Infrastructure

Conclusion: The ICT Disaster Recovery Plan (DRP) is, more often than not, focused on technology providing for redundancy of infrastructure and systems, including data back-up and data recovery. Whilst these components are important and necessary, we often oversimplify the need for business resumption of the ICT business, which in turn will impact ICT availability. The need to ensure people are part of the planning is critical to success. Often the disaster, whether it be a technology issue, a business issue, such as a fire or denial of access to key sites, or an environmental issue such as a flood or storm, can equally affect the need for expanded operations centres and larger than normal help desk support functions.

Effective planning and testing of the plan, for all aspects of a probable disaster scenario and the ICT Business Resumption Plan (BRP) to support the business as a whole, is necessary. Effective testing of the DRP and BRP for ICT must be a high priority for any CIO to ensure service levels are maintained. Failure to do so will increase the risk of ICT to the business.

Any test of your DRP and ICT BRP should include business and customer involvement to give your organisation confidence that all known risks have been successfully mitigated. The oversight of the testing of these plans must be planned and conducted by an independent body (preferably a consultancy that has knowledge of the organisation’s business world, or your ICT advisory service).

Conclusion: ICT health checks enable organisations to better understand risks and prioritise activities to both maintain and improve the performance and reliability of ICT in support of business outcomes.

ICT health checks can be conducted as a light touch in the first instance, with detailed in-depth health checks being conducted as follow-up activities in specific areas where and when necessary.

An effective ICT health check strategy will be business-focused and not based on technology alone. Implanting health checks as part of your annual ICT budget planning will provide timely advice on the organisation’s ICT health and provide in-built regular reviews of ICT health to ensure business outcomes are achieved without unnecessary risk.

Conclusion: Asset management can be described as ‘the life cycle management of physical assets to achieve the stated outputs of the enterprise’. To achieve the appropriate level of asset management maturity, investment in people, processes and technology all increase the likelihood of developing an effective asset management system. Under-investment could result in asset leakage or increased maintenance costs, thus diminishing the expected returns of the assets.

Where the asset management maturity model reaches the level of being an ‘integral part of everything we do’, organisations can seek accreditation of the asset management framework using ISO 55000:2014.

Where the common question is often ‘why waste our time on asset management’ then assets are usually at risk of leakage or poor customer satisfaction ratings. Outages and incidents may occur regularly. The risk of business collapse increases without recognition and change. Here organisations need to consider the steps to commence a review using the asset management model.

Conclusion: Telecommunications services and the supporting infrastructure have historically been complex, costly and difficult to change. The modern technology landscape now allows for greater flexibility in the design of networks, and the telecommunications services of voice, video and data they deliver.

The use of software defined networking (SDN), Cloud-based standard operating environments (SOE) with unified communications (UC) and Cloud-based call centre solutions are now mature, secure and commonplace in the market.

These changes, together with the significantly reduced cost of physical connectivity (lines and links), which is now viewed as a commodity, enable the telecommunications landscape to be agile to each organisation’s business needs and delivered at greatly reduced costs.

Conclusion: The Agency Head/CEO is responsible for accrediting the ICT system for use at the PROTECTED level. The accreditation process is specific to the services being delivered for the organisation. The Australian Signals Directorate (ASD) certification process is a generic process that assesses the Cloud Service Provider’s (CSP) level of security only.

The Agency Head/CEO remains responsible as the Accreditation Authority (AA) to accredit the security readiness for the services to be delivered for their organisation. In practice the CIO/CISO will lead the accreditation process on behalf of the CEO.

ASD’s role as the Certifying Authority (CA) for PROTECTED Cloud services provides the agency/organisation using the CSP with independent assurance that the services offered meet government Information Security Registered Assessors Program (IRAP) requirements and vulnerability assessment requirements at the PROTECTED level. The certification process provides a consistent approach to the cyber risk assessment of the CSP’s environment only. The PROTECTED Cloud certification does not cover security assessment related to the design and maintenance of the customers’ services and/or software to be run on the PROTECTED Cloud platform.

The adoption of a PROTECTED Cloud solution will still require a regular review of the security posture. ASD will conduct regular reviews of their processes as the certifying authority (CA), and the Agency Head/CEO will be required to regularly review the accreditation of the service as a whole.

Conclusion: What to monitor and how you respond to the data is often poorly documented and not fully understood until after a failure occurs. In this world of “no surprises”, effective monitoring is a key success factor. If an organisation’s ICT monitoring strategy is to be successful it must be structured around the organisation’s business outcomes. The monitoring strategy framework is achieved through the alignment of the organisation’s critical-business functions, the ICT high-level design, the ICT architecture and the priorities set out in the organisation’s disaster recovery plan (DRP) as the primary influencing factors.

Key to an effective DRP is a clear understanding of the system architecture and design, with sound knowledge of the risks and weaknesses it brings in support of critical business functions. When the ICT monitoring strategy is based on this framework it will deliver a near real-time health status of the organisation’s ICT environment, allow for planning future capacity, and assist in the investigation of incidents when they occur. An effective monitoring strategy will be business-focused and not monitoring for monitoring’s sake.

Conclusion: Cloud offerings are now commercially available, allowing CIOs to engage the technology offerings with a high degree of trust that the service is secure and responsive, at reduced cost compared to in-house solutions.

CEOs have an obligation to ensure their organisation’s IT systems are cost-effective and meet the security accreditation defined by government (or their Board). PROTECTED Cloud services can reduce cost of operations and meet many of the CEO’s obligations for accreditation (and review) of services, and therefore better manage risk, to meet government and best practice commercial security requirements.

All PROTECTED Cloud data centres certified by ASD are physically located in Australia. Depending on your needs, they all meet Australian Government data sovereignty requirements and offer low latency and in-country technical support teams to assist clients. Provision of PROTECTED Cloud services allows the CIO to restructure IT, moving to a more agile and potentially lower cost option to provide the appropriate security approach.

Conclusion: BYOD strategies need to be updated regularly to keep pace with the evolving nature of not just the devices themselves but also the increasing challenges and complexity of staying secure; all this needs to occur while offering increasingly flexible services to a 24/7 mobile workforce operating on-premises and offline. It is valuable to engage key stakeholders within the organisation’s leadership team, employee champions and also industry peers to ensure the BYOD strategies are as relevant and acceptable as initially reported in an earlier IBRS article in 2008, when personal electronic devices (PED) were being introduced into corporate networks.

Conclusion: Managing large IT environments and provisioning IT services within an organisation is complex and complexity will always exist. However, not all complexity is “bad”. “Good” complexity is the complexity required to simplify, to reduce costs, create value, improve security and improve overall operations and results.

Focus needs to always be maintained on reducing “bad” complexity. “Bad” complexity is the complexity that makes it difficult to do things, difficult to secure, difficult to manage, difficult to innovate, or difficult to adapt to changes in the organisation. “Bad” complexity comes with high costs, including hidden costs in lost employee productivity and morale, potential loss of new business opportunities, or higher staffing costs due to the limited availability of the skills needed.

Organisations need to maintain a mindset of constantly managing initiatives to drive towards simplification in their IT portfolio, understanding that achieving this will involve sophisticated and often complex planning and the successful execution of those plans.

Conclusion: Technologists consistently under-estimate the growth of data volumes. The result is tactical actions aimed at increasing capacity, achieved by adding storage on-premises using traditional bulk storage solutions or moving technical workloads, such as back-up or disaster recovery, to Cloud-based Storage-as-a-Service offerings. This reflects a decades-old mantra of “disk is cheap, buy more disk”.

When the lack of predictability of data volume growth is combined with the need to capture then distribute data from new sources as well as control the hidden cost of data movement across networks, these tactical responses fail to deliver transformational value to end users.

To deliver effective and efficient data storage solutions, IT infrastructure architects must collaborate with their information and data management colleagues to identify the demographics of data being managed; they must then select storage solutions that optimise data capture, storage, distribution and access based on these characteristics, not simply by volume.

In the News

How Do You Choose The Best Application Environment For Your Business? - WHICH-50 - 8th October 2019

According to a new IBRS study, spend on enterprise solutions is set to increase in 2019-2020. Both IT and line of business buyers need to consider how they manage procurement of these new solutions...

The pros and cons of shadow IT In today’s business world - WHICH-50 - 23 July 2019

Shadow IT sounds like a covert — quite possibly dark — force. And to some people it may well be. But the truth is both far simpler and more complex. According to Cisco, Shadow IT is the use of...

Busting The Three Big Cloud Myths - WHICH-50 - 11 June 2019

Organisations that are resisting the shift to cloud computing are often basing their decisions on common misconceptions around security, price and integration. That’s a key finding in a recent...

ANZ business users calling the shots in ICT decisions

Conducted by Australia’s Intelligent Business Research Services (IBRS) and commissioned by TechnologyOne, the survey of 261 business leaders in ANZ has shown that business functions are having more...

Managed security: a big gamble for Aussie IT providers - CRN - 02 August 2018

TechSci Research estimates the Australian managed security services (MSS) market will grow at a CAGR of more than 15 percent from 2018-23 as a result of the increased uptake of cloud computing and...
