimate updates would otherwise speed unauthorized ones.

Strategy for Connecting

The strategy involved in making all communication channels multidimensional is as follows:

One Connection: Most organizations' data collection applications are highly fragmented. Customers have to move between completely different applications to find information that is not uniform, and the applications do not take advantage of the Internet's most important tool: links. Additionally, the content in many applications is structured much like the organization itself, and not in a format that would make sense to customers. The overall concept behind multidimensional linking is to create information "channels" that can be used to drive customer traffic down or across communication paths to all relevant (and related) information. These channels use the common information architecture as the base point for all information connections and enforce linkages for:


•  Headquarters-to-Region Channel Connections

•  Region-to-Region Channel Connections

•  Region-to-Base Channel Connections

•  Project-by-Project Connections

This allows any customer starting from the Headquarters site to be taken to the Region, Base, or Project level they are most interested in, based on the information they want and not on the organization responsible for it. This strategy replaces the "organizational chart" style of information architecture with a "content relevance" or "content driven" style. Navigation between the separate "content nodes" within the web enterprise becomes audience-centric rather than organization-centric. Providing this layout to the audience increases the overall usefulness of all enterprise content, makes it easier for customers to find information, and reduces the likelihood of hidden or orphaned pages.

Problems Solved

The overall objective of this kind of project is to improve all data collection activities within an organization. By reinforcing the consolidation themes, increasing accessibility by eliminating confusion, and channeling all communication by content relevance throughout the web enterprise, each organization will significantly improve its capability to collect, analyze and study its data.


PACA of New Mexico
Your Connection to Contacts and Contracts in New Mexico's Aerospace Industry

Founded in 1984, PACA promotes a healthy and vigorous relationship between the aerospace industry and government agencies in New Mexico. PACA offers informative monthly business luncheons with guest speakers, networking opportunities with the who's who from the local aerospace and defense industry, and member discounts to special events including quarterly educational seminars and the PACA/AFRL "Briefing for Industry" conference (an annual review of new business opportunities with 500+ attendees).

For more information, contact: PACA, PO Box 9178, Albuquerque, NM 87119, (505) 842-8911, Ext. 333, www.pacanm.org

Planned Systems International proudly offers a full-service, single source approach to providing quality IT solutions and services with an emphasis on your mission. At PSI, we're in the business of providing comprehensive, scalable solutions that address a wide range of information technology needs. Our combination of people, technology, processes and experience sets us apart.

Systems lifecycle support · healthcare IT solutions · information assurance · enterprise-wide solutions · management improvement services · business process re-engineering · enterprise infrastructure support · network/desktop services · e-business · enterprise authentication/single sign-on

PSI — People Service Integrity www.plan-sys.com

ENTERPRISE INFORMATION MANAGEMENT

Skills Summary

As leaders in the fields of information security, enterprise information management and web-based software development, Evolvent is highly experienced in the application and development of industry-leading vendor solutions in the government and commercial markets. We have successfully deployed the full range of system functionality during our six-year history. By blending our information security skills with our COTS system expertise we have successfully designed and deployed applications in Web Content Management, Records Management, Collaboration Management and Document Management for organizations that want to capture, manage and deliver their knowledge assets to a target audience based on user profiles and secure access rights.

Web Content Management · System Installation and Configuration · Enterprise System Architecture Design · Template Design and Build · Content Creation and Migration · Custom Application and Functionality Coding · Content Creation Training · Content Creation Process Design and Automation

Consulting Services · Information Architecture · Communication Strategies · Audience Segmentation · Requirements Definition · Content Analysis and Design · User Interface Design and Usability, 508 Compliance · Creative Graphic Design

Records Management · Develop and Implement Records Retention Schedule · Policy Development and User Training · Design and Configure Security Roles and Access Privileges · Identify and Develop Workflow Requirements · Develop and Implement a Metadata Model · Configure Metadata and Content Types · System Implementation and Documentation

Document Management · Design and Configure Security Roles and Access Privileges · Develop and Implement a Metadata Model · Project Collaboration · Define and Develop Workflows · System Implementation and Documentation

Portals and Knowledge Management · Information Architecture · Knowledge Discovery Solutions · Custom Search Engine Integration · Expertise Location · Java Portal Integration (custom JSR-168 Portlets) · 3rd Party Blog, Chat and Forum Integration

Vendor Software Customization/Solutions · User Interface and Look and Feel Customization · Complex Customizations to COTS Software through Proprietary and/or Industry Standard Programming Languages · External Integration and Automation Through Vendor APIs (Java, Web Service/SOAP, COM) · Complete Custom Solutions · High Availability Architecture · Custom Front-Ends (J2EE or .NET)

Representative Engagements

US Air Force Knowledge Exchange
The Kx is a sophisticated knowledge management intranet that supports 44,000 AF medical users as their primary source of information, research and policy information. Based on an Industry Standard Document Management platform, the Kx leverages sophisticated knowledge discovery tools and techniques to push user-community-generated and syndicated content to profiled users. Integration of collaboration tools, discussion forums, on-line learning systems and streaming video makes this the application of choice for the Air Force medical community worldwide. Evolvent has been the system integrator from initial requirements gathering all the way through development, deployment, user training and sustainment.

World Vision
A humanitarian organization dedicated to tackling the causes of poverty and injustice worldwide worked with Evolvent to leverage an Industry Standard Document Management & Collaboration product to build a document and collaboration solution, fully integrated with their enterprise portal, in support of their program management and grants application process.

US Navy CNIC
The Navy Installations Command's mission is to enable the Navy's Operating Concept through enterprise alignment of all shore installation support to the Fleet, Fighter and Family. Communication of the available services is primarily managed through CNIC's web sites around the world. Working with Evolvent, CNIC has deployed a web content management server, redesigned the user experience on its web sites, created new templates, introduced new on-line user functionality and consolidated more than 130 separate web applications down to a single, centrally managed site.

US Dept of Agriculture
After a successful experience with web content management for one sub-agency, the USDA has begun a process of standardizing on a single vendor solution for web content management, document management, records management and workflow. This multi-phased approach began with a mandated roll-out of the vendor's Web Content Management product to 30 sub-agencies. Evolvent assisted the USDA teams with consulting on high availability architecture and sizing issues, and performed the software rollout of more than 100 server instances.

Veterans Affairs
The VA has maintained records and information on the health care of veterans since before the Civil War. The VA also provides more responses to Freedom of Information Act requests than all other branches of the federal government combined. Evolvent worked with the VA to deploy a records management solution to support those requests, including the development of an RM plan, taxonomy development, access rights and the initial scanning of paper records into the RM system.

US Dept. of Homeland Security
The Department of Homeland Security selected Evolvent to develop a new system for the creation, management and approval of intelligence products. DHS needed a complex metadata solution and complex routing based on numerous document and metadata conditions. To minimize the impact of the transition to a new system, a custom form design and layout was required to mimic the paper and MS Word-based forms the staff were accustomed to.

Contact Information
Douglas Stock, Chief Marketing Officer, Evolvent Technologies | 5111 Leesburg Pike | Suite 506 | Falls Church, VA 22041 | 703.307.9131 | [email protected]

Evolvent: Secure Technology Innovation | www.evolvent.com | 1.888.379.2146

Planning for Disasters
by Guy Sherburne, Vice President, Evolvent

Disasters are inevitable. No one likes to think about the possibility of being involved in a man-made or natural disaster. All too often, disaster planning is put on the business table for things to do later, much like estate planning. How many of us procrastinate on completing a will? When was the last time you reviewed and updated your homeowner's insurance for adequate coverage? Disaster planning, like estate planning, should be done before it is too late.

Somewhere in the world, right now, a disaster is occurring. Disasters occur nearly every day. The disaster could be as small as the fire suppression system going off unexpectedly in your computer room, or as large as a major natural disaster resulting from a hurricane, tornado or earthquake, or from major criminal activity or terrorism. Being prepared for the unexpected will go a long way in determining whether you are able to return to "business as usual."

Business continuity or disaster recovery planning is just as important for a small business as it is for a large corporation. Your plan should be simple but effective, comprehensive but designed to meet the needs of your organization. How quickly you recover to full business operation will largely depend on how effectively you designed and implemented your continuity and recovery management process.

There are key steps to developing any viable business continuity plan. This article provides basic information on continuity and recovery planning, offering some food for thought. The basic elements of the process can be broken down into five simple steps. The key steps to become familiar with are:

1 – Analyzing the organization

2 – Assessing the realistic risks that could impact the organization

3 – Developing the strategy

4 – Constructing the plan

5 – Exercising the plan

Before proceeding, keep one thing in mind while reading this article and during the continuity and recovery planning process: always plan for the worst case disaster. Expect the unexpected. If the worst case is planned for, the ability to recover from any disaster, small or large, is ensured.

Analyzing Your Business

The first step in developing a solid, well-rounded recovery process is to conduct a proper business analysis. Senior management must assume the lead for this process to ensure everyone in the business will support the outcome. The building of any business requires the personal attention of senior management. They have invested heavily in the business; ensuring it remains healthy requires their involvement.

To analyze the business is to obtain the complete picture of all interactions, inside the organization and between the business, its customers, and its suppliers. Defining the present "critical" business communication flows goes a long way in the analysis process. Using the phrase "leave no stone unturned," do not leave out even the slightest internal or external communication linkage.

After all interactions have been clearly identified, the next step is to identify how essential each department's work is to running the business, looking for the true "critical" processes, which may be spread across more than one department. Do not forget to include the IT or security team, which might not fall directly under any department and may instead be an outsourced service supplier.

The first thing most organizations do in the planning process is to determine what type of facility is needed, along with required supplies, equipment, and supporting systems. These items should not be identified until you have clearly identified interactions and critical "key" department processes. Putting the cart before the horse is never a good idea.

Before addressing facilities, key personnel need to be identified. Who are the personnel each department needs to accomplish the work? Key personnel should include those from outside the business and from within each internal department. Who are the essential business personnel? They are those individuals who have to be working to recover the business to full operation, business as usual. Seniority is not the issue; how the jobs fit together is the priority. Again, do not forget to include IT and security support personnel.

All service level agreements must be identified. These are legal or regulatory obligations levied on the business and even within each department. Knowing this information helps to prevent getting hit by a double whammy: a major disaster and a major loss of revenue from a lawsuit or the loss of a major client. This information is also necessary for building cost data, the cost of recovery.

Ultimately, all business vulnerabilities that impact the business, whether large or small, must be identified. A formal list of all business vulnerabilities that could expose the business to any threat must be made. Do any of the vulnerabilities result from clients, partners, or suppliers, and how do they present a vulnerability? It is vitally important to clearly identify all potential business vulnerabilities in order to properly address how often identified threats are likely to exploit each vulnerability. While it may not be possible to remove all threats, it may be possible to reduce one or more vulnerabilities. A simple formula to keep in mind is that any "threat that impacts an identified business vulnerability equals a risk to the business." The next section covers analyzing risk.

One aspect of the business analysis process that always seems to be overlooked is the thorough review of insurance coverage. A few things to consider are:

•  Spread insurance coverage across several providers to lessen the risk of business failure. Remember what happened to several insurance providers who were overwhelmed by hurricane damage: extensive delays in claim processing. Spreading coverage lessens the impact on the business and on the provider, and it may even please your investors.

•  A solid insurance policy, or policies, reduces the need to retain cash reserves, thereby allowing the use of business revenue for business growth.

•  Check the insurance policy to see if it covers all major disasters that present a risk to the business, including terrorism. Some insurance providers have separate riders for terrorism coverage.

Assessing “Your” Risks

Remember the "Threat x Vulnerability = Risk" formula. Keep this thought in mind while assessing risks. There are two truths about every risk to your organization: how likely it is to happen and what the business impact will be. Several years ago, more than I care to remember, I had the responsibility to develop a viable intelligence agency emergency safeguarding and destruction policy, plus "how-to" guides. The policy and guides were to be used worldwide. The assessment of risk during the policy development was the same as that used for continuity and disaster recovery planning: using extreme imagination to determine potential risk. While the risks to each business may seem similar, they are drastically different. Successful businesses succeed for different reasons, and those different reasons are what set each business's risks apart from others.

When assessing risk, use "what if" and "worst case" scenarios when gathering information for the assessment. The "risk" outcome will be based on the business threats and their impact on business vulnerabilities. It is very important to define risks in "cost terms," considering how much the business can afford to lose if a disaster were to prevent business as usual for a day, a week, or several months. How would the disaster, in financial terms, affect your customers, suppliers, and potential business growth? Do not forget to account for lost customer or supplier confidence, both of which could affect the recovery process and the obvious desire to return to business as usual.

For business first responders, consider what you would do if one or more of your critical players were injured: who will take their place? Communication is critical, a lesson learned from 9/11 and from the Gulf States devastated during the 2005 hurricane season. Cell phones would not function, for one reason or another. Unless you are willing to bear the cost of an elaborate emergency communication system, you will need to consider the risk of having no immediate electronic communication, whether cell phone or text messaging.

Planning for a worst case disaster ultimately enables handling lower impact incidents. Throughout the entire analysis process, you need to develop the thought process of who needs to do what, when, where, and how for each disaster situation. You will need to formalize personnel tasking in a function and time matrix: a schedule of when business functions need to be restored, by day, week, and month, and who will be responsible for each task.

Ultimately, board members or senior management must agree with the assessment results. As indicated at the beginning, this process must be looked at from a cost perspective: what can the business afford for the recovery effort?

Developing Your Strategy

It is now time to determine the strategy you will take for the continuity and recovery planning process. While senior management involvement has been important up to this point, it is now essential for a determination of the strategy and the cost that will be applied to the effort. You should have a clear definition of the cost of each associated risk. With that information, senior management will be able to choose one of the following strategies to implement:

1. Accept one or more, or all risks and do nothing.

2. Accept the risk(s) and obtain agreements with other businesses to help after a disaster.

3. Work to reduce the number of risks or their severity.

4. Use a combination of 2 and 3.

5. Reduce all risks to a point where external business agreements are not required.

Whatever strategy is chosen, we do not recommend the first choice, as it is ultimately the most costly if a disaster were to occur. While the fifth choice is the most desirable, it can be the most expensive, the hardest to achieve, and sometimes impossible to achieve if the business is continuing to grow. The strategy we recommend is item number 4: a combination of reducing the number of risks and their severity while obtaining support from businesses that support recovery efforts or that provide storage for critical data and other resources.

Regardless of the strategy chosen, senior management approval is necessary before proceeding with the development of the final continuity and recovery plan. Your strategy should outline the approach for recovering each process to business as usual. Facilities, supplies, technology, personnel, alternate sites, agreements, data, and cost should all be included in the strategy. Bottom line, the continuity and recovery strategies will consist of predefined, management-approved actions that are implemented in response to a business interruption. The focus must be on meeting the predetermined recovery time schedules established to return to business as usual.

Building the Plan

Continuity and recovery plans will look different for each business, for the reasons cited earlier in this article. However, the basic structure or outline of the plan could share common characteristics. The following information provides a look at some basic characteristics that our Evolvent security team recommends for any business continuity or recovery plan:

Setup

•  Make it clear that you are coordinating all actions throughout the business.

•  Write in non-technical, non-legal language that "everyone" will understand.

The content of your plan could vary, but once again we recommend considering the following:

•  Clearly define who needs to do what and who is accountable for what. Each key "who" should have an alternate.

•  Develop clearly defined, simple-to-follow checklists.

•  Develop clear and direct instructions for each crucial process that must be implemented during the first hour of the incident.

•  Establish a time frame for checking that your plan is up to date, ensuring that it remains a "living document." Changes should reflect business growth and personnel changes.

•  Keep your plan simple and flexible. Disasters differ in magnitude and impact and will never fit an inflexible plan. Your personnel need to act quickly and will not have time to read a lot of detail.

•  Always plan for the worst case scenario: expect the unexpected.

•  Match your plan to your people. Your planning matrix that ties people to functions to time of recovery is critical.

•  Include information from outside your business, such as utility companies, emergency services, suppliers, customers, and so forth.

•  When dealing with other businesses, customers, or suppliers, ensure they understand that your company takes continuity and recovery planning seriously. They should appreciate that your company is confident of returning to "business as usual" in the quickest possible time, someone they will probably want to continue doing business with.

Exercise, Exercise, and Exercise Again

The need to exercise your continuity and recovery plan is similar to a personal fitness program: the more you exercise, the stronger your plan will become. Through a continual exercise process you will discover potential flaws, as well as confirm that your plan is robust and capable of handling nearly any disaster situation. Your plan is a "living" document that requires exercise to remain healthy. Through the exercise process your staff will remain trained on critical tasking. You will identify tasks that require updating and verify available services, as well as any change in cost factors that could result in a need to re-address risk.

There are various methods for exercising your plan, but Department of Defense activities and various successful corporations have used the following three successfully for a long time – truly time tested.

1. Table Top

Senior management and key personnel are involved. They read through each task for each scenario looking for any weaknesses or outdated information that would prevent or hinder plan implementation. Remember to always use a “what if” thought process for each task/scenario. Service agreements should be reviewed and cost data updated.

2. Telephone Recall

Known in military circles as the “Pyramid Recall” process, you start the notification process at the top of your key management and personnel list for each scenario. The notification process is cascading: the top individual notifies the next individual, and so on until the last individual is contacted, who records the time of notification. This process allows you to validate your communication structure, where potential problems may exist, and any difficulty in implementing your various plans. There is very limited cost in implementing this exercise method. Also, include telephone calls to service providers to ensure you have their current telephone numbers.

3. Full Plan Exercise

A full exercise will clearly identify each element in your plan, and how they work together. This type of exercise is obviously more expensive than the Table Top, if done routinely. Scenarios that should be tested under this process are those that you are most susceptible to encounter, or those disasters that you have advance notification of, such as a pending hurricane, or one that indicates a possible impact to utilities.

Continuity and recovery plans are only valid if they are a “living” process that assures your return to business as usual. By taking the necessary time to develop a healthy continuity and recovery plan, you are preparing your business to deal with emergencies.

Many businesses may have plans in place to deal with sudden disruptive risks. However, these plans will not ensure a business’ survival if they are not exercised, exercised, and exercised again. The benefits of a living continuity and recovery plan assure each business that they will continue business as usual following any major disruption in service.

This article only provides a basic overview of the key elements that each business should be concerned with – continuity and recovery planning. To procrastinate in the development of a continuity and recovery process is courting disaster rather than being prepared for the unexpected. The Evolvent Security team has extensive government and commercial experience in tailoring continuity and recovery plans. Allow us the opportunity to help you in maintaining the ability to carry on critical business functions following any disruptive event.

Evolvent’s Management and Technology Consulting Practice

By Elizabeth Obenchain, Vice President, Evolvent

Evolvent’s Management and Technology Consulting Practice, which is headquartered in our Falls Church, VA facility, is focused on providing innovative, strategic level planning and analytical support to our clients. Our methodologies and approaches are rooted in industry standards such as the Project Management Institute (PMI), the Capability Maturity Model (CMMI) and Lean Six Sigma. Our philosophy is management through a focus on the customer (yours and ours) driven by effective and efficient processes to ensure quality products and services.

Strategic Engagements

Every organization operates on three basic levels – strategic, tactical and operational. At the strategic level, organizations develop the foundation for their existence. This includes the development of vision statements, mission statements and goals and objectives. The strategic level also includes the identification and management of key organizational assets – its people, its knowledge, its processes, its policies, its customers, its suppliers, its technology and its facilities. Evolvent’s Consulting Team works with organizations to define plans that enable them to realize their potential through organizational re-design, strategic planning and alignment of key organizational assets. A good example of this type of engagement is our work with a federal client. This engagement involves the development of a new organizational structure with re-designed processes, policies and governance using organizational re-design and Lean Six Sigma methods.

Tactical Engagements

Tactical initiatives are outlined in the strategic plan in alignment with the goals and objectives of the organization. Initiatives are defined that are designed to improve the organization and ensure it meets its goals and objectives. Tactical initiatives are not focused on producing products or services. These are projects where processes are defined or improved, technologies are implemented or upgraded, policies and governance are instituted or changed, market segments are targeted or expanded, facilities are built or enhanced, customer satisfaction is defined or increased and so on.

Many of Evolvent’s Consulting Team’s engagements involve the planning and execution of tactical initiatives, sometimes as extensions of our strategic planning and analysis support and sometimes as independent engagements. Our work with another federal client and a state university are examples of our work on tactical initiatives. Both of these engagements involve the development of strategies for enterprise content management. In the case of the federal client, Evolvent’s Consulting Team successfully developed a plan for the consolidation of hundreds of independently managed websites into a single web architecture and brand. The main objectives of this engagement were audience focus, consolidation, streamlining of processes and connection of multidimensional communication channels. For the state university, Evolvent’s Consulting Team is developing an approach in line with strategic objectives for the implementation of their enterprise content management initiative, which includes the development of communication strategies, content life-cycle management and consolidated, common content organization and taxonomies for their public, intranet and team-based web sites.

Operational Support Engagements

The majority of the work performed by any organization is usually at the operational level. This is how organizations produce their products and/or services. This is where customer expectations are managed and met. This is where quality is built into the product or service. This is where the product is delivered. This is where product guarantees are serviced. The operational level is all about the execution of processes. Chances are if Evolvent’s Consulting Team is performing an engagement in support of the operational level, it is really a tactical process management project. With this in mind, it is very important to understand the day-to-day process execution capability and performance of the processes within the context of the initiative.

One of the first steps in any process improvement project is to understand the current state of the process or processes to be addressed. Currently we are involved in an engagement with a commercial client, a company that provides breakthrough solutions in the areas of public health communication, research and evaluation, information technology, education and training, program management support, and health product development. Our work with this client is helping them improve the maturity of their IT management through the incorporation of new processes and methods based on CMMI and industry best practices along with an effective monitoring and control plan to enable continuous assessment of capability and performance.

Our Philosophy

Regardless of organizational context (public, private, government, non-profit), there are three things that enable the daily business of doing business – customers, processes, and assets. Customers are the key to every organization; without them there would be no reason to exist. What they want (“it”) and when they want “it” are the triggers that kick-off the need to produce whatever “it” is. Of course figuring out what “it” is can be a major challenge. But say you have that part figured out. Now you have to produce “it.” And you have to meet the customer’s expected quality of “it.” There are many ways to accomplish that, but in today’s marketplace whatever way you choose better be faster, cheaper and better than the competition. That means efficient, effective processes that drive the way business gets done – processes that are customer focused, are initiated by customer actions and are done when the customer is satisfied. Alignment and management of key organizational assets are required to enable the processes. Without them nothing can get done regardless of how well you know your customers or how well you have designed your processes. Organizational assets are the suppliers that provide the inputs the processes need to properly produce the outputs; they are the people that execute the processes and the knowledge and skills they require to do their work; they are the technology that enables the processes to run more quickly; they are the facilities that house the people and technology; they are the policies and governance that guide the execution of the processes; they are the structure of the organization that delineates roles and responsibilities; they are the outputs of the processes that move “it” through to its end state, ready for delivery to the customer.

Organizations that can do this and do it well are high performers. They are the equivalent of that kid that always busted the curve in high school and everyone wondered how he did it. Chances are that kid worked smarter than the rest of us, not just harder. How did that kid do it? He had a mission, a vision, a set of goals. He made a plan for the things that needed to get done. He executed the plan efficiently and effectively, monitoring his progress towards his goals. He took inventory of his assets and managed them well. He maintained his skills, learning from past experiences and put them into practice. He did not get there overnight. He had a strategy. He had a tactical plan for enabling his strategy. He effectively managed his operation (studying).

Evolvent’s Management and Technology Consulting Practice helps organizations become high performers by enabling them to work smarter. We look at organizations holistically. The types of problems we are asked to solve are rarely in isolation within an organization. Many times the problems that seem so overwhelming are really just the effects of a much more deeply rooted cause. Not understanding the root cause of a problem can lead you to do things that just make the problem worse. While it is not always possible to address the root cause during an engagement with a client, it is important to understand it so that the work we do brings the organization closer to high performance rather than drive them further away. So, how do we do that?

Our Methods

First, we look at the organization from a strategic level. What is its mission, its vision, its goals? Who are its customers? What products and services do they provide to their customers? Are their customers satisfied? Are they process oriented in their business operations? Are their organizational assets inventoried? Are their organizational assets aligned with their processes? Are their suppliers providing them the right inputs? Do they have adequate policies and governance in place? Are their people knowledgeable in their duties; do they have the right skills? Do they have the right tools, technology, facilities? If the engagement is to perform strategic planning and/or organizational development we use this information as the basis of our recommendations on how and where to begin. If the engagement is based in the tactical or operational level of the organization, we use this information as context for the engagement, ensuring that our recommendations are in line with the organization’s strategic maturity.

Next, we observe the tactical level. It is important to any engagement to understand the way an organization executes its tactical initiatives. Does the organization have a tactical plan based on a strategic plan? Are tactical initiatives selected based on their ability to meet strategic goals and objectives? Are the outcomes of tactical initiatives mapped back to the strategic goals and objectives? Are tactical initiatives managed well? Are they properly scoped? Do they follow project management principles? If we are performing a tactical engagement, this information is invaluable in understanding the relative importance of the engagement to the organization as well as providing a perspective into the way in which the engagement should be planned and managed. It has to fit into the organizational framework for how these types of initiatives are perceived. If the engagement is based at the strategic or operational level, we use this information as context for the engagement, ensuring that our recommendations are in line with the organization’s tactical initiative management maturity.

Finally, we observe the operational level. Do they follow a set of processes? Are the processes documented? Are the processes monitored and controlled? Are process metrics collected? Are the process metrics relevant? Are decisions made based on the values of the metrics? If the engagement is at the strategic level, we look at all organizational processes at a high level as part of the strategic alignment of processes and assets. When involved in a strategic initiative this information is invaluable in helping to develop achievable goals and objectives as well as providing key insight into what types of tactical initiatives may need to be put in place. If the engagement is a tactical initiative, we look in detail at the processes involved in the context of the tactical initiative (even if it is not a process design or improvement project) and in general at any process that provides inputs to or receives outputs from the processes within the context. Understanding an organization’s process management maturity is fundamental to the understanding of its overall performance capability.

Summary

Evolvent’s consulting philosophy is based on the premise that the keys to operational excellence are a focus on the customer, a process driven management approach and sufficient organizational assets to support the execution of the processes. Our experience enables us to help our clients realize their potential through organizational re-design, strategic planning and/or alignment and management of key assets; the identification and design of initiatives that are designed to improve their organization and ensure they meet their goals and objectives; and by providing process management oversight for on-going operations to support the drive for continuous improvement in pursuit of operational excellence.

Creating a Security Savvy Workforce

A Symantec White Paper

Executive summary

Because solid information security practices are built on technology, policies, and people, even the best security policies and procedures and state-of-the-art technology can be undermined by lack of employee awareness. A security awareness program that includes training, education, and communication at all levels of the organization can help employees learn how to proactively protect information assets.

This paper explains how employees impact an organization’s security and how to communicate with upper management about the necessity and value of a security awareness program in addressing security issues. Next the paper provides an overview of steps to develop, implement, and measure the effectiveness of a security awareness program. Finally, the paper explains how Symantec Security Learning Services can help organizations design and develop such a program, while the Symantec™ Security Awareness Program, a comprehensive set of computer-based training, seminars and other live training experiences, as well as communication tools, can help train employees to ensure program effectiveness.

Ensuring a secure organization

Most organizations implement a number of positive measures to secure their infrastructure. These steps may include deploying state-of-the-art technology, creating stringent policies and procedures, and assigning IT staff to manage these policies. Yet in spite of these efforts, many organizations’ information assets may not be as secure as they should or could be. The fact is that in today’s interconnected marketplace and global economy, information assets are at a greater risk than ever before, as threats are more lethal than they were in the past.1

It is no longer enough for organizations to consider just their own information security issues and threats. With even more information flowing between companies, all organizations, whether global or not, need to consider their business partners, outsourcing arrangements, suppliers and customers. The value to organizations created by these arrangements can quickly diminish or disappear altogether due to perceived or real security, privacy, or identity breaches.2

Risk management and due diligence require that organizations reduce security vulnerabilities to drive down the amount of time and money spent to recover from security incidents, while also ensuring valuable information is protected. At the same time, compliance with regulatory requirements is of growing importance, as a failure to comply may result in financial and legal liabilities, lost business, and a decline in customer confidence.

To better protect themselves from such losses, most organizations have deployed a variety of security technology solutions in conjunction with security policies and procedures. But the effectiveness of even the best technology and procedures is limited if employees do not understand their role in securing the organization’s information assets.

Employees often directly impact the organization’s security

Many of the strongest security technologies and policies are evaded not by experienced hackers, but by unaware or untrained employees. Common internal causes of security vulnerabilities include poor password protection, failure to update protection software, failure to scan files, inappropriate on-the-job Web surfing and file downloading, and social engineering. The impact of these vulnerabilities leaves the infrastructure exposed and the organization vulnerable to exploitation, attack, and loss of proprietary information. These security gaps also can prompt a high rate of virus infection (and re-infection), along with a reduction in available network bandwidth. Ultimately, all of these translate into lost productivity due to down time and increased costs to repair programs and replace lost or stolen equipment.

When it comes to information security, people are just as important as security technology, policies, procedures, and guidelines. With a full understanding of policies and procedures and their importance, employees can actually strengthen an organization’s security posture. In fact, with proper planning and training, employees can become an organization’s strongest line of defense.

1 Ernst & Young, Global Information Security Survey 2004

2 Ernst & Young, Global Information Security Survey 2005

Building a foundation of awareness

A security awareness program enables organizations to improve their security posture by offering employees the knowledge they need to better protect the organization’s information through proactive, security-conscious behavior. To successfully protect information assets, employees at every level—from the top down—need a basic understanding of security policies as well as their respective responsibilities in protecting these assets. Without this understanding, organizations cannot hold employees accountable for protecting the organization’s resources and ultimately, its profitability.

To be effective, a security awareness program must be ongoing and include continuous training, communication, and reinforcement. A one-time presentation or a static set of activities is not sufficient to address the ever-evolving threats to the security landscape. The key messages, tone, and approach must be relevant to the audience and consistent with the values and goals of the organization. Equally important, an awareness program must influence behavior changes that deliver measurable benefits.

Begin with the current environment

One of the most overlooked, yet significant, steps in creating an effective employee security awareness program is an assessment of existing security practices and employees’ level of security awareness. Organizations must evaluate their current environment and determine if there are any security awareness problems or particular needs to address. For example, are there specific security requirements associated with remote workers or mobile devices, or other special circumstances that will require extra security attention? Organizations must also determine how new employees are trained, if they understand how to properly operate their computer equipment, and how well they understand existing security policies.

Answers to the following three key questions will provide the critical information needed to create a security awareness program:

Is there a security policy that is enforced across the entire organization?

What are the practices and technologies in place that can help detect a security breach?

Do employees know what to do if they detect a security violation?

The answers to these questions can help organizations set high-level objectives for the awareness program. Ideally, these objectives should be aligned with the organization’s overall goals. To ultimately measure the success of these objectives, current security practices should be benchmarked. For instance, how long does it take to crack employee passwords and how frequently do virus re-infections occur throughout the organization? In addition to helping measure program effectiveness, collecting these benchmarks at the outset will help establish quantifiable objectives for the program. For example, a good employee awareness program objective might be: “within three months, no employee password should be cracked in less than 30 seconds.”

Selling security awareness: How much is your security worth?

Before development of the employee security awareness program begins, senior management must understand and fully support it. Without upper management’s endorsement and support, the program is prone to failure—if management does not take security seriously, the organization’s general population will likely not do so either.

| Examples of Inappropriate Employee Behavior | Potential Operational Impact |
|---|---|
| Poor password protection | More open to network attack |
| Failure to maintain positive control of laptops and PDAs | Loss of proprietary information; costs to replace equipment |
| Lax telephone security | High costs from telephone fraud |
| Inability to appropriately respond to social engineers or fraudulent actors | Vulnerable to exploitation and attack |
| Failure to update virus protection software and scan files | High rate of virus infection; lost productivity due to down time |
| Launch email attachments | High rate of virus re-infection |
| Surf Web and download files from Internet | Reduced network bandwidth; loss of worker productivity |

Table 1: Employees directly impact security


An effective approach to “selling” a security awareness program to senior management is to focus on the bottom line, by demonstrating how a comprehensive security awareness program not only will protect the organization’s resources, but will also help ensure regulatory compliance, and improve productivity and profitability in the long run.

Hard facts will almost certainly help management understand the importance of security policies and training, and should be included in any security awareness proposal. As part of the cost/benefits analysis, the security administrators or training managers spearheading the project should research various employee education solutions and calculate costs, including all resource and time requirements. If possible, they should include an estimate of how much money the organization loses each year due to security breaches. These costs may be associated with Web downtime, lost information, fraudulent telephone use, loss of employee productivity, or liability if information is stolen or unusable for a certain amount of time. Once these costs are understood, it becomes easier to demonstrate how implementation of a strong security awareness program can lead to reductions in these losses. As soon as the organization’s executives see the program’s potential value, they are more likely to actively support security awareness programs and initiatives aimed at maintaining and enforcing security policies.

When outlining an awareness program to executives, program champions need to identify key stakeholders throughout the organization. These may include managers from human resources, training, internal communications,

operations, public relations, legal, and physical and IT security. Clearly presenting the value of an employee security awareness program to these different stakeholders helps demonstrate a compelling case that speaks to the operational needs of each interested party and considers not only the intrinsic value of the organization’s information, but also the benefits of protecting that information with a security-savvy workforce.

An effective awareness program can provide value as part of an organization’s regulatory compliance, information security, and risk strategy. It also provides a competitive edge by effectively addressing any internal weaknesses. While the business case to management should make it clear that information security incidents are indeed damaging, it should also emphasize that employees can help prevent many of these vulnerabilities.

Designing an effective security awareness program

To design the program, the program coordinator should enlist the input and participation of a broad cross-section of personnel, such as those from IT and physical security, training, HR and legal, and marketing and internal communications. This task force will develop unique content and delivery strategies for executives, middle management, IT and information security staff, and general employees, and determine the scope and design of the program with behavioral change in mind. Based on information obtained from the audit of communication needs for various employee groups, the task force can establish core content topics that address the most significant security challenges.

Designing the program requires the development of a significant amount of documentation, including:

A high-level charter that explains the program’s objectives

A high-level design that defines current security issues and how they will be addressed

Detailed documents that describe how the program will be implemented, managed, and measured

Details include defining key messages and determining who will actually create, review, and approve the content. In conjunction with the design, the task force should consider branding issues, to ensure that employees associate the program materials with the organization. Additionally, this group will need to determine the look and feel of all materials (for instance, online materials, printed copies, videos and presentation materials), and establish how the training will be deployed.

Identify audiences and define objectives

In a large organization, there are typically several categories of employees: executives, middle management, IT and information security staff, and other groups within the general workforce population. Given the unique responsibilities of these different types of employees, it is likely that they will require varying levels of security awareness. Identifying specific objectives for each category of employee is helpful.

To encourage a lasting and measurable change in behavior, both high-level and specific objectives for the awareness program should be easily understood and meaningful. The task force should identify specific measurable benefits that are realistic and attainable, as well as timely. For example, rather than simply striving to reduce the number of weak passwords, organizations can set an objective to reduce the number of weak user passwords by 75 percent within three months. The objectives must be measurable so that management can ascertain whether or not an adequate return has been realized for the time and resources invested in the program, as well as to help determine how successful the program is in helping the organization achieve the stated goals.

3 ISO-27001 replaced ISO-17799, www.iso.org

Create meaningful content

Perhaps the most significant aspect of a security awareness program is the content itself. It not only needs to explain the organization’s security policies and the procedures that are in place, but also why it is important for employees to comply with those policies, procedures, and guidelines.

By basing the core content for the program on security industry best practices and international security standards (such as those embodied in ISO-17799 and ISO-27001), organizations can ensure they are addressing current security concerns via proven methods.3 Once the organization’s security policies are outlined, employees will need to be educated about simple steps they can take to protect the organization’s data, such as how to handle email attachments and safely create and store passwords. Workers who telecommute or travel frequently should understand how to secure their laptop, mobile phone, or PDA. Issues such as social engineering, mobile or remote workers, and regional or language issues for enterprises with multiple offices may require special consideration.

The content of an awareness program will likely need to address the unique requirements of the various categories of employees. To ensure that employees change behavior and actions that negatively impact security, organizations need to make sure that each person fully understands his or her role as it relates to each security policy and their need to comply with it. Once employees understand that security risks can be reduced or eliminated if they modify their behavior, they are often more open to change. For example, many employees may not see the harm in opening unsolicited email attachments. Examples of possible worst-case scenarios can prove more effective than a simple explanation. If possible, companies should illustrate what happens if one employee opens an attachment, activates a virus, and forwards it to the entire workforce.

Implementing the program

In addition to relevant content, the success of any security awareness program will rely heavily on how the information is delivered. Depending on the organization’s culture, employee security awareness training can be incorporated into new-hire orientations, lunch ‘n’ learn seminars, and special training sessions by department, while executives and mid-level managers are likely to be receptive to training that is incorporated into regular management meetings. While management personnel with security responsibilities may require additional training, they can also prove to be the strongest advocates of the awareness program. To ensure the success of such training, everyone in the organization should participate, not just new employees or other select groups.

Meaningful rewards and positive reinforcement can be important and effective means of encouraging positive security behavior and acknowledging proactive participation. The type of rewards will largely depend on the organizational culture. In addition to rewards, companies can show employees how their behavior has improved the organization’s security stance, perhaps by providing a comparison of statistics before the program was implemented, after the initial training, and six months after the training. Because people like to see how they have improved, providing them tangible results can further encourage them to improve their behavior to protect critical assets.

Recommended content of a security awareness program:

• Communicate your security policies and procedures

• Establish core content based on security best practices:

– Protecting critical information

– Social engineering

– Mobile/remote worker

– Virus protection

– Password protection

– Web browser security

• Stress the importance of each awareness topic

• Highlight areas of specific concern

• Spell out consequences and penalties for noncompliance

• Ensure ongoing maintenance and content refreshment

Vehicles for communicating the security awareness program:

• New-hire orientation

• Lectures/seminars

• Lunch ‘n’ Learn sessions

• Web-based training

• Videos, DVDs, CDs

• Corporate outings/events

• Management meetings

• Board of Directors meetings

• Add-on to other training events

• Guest speakers

• Informal leaders, influencers

• Corporate newsletters

• Posters, marquees

• Pamphlets, reminder cards

• Email blasts, Web reminders

• Screen savers

• Web banners

• Job aids

• Quizzes

• Contests


Measuring program effectiveness

To ensure long-lasting results, the most effective security awareness programs are ongoing, and incorporate content that is regularly updated to meet changing security needs. Those organizations with a learning management system (LMS) in place can use it to support program training scheduling, registration, content, and tracking. As part of establishing a continuous learning cycle, organizations need to run multiple security awareness campaigns, and communicate with employees on a regular basis. Similarly, the effectiveness of the program will also hinge on periodic evaluation, review, and revision of training topics and security awareness campaigns.

Online security awareness programs should include some tracking system, whether through an LMS or some other mechanism, that enables organizations to identify who is participating in the training, how much time they spend on the program, and whether they actually complete the training. Many of these solutions also include evaluations, such as quizzes, as well as a means to track test results via management reports, and metrics against which organizations can evaluate results.

Should an organization opt to use an off-the-shelf solution for awareness training content or work with a security provider, they should ensure the training content provided meets Sharable Content Object Reference Model (SCORM) standards.4 Based upon the work of leading industry organizations, SCORM standards have been developed to address the integration of training content into LMS applications, and define standards for content development and delivery for Web-based training.

Key indicators of changes in behavior

In addition to measurable results, changes in employee behavior also provide evidence of the effectiveness of the security awareness program. Key indicators of positive changes include a drop in email virus infection (and re-infection) and a reduction in the types and number of calls to the help desk. Informal walk-around audits can provide additional indications by helping to evaluate whether or not passwords are openly displayed on desktops, if systems are left logged on and unattended, or if sensitive paperwork is left on desks overnight. From a network perspective, a successful security awareness program should result in better system performance and Web use. Password-checking programs also can help to measure the program’s effectiveness.

4 For more information about SCORM: www.adlnet.org/index.cfm?fuseaction=scormabt
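The paper names two measurement tools without showing either: a measurable objective such as "reduce the number of weak user passwords by 75 percent within three months", and a password-checking program as a key indicator of changed behavior. The following is an added example, not code from the Symantec paper or from Evolvent, that combines the two: a small policy checker of the kind that would run at password-change time, applied to a constructed "before training" and "after training" set of accounts, with the reduction metric and a tally of which policy rule was most often broken (the tally tells the program owner which awareness topic to emphasize next). The policy thresholds, the common-password list and every account and password below are this example's own assumptions.

```python
"""Password-policy audit metrics for a security awareness program (added example)."""
import re
from collections import Counter

# Assumed policy thresholds for this example (not Symantec's or Evolvent's).
MIN_LENGTH = 10          # shorter than this is weak outright
PASSPHRASE_LENGTH = 16   # at or above this length the character-class rule is waived
MIN_CLASSES = 3          # of: lowercase, uppercase, digit, other
# Constructed stand-in for a real common-password list.
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "summer2007"}

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
# Strips the trailing digits/symbols people bolt onto a dictionary word: "Welcome1!" -> "welcome"
TRAILING_JUNK = re.compile(r"[0-9!@#$%^&*]+$")


def weakness_reasons(username, password):
    """Return the list of policy rules a password violates (empty list means it passes)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if len(password) < PASSPHRASE_LENGTH and classes < MIN_CLASSES:
        reasons.append("fewer than 3 character classes")
    lowered = password.lower()
    if len(username) >= 3 and username.lower() in lowered:
        reasons.append("contains username")
    if lowered in COMMON_PASSWORDS or TRAILING_JUNK.sub("", lowered) in COMMON_PASSWORDS:
        reasons.append("common password")
    if re.search(r"(.)\1\1", password):          # three or more of the same character in a row
        reasons.append("repeated characters")
    return reasons


def is_weak(username, password):
    return bool(weakness_reasons(username, password))


def audit(samples):
    """Summarise one audit of {username: password}: weak count, who is weak, and why."""
    reasons = Counter()
    weak_users = []
    for user, pw in samples.items():
        r = weakness_reasons(user, pw)
        if r:
            weak_users.append(user)
            reasons.update(r)
    return {"total": len(samples), "weak": len(weak_users),
            "weak_users": sorted(weak_users), "reasons": reasons}


def reduction_percent(before, after):
    """Percentage drop in the number of weak passwords between two audits of the same population."""
    if before["weak"] == 0:
        return 0.0
    return 100.0 * (before["weak"] - after["weak"]) / before["weak"]


def objective_met(before, after, target_percent=75.0):
    """The paper's example objective: weak passwords reduced by at least target_percent."""
    return reduction_percent(before, after) >= target_percent


# Constructed sample accounts: the same ten users audited before and after training.
BEFORE = {
    "jsmith": "Welcome1!", "mlee": "mlee2007", "rpatel": "password",
    "akhan": "Summer2007", "dwong": "aaaaaaaaaaaa", "tnguyen": "qwerty123456",
    "bgarcia": "Tr0ub4dor&3", "cmiller": "cmiller!Pass1",
    "kobrien": "correct horse battery staple", "lrossi": "Letmein!!2007",
}
AFTER = {
    "jsmith": "Vn8#kqLp2wzr", "mlee": "mlee2007", "rpatel": "blue Tuesday kettle 42",
    "akhan": "Autumn!Leaf#2007", "dwong": "Gx4$mTq9!vLs", "tnguyen": "qwerty123456",
    "bgarcia": "Tr0ub4dor&3", "cmiller": "Harbor-Lamp-7Knots",
    "kobrien": "correct horse battery staple", "lrossi": "Piano%Orbit%31",
}

if __name__ == "__main__":
    b, a = audit(BEFORE), audit(AFTER)
    print(f"weak before: {b['weak']}/{b['total']}, after: {a['weak']}/{a['total']}")
    print(f"reduction: {reduction_percent(b, a):.0f}%  objective met: {objective_met(b, a)}")
    print("most violated rule before training:", b["reasons"].most_common(1)[0])
    print("still weak after training:", a["weak_users"])
```

The "still weak" list is the follow-up list for targeted training rather than a blame list, and the reason tally is what should drive the next campaign's content: in the constructed data the dominant failure is a dictionary word with a suffix, so the password module, not the length rule, is where the awareness content needs work.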

Security topic: Benefit

Information Protection: Communicates the need to protect business information and suggests measures that employees should take to reduce risks and properly protect vital organizational information.

Social Engineering: Makes the workforce aware of various social engineering ploys, how they are implemented, why they are implemented, and ways to avoid them.

Remote Worker Security: Discusses the risks associated with working remotely and ways to protect the organization’s information while working remotely.

Virus Protection: Educates the workforce on computer viruses, Trojan horses and worms, and recommended practices to reduce the risk of infection.

Password Security: Tells employees why passwords are so important, how to create strong passwords, and best practices for password use.

Web Browser Security: Informs of the risks associated with using a Web browser to surf the Internet, and provides measures to be taken to reduce the risks.

Email Security: Reminds employees of proper email etiquette and of the risks of virus infection from email attachments.

Instant Messaging Security: Explains some of the risks associated with instant messaging communications tools and provides precautions that should be applied to ensure instant messaging practices do not jeopardize confidential information.

Telephone Security: Communicates the importance of telephone security, the severity of telephone fraud, and security best practices to reduce the risks associated with telephone fraud.

Mobile Security: Makes employees aware of the risks associated with the use of laptops and Personal Digital Assistants (PDAs), and provides ways to reduce those risks.

Table 2: Security topics covered in Symantec Security Awareness Program


About Symantec

Symantec is the world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at www.symantec.com.

For specific country offices and contact numbers, please visit our Web site. For product information in the U.S., call toll-free 1(800)745-6054.

Symantec Corporation
World Headquarters
20330 Stevens Creek Boulevard
Cupertino, CA 95014 USA
+1 (408) 517 8000
1 (800) 721 3934
www.symantec.com

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Symantec Security Awareness Program is a trademark of Symantec Corporation. Other brands and products are trademarks of their respective holder/s. Any technical information that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical information is being delivered to you as-is and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained herein is at the risk of the user. Copyright © 2006 Symantec Corporation. All rights reserved. 03/06 10554664


Communicating quantifiable results to upper management is critical to demonstrating that the program is successfully creating an informed organizational culture and is delivering measurable results. Such communications will remind management that the security awareness program was the right decision and positions the program leader as the go-to person for subsequent security projects.

Symantec Security Awareness Solutions

Designing and implementing a security awareness program can be a formidable task, even if the organization has the expertise and internal resources. Fortunately, organizations can leverage the expert assistance of security professionals and numerous off-the-shelf security awareness solutions.

Symantec Security Learning Services provide assessment, planning, and design services that help companies build effective security awareness programs. Since they are knowledgeable in all aspects of security awareness, Symantec security experts can help organizations develop a program, train employees to protect information, measure results, report progress to upper management, and prepare for regulatory audits.

To round out an awareness program, organizations can use solutions such as the Symantec Security Awareness Program. This program provides a comprehensive set of training and communications tools to help companies meet regulatory requirements for employee security awareness training, while encouraging appropriate behavior and reducing security vulnerabilities.

Based on security industry best practices and international security standards, the program addresses a full range of today’s key security issues via a series of technology-based training modules. Along with computer-based tutorials, the program provides executive and technical seminars, as well as supporting material, including screen savers, ready-to-print pamphlets, reference cards, and posters for effective communications to all employees. Organizations can insert additional content into the Web-based training tool—such as explanations of organizational policies and links to other documents or Web pages—and can also co-brand all of the training materials to reinforce organizational identity with the content.

Conclusion

Sophisticated security technologies alone cannot secure the enterprise. The most successful information security combines state-of-the-art technology, comprehensive procedures and policies, and a highly trained and motivated workforce that understands its roles and responsibilities in protecting the organization’s valuable information assets.

While many organizations have robust employee communications programs in place, they cannot always dedicate the time and resources needed to develop and implement an effective, long-term employee security awareness program. Before making the decision to implement an awareness program, organizations should consider leveraging the security expertise of leading security solution providers such as Symantec to help develop a program, train employees to proactively protect information, and measure the results of the organization’s security awareness program efforts. By engaging experts to assist in improving the organization’s security posture, employees can focus on improving their business and bottom line.


An Evolvent Strategy for Requirements Management and Service Assurance

An Evolvent White Paper

As an ongoing, informative process, many federal organizations have established strategic initiatives to assess their IM/IT capabilities and needs. This assessment is a continual effort which is outward-looking to engage new technologies, and internally focused to assure end users and customers are fully involved in defining needs and reviewing the satisfaction of those needs on an ongoing basis.

Evolvent utilizes Six Sigma methodologies and tools both internally and on client programs to actively frame strategy, assess, and control both programs and processes. Figure 1 represents the strategic framework of activities that our team recommends.

The process tasks of define, measure, and analyze comprise an ongoing real-time assessment capability, while the improve phase encapsulates the requirements management process we discuss in greater detail later in this brief. The control tasks in this model include the service assurance or oversight framework elements we would propose. Figure 1 describes the high-level view of this process interaction and in this white paper, Evolvent analysts and consultants describe a path for establishing the major elements of this strategic framework: assessment, requirements management, and service assurance tasks.

Capability Assessment

Information technology, and in particular clinical information technology, is a rapidly changing and dynamic market, and this dynamism requires a continual focus on assessing new capabilities and how well existing services and products serve the enterprise. This informs a strategic model of how, and in what operational manner, IM/IT must serve the organization — which in turn supports a defined, more formal requirements management process.


Figure 2 illustrates the enterprise assessment data elements or assets that need to be considered on an ongoing basis. The opportunity to connect assessment to requirements to service assurance is a critical linkage that will make defining the control or oversight mechanisms possible – since controls will be built on hard data validated by process rigor.

Figure 3 illustrates the assessment elements integrated within a Six Sigma approach as referenced in our proposed strategic framework. Through developing an established strategic framework, conducting rigorous assessment and gap analysis and utilizing Six Sigma approaches to business case and project development, one can establish a definitive baseline for requirements management and service assurance.

Evolvent is currently utilizing this model in support of federal and commercial clients to develop an IM/IT management strategy in support of business process reengineering objectives. Over the last six years, Evolvent has worked with more than fifty federal and commercial clients to conduct IM/IT assessments from an operational, business case, and cost assessment perspective.

A Strategic Model for Requirements Management

Formal requirements management processes add discipline for both the user and the provider of IM/IT services. The processes also establish benchmarks and the data elements necessary for service assurance. If the perceived benefit is not quantified and established by a requirement, it is very difficult to enforce a service level agreement.

The intent of the requirements management process is to facilitate rapid development and fielding of affordable and sustainable operational information technology systems. The primary goal is to fulfill a stated need(s) with an effect-based, requirement-focused material solution. This must be innovative and flexible in the way it resources current and future information technology strategies.

Figure 1: Evolvent Strategic Framework Model (lifecycle phases Strategy, Design, Realization and Operations spanning Discovery, Design, Build, Migrate, Launch and Sustain, supported by project, change and configuration management; Six Sigma tasks Define, Measure, Analyze, Improve and Control; activities Vision, Understand, Renew, Develop, Implement, and Nurture and Continuously Improve; inputs include business context, improvement opportunities and gaps, system development, organization development, architect and align, and pilot results used to adjust the “to be” process)

Figure 2: High-level Capability Assessment Elements (assess enterprise assets: process architecture, assessed in current and future state for guidance, execution, capability and performance; knowledge requirements; technology infrastructure; organizational structure; locations/facilities; human resource skills; clients/customers/consumers)


Figure 3: Assessment Elements and Lean Six Sigma (align enterprise assets around a Lean Six Sigma focused organization with its mission, vision, scorecard and stakeholder relationships; the assets are process architecture, knowledge requirements, technology infrastructure, organizational structure, locations/facilities, human resource skills and clients/customers/consumers; performance gap analysis yields prioritized opportunities that feed program strategy, program(s), projects and business case(s))

Figure 4: High-level Requirements Development Process (deficiency identified; sponsor assigned; initial staffing; requirement strategy review; staffing for initial validation; Requirement Board validates and Requirement Council approves, with disapproved requirements returned to the sponsor; develop requirement documents)

The following paragraphs describe an overarching approach and strategy for developing, coordinating, and approving requirements. This process should complement, not replace, existing strategic management and resourcing processes. Figure 4 highlights the high-level view of the requirements development process utilized within the Department of Defense. This is a draft representation of the major milestones and is variable depending on the priorities of the organization. Our recommendation would be to tailor this basic model to a streamlined methodology focusing on requirements within the strategic framework to be defined.

Requirements Strategy Development

Once a sponsor is assigned to fulfill a capability shortfall with a materiel solution, an important first step is developing a viable requirements strategy. The requirements strategy supports the program initiative by establishing the path and resources necessary to not only successfully advance through each phase of the process, but to develop a quality requirements document. The requirements strategy reflects the requirement as outlined in strategic planning documents. The requirement strategy should address program items such as funding, schedule, testing, supportability, analysis, and potential roadblocks. It is imperative the sponsor develops a collaborative requirements strategy to ensure stakeholders are actively informed and involved from the beginning.

Requirements Strategy Review (RSR)

Following the development of the requirements strategy and prior to documenting the needed capabilities, the requirements strategy is presented to a corporate committee structure (i.e., Requirements Board and Council) with process oversight responsibilities. During the RSR, this committee will review the requirements strategy, ensure the requirements are being met, and provide any necessary guidance to support the most effective and efficient acquisition approach. Some areas covered during this review are:

• Mission Need: Defined in terms of mission, objective, and needs

• Required Capability: What is the current capability gap?

• Current and Future Concepts: What you do now, how that will change, and how this concept will interface with or affect other organizations

• Urgency and Timing: What are the driving factors pushing the need (top-down directed, unsupportability of the existing architecture)?

• Materiel Requirements: What materiel requirements are necessary to meet the need or requirement?

• Initial Analysis of Alternatives: An assessment of the advantages and disadvantages of the initiative, including initial costs and operational effectiveness

• Issues: Identify any issues, concerns, and constraints

Figure 5: Strategic Framework and Service Assurance (business drivers: opportunities, threats, strengths, weaknesses; vision, mission, principles and values; goals and objectives; strategy scorecard; stakeholder relationships and requirements process; key performance indicators and targets; expectations and requirements; critical success factors; enterprise asset architectures: human capabilities, locations/facilities, technology architecture, roles and organizational structure, knowledge, process architecture; strategic plan and scorecard). The strategic framework ensures Lean Six Sigma methods are successful, improvements are sustainable and support service assurance objectives.

Figure 6: Sample Management Scorecard (vision statement and strategic objectives broken out by financial, customer, internal and growth perspectives: strategic financial goals, strategic customer focus, strategic goals for excellence, and strategic goals for innovation and growth; for each perspective, critical success factors and critical indicators/metrics)

If satisfied, the corporate committee structure approves the sponsor’s development of detailed requirements documents. The RSR should occur prior to a High Performance Team (HPT) meeting to allow for RSR-directed strategy changes.

High Performance Team (HPT)

The HPT is the preferred method for developing requirements documents. An HPT consists of a lead (normally the sponsor), 8-12 core members, and a support staff providing reach-back expertise in areas not represented by the core team. The core team may consist of subject matter experts from within the customer organization, key partners, and other entities such as suppliers as required. Benefits of the HPT methodology include:

• An experienced facilitator guiding the team through the requirements process

• Accelerated documentation and an increased potential for a quality product

• Requirements captured, articulated, and documented in minimum time

• Stakeholder buy-in achieved before formal coordination begins

The output from the HPT should be a well-defined requirements matrix and quality documents outlining the requirement, including the architecture, logistical supportability, and technology maturity. These documents should capture the information necessary to develop or produce a proposed program using the existing acquisition strategy.

Document Review, Validation, and Approval

Initiation of document review is dependent on the sponsor’s strategy. Once a document enters the review/staffing process, it follows pre-determined, well-defined procedures and timelines. The validation phase is the formal review of the requirements documents by the Requirements Board and Council to confirm the capability need and operational requirement. Approval confirms the validation process is complete and provides official sanction of the identified requirement as described in the documents. The approval level is normally dependent upon established financial thresholds. A request for a waiver from the aforementioned process should contain compelling justifications.

Requirement Document Library

Maintaining an electronic repository for approved requirements documents and supporting documentation is paramount. After document processing is complete, the approved document is maintained in a requirements library.

Evolvent personnel are experienced professionals with an established record of executing commercial and federal sector requirements processes. Our approach and capability to assess and reengineer processes utilizing Six Sigma tools and techniques also helps our clients achieve a more effective, streamlined model.

A Service Assurance Model

Service assurance is an established management concept for situations where third-party service providers deliver a service to an organization that requires oversight and management. In environments such as health care, where the provision of IM/IT is truly a life or death responsibility, the need to provide timely and effective oversight could not be greater. Figure 5 illustrates the intersection of the different methods and elements proposed and how they support successful service assurance. Key elements of service assurance include the strategic development of:

• Key performance indicators (KPIs)

• Performance measurement targets

• Critical success factors (CSFs)

As a result, the organization can provide metrics-based oversight of its external service providers. Service-level agreements can also become much more effective when supported by Six Sigma based methodologies.

Building from the management of requirements and stakeholder relationships, the scorecard is then a consolidated version of requirement-specific KPIs and CSFs. This scorecard forms a linkage between vision and mission and internal or external value drivers for the enterprise. Driven by established metrics, the balanced scorecard lends a greater degree of granularity and definition to the organization’s oversight methodology. The establishment of a strategic IM/IT direction includes the identification of the overall vision and mission of the initiative, identification of key stakeholders and the definition of an IM/IT performance scorecard. The scorecard is defined such that it supports the overall mission objective(s) and is traceable to the IM/IT vision, specific requirements, and any enterprise-level scorecards that are in place. The scorecard will provide the foundation for the development of performance based metrics for the IM/IT service assurance capability as well as be the basis for the definition of Service Level Agreements. Figure 7 illustrates the basic scorecard format that may be tailored to the value chain.

“Customer focus” metrics may be patient safety benchmarks or customer satisfaction surveys. In service assurance terms, the scorecard is a tool to showcase how IT serves the core mission of the organization.

Once metrics and a scorecard are defined, a representational strategy for the performance data can be developed and implemented. In some programs, Evolvent has provided a web-based, real-time capability. In other programs, the data is more sensitive and its distribution more restricted. Depending upon the data element and its audience within the organization, a dashboard may be limited to certain metrics such as an overview of “customer service” data, while financial metrics data is distributed only to department leadership.

This representational strategy is key to the success of executing oversight. Our organizational design, collaboration, and communications strategy experience has certainly enabled Evolvent to develop skill in navigating sensitive communications problems.

Evolvent has had substantial experience in developing metrics, performance measurement strategies, and in building performance dashboards for federal IT managers. There are many different representational strategies that can be delivered via a range of methods including confidential reports or even web-based IT “health” reports.

Evolvent Solution

The approach outlined in this paper is built on Evolvent’s consulting experience and requires business process reengineering on a large scale, understanding of business rules development, cost measurement issues, performance metrics development, change management, and communications issues to ensure the mission of providing the most effective and efficient IM/IT support services to federal and commercial customers.


A NEW ERA FOR EXPERT SYSTEMS
By Paul Dimitruk, Founder and CEO, PortBlue Corporation

Expert Systems in the Spectrum of Knowledge Management

A good deal of effort in the Knowledge Management (KM) world is devoted to organizing and searching unstructured data and information embedded in documents. Much progress has been made in recent years in this mission. However, the other end of the KM spectrum, taking already structured knowledge and turning it into interactive work process and decision support tools, has also seen breakthrough innovation in recent years. These innovations have created a new era of “expert systems” that support practical “real-world” tasks and missions.

Expert systems can take many forms. The form we will focus on in this article is software that captures domain expert know-how and structures that know-how into work process and decision support tools. In recent years expert systems in this form have come down from exclusively the “PhD level” to the “BA level”. With that, expert systems can reach a much longer “tail” of applications that would not have been feasible before.

In this context “structured knowledge” is expert process-based know-how that has already been organized and made explicit, or tacit expert know-how that can be readily organized and made explicit once it is elicited. “Process-based know-how” is know-how that an expert uses to do a task and produce a product. The “product” may be an analysis or diagnosis, a report, a decision or the completion of a task. The expert system is designed to enable a community of users to apply that expert’s process-based know-how to themselves create a similar product.

Breakthroughs in Knowledge Engineering Theory, Methodologies and Tools Enable More Effective Capture of Expert Know-How

One pathway in the development of these more practical “real world” expert systems is the convergence of more robust methodologies for knowledge elicitation and structuring and tools that enable a knowledge engineer (KE) to develop applications in high speed development cycles.

Better knowledge elicitation and structuring is derived from the observation that experts generally operate by similar means, whatever their domain of expertise, in creating their “product”. Most often expert know-how takes the form of a mental framework (“How do I think about this?”) followed by branching (“if/then”) logic, identification of context and constraints, weightings and rankings of various criteria, rules of thumb, and the like. A capable KE, using these constructs, can assemble a representation of the expert’s know-how and convert it into a work process tool that enables non-experts (or the less expert) to produce a comparable “product”.

At an even more simplified level, almost all experts follow the same two steps in their daily activity. First they “profile” and then they “optimize”. By profiling I mean figuring out “what’s going on here?” Experts are good at assessing what the key conditions are in an environment within their domain of expertise—a kind of situational awareness. By optimizing, I mean “now that I know what’s going on here, I can select an optimal course of action given the situation—or at least I have a working hypothesis on the best course of action”. Much of our work at PortBlue is built around determining how an expert is profiling and optimizing to, for example, accomplish a task and then converting this into work process and decision support tools that help others replicate the expert’s work.
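The two-step pattern described above (profile, then optimize) and the constructs listed earlier (if/then branching, context and constraints, weighted criteria, rules of thumb) can be shown in a few dozen lines of code. The block below is an added illustration written for this article; it is not PortBlue code and makes no claim about how the Knowledge Capture Tool is built. The hospital-incident facts, rules, candidate actions, weights and scores are all constructed for the example. Rules and actions are plain data, which is what lets a non-programmer change the logic without touching the engine.

```python
"""Minimal 'profile then optimize' rule engine (added illustration, not PortBlue code).

Profile step: if/then rules read the situation facts and assert findings,
the way an expert sizes up "what's going on here?".
Optimize step: candidate courses of action are filtered by context (findings
they require) and constraints (findings that rule them out), then ranked by
weighted criteria to give a working hypothesis on the best course of action,
with an audit trail of which rules fired.
Every fact, rule, action, weight and score below is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Facts = Dict[str, object]


@dataclass
class Rule:
    name: str
    condition: Callable[[Facts], bool]  # the "if" part
    finding: str                         # the "then" part: asserted into the profile


@dataclass
class Action:
    name: str
    requires: List[str]                                      # context that must be present
    forbidden: List[str] = field(default_factory=list)       # constraints that exclude it
    scores: Dict[str, float] = field(default_factory=dict)   # criterion -> 0..1


def profile(facts: Facts, rules: List[Rule]) -> Tuple[List[str], List[str]]:
    """Evaluate every rule; return (findings, names of the rules that fired)."""
    findings, fired = [], []
    for rule in rules:
        if rule.condition(facts):
            findings.append(rule.finding)
            fired.append(rule.name)
    return findings, fired


def optimize(findings: List[str], actions: List[Action],
             weights: Dict[str, float]) -> List[Tuple[float, str]]:
    """Drop actions whose context is missing or whose constraints are violated,
    then rank the rest by the weighted sum of their criterion scores."""
    present = set(findings)
    ranked = []
    for action in actions:
        if not set(action.requires) <= present:   # required context absent
            continue
        if present & set(action.forbidden):       # a constraint excludes it
            continue
        score = sum(weights[c] * action.scores.get(c, 0.0) for c in weights)
        ranked.append((round(score, 3), action.name))
    ranked.sort(reverse=True)
    return ranked


# Constructed knowledge base: how a hypothetical incident-management expert profiles.
RULES = [
    Rule("bed_shortage", lambda f: f["beds_available"] < f["expected_casualties"],
         "surge_capacity_exceeded"),
    Rule("staff_shortage", lambda f: f["staff_on_duty"] < f["staff_required"],
         "staffing_shortfall"),
    Rule("hazmat", lambda f: f["incident_type"] == "chemical",
         "decontamination_needed"),
    # rule of thumb: more than 20 expected casualties counts as a mass-casualty event
    Rule("mass_casualty_threshold", lambda f: f["expected_casualties"] > 20,
         "mass_casualty"),
]

# Constructed candidate actions with hypothetical criterion scores.
ACTIONS = [
    Action("activate_incident_command", ["mass_casualty"],
           scores={"patient_safety": 0.9, "speed": 0.8, "cost": 0.4}),
    Action("divert_ambulances", ["surge_capacity_exceeded"],
           scores={"patient_safety": 0.7, "speed": 0.9, "cost": 0.9}),
    Action("recall_off_duty_staff", ["staffing_shortfall"],
           scores={"patient_safety": 0.8, "speed": 0.5, "cost": 0.3}),
    Action("open_decon_corridor", ["decontamination_needed"],
           scores={"patient_safety": 0.95, "speed": 0.6, "cost": 0.2}),
    # constraint: do not push a discharge wave while understaffed
    Action("discharge_stable_patients", ["surge_capacity_exceeded"],
           forbidden=["staffing_shortfall"],
           scores={"patient_safety": 0.6, "speed": 0.7, "cost": 0.8}),
]

WEIGHTS = {"patient_safety": 0.5, "speed": 0.3, "cost": 0.2}  # expert's priorities

# Constructed sample situation (not real data).
SAMPLE_FACTS: Facts = {
    "incident_type": "explosion", "expected_casualties": 35,
    "beds_available": 20, "staff_on_duty": 40, "staff_required": 55,
}


def assess(facts: Facts) -> Dict[str, object]:
    """Run profile then optimize and return the full audit trail."""
    findings, fired = profile(facts, RULES)
    return {"findings": findings, "fired": fired,
            "ranked": optimize(findings, ACTIONS, WEIGHTS)}


if __name__ == "__main__":
    result = assess(SAMPLE_FACTS)
    print("rules fired:", result["fired"])
    print("profile:", result["findings"])
    for score, name in result["ranked"]:
        print(f"{score:.3f}  {name}")
```

The point to take from the structure is that the engine never changes: the expert's framework lives in RULES, ACTIONS and WEIGHTS, so a knowledge engineer can add a rule or re-weight a criterion and re-run the same situation to see which recommendation moves.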

Examples of “New Era” Expert Systems

Examples of the expert systems we have developed at PortBlue include applications that provide:

• Capital investment decision support for healthcare facilities, including highly detailed guidance on the design, development and operation of surgical centers.

• Physicians’ practice optimization tools that help determine and evaluate the profitability of payers and providers.

• Hospital operations performance improvement tools that, for example, help optimize pharmacy drug group management.

• A “Pay for Performance” application that guides gastro-intestinal surgeons through complex, emerging surgical procedures.

• A comprehensive hospital incident management system that guides and supports personnel in all key hospital roles in preparing for, managing through and recovering from “All Hazards” incidents.

These applications reflect the tremendous need in healthcare to push expertise and best practices into increasingly challenged healthcare systems and providers, enhancing overall provider performance while recognizing the severe financial constraints most healthcare systems must operate within.

A Case Study: CommandAware™

The last application mentioned, called CommandAware™, highlights many (although by no means all) of the components an expert system can incorporate—based on how a leading expert in hospital disaster management would operate. CommandAware provides guidance and support in:

• Assessing the key hazards a specific hospital faces within its environment

• Structuring and organizing an effective incident command team

• Developing a “best practices” Disaster Management Plan

• Complying with regulatory and accreditation requirements

• Creating “Job Action Sheets” for all hospital roles, customized by incident

• Assessing and tracking hospital capacity, including beds, personnel, supplies, equipment and critical infrastructure, and time-slicing forward on likely future bed capacity

• Managing the flow of information and requests during an incident so that communications get to the right people, accurately and on time

• Creating “after action reports” and managing post-incident process improvements

In each of these components and others CommandAware replicates what an expert consultant would provide—and more—if he or she were available to mentor a hospital’s staff through all the steps required to prepare for, manage through and recover from an incident, from a mass casualty event to a minor everyday incident.

The Knowledge Engineering Tool Kit

CommandAware is web based and built on PortBlue’s proprietary Knowledge Capture Tool (KCT). The KCT allows a non-programmer, normally a bright young analyst, to work directly with the expert to elicit and capture his or her know-how. The KCT also allows a PortBlue KE to open the application at any time and modify its structure, logic and content—in real time. So as with a human expert, new developments and insights can be incorporated in the work process as they emerge. For example, when the CDC issues a new alert or protocol, it can be in CommandAware and available to the user community the same day. It is the KCT that enables a PortBlue KE to develop applications in high speed development cycles, most often measured in weeks or months, not years.

Using the KCT, the PortBlue KE works side-by-side with the expert in an iterative process as the application is built, literally before the expert’s eyes. This fast cycle, iterative development process keeps the expert both more engaged and better able to assure that the ultimate product accurately reflects his or her know-how and experience.

Conclusion: A New Era for Expert Systems

CommandAware, like its sister applications, represents the new era of expert systems development that:

• can capture and deploy a very wide array of expert domain knowledge,

• into practical, “real world” work process and decision support tools

• that are fast and economical to build, modify and maintain.

Among the domains where these new expert systems are being deployed by companies like PortBlue are healthcare and homeland security. With this, even the most remote or inexperienced user can use practical expert know-how in their daily work processes and decisions, raising the bar of performance and effectiveness for their organizations, customers and communities.

Paul Dimitruk, Founder & CEO, PortBlue Corporation, [email protected]


Security Capabilities

Consulting Services

• Information Assurance

• Site Pre-Construction Security Design

• Top-Down, Bottom-Up Organizational Security Assessment

Information Assurance

• Accomplish all DoD and NIST Certification and Accreditation processes

• Perform all DoD and NIST Information Assurance support processes

• Implement Incident Intrusion Response Capability

• Conduct Third Party Security Test and Evaluations (ST&E)

• Design highly effective security patch mitigation process

• Develop system-unique Contingency Plans and Information System Security Plans

• Assist in designing secure network architectures

Vulnerability, Threat, and Risk Assessments

• Security Policy Gap Analysis

• Technology penetration testing

• Application Security and Code Review

• Wireless Security

• IT Architecture Security

• Physical Security – includes full site assessment

• Computer Processing Facilities

• Firewall, IDS, IPS, and other Switch security testing

Policy and Plan Development

• Information System Security/Information Assurance Policy

• Physical and Personnel Security Policy

• Education and Motivation Policy

• Contingency Planning

• Business Continuity Planning

• Information Sensitivity Safeguarding Policy

• Application Development Security Policy

• Network and Server Security Policy

• Vulnerability Management Policy

Education and Motivation Training

• Information Assurance – Executive, Managerial, Supervisory, and User Level

• Development of complete Security Training, Education, and Motivation Process

• How to establish a viable Information Assurance process

• Tailored Computer Based Training

• Soon to deploy CISSP and Security+ training and certification testing

• How to conduct Certification and Accreditation

Business Continuity/Disaster Recovery Planning

• Business Impact Assessments

• Risk Analysis

• Create Contingency/Disaster Recovery Plans

• Contingency Audit and Plan Assurance

• Service Level Agreements

• Training and Testing

Evolvent is the recognized leader in all security processes with exceptional experience in security technology applications, networks, and hardware. We have successfully deployed our full range of Evolvent security functionality during our six-year history. Through the blending of our team of Security Subject Matter Experts’ collective 300-plus years of experience, dating back to the late 60’s, we have successfully deployed cost-effective security solutions to each of our customers. The scope of our benchmarked services includes Information Assurance; Vulnerability, Threat, and Risk Assessments; Policy and Plan Development; Education and Motivation Training; Business Continuity/Disaster Recovery Planning; and Consulting Services.

Contact Information

Guy Sherburne, Vice President [email protected]

Evolvent Technologies, 4400 Piedras Drive South, Suite 175, San Antonio, TX 78228, tel: 210.735.3400

EVOLVENT | SECURE TECHNOLOGY INNOVATION | WWW.EVOLVENT.COM