By Andre Griffith
We continue our look at assessing the performance of your information technology assets by examining some of the measures you can take to enhance performance on the three basic metrics outlined last week, that is, availability, reliability and response time. While some measures may involve some expenditure, this article largely (but not exclusively) considers interventions that cost nothing at all, requiring nothing more than an insistence on certain practices that result in a more orderly and controlled environment.
One of the first measures that we can take to improve availability and reliability is in fact closely related to security: limit access to your systems as much as possible. Access to any aspect of your system should only be granted to those who need it. Special care should be taken with what is usually called privileged or special access, which you may hear referred to as administrative access, “super-user”, “root”, “system” or some other name. By whatever name you hear it, you should understand that the computer system allows users with this level of access to do great damage, literally in seconds. With a single command, a super-user can for example wipe out your entire file system and remove all records, including your accounts receivable, your audit logs, the proposal that you spent four weeks preparing for that tender which closes tomorrow and, in short, anything that you can think of that would give you nightmares. To be fair, the computer system will sometimes ask a question or two that amount to trying to determine whether you are a raving lunatic or just your garden variety idiot; however, it will not seek a second opinion if you deny being either, and many destructive commands run as super-user ask nothing at all. The result in any case is that your system can become unavailable through the actions, witting or unwitting, of a person with extremely powerful levels of access. It is therefore good practice to limit this type of access only to persons who need it and, equally important, only to persons who are qualified; even they should do their routine work under an ordinary account and assume the privileged one only for the task that requires it. The latter point is applicable for two reasons. Firstly, it is not uncommon for relatively senior staff in many organisations to demand privileged access, and acquiescing to such demands in many cases puts privileged access into unqualified hands. Secondly, and perhaps more importantly, your very IT practitioners may be the equivalent of the one-eyed in the land of the blind, with perhaps more devastating consequences.
I would be a wealthy person if I had even a dollar for every incident of system breakdown caused by careless or ignorant use of privileged access. I have seen systems that were acknowledged to be among the best in class exhibit colossal instability with spectacular breakdowns. Such systems magically lived up to their reputation for unparalleled reliability following changes of administrators. In another case, in one local organisation there were in excess of forty active administrative accounts on various systems. It should be realised that this implies an opportunity for forty-plus people to mess up with disastrous consequences. Worse still, of those forty there were only two who even remotely approached having what I considered to be the requisite skill and understanding of the systems to qualify to hold that access. It is little wonder, therefore, that system breakdowns were routine and unpredictable. In the case of the above organisation, the simple act of reviewing and revoking unnecessary access vastly reduced the incidence of failure, thus increasing system availability and reliability without incurring any costs. Limiting privileged access is thus one of the zero-cost methods by which you can increase system performance simply by reducing the possibilities for things to go wrong.
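The review described above, reading who actually holds root-equivalent access and comparing that against who is supposed to, is the kind of thing that can be scripted so it is run every month rather than once in a crisis. The following is an added example, not the author's own code: it parses Unix-style passwd and group data, treats uid 0 and membership of the usual administrative groups as privileged, and reports every account that is not on an approved list. The passwd/group text, the group names in PRIVILEGED_GROUPS and the APPROVED set are constructed sample data; on a real host you would read /etc/passwd and /etc/group (or the equivalent directory export) and keep the approved list under the access policy.

```python
"""Privileged-account review for a Unix-style host.

Added example, not from the original article. SAMPLE_PASSWD, SAMPLE_GROUP,
PRIVILEGED_GROUPS and APPROVED are constructed for the demonstration.
"""

# Constructed sample of /etc/passwd (name:x:uid:gid:gecos:home:shell)
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
dave:x:1004:1004:Dave (left 2019):/home/dave:/bin/bash
svc-backup:x:1100:1100:backup service:/var/backup:/usr/sbin/nologin
"""

# Constructed sample of /etc/group (name:x:gid:member,member,...)
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice,dave
sudo:x:27:bob,carol,svc-backup
adm:x:4:alice
users:x:100:
"""

# Groups whose membership confers root-equivalent access on most distributions
PRIVILEGED_GROUPS = {"root", "wheel", "sudo", "admin"}

# Constructed approved list: who the access policy says may hold privileged access
APPROVED = {"root", "alice", "bob"}


def parse_passwd(text):
    """Return {user: (uid, gid, shell)} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":", 6)
        users[name] = (int(uid), int(gid), shell)
    return users


def parse_group(text):
    """Return {group: (gid, set_of_members)} from group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def privileged_accounts(passwd_text, group_text):
    """Map each privileged account to the list of reasons it is privileged."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    priv_gids = {gid for name, (gid, _m) in groups.items() if name in PRIVILEGED_GROUPS}
    reasons = {}
    for user, (uid, gid, _shell) in users.items():
        if uid == 0:                       # a second uid-0 account is a classic finding
            reasons.setdefault(user, []).append("uid 0")
        if gid in priv_gids:               # primary group grants it without a member entry
            reasons.setdefault(user, []).append(f"primary gid {gid}")
    for gname, (_gid, members) in groups.items():
        if gname in PRIVILEGED_GROUPS:
            for member in members:         # supplementary membership
                reasons.setdefault(member, []).append(f"member of {gname}")
    return reasons


def review(passwd_text, group_text, approved):
    """Split privileged accounts into (approved, to_revoke), each {user: reasons}."""
    priv = privileged_accounts(passwd_text, group_text)
    approved_found = {u: r for u, r in priv.items() if u in approved}
    to_revoke = {u: r for u, r in priv.items() if u not in approved}
    return approved_found, to_revoke


if __name__ == "__main__":
    ok, revoke = review(SAMPLE_PASSWD, SAMPLE_GROUP, APPROVED)
    print(f"{len(ok) + len(revoke)} privileged accounts, {len(revoke)} not approved")
    for user, why in sorted(revoke.items()):
        print(f"  REVOKE {user:12s} {', '.join(why)}")
```

Run against the constructed data it reports toor, carol, dave and svc-backup for revocation: a duplicate uid-0 account, two people granted sudo with no record of approval, a leaver still in wheel, and a service account that never needed interactive root. The check covers the two commonest grants (uid 0 and administrative group membership); sudoers rules that name users directly, set-uid programs and directory-service group nesting are further sources of privilege that a complete review must also read.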
To return briefly to our theme of IT governance, it is best practice to have a clearly defined policy by which special access shall be granted. In smaller organisations such as our local businesses and public sector agencies, I think it would also be useful for the chief executive and the highest-level executive committee to be informed of the exact persons who hold special access and the systems to which such access applies. I have frequently argued that persons who have proved themselves to be untrustworthy in any way are poor candidates for holding special access, and scrutiny of assignments by a wider range of stakeholders may expose some such cases.
Where’s the IT staff?
Limiting system access increases reliability and, all else remaining the same, increases your availability by definition, since there are fewer breakdowns. However, breakdowns can and do happen, and the faster you can recover from a breakdown, the less downtime you have and thus the higher your system availability will be. Another zero-cost method for increasing performance may resonate more with the public sector, and that is “your IT staff must be there to rectify the problems when they occur”. This statement may sound deceptively simple, but again, in my experience, the sheer number of available hours lost to rank indiscipline is staggering. This is a serious problem that we need to fix nationally. We need to start insisting on what one former president referred to as “the routine virtues” of work, which included regular and punctual attendance! Nothing is more frustrating than to have to face members of the public and proffer the feeble excuse that “the system is down” while no one can get on to the system administrator, who has probably not even woken up at 8:00 am or has gone inexplicably missing in the middle of the day. The cost of this phenomenon includes not only the hours spent paying the customer-facing staff (and the absent administrator) to do nothing, but also the hours wasted by members of the public, who surely have better things to do. And while the private sector may to some degree be insulated from this particular effect, there are many small businesses which, for a number of reasons, do not employ dedicated IT staff but depend instead on independent contractors who are similarly inaccessible during downtime. Ironically, most of these contractors are probably the same public sector employees who can’t be found when they are most needed.
In case the significance of this is missed, I should stress that this situation corresponds in a very real sense to dishonesty not only on the part of the state employee, but also on the part of those businesses that utilise their services during time paid for by the taxpayer, since in the absence of that unofficial subsidy the cost paid for skilled services would be several times higher. To my mind there is no difference between that act and outright theft from the consolidated fund. I am certain that this phenomenon also obtains in the private sector, which, I argue, similarly amounts to businessmen stealing from each other.
Do they know what they are doing?
Continuing along the same theme of responding to and rectifying your IT system breakdown, your insistence on the routine virtues will ensure that your staff are around when needed to rectify problems, and it is here that my first non-zero-cost measure is introduced. You need to ensure that the persons supporting your systems actually know what they are doing, and the way to ensure this is by investing in relevant industry certifications for your staff. Notice the use of the word investing, for an investment it is, and this is where the practice of moonlighting in broad daylight needs to be seriously addressed. One cannot reasonably expect businesses or the state to make such an investment only for it to be effectively stolen by others. This issue of investing in human (and other) resources is to my mind at the centre of what I like to refer to as the difference between “doing IT” and “doing IT properly”. My emphasis on no-cost measures today merely seeks to show how we can do better with what we have. It is also unarguable that our “bargain basement” approach to IT contributes largely to the all too common experience of unreliable systems.
Response time
With respect to response time (the speed of your systems), there are similarly a number of measures that you can take to improve performance. One that obviously comes to mind is to keep a close watch on the content that is brought into and stored on your systems. The former will usually require some investment in software for managing the types of content that come into your system via the Internet; however, the Internet is not the only way that content can be brought into your system. CDs, flash drives and external hard drives can all bring useless (and dangerous) content onto your system. Believe it or not, a common cause of systems slowing down that I have come across in more than one organisation is the storage of music and movies on corporate servers. These collections can grow to the point where they consume the free disk space that the operating system’s page file and temporary files depend on to supplement memory; the system first slows down (increasing response time) and eventually grinds to a halt. Therefore another zero-cost measure that you can take is to have, and enforce, a policy on the type of content that is permissible for storage on your systems.
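Enforcing such a storage policy starts with knowing what is actually on the disk. The following is an added example, not the author's own code: it walks a directory tree, classifies files against a constructed list of disallowed media extensions, totals the space each category consumes, lists the worst offenders first and reports how much of the volume is still free, which is the figure that matters for the page file. The extension lists in DISALLOWED and the sample tree that build_sample_tree() creates are constructed for the demonstration; in practice you would point audit_tree() at a file share or the users' home directories.

```python
"""Storage content audit: find media files that the content policy does not
permit on a corporate server and report how much space they take.

Added example, not from the original article. DISALLOWED and the tree built
by build_sample_tree() are constructed sample data.
"""
import os
import shutil
import tempfile

# Constructed policy: file types that should not live on a corporate server
DISALLOWED = {
    "music": {".mp3", ".flac", ".m4a", ".wav"},
    "video": {".mp4", ".mkv", ".avi", ".mov"},
}


def classify(name):
    """Return the policy category for a file name, or None if it is permitted."""
    ext = os.path.splitext(name)[1].lower()
    for category, exts in DISALLOWED.items():
        if ext in exts:
            return category
    return None


def audit_tree(root):
    """Walk root; return ({category: bytes}, [(path, category, bytes)] largest first)."""
    totals = {cat: 0 for cat in DISALLOWED}
    offenders = []
    for dirpath, _dirs, files in os.walk(root):   # does not follow directory symlinks
        for name in files:
            category = classify(name)
            if category is None:
                continue
            full = os.path.join(dirpath, name)
            try:
                size = os.lstat(full).st_size      # lstat: a symlink counts as itself
            except OSError:
                continue                           # vanished or unreadable; skip, don't abort
            totals[category] += size
            offenders.append((full, category, size))
    offenders.sort(key=lambda entry: entry[2], reverse=True)
    return totals, offenders


def free_space_ratio(path):
    """Fraction of the volume holding path that is still free."""
    usage = shutil.disk_usage(path)
    return usage.free / usage.total


def build_sample_tree(base):
    """Create a constructed sample tree with files of known sizes (sparse where supported)."""
    layout = {
        "finance/ar_2012.xlsx": 20_000,
        "finance/tender_proposal.docx": 50_000,
        "users/dave/party.mp3": 5_000_000,
        "users/dave/holiday.mkv": 120_000_000,
        "users/erin/notes.txt": 1_000,
        "users/erin/podcast.m4a": 30_000_000,
    }
    for rel, size in layout.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as handle:
            handle.truncate(size)                  # sets st_size without writing the bytes
    return base


def run_demo():
    """Build the sample tree in a temporary directory, audit it, clean up."""
    base = tempfile.mkdtemp(prefix="content-audit-")
    try:
        build_sample_tree(base)
        return audit_tree(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    totals, offenders = run_demo()
    for category, nbytes in totals.items():
        print(f"{category:6s} {nbytes / 1_000_000:10.1f} MB")
    for path, category, nbytes in offenders[:5]:
        print(f"  {nbytes / 1_000_000:8.1f} MB  {category:6s} {path}")
    print(f"free space on this volume: {free_space_ratio(os.getcwd()):.0%}")
```

On the constructed tree the report shows 120 MB of video and 35 MB of music against under 0.1 MB of business documents, with dave's holiday video at the top of the list. Scheduling the audit and pairing it with a free-space threshold (alert when free_space_ratio() drops below, say, 10%) turns the policy into something that is checked rather than merely written down.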
It is important to appreciate that the measures outlined above rely on more than just IT interventions to be successful. To complement these measures, the organisation must explicitly articulate these policies and ensure that they are enforceable.
This means among other things ensuring that IT-related offences and their associated sanctions are explicitly covered in personnel and other policy manuals.