final wcc 7799 - Wiltshire First (E... · 2010. 1. 7. · Commercial In Confidence NCC Group Consulting Report To ICT Strategy Version 1.0 Final 28th July 2004 NCC Group Manchester

CCoommmmeerrcciiaall IInn CCoonnffiiddeennccee

NNCCCC GGrroouuppCCoonnssuullttiinngg

RReeppoorrtt TToo

IICCTT SSttrraatteeggyy

VVeerrssiioonn 11..00 FFiinnaall2288tthh JJuullyy 22000044

NNCCCC GGrroouuppMMaanncchheesstteerr TTeecchhnnoollooggyy CCeennttrreeOOxxffoorrdd RRooaaddMMaanncchheesstteerr MM11 77EEFF

LLeeaadd aauutthhoorr::bbaarrtt..wwaallsshh @@nnccccggrroouupp..ccoomm

QQAA ccoo--oorrddiinnaattoorr::aanntt..hhaarrrriissoonn@@nnccccggrroouupp..ccoomm


Version 1.0 - 2 -

CONTENTS SSeeccttiioonn 11 EExxeeccuuttiivvee SSuummmmaarryy 44

1.1 Objectives of the review 4

1.2 Disclaimer 5

1.3 Setting the context 5

1.4 Key conclusions 6

1.5 Key recommendations 7

SSeeccttiioonn 22 BBeenncchhmmaarrkkiinngg IICCTT iinn WWiillttsshhiirree 88

2.1 Summary 8

2.2 Introduction to the section 8

2.3 ICT spending levels 8

2.4 Benchmarking ICT spending 9

2.5 ICT staffing levels 10

2.6 The basis for apportioning corporate costs 10

2.7 Overall conclusion 11

2.8 Recommendations 11

SSeeccttiioonn 33 IICCTT aanndd bbuussiinneessss aalliiggnnmmeenntt 11223.1 Summary 12


3.3 Local autonomy versus centralised control 12

3.4 The need for an enterprise architecture 14

3.5 ICT organisational structure 16

3.6 ICT funding and sourcing mechanisms 21


SSeeccttiioonn 44 IICCTT mmaannaaggeemmeenntt aanndd ggoovveerrnnaannccee 2255

4.1 Summary 25


4.3 Comparison against the CObIT standard 25


SSeeccttiioonn 55 TThhee CCoouunncciill’’ss IICCTT IInnffrraassttrruuccttuurree 3300

5.1 Summary 30


5.3 The importance of infrastructure 31

SSeeccttiioonn 66 IInnffrraassttrruuccttuurree 33226.1 Network 32

6.2 Servers 34


Version 1.0 - 3 -

6.3 Desktop Environment 39

6.4 Common Applications 44

6.5 Business Applications 46

6.6 e-Government 48

6.7 Security 50

6.8 Telephony and Communications 53

6.9 Costing the Tactical, Short term and Medium term plan 55

SSeeccttiioonn 77 IInnffrraassttrruuccttuurree RReeccoommmmeennddaattiioonnss 5599


AAppppeennddiixx AA IICCTT SSeerrvviiccee aanndd OOppeerraattiioonnaall SSuuppppoorrtt 6633

AAppppeennddiixx BB AAccttiioonn PPllaann 7722

AAppppeennddiixx CC TTaaccttiiccaall//SShhoorrtt TTeerrmm aanndd MMeeddiiuumm TTeerrmm PPrroojjeecctt PPllaann 7788

AAppppeennddiixx DD GGlloossssaarryy 7799

AAppppeennddiixx EE EEnntteerrpprriissee AArrcchhiitteeccttuurree aanndd MMiiddddlleewwaarree 8822


Version 1.0 - 4 -

SSeeccttiioonn 11 EExxeeccuuttiivvee SSuummmmaarryy

11..11 OObbjjeeccttiivveess ooff tthhee rreevviieewwNCC Group was commissioned by Wiltshire County Council to develop an ICT strategy covering:-

• Technology; • Management and; • Governance.

The following areas were deemed to be out of scope:-

• IT in schools; • Corporate and departmental data; • Financial management systems.

After detailed discussions with the Council it was agreed that it would be necessary and beneficial to comment on the Council’s current financial system (APTOS), the information management aspects of data and the impact on technical infrastructure. The major deliverable from the assignment is an ICT strategy which outlines the key issues facing the Council as it strives to deliver its performance and improvement plan and in particular it’s ‘e’ Government programme, with appropriate recommendations for action. Within the ICT strategy the Council is seeking to determine its approach both in the short/medium term to delivering its strategic ICT objectives as well as a high level road map identifying potential key project areas. Both these issues are covered in detail in Appendix B and Appendix C, the Action plan and Tactical/Short and Medium term Project Plan respectively. The Council has separately commissioned a review of business processes across the Council and is initially looking at support services. The ICT strategy must compliment this separate but interlinked project in order to drive out maximum benefit through the implementation of new systems underpinned by new and more efficient processes. The work undertaken by Serco in this regard will be complimented by the ICT strategy’s proposals in respect of:-

• The development of a corporate wide asset inventory with appropriate recommendations for change management;

• The analysis of current areas for improvement in the Council’s • Financial management system; • The debate around the need for an enterprise architecture approach

which is designed to improve the corporate handling of personnel information.

A primary driver for the strategy is a concern that the Councils current management and governance arrangements may not be fit for purpose in respect of the challenges faced, and that any future investment in ICT is properly justified, capable of measurement in terms of benefits realized, and is


Version 1.0 - 5 -

laying the foundations for a quality service for staff and citizens in the longer term. In this context the ICT strategy has been developed without the usual focus on ‘vision’ which is already well established, or the broader implications of information management strategy, some of which is already being addressed through the BPR project and other initiatives, and some of which will flow from this strategy. The impact of this on the strategy is that issues are addressed clearly, conclusions are evidenced and recommendations tend to be directive rather than option based.

11..22 DDiissccllaaiimmeerrThis report has in part been developed based on documentation provided by Wiltshire County Council, NCC Group does not warrant the accuracy or the completeness of this documentation. References to particular products or services should not be taken as an endorsement of those products or services by NCC Group unless explicitly stated.

11..33 SSeettttiinngg tthhee ccoonntteexxttWiltshire County Council is a large and complex organization and in common with other local authorities in England is striving to deliver a series of strategic projects as part of its approach to ‘e’ Government. In 1999/2000 the Council procured a major upgrade of the Councils financial management system from ‘green screen’ to a windows based system, and also invested in a replacement management information system for social services (CareFirst). The Council also reviewed its infrastructure requirements (in 2002) which led to a number of key initiatives including the rationalization of data storage, upgrading of desktop operating systems and the acquisition of an enterprise licence agreement for Microsoft software. The primary focus at present is around access to and the quality of services experienced by the Council’s citizens. This is branded in the Wiltshire context as ‘transforming the customer experience’ (TCE). The TCE project is predicated on a phased implementation of one stop shop working supported by customer relationship management techniques and technology, including the re engineering of a wide range of business processes. In addition there are a number of pilot projects underway designed to prepare the Council for a range of new and innovative technologies such as mobile working using wireless technology. The Council is also procuring a County wide community portal in conjunction with Districts and other partners, and there are plans to deliver transaction services ‘virtually’ over the World Wide Web.


Version 1.0 - 6 -

Plans are also in place to improve the ‘look and feel’ of the Councils current web site through a redesign of structure and improved content, a third party supplier has been commissioned to carry out this work. Finally the Council has recognized the need for infrastructure investment and several projects are in train to improve corporate storage capacity/capability and to facilitate and improve access to external partner networks, as well as upgrade key corporate applications. The Council has a history of different approaches to the provision of ICT services and the development of ICT strategy with at least two iterations of the central and devolved approach having been tried. The Council has through both an IDeA review and the CPA process recognized the need to work in a more joined up fashion and is anxious that this is a consideration in the development of the ICT strategy.

11..44 KKeeyy ccoonncclluussiioonnssWe benchmarked the Council’s ICT spending and staffing levels against other county councils for which we have comparative data (data provided by the Audit Commission). We found that Wiltshire spends £3 million less on ICT than we would expect, and is understaffed by approximately 27 employees. We do not think that the Council’s ICT provision and infrastructure is aligned optimally with its business and service needs:

• Local autonomy combined with a ‘departmental based’ view of ICT investments has resulted in the Council having a disparate ICT infrastructure, with significant areas of duplication of information. This prevents the Council from having a common view of its finance, staff and customers. To overcome this weakness the Council should adopt an ‘enterprise architecture’ where information can be shared, and single instances of corporate applications fulfil the Council’s administrative needs.

• The organisational structure of ICT management and provision does not

meet the Council’s requirements. We propose that the Council creates a senior second-tier post with overall responsibility for ICT management and governance.

• Improving the Council’s technical architecture will be costly and high risk,

and the Council may wish to explore developing partnership-based relationships to meet the short/medium-term investment needs and reduce risk.

We assessed the Council’s ICT management and governance processes against the internationally recognized CObIT standard. Our evaluation shows that the Council has immature governance processes. One area of relative strength is the Council’s approach to IT risk management. The key weaknesses are:


Version 1.0 - 7 -

• The lack of a robust corporate ICT strategy which defines how investments will be appraised, what standards are in place and must be followed, and how benefits will be realized.

• The absence of a corporate ICT architecture, which sets-out the major building

blocks around core applications, shared information through consolidated servers and storage, and appropriate access to information via a robust voice and data network.

11..55 KKeeyy rreeccoommmmeennddaattiioonnssThe recommendations in this report are detailed in the following sections. To help focus the Council’s thinking we think the most important recommendations are:

• Maintain this ICT strategy and adopt a five-year rolling investment approach to funding ICT.

• Make provision for an additional ICT investment of around £3million P.A.

• Adopt an enterprise architecture for ICT across the Council (as defined in

section 3.4)

• Introduce a new senior post to manage ICT across the Council.

• Review the organizational structure of ICT management and provision to make it more corporate and customer focused.

• Address the issues and actions highlighted in Appendices A, B and C.


Version 1.0 - 8 -

SSeeccttiioonn 22 BBeenncchhmmaarrkkiinngg IICCTT iinn WWiillttsshhiirree

22..11 SSuummmmaarryyWe benchmarked the Council’s ICT spending and staffing levels against other County Councils for which we have comparative data (data provided by the Audit Commission). We found that Wiltshire spends £3 million less on ICT than we would expect, and is understaffed by approximately 27 employees.

22..22 IInnttrroodduuccttiioonn ttoo tthhee sseeccttiioonnThis section of the report presents a high-level benchmarking analysis of the Council’s ICT spending and staffing levels when compared against other County Councils for which we have comparative data.

22..33 IICCTT ssppeennddiinngg lleevveellssThe Council currently has three main areas of ICT expenditure, these are:-

• The ‘e’ Government programme focusing on TCE and associated projects, the value of this budget is approximately £9 million over a four year period, commencing 2/3 and completing in 5/6. However within this figure there is a positive on-going revenue baseline adjustment of £2million.

• Corporate expenditure consisting of Vivista costs, CICTU and other corporate costs around corporate licences, firewall expenditure etc. The value of this budget which is fully recharged on PC population basis is £4million.

• ICT expenditure by the three major service directorates is estimated at £3 million.

From research carried out it is likely that there is an element of ‘hidden’ spend by departments both central and service based, however in the overall quantum it is not thought to be material, and may centre on the late buying of PCs at year end. This is likely to occur through coding of expenditure (to where budgets are under spent)and should be discouraged since apart from budgetary management issues, it distorts the true required level of spend on ICT. It has proved difficult to accurately track expenditure by two of the three service directorates, this is partly due to the complex arrangements for some externally funded projects and services, in addition to the devolved nature of some ICT expenditure within directorates, making it difficult to tag accurately the true level of spend. The coding structure in APTOS and the difficulty in producing clear management reports have also hindered the process.


Version 1.0 - 9 -

22..44 BBeenncchhmmaarrkkiinngg IICCTT ssppeennddiinnggWe have conducted a high-level benchmarking assessment to compare Wiltshire’s identified ICT spending and staffing levels against other county councils for which we have comparative data. The data we used was obtained from published best value reviews of ICT available on the Audit Commission’s website. We appreciate that some of the data is up-to two years old, but we think that for the purposes of outline comparisons it will still be of sufficient accuracy. In terms of ICT spend, Wiltshire had identified a spend of £6.4 million (excluding the costs of the TCE project), representing 1.77% of net revenue budget. This compares against the average county council spend of 2.11%. If Wiltshire’s spend was equivalent to an average county for which data was available, it would spend an additional 0.347% of its budget on ICT, equivalent to £1,260,000 million on a £363 million budget. Wiltshire’s comparative spend is shown below. (The SOCITM* benchmarking report for 2003 similarly has Wiltshire spending at 2.2 % of its gross budget against a Shire average of 2.56% a difference of 0.36%) (*Society of information technology managers) Wiltshire’s ICT spend as a proportion of net revenue budget

However Wiltshire has a history of under-investing in ICT, and some catch-up is required. If we compare Wiltshire against Staffordshire (a county which is investing in new core applications), the gap is 0.88%, equivalent to £3.2 million per year. We feel that this figure is a more realistic gap estimate for Wiltshire given the ICT investments which are required.

0 0.5 1 1.5 2 2.5 3 3.5

Surrey

Staffordshire

Durham

Northumberland

Average

Wiltshire

Essex

Hampshire

Suffolk

Worcestershire

Derbyshire

ICT spend as % of net revenue budget


Version 1.0 - 10 -

22..55 IICCTT ssttaaffffiinngg lleevveellssWhen we examined ICT staffing levels we found that Wiltshire has 0.150 ICT staff (central, departmental and outsourced) per 1000 population. The average for the group of counties for which we have data is 0.2121 per 1000 population. If Wiltshire’s staffing levels were equivalent to an average County for which data was available, it would have an additional 0.052 ICT staff per 1000 population, equivalent to 26.8 employees for a population of 433,000. Wiltshire’s comparative staffing level is shown below. The SOCITM report for 2003 appears to confirm this trend with an average ICT staffing establishment for Shire Counties of 99, Wiltshire has around 60-65 ICT professionals across CICTU, service directorates and Vivista (the latter being subject to fluctuation per demand). Wiltshire’s ICT staffing levels as a proportion of population

22..66 TThhee bbaassiiss ffoorr aappppoorrttiioonniinngg ccoorrppoorraattee ccoossttssThe basis for the apportionment of central recharges is invariably a contentious issue. The way that Wiltshire recharges corporate costs is simple, straightforward and easy to administer, being based on PC population with a slight variation in the methodology for Vivista costs which are reassessed during the financial year based on asset inventory reviews. This lack of sophistication may cause a degree of inequality for example departments playing ‘catch up’ in refresh terms are likely to incur significant extra revenue recharges.

0 0.05 0.1 0.15 0.2 0.25 0.3 0.35

Staffordshire

Northumberland

Suffolk

Surrey

Durham

Average

Derbyshire

Worcestershire

Wiltshire

Hampshire

Essex

ICT staff per 000 population


Version 1.0 - 11 -

However which ever system is adopted it is likely to have similar vagaries (in our experience). The Council is obliged to take account of the Best Value Accounting Code of Practice (BVACOP) In determining the basis for recharging, we would recommend that a review is undertaken of the methodology used with user involvement, to examine if there is a more appropriate basis for recharging. However an overly complex and expensive system to administer should be avoided. In terms of the categorization of charges made these seem appropriate given the current devolved nature of budget holding.

22..77 OOvveerraallll ccoonncclluussiioonnOur overall conclusion, based on the group of Counties shown above, is that Wiltshire spends less than the County average and considering the amount of future investment required, may need to increase expenditure annually by approximately £3 million.

22..88 RReeccoommmmeennddaattiioonnssThe Council should review its ICT spending and staffing levels when formulating its long-term financial strategy. The Council should review its ICT recharging policy with user involvement to ensure that it is equitable and within the BVACOP guidelines.


Version 1.0 - 12 -

SSeeccttiioonn 33 IICCTT aanndd bbuussiinneessss aalliiggnnmmeenntt

33..11 SSuummmmaarryyWe do not think that the Council’s ICT provision and infrastructure is aligned optimally with its business and service needs:

• Local autonomy combined with a ‘departmental-based’ view of ICT investments has resulted in the Council have a disparate ICT infrastructure, with significant areas of duplication of information. This prevents the Council from having a common view of its finance, staff and customers. To overcome this weakness the Council should adopt an ‘enterprise architecture’ where information can be shared, and single instances of corporate applications fulfil the Council’s administrative needs.

• The organisational structure of ICT management and provision does not

meet the Council’s requirements. We propose that the Council creates a senior second-tier post with overall responsibility for ICT management and governance.

• Improving the Council’s technical architecture will be costly and high risk,

and the Council may wish to explore developing partnership-based relationships to meet the short/medium-term investment needs and reduce risk.

33..22 IInnttrroodduuccttiioonn ttoo tthhee sseeccttiioonnThis section of the report focuses on how the Council seeks to align the business needs of service units with its ICT strategy. We examine:

• The balance between local autonomy and centralised control in ICT strategy development.

• The funding mechanisms and underlying prioritisation processes which

underpin ICT investment decisions.

• The organisational structure of ICT management and service provision, and the degree to which they are aligned with end-user needs.

33..33 LLooccaall aauuttoonnoommyy vveerrssuuss cceennttrraalliisseedd ccoonnttrroollMany organisations have sought to consolidate all of their ICT support arrangements with the intention of generating scale economies and savings. In our experience, this has largely been unsuccessful. Business units instinctively understand that an element of devolved support is correct, and where devolved staff have been centralised, they have subsequently re-emerged in departments, thus increasing rather than decreasing the overall numbers of ICT support staff. The Audit Commission developed the concept of a federal model of ICT support (see below); seeking to gain the advantages of centralisation (such as scale


Version 1.0 - 13 -

economies and control over standards) and the advantages of devolvement (such as flexibility and responsiveness). A federal model of ICT support

Wiltshire does not comply with the Commission’s federal model, and we believe this is the underlying reason for many of the problems faced by the Council. Wiltshire has a unique organisational approach to ICT – it appears to capture the disadvantages from the extremities of the centralised and decentralised models, whilst at the same time avoiding the benefits of the federal approach:

• Central and departmental ICT provision is not underpinned by a robust ICT strategy. Given the current procurement of new corporate applications, it is vital that an ICT strategy is developed so that maximum value can be derived from any forthcoming investment in core systems.

• Departments have a ‘local’ view of ICT and have made many small

investments in ICT (for example there are around 150 servers each with their own storage) if a corporate view had been taken it would have been more efficient to make a centralised investment in large servers and storage, thus enabling scale economies to be realised and the burden on technical support staff to be lowered.

• The ‘departmental-based’ view results in the Council not having an

‘enterprise architecture’ which should act as a high-level strategy for how the Council will be able to share access to common data about its staff, citizens and customers, provided via single instances of corporate applications such as finance, HR, CRM etc. Instead the Council has developed several hundred Excel and Access applications to make-up for perceived deficiencies in the corporate applications portfolio.

unresponsive

no systemownership

not meetingbusiness needs

no controlof overheads

excessivecosts

variablestandards

reinventingthe wheel

incompatiblesystems

scaleeconomies

group-wideperspective

pooledexperience

capturesynergies

CENTRALISED IT DECENTRALISED IT

FEDERAL IT

functionalIT leadership

controlof standards

integration

critical massof skills

userscontrol

priorities

ownership

responsive tobusiness

needs


Version 1.0 - 14 -

33..44 TThhee nneeeedd ffoorr aann eenntteerrpprriissee aarrcchhiitteeccttuurreeThe Council has identified weaknesses with its corporate systems. For example the central finance system does not provide commitment accounting or electronic procurement functionality. To make-up for deficiencies in corporate systems Council departments have created hundreds of Excel and Access based applications, which are used for local management purposes. This means that the Council does not have a consolidated view of the data it holds about services and customers, and additionally this data is impossible to interrogate at a corporate level.* To remove these difficulties, the Council should adopt enterprise architecture. The recommended enterprise architecture is based on the following principles, and is shown diagrammatically overleaf.*

• Single instances of corporate applications (e.g. finance, CRM, HR, procurement) are acquired, and these have sufficient functionality to replace the existing Excel and Access-based application infrastructures.

• The applications share common data on shared storage devices,

allowing the Council to have a single view of, for example, its finances, employees and customers.

• There is an overarching Information Management Strategy which ensures

that all information is controlled and relationships between data in disparate corporate applications are clearly mapped. This will facilitate data interchange, using government standards such as XML.

*The diagram shown overleaf is a high level conceptual diagram for illustrative purposes; a more detailed diagram is attached as Appendix E which outlines the relationship between middleware and back office systems in an enterprise architecture solution.


Version 1.0 - 15 -

Moving towards an enterprise architecture


Version 1.0 - 16 -

33..55 IICCTT oorrggaanniissaattiioonnaall ssttrruuccttuurreeThe structure of Wiltshire’s ICT organisation reflects the low-key impact of IT across the Council. Responsibility for ICT resides with Finance, and there is not a dedicated 2nd tier officer responsible for ICT across the Council, this is an untenable position given the aims and objectives of the Council and the strategic importance of ICT. There are two aspects to this issue. Firstly the Council will not raise the profile of ICT within the Council if ICT is seen as just a part of a range of responsibilities under one officer, the role requires the dynamism and expertise of a dedicated full time professional. Secondly the appointment of a second tier officer in itself will not address many of the organisational issues facing the Council. ICT must be viewed from a much more corporate perspective and the officer corporately responsible for ICT must work within an agreed framework which commands the support of all chief officers and leading elected members. The focus should be on communication rather than control. As part of this framework a series of technical, professional and managerial standards should be further developed, and enforced corporately through this new post. This is an absolute pre-requisite of the federal model. For the purpose of this strategy document we will refer to this post as the ‘Corporate Head of ICT’. This recommendation should not be viewed as a criticism of any one or group of individuals, rather recognition of the size of the ICT role and the difficulties of adopting and implementing corporate standards and approaches in a much devolved environment. The Annual SOCITM* survey for 2003 shows that of all 17 local authorities in the South West region, none has a more devolved approach to ICT than Wiltshire. (*Society of information technology managers) 33..55..11 LLooccaattiioonn aanndd mmaannaaggeemmeenntt rreeppoorrttiinngg ooff IICCTT ssttaaffff

As indicated in paragraph 3.3 we believe there is a strong case for a local presence in relation to some ICT professionals. We found some examples of excellent working between ICT coordinators and their service directorates, and it is clear that disruption to this arrangement would not be beneficial to the Council. However there is (in our view) a need to tie those staff into a more general corporate framework, and we have examined two options.


Version 1.0 - 17 -

Option A It is possible that the staffing structures under (and including)the ICT coordinators could have a ‘thick’ reporting line to a new corporate post, effectively making those staff managerially responsible to the Corporate Head of ICT, whilst physically located in directorates and taking day to day instruction from directorate management. Option B Alternatively these staff could continue to remain managerially responsible to service directorates with a dotted line to the Corporate Head of ICT, referring to that person for ‘professional advice and guidance’. In developing the ICT strategy we came across a number of examples where out posted professional staff through various consultative procedures were effectively operating in the Councils overall corporate interests whilst serving the needs of service directorates For example, the Senior Finance Forum, here the relevant Assistant Directors meet on a regular basis with the S151 officer to review the corporate financial position of the council, and discuss issues of corporate and strategic importance. Similarly the communications service within the Council has arrangements in place to ensure that the ‘corporate’ message is given to external agencies, press and partners. Our preferred approach would be to adopt option B as an interim measure leading to option A. Our view is that there is little merit in adopting option A too quickly and that this option is best implemented after a second tier officer has been appointed and new standards have been corporately adopted and credibility and trust has been established. The following strategy and recommendations make clear the advantages of such an approach. The secret to success is we believe one of timing, the appointment of the right individual with the appropriate status and remuneration, and a fine judgement as to when the organization is ‘mature’ enough (in an organizational sense) to make it work.


Version 1.0 - 18 -

33..55..22 MMaannaaggeemmeenntt ooff tthhee ‘‘ee’’ GGoovveerrnnmmeenntt pprrooggrraammmmee

We believe that the Council has the constituent parts of a strategic approach to delivering ‘e’- Government in place. There are a number of working parties and groups looking at particular aspects (TCE, valuing people, financial management etc) which feed into the “make it happen group” which in turn (as part of a broader change programme) reports to CPG. However we feel that the arrangements may be overly complex and would recommend these arrangements are reviewed and streamlined. Additionally we have concerns that there are insufficient resources dedicated to making the programme happen, many of the staff involved are by the nature of the undertaking involved in other projects such as the BPR project. Unless these staff are released to concentrate on these transformational projects there is a risk that quality or timescales for delivery will suffer. We would extend this concern to the resource applied to project managing the overall programme. 33..55..33 MMaannaaggiinngg aanndd ddeevveellooppiinngg tthhee CCoouunncciill’’ss IICCTT ddeevveellooppmmeenntt pprrooggrraammmmee..

The work undertaken in completing the ICT strategy has indicated that the current arrangements for agreeing the corporate development programme are not satisfactory. We would expect to see regular meetings of ICT professionals and senior users on a quarterly basis to review progress on the Councils strategic development plan, which is essentially a list of major corporate ICT related projects. The plan would be developed by the Corporate Head of ICT on a bidding basis and discussed with all parties at the beginning of each financial year. In addition to this task the group would set technical standards for the Council and develop and update the Councils ICT strategy. Representation at a senior technical and user level from all directorates is essential for the group to work successfully. The Head of Corporate ICT would chair and administer the group and report on an ad hoc basis to CPG. The primary deficiency with the current arrangements of ICT coordinators meeting with the head of CICTU is that it lacks sufficient seniority or organizational clout to foster and develop an enforceable corporate culture, and has no link to the Council’s senior management team. It is important to provide adequate programme and project management resources to develop and implement the Council’s ICT development


Version 1.0 - 19 -

programme and consideration should be given to the appointment of a project support officer. 33..55..44 AAlliiggnniinngg tthhee IICCTT ssttaaffffiinngg ssttrruuccttuurree wwiitthh bbuussiinneessss nneeeeddss

We have examined the current structure of CICTU and its relationship to the Councils business requirements and concluded that it is too technically focused and based on ICT disciplines rather than the business needs of the Council. Outlined below is a diagrammatic representation of the current structure.

Overleaf we have outlined at a high level the functional groupings we think the Council needs to consider regardless of the location of these functions e.g. outsourced or in house.

Current CICTU Structure

Head CICTU(Les Snelgrove)

IT/Sec Manager (Chris Christensen)

IT/Sec Officer (Steve Grieshaber) IT/Sec Officer

(Mike Potter)

DP Admin Assistant

(James Costello) Senior

Technical Consultant (Tim Way)

Contract Monitoring Officer(Julia Sheppard)

ICT Contracts Manager

(Peter Morris)

Admin Assistant Finance

(Jean Lipinski)

Admin Assistant

Purchasing (Janet Laver)

Admin Assistant General

( Issy Woodward)

Technical Consultant

(Brian Hockley)

Programme Co-ordinator

(John Pheasant)

Monitoring Assistant

(Marissa Russell)

Project Manager

Established Post

Vacancy

IT/Security

Contracts

Technical

Procurement & Admin

Temporary Contractor

Projects


Version 1.0 - 20 -

A more customer-focused organisation

33..55..55 VViivviissttaa

The Council has a managed service with Vivista for a wide range of operational ICT services. The contract is currently under review by CICTU and this strategy document whilst addressing a number of issues raised by users with the current arrangements, has not dwelt in detail on this area whilst this review is underway. Needless to say the relationship with any third party supplier is a crucial ingredient in the mix for successful service delivery and the expiry of this contract in 2006 represents an opportunity for the Council to improve and build on the current service levels. It follows that all procurement options should be analyzed at the earliest opportunity involving key users and should be rigorous in its assessment of the options. In particular the structure of any new contract should be based on procuring a holistic quality service rather than an over use of the catalogue approach based on core and discretionary items, which has caused both users and suppliers a number of problems, this will have financial implications. This work is already underway and the Council should consider the scope of any new contract as part of its’ wider consideration for the potential for partnership working.

Head of Customer Services and Quality

Departmental ICT co-ordinator

Quality and Service Delivery Manager

User RelationsManager

Head of Infrastructure

Operations Manager

Second/third line support

Head of Projects

Development and Integration Manager

Project Managers (Pool)

Head of Strategy

ICT Risk and Security Manager

Strategic Architecture Manager

Strategic Procurement Manager

Corporate Head of IT


Version 1.0 - 21 -

33..66 IICCTT ffuunnddiinngg aanndd ssoouurrcciinngg mmeecchhaanniissmmssWiltshire’s ICT funding mechanisms are, in the main, departmentally focused, and consequently the Council does not have the wide-area infrastructure it needs to support modern business applications. If the Council is to address the weaknesses in its ICT infrastructure then it must act corporately and set-aside investment and renewal funding so that is can develop and maintain a fit-for-purpose and sustainable infrastructure. These funds should be managed corporately and this may entail an element of budget re-centralization particularly in the areas of discretionary development budgets. We understand that the Council has (to meet its e-government obligations) set aside £9 million over the next three years. We understand that this allocation is ‘supply limited’ i.e. it reflects what the Council can afford rather than what is really needed. Whilst this is a large amount of money, we think that it will be insufficient to meet the Council’s medium and longer term investment needs. The Council has adopted a traditional approach to funding ICT, managing projects in-house and retaining the major risks. We think the Council would benefit from consideration of alternative funding mechanisms, possibly via some form of partnership, where funding can be obtained and paid for in line with longer term affordability constraints , perhaps through an ‘invest to save’ mechanism. In the interests of informing the debate we have outlined a number of models for consideration. These do not form part of the recommendations for the ICT strategy as there are clearlyNon- ICT related issues which impinge on a number of these models and a wider range of considerations would need to be examined in detail before considering adoption. An outline of the main sourcing options open to the Council is given below 33..66..11 LLooccaall ggoovveerrnnmmeenntt ssoouurrcciinngg ttrreennddss;; tthhee ssoouurrcciinngg ssppeeccttrruumm

Councils have a number of sourcing choices. These are described below in the ‘sourcing spectrum’.


Version 1.0 - 22 -

There are three main options within this spectrum, as described below. 33..66..22 TThhee iinn--hhoouussee ooppttiioonn

This relies on the partner to help with implementation and configuration. This is the model traditionally adopted by local authorities:

• It does not transfer risk to the partner since it is largely input-based.

• It can generate affordability issues since the investment is usually funded fully by the authority.

• The authority needs to provide many skills from in-house resources, and

this may be difficult because of resource/skill constraints.

• It does, however, allow the integration of front and back-office processes to be achieved because the authority is wholly responsible for all service delivery.

• There are no major exit/termination issues since the authority is in control

of the resources. 33..66..33 TThhee bbuussiinneessss iimmpprroovveemmeenntt ppaarrttnneerrsshhiipp

Authorities such as Bath & NE Somerset and Slough BC have recently entered into these deals. This is emerging as the most popular model currently under consideration by local authorities, and is a ‘halfway house’ between traditional

1. In-house

Retain risk Affordability issues High skills needed Integration achieved No exit issues

3. BPO/PPP

Transfer staff

Transfer risk

Possible integration

problems

Possible change

control issues

Access to skills

Exit issues

2. Business Improvement

Transfer some risk

Integration can be achieved

Risk/reward possible

Possible change control issues

Access to skills


Version 1.0 - 23 -

in-house delivery and full business process outsourcing (BPO) or public- private partnership (PPP):

• It allows some risk to be transferred to the partner. For example the

partner may be responsible for ensuring that new applications and business processes are implemented which enable the authority to achieve savings through process rationalisation.

• It allows the integration of front and back-office processes to be

achieved because the authority is wholly or mainly responsible for all service delivery.

• It provides a platform for risk-reward, where benefits can be used to fund

the investments needed to modernise services. Savings resulting from the investments can be shared between the authority and the partner. This is advantageous if the Council may require help with up-front funding. If the Council is confident that it already has access to the financial resources it needs then it may not be necessary to use a risk-reward framework.

• It provides access to skills when they are needed – for example, the

partner will need to provide suitably skilled resources during implementation and upgrade phases, and in support of business process re-engineering (BPR).

• Business improvement partnerships can be procured in relatively short

timescales compared with BPO/PPP partnerships. 33..66..44 BBuussiinneessss pprroocceessss oouuttssoouurrcciinngg oorr ppuubblliicc--pprriivvaattee ppaarrttnneerrsshhiipp

Authorities such as Middlesbrough, Redcar and Cleveland, Liverpool, Bedfordshire, Lincolnshire and Milton Keynes have entered PPP agreements.

• These are large scale (between £200m and £1bn), long-term (10-15 years) that involve the transfer of substantial numbers of staff (typically between 500 and 3000).

• Because the partner is wholly responsible for the delivery of the scoped

services, the risks around these services are transferred to the partner. This can be attractive with some administrative services.

• The partner typically invests in ICT to enable savings to be attained in front

and back-office services.

• There can be problems with achieving integration between front and back-office services. For example, the partner may be responsible for first-level customer contact, but there may be the need to integrate with retained services such as education and housing. If this is not thought-through properly it can result in expensive changes being required.

• The partner is required to provide the skills needed to achieve the service

outcomes and will often be responsible for implementing complex ICT systems.


Version 1.0 - 24 -

• Much effort is required to ensure that the exit issues (be they at expiry or because of termination) are considered. Authorities must consider the impact on staff, assets and data. It is common for performance bonds and/or guarantees to be secured in order to deal with exit costs.

• Because the partner becomes the employer for the in-scope services, it

usually includes significant BPR within the scoped services (but BPR may be excluded unless specifically required for non-scoped services).

• PPP/BPO partnerships generally take a minimum of two years to procure.

33..77 RReeccoommmmeennddaattiioonnssThe Council should:

• Adopt ‘enterprise architecture’ where information can be shared and single instances of corporate applications fulfil the Council’s administrative needs.

• Create a senior second-tier post with overall responsibility for ICT

management and governance.

• Consider if some form of partnership with the private sector would be beneficial in helping to meet the Council’s investment needs.


Version 1.0 - 25 -

SSeeccttiioonn 44 IICCTT mmaannaaggeemmeenntt aanndd ggoovveerrnnaannccee

44..11 SSuummmmaarryyWe assessed the Council’s ICT management and governance processes against the internationally recognized CObIT (control objectives for IT), standard. Our evaluation shows that the Council has immature governance processes. One area of relative strength is the Council’s approach to ICT risk management. The key weaknesses are:

• The lack of a robust corporate ICT strategy which defines how investments will be appraised, what standards are in place and must be followed, and how benefits will be realized.

• The absence of a corporate ICT architecture, which sets-out the major building

blocks around core applications, shared information through consolidated servers and storage, and appropriate access to information via a robust voice and data network.

The Council’s ICT governance arrangements should be strengthened to resolve the problems identified.

44..22 IInnttrroodduuccttiioonn ttoo tthhee sseeccttiioonnSound ICT governance processes help the Council to make decisions which are:

• Justified on economic and/or strategic grounds, adding-value to the Council’s service delivery and management capabilities. This requires the Council to develop robust business cases to underpin the investment, backed-up by an analysis of long-term costs, benefits and risks.

• Able to demonstrate that the anticipated benefits have been realised

through robust post-implementation review procedures. Our evaluation of the Council’s ICT governance processes is based upon analysis of how the Council compares against the ‘planning and organisation’ standards set-out in CObIT (control objectives for IT), an internationally recognised framework for ICT governance. The CObIT standard has been developed by the Information Systems Audit and Control Association (ISACA). Compliance against CObIT standards is measured using a six-stage maturity model.

44..33 CCoommppaarriissoonn aaggaaiinnsstt tthhee CCOObbIITT ssttaannddaarrddThis section of the report outlines the key components of the CObIT ‘organisation and planning’ framework, identifies the Council’s current position and the actions required to meet best practice. The CObIT ‘organisation and planning’ standard seeks to evaluate such areas as the strategic contribution of ICT to the organisation, the effectiveness of ICT investments and the management of projects. The evaluation is based around the Council’s position on a six-stage maturity level assessment.


Version 1.0 - 26 -

44..33..11 MMaattuurriittyy lleevveellss ddeeffiinneedd

The approach to maturity models for control over IT processes consists of developing a method of scoring that grades an organisation from ‘non-existent’ to ‘optimised’ (from 0 to 5). The levels are defined further below.

Level Description 0 Non-Existent Complete lack of any recognisable processes. The organisation has not

even recognised that there is an issue to be addressed.

1 Initial There is evidence that the organisation has recognised that the issues exist and need to be addressed. There are, however, no standardised processes but instead there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganised.

2 Repeatable Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.

3 Defined Procedures have been standardised and documented, and communicated through training. It is, however, left to the individual to follow these processes and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.

4 Managed It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

5 Optimised Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow and provide tools to improve quality and effectiveness, making the enterprise quick to adapt.


Version 1.0 - 27 -

44..33..22 EEvvaalluuaattiioonn aaggaaiinnsstt tthhee CCOObbIITT oorrggaanniissaattiioonn aanndd ppllaannnniinngg ssttaannddaarrdd

CObIT standard Description Wiltshire’s position Action required Define a Strategic IT Plan

Define a Strategic IT Plan with the business goal of striking an optimum balance of information technology opportunities and IT business requirements as well as ensuring its further accomplishment

1

The Council does not have an activated corporate ICT strategy; however some departments have defined their ICT requirements in the form of forward plans. The Council has a departmental -based approach, resulting in – for example – 150 servers hosting applications, instead of the expected number of between 30 and 50. This means that the Council is unable to co-ordinate its long-term ICT requirements, leading to insufficient value being obtained and information becoming duplicated and fragmented.

Develop a corporate ICT strategy with a rolling five-year funding horizon.

Define the Information Architecture

Define the Information Architecture with the business goal of optimising the organisation of the information systems

0

The Council does not have an information architecture. This means that the Council does not have a single view of its information, resulting in unnecessary duplication of information, and the inability to share common information across the Council.

Define technical information architecture as part of the corporate ICT strategy.

Determine Technological Direction

Determine Technological Direction with the business goal of taking advantage of available and emerging technology to drive and make possible the business strategy

1

The Council has some ICT standards in place but these are too wide to be of benefits. Fir example, Windows 95, 98, 2000 and XP are recognised desktop standards within Wiltshire. This means that ICT solutions selected by departments may be incompatible.

Define core standards as part of the corporate ICT strategy and ensure these are communicated and enforced.


Version 1.0 - 28 -

CObIT standard Description Wiltshire’s position Action required Define the IT Organisation and Relationships

Define the IT Organisation and Relationships, with the business goal of delivering the right IT services

1

The Audit Commission’s recent report on ICT management arrangements concluded that the Council’s organisational structure for ICT is confusing to end users. ICT is not structured around the business needs of end-users. This means that there is a greater danger of the corporate standards referred to being ignored.

Refine the ICT support structure so that it shaped around user requirements rather than technical ICT disciplines.

Manage the IT Investment

Manage the IT Investment with the business goal of ensuring funding, controlling disbursement of financial resources and realising benefits

0

The Council does not manage ICT investments effectively. For example, investment decisions are not always made on the basis of “What’s best for the Council?”, and there is no standard process for determining if benefits have been realised. This means the Council may be making sub-optimal investment decisions and that it fails to achieve the anticipated benefits from the investments.

Enforce a corporate process for investment appraisal which identifies long-term costs and benefits. Introduce a corporate process for benefits realisation which makes individuals accountable for the delivery of benefits. Centralise ICT budgets so that investments are made for the ‘corporate good’ rather than for the benefit of a single department.

Communicate Management Aims and Direction

Communicate Management Aims and Direction with the business goal of ensuring user awareness and understanding of those aims

0

The departments we consulted were unaware of the Council’s long-term aims for ICT. This means that investments are being made in the absence of clear long-term objectives for ICT.

Develop communications capability as part of the corporate ICT strategy development process.

Manage Human Resources

Manage Human Resources with the business goal of acquiring and maintaining a motivated and competent workforce and maximising personnel contributions to the IT processes

1

There is no systematic process to feed-back user views on ICT service delivery performance. This means that it is not possible to manage the HR aspects of ICT.

Develop a process to measure user satisfaction systematically.


Version 1.0 - 29 -

CObIT standard Description Wiltshire’s position Action required Assess Risks Assess Risks with the

business goal of supporting management decisions in achieving IT objectives and responding to threats by reducing complexity, increasing objectivity and identifying important decision factors

3

The Council has developed an ICT risk register, and has established disaster recovery arrangements for 33 of its 150 servers. The Council’s ICT security policy sets good standards, but because of deficiencies in the wide-area infrastructure these can only be enforced effectively within County Hall.

Maximise the benefit of risk management by ensuring that the corporate ICT strategy includes the requirement for regular consideration of the risks it faces.

Manage projects Manage Projects with the business goal of setting priorities and delivering on time and within budget

1

The Council has project management processes in place, but these are not enforced rigorously. The Council does not have a dedicated ICT project management resource. The Council’s SOCITM return found that 6 out of 7 projects were not reviewed following implementation.

Ensure that the corporate ICT strategy requires formal project management processes to be enforced.

44..44 RReeccoommmmeennddaattiioonnssThe Council should: Action required

• Develop a corporate ICT strategy with a rolling five-year funding horizon. • Define technical information architecture as part of the corporate ICT

strategy. • Define core standards as part of the corporate ICT strategy and ensure

these are communicated and enforced. • Refine the ICT support structure so that it shaped around user

requirements rather than technical ICT disciplines. • Enforce a corporate process for investment appraisal which identifies

long-term costs and benefits. • Introduce a corporate process for benefits realisation which makes

individuals accountable for the delivery of benefits. • Centralise ICT budgets so that investments are made for the ‘corporate

good’ rather than for the benefit of a single department. • Develop communications capability as part of the corporate ICT strategy

development process. • Develop a process to measure user satisfaction systematically. • Maximise the benefit of risk management by ensuring that the corporate

ICT strategy includes the requirement for regular consideration of the risks it faces.

• Ensure that the corporate ICT strategy requires formal project management processes to be enforced.


Version 1.0 - 30 -

SSeeccttiioonn 55 TThhee CCoouunncciill’’ss IICCTT IInnffrraassttrruuccttuurree

55..11 SSuummmmaarryyA Server and Network infrastructure needs to be created which will provide equal access to ICT facilities no matter where the user is situated, and equally to mobile and home workers. WCC must consolidate its processing into the principal Business applications where possible, and rationalise the number of subsidiary applications, Excel Spreadsheets and Access Databases in use. All equipment needs sustainable funding to ensure that it is kept up to date from both hardware and operating system perspectives. The Financial System (APTOS) should be enhanced or replaced to address shortcomings in its functionality; it no longer meets business requirements. Whilst Departments should have the freedom to select Line of Business Applications which best meet their business needs, it is important that there are clear standards set from the centre which allow corporate goals to be met and that all software is coherent with key corporate strategies – e.g. servers, network, security, e-Government. The Council should develop a corporate telephone (voice) network which provides a common infrastructure for all WCC employees at all locations. . A common network infrastructure supporting both voice and data could realise a number of financial and service benefits, although would require a common management structure for both networks.

55..22 IInnttrroodduuccttiioonn ttoo tthhee sseeccttiioonnAt the heart of any Local Government e-Government strategy is the ability for the Council’s employees and customers to be able to easily communicate, obtain information and access services through voice and data services which embrace the entire spectrum of the Council’s geography and businesses. The role of ICT is to facilitate such access in a seamless and joined up manner so that customers can interact with the Council by any chosen access method (e.g. phone, personal visit or Internet) and deal with multiple issues (which may span service department boundaries) in a single contact. The ICT Infrastructure must therefore enable and empower staff to act corporately, and to be able to access information no matter where they happen to be working (e.g. any Council office, home, laptop whilst travelling or on a customer’s premises). The Infrastructures to facilitate this need to be robust and flexible, and in particular:

• Provide availability to support 24x7 operations as closely as possible. • Provide equal access to voice and data services no matter where a

member of staff may be located, or if a member of staff is mobile or works from home.


Version 1.0 - 31 -

• Allow “joined up” access to services by citizens, who should not need to understand service delivery structures – this not only places a requirement on the Council’s own systems but also the need for systems to operate coherently with systems used by other Agencies, e.g. NHS, District Councils, etc.

• Provide levels of security commensurate with the information being accessed and to protect data which is stored in the systems and to meet legislative requirements.

55..33 TThhee iimmppoorrttaannccee ooff iinnffrraassttrruuccttuurreeWCC’s current ICT Infrastructure contains examples of both excellent and unsatisfactory systems. The condition of infrastructure is variable throughout the County Hall campus. The contrast is very much more significant when facilities between County Hall and outlying sites are compared, with the latter often having modest data network connections, incoherent telephony services, unsatisfactory server and security management, etc. This is creating a “digital divide” between the various Council offices and makes it difficult for staff who normally work outside of the County Hall complex to utilise corporate systems (e.g. e-mail, Intranet) and to access Line of Business applications. This deficiency needs to be urgently addressed and will involve investment in all of the areas contained in this report.


Version 1.0 - 32 -

SSeeccttiioonn 66 IInnffrraassttrruuccttuurree

66..11 NNeettwwoorrkkThe current network, which uses a number of “point to point” links with some dial up (PSTN and ISDN at the extremities), is now failing to serve the Council’s business needs and requirements. There are a number of reasons for this including:

• Although the principal hub sites have some resilience (e.g. alternate routing), for many parts of the network there is little resilience within the network due to many single points of failure.

• Response times are unsatisfactory in many locations due to insufficient bandwidth availability; the cost to increase bandwidth is high.

• Running costs are high, particularly where dial-up connections are deployed.

• The Virtual Private Network (VPN) service which allows users to be connected when working remotely (e.g. from home) is unreliable and does not support the latest versions of the Microsoft operating system (XP).

• The current network provides variable service depending on the way each office is connected. Many outlying sites have unsatisfactory connections and thus the “digital divide” is enforced.

• It is difficult and expensive to expand the network due to the technologies used.

• The topology makes it difficult to add additional services, e.g. home working, connection via mobile telephones, etc.

The Peoples Network (PN) project in the Libraries has successfully deployed BT’s MetroVPN product. This is a BT Managed Service which allows a number of different connectivity options and hence a variety of alternative methodologies to meet the needs of all classes of user situations from home workers and small offices to the largest of sites. The original PN bid required WCC to provide funding from corporate council resources beyond the initial PN grant funded years. WCC agreed to this funding subject to the condition that on the MetroVPN solution could be rolled out not only in Libraries but throughout the Council. In order to counteract the network problems described above and to move forward with a modern infrastructure which will meet user needs and expectations and allow e-Government initiatives to be implemented, WCC need to consider implementing a new network technology. Subject to the following, MetroVPN would provide an ideal service:


Version 1.0 - 33 -

• WCC need to ensure that connectivity to MetroVPN can be realistically achieved throughout its geography. In particular it needs to audit availability of services in areas where low to moderate usage is required (e.g. small offices or homeworkers) and verify whether BT is able to provision ADSL connectivity in such areas. Where ADSL connectivity is unavailable, alternative means of connectivity (e.g. SDSL using a BT EPS8/9 circuit and short-haul modems connected to a WCC hub site, or radio or satellite communications) should be investigated. WCC should ensure that all sites can be connected through affordable and sustainable means. The use of services which charge on the basis of connect time or data volumes (e.g. PSTN, IDSN) should be avoided due to the variable nature of revenue costs. This segment of the project is essential; WCC should not attempt to roll out a network which is not capable of achieving the objective that all offices are connected.

• A thorough audit of bandwidth requirements at each site is conducted. This is to include availability for future growth, e.g. e-Government projects. This requirement should be costed and WCC must then agree a sustainable means of funding the network for the next 5 – 10 years, such funding may include contributions from both corporate and departmental budgets.

• Ability to support centralisation and rationalisation of servers across all WCC sites, and to support information sharing between all officers no matter where they might be located.

• Ability to support IP Telephony at reasonable cost. • Ability to support videoconferencing.

It is essential to the success of WCC’s ICT infrastructure and e-Government program, that a new network is implemented at the earliest opportunity and without delay. This must address issues about VPN connectivity, bandwidth requirements to outlying offices, provision for home workers, etc. Without this, the current “Digital Divide” cannot be overcome. WCC therefore need to ascertain that MetroVPN will meet their requirements, including the issues raised above by immediately initiating a project to verify that successful implementation can be achieved, and to cost this. Once this feasibility stage is complete, WCC should move forward with implementation using a detailed project management methodology and with sufficient resourcing to not only provide the day to day installation support, but also change control support and configuration control to document the service. To achieve this within a reasonable time frame (12-18 months) will need sustained availability of both human and financial resources. The NCC Group consider that to proceed with the further implementation of the VPN without having first successfully concluded the feasibility stage would be a high risk exercise for WCC as the Council could invest in a project which cannot be successfully completed and cannot achieve its objectives. There are a number of related issues with the network, these include Security, Desktop and Server Operating Systems and Mobile computing; these are addressed in the relevant sections in this report.


Version 1.0 - 34 -

66..22 SSeerrvveerrssThroughout the Council, there are many instances of servers running old, out of date versions of Operating Systems including Novell 3 and Microsoft Windows NT4. This presents a number of risks to the Council:

• If there is a problem then WCC are unlikely to be able to obtain support from any third party including the supplier/original manufacturer.

• Incompatibilities may cause inefficiencies or malfunctions in other areas of the Council’s infrastructure, e.g. old operating systems may use the LAN and WAN inefficiently or may prevent data from being exchanged between applications and users.

• Older operating systems compromise WCC’s security policy. • Patches may no longer be available from manufacturers to address

issues including those of performance and security. • Vivista’s1 resources will be severely stretched trying to support the

number of possible permutations many of which will not be supported by the manufacturers.

Upgrading to a new release of operating system is not a trivial task. The new system needs to be tested with the Council’s infrastructure (network, LAN, desktops, etc.) and enterprise, line of business and local applications. Any or all of these may require upgrading to support the new system. Therefore a project to encompass a range of tasks will need to be established and it may be necessary to liaise with a number of third parties, e.g. application vendors. An option to wait until the last possible moment to implement an upgrade, e.g. until a current system breaks, is not viable due to the time lag required to conduct the above activities before the new system can be rolled out in the “live” environment. Microsoft’s current policy (which is similar to most other manufacturers) is to support the current and previous operating systems for both servers and desktop computers. Typically this means that from a point where an operating system becomes stable2 it has a life span of approximately four years. WCC should adopt a policy of updating operating systems within this time frame. Retaining older operating systems is also inhibiting the Council’s ability to proceed with new projects, such as the implementations of Common Directory Services. Test facilities need to be available to allow Vivista to be able to test systems prior to installing these on live systems. In particular the effect of operating system patches and upgrades on WCC applications needs to be tested before these are installed on live servers, and particularly in the case of security patches delays to roll out can present significant risk. Currently upgrades are often installed without a sufficient breadth of testing. If a patch then causes a problem with the local infrastructure or applications, this

1 This problem is not specific to Vivista, but would true whether support is an in-house or externalised function. 2 Use of early releases of a new operating system is not advised, as there may be several issues which only become apparent in the live environment. A view should be taken by the ICT Support Staff, using industry information as to when systems are stable and can be effectively implemented throughout the Council.


Version 1.0 - 35 -

may result in serious inconvenience to users. Systems can be down for a period of time whilst restored back to the previous level. If WCC can rationalise its operating environment so that fewer variants of hardware and software are in use, then the provision of test servers will become simpler as fewer servers will be required and consequently there will be fewer scenarios to replicate and test. Servers which are available for testing may also form part of the Council’s Disaster Recovery policy, as they could also be made available to provide resilience for production systems, see The “Big Box” project, as currently scoped, will provide a Storage Area Network (SAN) solution for County Hall users. A SAN is a high-speed special-purpose network that interconnects different kinds of data storage devices with associated data servers on behalf of a larger network of users. Typically, a storage area network is part of the overall network of computing resources for an enterprise. A storage area network is usually clustered in close proximity to other computing resources, e.g. servers, but may also extend to remote locations for backup and archival storage, using wide area network carrier technologies. A SAN will provide a flexible solution for storage addressing a number of issuers including resilience, management overheads, and flexible capacity changes (reconfiguration upwards or downwards as application requirements change). There are currently a number of problems with capacity in WCC’s Server room including connectivity to the LAN switches and floor space. These will be resolved within the County Hall complex by the implementation of “Big Box”. The “Big Box” project does not seek to address users located outside of County Hall. Such users will continue to use traditional server and storage technology. Not only will these communities be excluded from the aforementioned benefits, but in many cases the existing local server infrastructure is becoming old, unreliable and lacking capacity and without a corporate implementation of “Big Box” will be replaced by “conventional technology”, thus maintaining the “Digital Divide”. The NCC Group recommends that WCC consider “Big Box” as a corporate, and not just a County Hall project. However it is necessary to address the network issues, and provide good interconnectivity between all offices before implementation of SAN at all sites can be achieved. However once the network upgrades have been completed, a corporate SAN approach should be taken. It is important therefore that the future implications of a corporate SAN are considered when specifying the bandwidth for the MetroVPN project. The rollout of a corporate SAN across the Council should further address the following issues:

• Enhance mobility options, as users will be able to access data from any point at which they can connect to the VPN.

• Enhance information sharing possibilities, particularly between workgroups who may be split across several offices and where some members may be home workers.


Version 1.0 - 36 -

• Improve security as storage will be contained within the secure environment of the County Hall computer room.

• Improve resilience – components of a common infrastructure can be easily replicated if a single component fails, and the possibilities for a DR site based around common infrastructure are enhanced

There are a number of issues with servers (principally file and print servers, but also some application servers) which are located outside County Hall, including:

• Physical security of devices: No on-site staff designated to ensure equipment is secure, etc.

• “Accidental” downtime, e.g. devices being unplugged from mains or network.

• No environmental control, no air conditioning UPS etc; many of the outlying buildings do not have accommodation suitable for a mini-server room.

• Inability to easily share data with users in other locations. • Local users are responsible for loading and storage of backup tapes.

These issues would be resolved by following the “Big Box” approach previously outlined. Some LAN equipment is reaching the end of its life. In particular, the 3Com CoreBuilder 9000 switches will need replacement as these will be unsupported in the immediate future.(The Council has made financial provision for the replacement costs of these items.) Like other aspects of the infrastructure, this is an ongoing issue, as the CoreBuilder 3300 switches will reach the end of their life within a few years and will likewise need replacement. Budgets must be committed to the ongoing refreshment of this equipment at regular intervals; failure to do this would pose a severe risk to business continuity should these vital elements of WCC’s network fail. There is also an issue with the capacity of switches. This will be resolved within the switching element of the SAN (“Big Box” project). However the issue that such equipment becomes life-expired is an important one and WCC must plan to refresh all infrastructures before it becomes unsupported. Budgets should include provision for such regular renewals. For the most part, WCC’s current application architecture follows a traditional “client server” (thick client) approach. This traditional architecture, whilst efficient within small deployments of an application within a limited geographical area has a number of inefficiencies when applications are rolled out across multiple locations. Many organisations are now moving to “thin client” architecture as this offers:

• Applications that run on central servers, so any patches and updates can be easily loaded centrally without having to visit every PC to load and test software.

• Applications using central processing power, thus a consistent level of service is provided across all users.

• Testing is simplified through a corporate infrastructure, rather than having to support many different PC configurations.


Version 1.0 - 37 -

• It is easy to allow users access to additional functionality as it is simply a case of enabling the additional functions and no software has to be loaded or configured on the user’s machine.

• Bandwidth requirements are reduced optimising performance on the network and reducing costs of most formats of mobile communication.

• Although the initial implementation costs of thin client can be more expensive, because of reduced overheads as described above, the total cost of ownership model for thin client should produce cost savings compared with a thick client approach.

Many Local Authorities which are deploying and enhancing distributed working arrangement, including those that are setting up mobile and home working, are realising benefits by moving to thin client architecture. It is important that this is now a primary consideration for all new application deployments within WCC and corporate ICT (e.g. server and network architecture) should be developed to support this requirement and corporate standards should encourage users to deploy thin client working whenever an opportunity presents itself. Many applications now include a thin client (sometimes referred to as a “browser based”) option and it is important that such options are considered in the evaluation of new products, e.g. any replacement to the financial systems. Where such an option is not available, WCC may wish to consider other thin client techniques such as the use of Citrix MetaFrame. WCC need to create an environment in which users have the facilities and training to be able to use their ICT services to share information between members of workgroups and between officers involved in similar areas of service provision. The infrastructure should permit the sharing of information irrespective of a user’s location even if working remotely from other users with whom information is to be shared. Functionality which can be implemented to assist this process includes:

• Shared directories, allowing users to store common pieces of information, files, templates and other resources.

• Local sections of the Intranet service providing “bulletin board” assistance.

• Shared notes within Microsoft Office containing “useful” information. There is a need to implement Common Directory Services across servers. Given the use of Microsoft products within WCC, Microsoft Active Directory3 may be an appropriate product. Shared directory services allow an organisation to establish a distributed computing environment to be established across the complete geography of its network, including home and mobile workers and those working in small offices. Active Directory is the focal point in a Windows server network, simplifying management, strengthening security, and increasing interoperability. Active

3 Microsoft Active Directory - COPYRIGHT NOTICE. Copyright © 2003 Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052-6399 U.S.A. All rights reserved.


Version 1.0 - 38 -

Directory can help consolidate the management of the existing network environment, increase network security, and integrate many different components into one scalable network.

• Manageability: It allows efficient sharing and management of information about network resources or users. It provides a single point of management for Windows Server user accounts, clients, servers, and applications.

• Security: It acts as the central authority for network security, letting the operating system verify a user's identity and control access to all resources. It can be used to extend systems securely to the Internet.

In the short term, WCC will need to consider an upgrade to Microsoft Exchange, which is necessary both because there is a need to have a current version for support and additional functionality I s required to meet business needs. To upgrade it will be first necessary to implement Active Directory.

Active Directory has a number of interdependencies with the network and applications in use, and it is essential that WCC construct a methodical approach to its implementation to ensure that Common Directory Services are efficiently and effectively rolled out throughout the Council


Version 1.0 - 39 -

66..33 DDeesskkttoopp EEnnvviirroonnmmeennttWCC currently have PCs of various ages, some of which are five or more years old. These run the spectrum of Microsoft Windows operating systems – 95, 98, 2000 and XP. This is creating a number of issues including:

• The older operating systems do not support functionality which allows software to be automatically downloaded and updated. This is particularly crucial where patches for security issues and virus pattern updates are concerned, this weakness exposes vulnerability within the overall security of the Council’s infrastructure and reduces the effectiveness of the Security Policy.

• When updating the operating environment, network and applications it is necessary to test against all releases of the Windows desktop systems. This increases the time taken to prove that new functionality can be released and presents many difficulties where incompatibilities are found.

• Peripheral devices, such as printers, cannot be consistently supported as drivers are not available in certain operating system releases.

• Support is complicated since problems in one version of Windows may not occur in a different one.

• Systems may run slow and the systems may create inefficiencies, e.g. in network traffic, because the latest techniques for security, compression, resilience are not supported in older versions.

Whilst there has been some good progress in moving users to Windows XP, there are still a number of PCs which need to be refreshed. In some cases Vivista have to build modern equipment with old operating systems as applications will not run with the latest versions, e.g. XP. Vivista are contracted to support 95, 98, 2000 and XP. There is no driver for Departments to upgrade; the departments have to bear the upgrade costs (including any related charges for application upgrades to achieve compatibility with the latest operating systems), but pay the same support cost no matter what the operating system. Older operating systems are causing a number of problems e.g. they may not be capable of accepting automatic updates for security updates and patches. This not only presents a risk to the PCs concerned, but also to all PCs within the WCC network, e.g. the Sasser virus cannot infect a Windows 95 or 98 PC, but can act as a “carrier” taking the infection to Windows XP PCs within the network. By retaining these older operating systems, there is a high risk that WCC could be vulnerable to virus attack which could be expensive to cleanse and cause significant disruption to business. Industry practice is now to support the current and previous Microsoft releases only. There is significant risk to WCC if it runs business critical systems on operating system versions which Microsoft no longer supports. The problem will continue to reoccur as technology will continue to advance, therefore WCC must plan to ensure that their policies and procedures will ensure that outdated desktop equipment and systems do not proliferate in common


Version 1.0 - 40 -

usage in future years. A refresh policy therefore needs to be introduced to ensure that:

• Equipment is current – PCs, Printers, etc. • Operating system is a supported version – This means current release

and “current minus one” for Microsoft products, and will therefore involve a refresh at least once every three years.

• Applications must support current Operating System levels and must be upgraded as new versions of Operating Systems are released. When procuring new applications it is important to determine vendors approach to new Microsoft releases and ensure that this is compatible with this objective.

• By retaining older operating systems introduces a high level of risk into WCC ICT operations, e.g. inability to load latest virus checker patches, inability to implement new projects which depend on current release levels, etc.

There is currently good central control on procurement. Desktops are ordered from Dell through a Corporate Contract; other peripherals such as printers are ordered through a Hampshire County Council Corporate Agreement with XMA; WCC are an Associate Member of this Agreement. Departmental ICT Coordinators specify equipment to ICT purchasing to buy corporately. Central procurement of corporate applications is good. There is a corporate license for 2,300 users for Microsoft Office. Departmental ICT Coordinators handle licensing for local packages including Line of Business Applications. Once a PC has been delivered, the following occurs:

• it is checked by WCC corporate Purchasing; • it is then passed to Vivista with a “Build Sheet”; • Vivista tag the device and add it to the asset register; • the P.C is configured using a standard image together with any special

applications for the user. Until recently there were over 100 different images to meet the differing requirements of departments and workgroups. This has been rationalized but further rationalization is required. Having too many images complicates support, as there are many different permutations to consider whenever a problem occurs or a new version of any software is to be tested. Further if there are any changes to the desktop environment, the number of images to be amended is great and care needs to be taken with change control to ensure that the correct image is reloaded to each PC. WCC are encouraged to follow this process of rationalisation of images rigorously to ensure that support is not unduly complicated by having so many different images; The NCC Group’s experience is that most Local Authorities have only a dozen or so images. Vivista are provided with on-site workshop space to build PCs. This currently limits the number of PCs which can be built to around 35 per week; Vivista estimate that this should be increased to 50-60 to meet demand.


Version 1.0 - 41 -

When Vivista receive the PC to build, they then tag the device and add it to the Asset Register. However the PC may not immediately go into service, e.g. there may be some delay between procurement and when the Department need to bring this into service. As the charging model for the Council’s payments to Vivista is based on this Asset Register, it is possible that WCC are paying for a support charge for machines which may not come into service for several months. The Council as part of its work on business processes has identified the whole of ICT asset management as an area requiring review and change and plans are in hand to alter existing processes. Change management processes within WCC are, e.g. ICT Coordinators relocate equipment without informing Vivista. WCC completed an asset count at the end of March 2004 to verify numbers. This asset count will provide the Council with a cross-check with Vivista’s records. It is important that WCC has a method by which it can verify Vivista’s Asset Register, which is the basis for the charging mechanism for the Vivista contract. It is recommended that a formal Change Management process is introduced whereby ICT Coordinators notify Central Purchasing of all decommissioned or relocated equipment, who in turn have the responsibility of ensuring that such changes are noted by Vivista and contract charges (including contract costs) are amended accordingly. The Change Management process should also allow good records to be kept of software in use to ensure that WCC complies with the licensing arrangements of the various packages which are in use both corporately and a local level. This process should both determine changes to existing arrangements and identify where PCs are taken out of use, to ensure that the licenses can either be ceased or “recycled”. Organisations must be able to account for software in use, and failure to do so leaves the Council exposed to the risk of severe penalties if anomalies are discovered should systems be audited by a supplier. There needs to be corporate guidance regarding the procurement and use of printers, which not only takes into account the capital cost of the device but also its ongoing running costs, use of ICT resources, etc. A Printer Strategy which considers the following is required:

• There have been issues where users have old printers which cannot be supported on the latest operating system as drivers for these are no longer available. There are also issues where new printers are not supported by older operating systems. As described earlier, a clear strategy should be established which directs from the corporate centre the operating systems which are supported. This will consequently dictate what devices can be supported and a refresh policy for older devices.

• Many printers are low specification ink-jet type devices which are allocated on a 1:1 basis to PCs. These are seen as cheap to buy, but there is no account made of the total cost of ownership. It is likely that the “cost per page” for such devices can exceed 5p. WCC need a policy to implement high specification network printers or multi-functional devices (combined printer, scanner, copier and fax) which can reduce costs to under 1p.


Version 1.0 - 42 -

An Equipment Strategy is required for homeworkers. Within the current Vivista contract, there is no element for support at employees’ homes. If WCC is to implement home working, it would be unrealistic to expect homeworkers to return their equipment “to base” whenever a problem occurs. The following need to be addressed:

• Provision of council equipment to homeworkers – PCs, Printers, etc. • Support – Helpline and on-site maintenance. • Security of equipment – see security section.

The current arrangement is that WCC users call Vivista’s Help Desk in Sutton, Surrey to log calls using a freephone number or a PABX short code which dials this number. The call is logged by a member of Vivista’s staff in Sutton and is then passed to on-site staff within WCC to contact the user and deal with the query. This arrangement is expensive and inefficient as there is always at least two members of Vivista’s staff involved (one in Sutton and one at WCC). Industry best practice indicates that a high percentage of calls should be cleared down within the initial call, particularly where remote diagnostic tools are available. On-site staff should not be dealing with routine queries but should be targeted to deal with key issues which need on-site involvement. WCC need to consider the effect of “Mobile Computing” in its overall strategy. Mobile Computing is concerned with the provision of coherent and relevant ICT facilities to users who work away from the office on either a temporary or permanent basis. Mobile Computing covers a wide range of technologies, including:

• Hot Desking: The ability for a user to be located at any desk within any WCC office and to enjoy full telephony and computer facilities, e.g. to be able to log on to their e-mail and applications and to receive telephone calls from users dialling their usual extension number.

• Docking Points: Points at various Council locations, including possibly some public premises such as Libraries and Sports Centres, where users can “dock” their laptop computer to send and receive e-mail, synchronise calendars and access their line of business applications. In some Local Authorities, PCs have been provided for users who do not have a laptop machine but need to access their e-mail, applications, etc.

• WiFi: “WiFi” is the common name for Wireless Network technology, allowing computers to join a network by establishing a fast radio connection between a PC or PDA and an “access point” on a corporate network using defined standards known as 802.11, and may be used in two ways: � Provision of WiFi within Council premises as an extension of the

“Docking Point” service, to provide a means for users to securely connect to the Council’s network

� Public access for users to access the corporate VPN, e.g. in hotels, cafes, trains, motorway service areas.


Version 1.0 - 43 -

WiFi access in this context may be used to connect to the Council’s VPN for mobile users to then access their applications, e-mail, etc.

• Mobile phones: An increasing number of Local Authorities are investigating techniques to support mobile applications using GPRS technology. GPRS is an efficient and cost effective means of using mobile phones to transmit and receive data – calls are charged by the amount of data transmitted and speed can approach those of a traditional landline modem. With the advent of 3G mobile technology, “broadband” speeds will be achievable. Mobile phones can service applications running on either laptop computers or PDAs, and also a growing number of “smart phones” which include the ability to run applications including e-mail.

• Internet Cafés: A growing number of public Internet sites are becoming available throughout the country and throughout the world. It is important that WCC adopt a policy for the use of Internet Cafes. Such public access has some inherent risks, as the security of the environment in which the user is working is dependent upon the service provider. However it may be deemed reasonable to use such services for the non-secure e-mail and routing functions.

A classification system needs to be constructed and enforced corporately which will allow the sensitivity of information to be determined, and hence a policy of how and where it is appropriate to access various classes of information. Mobile Computing affects the Network, Server and Desktop technologies and it is important that these are all developed to support this method of working. WCC have made some good progress in some of these areas, in particular:

• There is a limited pilot of WiFi at three points within County Hall. Based on these experiences, WCC will be able to more fully deploy this technology in appropriate areas, e.g. meeting rooms, Council Chamber, etc. The experiences from this pilot will allow the Council to more fully deploy the technology. WiFi is not considered to provide sufficient throughput to fully replace traditional wired solutions but may be considered where the building infrastructure (e.g. trunking) will not allow any more cable to be installed.

• Hot desking is being trialled in the ICT Projects Room. Again, this is providing valuable experience, and can be deployed elsewhere as the Council’s business practices dictate.

• If WCC proceed with the project to move their ISP to MDS . MDS already have the required platforms to support secure connectivity from GPRS enabled mobile phones.

However a number of areas still need to be considered, including: • Provision of docking points in suitable “public” locations • A security policy which recognises that some places of access will be

inherently less secure than others, and therefore a user’s access levels may reflect the way that ICT services are being accessed. For example a connection via secure GPRS mobile link may afford a user full access privileges whereas access from an Internet Café may only allow limited access to functions with a low security rating.


Version 1.0 - 44 -

66..44 CCoommmmoonn AApppplliiccaattiioonnssWCC currently uses Microsoft Office Suite – Access, Excel, Outlook, PowerPoint and Word. The applications are all “fit for purpose”. However there are a few issues:

• The operating system release of the PC desktop will determine the Office release, e.g. Windows 98 machines will use Office 97. Functionality between different versions of applications is not always compatible between releases, and this can cause significant user problems, e.g. the ability to access Access databases which are shared between users who have different versions.

• Different versions of Microsoft Office products may result in incompatibilities which mean that attachments to e-mails cannot be read; this affects both internal and external e-mails.

• Many users lack knowledge of basic functionality of how to use the systems with which they have been provided, including the Microsoft Office suite. Users need access to training on everyday tasks, including how to share information (use of shared folders and drives, etc).

To promote remote and mobile working, and to ensure that a “Digital Divide” is not proliferated, it is important that unless security considerations dictate otherwise, users can access information no matter where they are located. A common server policy, where access is based on security and not geography is desirable and this can only be achieved by a corporate-wide roll-out of “Big Box”. Some restrictions currently exist because of the unsatisfactory quality of the existing VPN. As users are migrated to the Metro VPN this should improve. Significant amounts of information are retained in Access Databases and Excel Spreadsheets. These are all created for local purposes and used for very specific requirements. In the fullness of time, these applications expand beyond the normal capabilities of non-IT staff to maintain, which increases support. There are also issues about the security and backup status of such local applications as these have not usually been reviewed by qualified ICT staff. WCC needs to set a corporate policy for the use of locally developed database applications5. Wherever possible users should use applications which securely store data on corporate servers where data can be properly managed. Applications, including databases, when developed under proper project control will ensure that information is stored in a format that is compatible with other uses in the Council, and will reduce overheads – e.g. duplication. Because there is widespread use of these locally developed applications, there is often duplication both in the data stored and in some cases the application itself. It is important that there is better knowledge of local applications, as often complimentary workgroups could benefit from joint usage of these. Locally developed applications are often very specific in their purpose and fail to take into account corporate standards. In particular it is important to reduce duplication of data, and ensure that wherever possible local applications and

5 The NCC Group established that there are locally developed applications using tools including Access, Excel, Visual Basic and other similar Microsoft tools.


Version 1.0 - 45 -

their data can be easily integrated with line of business and corporate systems and databases. There is currently a 50Mbytes quota set on user’s e-mails accounts; this means that once a user has 50Mbytes of data stored in the e-mail account, further incoming e-mails will be rejected. In some departments this quota is causing major business problems. At one time 50Mbytes would have represented a significant volume of e-mail messages. However with modern, function-rich e-mail clients this is no longer the case and 50Mbytes can represent just a dozen or fewer messages. This is particularly true in departments where e-mail attachments routinely include large legal documents, plans or drawings. One department having most difficultly with this limit is Environmental Services because of the nature of the information, such as planning, which is being interchanged with external companies. With the new server this limit needs to be set more realistically to match business need, and this needs to be address across the whole of the Council, not just in County Hall. The information which is contained in e-mails is live business information and not transient data which can be wiped. However there is no necessity to store this information in a live mailbox (inbox) file; what is required is a simple means for the use to archive such information and to be able to easily retrieve it, e.g. by using a keyword. Information is often e-mailed to multiple recipients as there is no effective methodology to share information within departments and workgroups. Any archiving solution which is implemented should allow e-mails to be shared securely across a workgroup. This may be addressed as part of the information strategy. Like all Local Authorities, WCC staff are suffering from “e-mail overload”. This can be true for both internal e-mail (where people may be unnecessarily cc:’ed or bc:’ed into correspondence) and external e-mail (particularly where e-mail is addressed to an individual, e.g. [email protected] rather than a service specification e.g. [email protected]). These service-specific addresses are already advertised on the Council’s Internet site. WCC need to adopt a policy which dictates when users access a “person-specific” and when they access a “service-specific” e-mail address. The volumes of e-mail, both internal and external, are burgeoning in many Local Authorities, and WCC is no exception. It is important that WCC adopt a policy for the use of e-mail which clearly defines the usage and standards for e-mail and allows staff to benefit from the availability of this communications medium, rather than it to be a burden. Such a policy should include parameters for responding to e-mail, handling e-mail for absent officers, who to include in distributions lists, etc. In the medium term, WCC should invest in tools to assist the workflow of e-mails, and this may be linked to other initiatives, e.g. CRM.


Version 1.0 - 46 -

Greater use of the Intranet at both Corporate and departmental levels needs to be encouraged. The Intranet provides an ideal platform for sharing information both within and between workgroups. Working groups need to be set up at Corporate and Department level to pursue opportunities and resources provided to provide and manage information.

66..55 BBuussiinneessss AApppplliiccaattiioonnssMost Business applications, except for Finance, have been described by users to The NCC Group as “Fit for Purpose”. However WCC must not become complacent as applications need to be kept up to date, and to continue to add additional modules where there is business justification for example:-

• to increase the numbers of tasks which can be completed within the application and thereby reduce information held in local applications such as Access Databases or Excel Spreadsheets.

• to increase the user base, e.g. in Social Care to procure and implement the CareFirst module which will allow Social Workers to directly input case data on mobile computing facilities.

As with other elements of the Council’s infrastructure, it is important that Line of Business applications are appropriately funded so that they are updated as and when appropriate. Updates will not only be necessary to maintain functionality, but also so that applications are compatible with the latest releases of server, network and desktop operating systems, and to ensure that application software does not become the reason for infrastructure not being kept up to date.6

The non-availability of applications across all Council locations is another example of the “Digital Divide”. Some of this is caused by a server and network architecture which does not lend itself to the sharing of applications across the geography. Many applications are not suitable to be used across the WAN, this includes the financial system APTOS. In some cases, WCC have not purchased modules which allow applications to be delivered across the WAN. In other cases, the current situation where the network infrastructure is driven corporately but the application strategy is driven departmentally, means that departments understand that modules to allow applications to run across the Council can be procured, but do not have the capability of increasing the network capacity to that demanded by those additional modules. Increases in bandwidth and network availability as an updated WAN infrastructure is rolled out will improve the situation. The issue of timing between departmental and corporate projects is likely to exist well beyond the implementation of MetroVPN. If the corporate infrastructure is proving to be inhibiting a department’s ability to implement a new project there must be a means of upgrading that infrastructure, possibly by use of some departmental monies to fund the specific corporate upgrade which is required. 6 Vivista commented to The NCC Group that some of the systems running old operating systems are doing so because applications have yet to be tested against the latest versions of the operating systems, e.g. against Windows XP.


Version 1.0 - 47 -

Corporate standards need to be applied to the selection of applications to ensure that these can be effectively and efficiently delivered to all points (e.g. that they use network bandwidth optimally). This corporate mandate should dictate minimum standards to which applications must comply, including the use of Thin Client technologies where it is appropriate to use these. It is important that an Information Management strategy is implemented which allows data to be mapped between the various business applications, and for interfaces to be created to allow sharing of data between these applications, e.g. by the use of government and industry standards such as e-GIF and XML. Management and mapping of the data should be a corporate function with appropriate assistance from database managers for each of the applications.

So far as the financial systems are concerned, there are a number of functionality gaps in APTOS, including:

• e-Procurement • Purchasing • Commitment Accounting • Management Information

This is causing a proliferation of Access Databases and Excel Spreadsheets which often contain unsatisfactorily constructed and uncoordinated data. WCC should urgently investigate options to consider the following and then implement a project to implement enhancements/upgrades or a replacement system as soon as possible.

• Upgrade or enhance APTOS to a level which will provide the functionality.

• Invest in a new “Best of Breed” Financial application which will meet these and other future requirements.

• Invest in an Enterprise Resource planning application which will integrate other parts of the Council’s administration, e.g. Payroll and HR.

Cyborg, was purchased as a fully integrated payroll and HR suite. The payroll module has been very effective within the Payroll Department (a corporate function) and is successfully used to both process the Council’s own payroll and also the payrolls of several other organisations for whom the Council acts as a “Payroll Bureau”. Several updates have been applied to Cyborg so that it is up to date from both legal and functionality perspectives. ERP may not be a suitable solution to encompass payroll, as it would involve not only changing the processing of the Council’s own payroll but also the payrolls of all the organisations for whom the Council acts as Bureau. Moving away from Cyborg would involve significant cost in transferring all of these payrolls, and the non-Council organisations would be unlikely to financially contribute to the change as they would derive no benefit from it. Further transferring so many payrolls would involve a high element of risk to an ERP project, as WCC has


Version 1.0 - 48 -

responsibilities to produce the payrolls in a timely fashion to the external organisations. HR within WCC is a devolved function and there are no corporate standards, hence the quality of information contained in Cyborg is variable and often incomplete. This makes management reporting difficult and causes problems with reporting, e.g. metrics to Central Government, KPIs, etc.

66..66 ee--GGoovveerrnnmmeennttThere is a concern amongst the ICT Coordinators that they do no know what strategies are being set within the e-Government program. ICT Coordinators need to be able to take a view as to how these initiatives will fit in with their local business requirements and may influence priorities, e.g. deploying new modules. The e-Government Team must operate as a “joined up” operation within the various Corporate and Departmental Teams which specify and support ICT within WCC. There is a need for Departments to move ahead with technologies such as EDM and DIP to fulfil business needs. If corporate standards are not set, then this could result in a number of different and incompatible systems being proliferated across WCC. Programs, including high-level project plans for the deployment of key technologies are required in order that WCC can move forward with a greater level of integrated ICT. The e-Government Team is researching technologies which will meet the business requirements for WCC to implement an infrastructure which supports e-Government (e.g. CRM, DIP, GIS, EDM, and Transactional Web Site). It is important that these technologies are not just implemented to fulfil e-Government targets, but are truly implemented to improve the cost and quality of the Council’s service delivery. Such key technologies should not just be implemented as technical solutions, but as business driven projects. The Council’s businesses must embrace these technologies and ensure that they become everyday business tools within the Council’s business practices. Use of such tools should also be driven by emerging working practices driven from the ongoing BPR exercise. Project plans should include how the business will use the systems, e.g. how the Departments who hold information will populate the e-Government systems such as GIS with this data. ICT Coordinators do not seem to understand the current strategy for back office integration, and yet they control the back office applications with which CRM must integrate. WCC have corporately adopted eGIF as the recognised Government standard to allow interoperation of applications. It is important that all new applications procured conform to this standard. WCC should develop it has its own in-house standards (e.g. database of preference, operating system and network protocols supported) and these should be promoted and enforced from a senior level of management. Such standards will ensure that all applications are compatible and can be integrated, and new systems should only deviate from theses where there is an overriding business case which has been clearly documented.


Version 1.0 - 49 -

E-Government can only be successfully implemented if the various strategies for server and network deployment specified elsewhere in this report are implemented. In particular WCC must have a network and server strategy which does not disadvantage any particular section of the Council’s staff, and provides equal access to corporate, desktop and line of business applications no matter where an employee is located or if he is a mobile or home worker. As part of providing a “joined up” service to customers, it will be important that systems can access common information. This may simply be the ability for a call centre agent using CRM to access an officer’s electronic Outlook diary to make an appointment. It may alternatively be links into back office systems to allow name and address details to be updated or service history to be accessed. Such data sharing has a number of legal issues, including Data Protection Act, Freedom of Information and Human Rights legislation. There is also an “infrastructure” element to Data Sharing and in particular:

• WCC needs to have Information Management Strategy which should help the Council understand what information it holds, to consolidate and minimise duplicate information.

• The Network and Server Strategy must underpin the user requirements and provide an infrastructure that will physically allow the data to be shared.

• WCC needs a policy which defines the ownership of data. For example, there are many local Excel worksheets and Access databases; this means that it is often difficult for one workgroup to know what another workgroup has. If knowledge was available then information could be shared.

• An Information Sharing protocol is required to define the conditions, security requirements and other necessary prerequisites for sharing.

The e-Government agenda requires Local Authorities to provide a means for the customer to contact the Council by any chosen method. This requires the implementation of technologies to handle personal visits (One Stop Shops), telephone calls (Call Centre) and electronic contact (the Internet). WCC are piloting both a Call Centre and One Stop Shop, the latter being located at Salisbury library. However there is currently little progress with Internet transactions. WCC needs to ensure that their web site will support on-line processing for all of the most popular transactions, including payments, job applications (currently not provided as WCC cannot provide a secure transmission path to receive the application form), street scene reports (street furniture faults, abandoned vehicles, etc). WCC needs to consider how it will promote an environment in which there is equal access to services for all its customers. There is both a “service” need to ensure that none of its customers are disadvantaged and also statutory duties to provide access as determined by the Disability Discrimination Act. This includes having facilities for the disabled to:


Version 1.0 - 50 -

• Access one stop shops (usually a physical access issue, together with resources for those with hearing or sight disabilities).

• Access call centres (including provision of textphone for those with hearing impediments).

• Access web sites. In this respect WCC have made good progress with the Bobby™ standards.

The Wiltshire and Swindon Partnership is providing some level of “joined up” Internet provision to the public, joining the services of the County Council, the District Councils and Swindon. This is essentially a Content Management System with XML support which can have information loaded from any of the partners. Currently the services supported are Abandoned Vehicles, Change of Address and some Social Care functionality for the vulnerable (elderly). In order to provide a seamless means of customer contact for County and District Council services, it is important that this hub service is further developed.

66..77 SSeeccuurriittyyThe current security practices and guidelines in place within WCC and implemented within County Hall are, for the most part, considered robust by The NCC Group. WCC have appointed a full-time security officer who is working towards BS7799 accreditation for the Council’s systems. The standard of the work completed to date is reflected in the fact that the Council has been able to provide a bridge between its network and the NHS network allowing WCC staff to access CareFirst from NHS premises and NHS staff to access their core line of business applications from Council premises. Connections to other external networks including DVLA, WICKD (Child Protection), AWARDS (Student Grants), have also been achieved. Amongst the security initiatives implemented by WCC are:

• good access to control to computer/server room and other key areas within the infrastructure;

• environmental controls in the computer room and network switch rooms;

• computer use policy which includes regular password changes; • control of backup media; • firewall, mail sweeper and virus checking policies are all in place; • a risk assessment of all systems and infrastructure has been

conducted, and there is an ongoing process of risk reduction in place;

• e-mail practice; • nominated officers to monitor security issues; • thorough job descriptions for all staff involved in areas of work which

impinge on the security of systems, including responsibilities for third parties, e.g. Vivista;

• Firewall penetration testing. There are quarterly meeting at corporate level to discuss and action IT security, and legal issues such as Data Protection and Freedom of Information.


Version 1.0 - 51 -

Regular training in security practices is available to all staff, and is recommended on an annual basis. WCC have retained control of password/security allocations so that they could operate irrespective of the status of the third party contracts such as Vivista. A risk register has been assembled and by pursuing an aggressive policy a number of issues have now been closed. In evaluating the implementation of security procedures, the “Digital Divide” again becomes apparent, as whilst the aforementioned security policies are theoretically applied to all Council offices, their implementation outside County Hall is unsatisfactory. Examples of weaknesses include:

• There is no security officer formally nominated at each site. The appointment of such officers would ensure that responsibilities were formally allocated and an appropriate of level of training and monitoring could be established.

• A full risk assessment at each site is required, e.g. to consider power supplies, physical security (where servers are located), disaster recovery, etc.

As the sharing of information and applications improves, and as the server and network infrastructure improves, weaknesses in security at outlying offices will have an increasing impact on the overall security of WCC’s systems. Weaknesses at outlying offices could therefore impact significantly on the ambition to achieve BS7799 accreditation. With respect to Disaster Recovery and Business Continuity Planning for ICT systems and infrastructure, WCC has made limited progress. Out of 150 servers currently in use, there are disaster recovery plans covering only 33 of these. It is important that all servers and the network both WAN and LAN infrastructure interconnecting these is fully and regularly risk assessed, and that WCC’s change management procedures ensure that the risk assessment is revised whenever systems and services are revised. Amongst the areas WCC needs to consider are:

• Network failures: In particular the ducting between the campuses on either side of the main road at County Hall is a major risk. Cables carrying both voice and data traffic are run in a single duct, and if damaged, e.g. because of road works, could put services out of action for some considerable time. There are also a number of risks within the current data network topology which bases services around a number of hub sites; this risk will be considerably reduced as MetroVPN is implemented.

• Server failures due to non-availability of the main server room: There are a number of risks that could put the server room out of commission, including major power failures and fire damage. WCC need to consider how these risks could be mitigated, e.g. by establishing a contract with a company who can provide on or off-site disaster recovery facilities


Version 1.0 - 52 -

• Whilst central resources are essential within disaster planning, it is also essential to consider how users would access the services in the event of a major incident, e.g. if a major part of County Hall become inaccessible. WCC need to plan how they would provide desktop PCs and the network connectivity for these so that users could access e-mail, line of business applications, etc.

The diversity of WCC’s infrastructure ( both in terms of devices deployed and the range of operating systems supported) make it difficult and expensive to thoroughly provide resilience. Rationalisation of systems through upgrading to current operating system levels and device consolidation (the Big Box project, which should be considered for council-wide deployment) should greatly simplify this provision. Equipment provided for resilience also has the potential of use as test systems, which would address the issue of testing. WCC are planning to move their ISP (Internet Service Provider) and this requirement will be the subject of anew tender in the near future. The new arrangements should not only consider connectivity issues, but also whether any security benefits can be realised through any new arrangements, including:

• Sending secure emails; • Receiving secure information from the web site e.g. job application

forms; • Business continuity facilities; • Assistance with the roll out of virus updates, operating system patches

etc particularly to remote users; • Mobile connectivity e.g. secure GPRS access.

The use of old operating systems on the desktop, such as Windows 95 and 98, poses a serious security ness. These operating systems allow users to bypass logon and also to refuse updates to virus patterns, operating system patches etc. It is important that such weaknesses in the Council’s security are resolved without delay. Adherence to change management procedures as defined in the security policy is unsatisfactory within WCC. The approach of application selection and procurement at departmental level and security at corporate level may be an explanation for this. Within its corporate standards, WCC needs to ensure that ICT Coordinators engage the corporate security staff at an early stage of their planning for new applications and upgrades. Some areas to consider include:

• Does the application comply with WCC’s security policies? • Will the supplier require remote access to the system, e.g. for

maintenance and if so how will this be achieved securely, so as not to compromise the Council’s security or its connectivity to third parties such as the NHS? 7

• Does the application run on WCC’s supported operating systems, processors and network protocols?

7 The security regime required by organisations such as the NHS to allow connectivity with third parties applies to the whole of the organisation’s infrastructure, not just the segment to which the connection relates, so WCC could have access to NHS withdrawn if a security ness appears in another system, e.g. environment systems.


Version 1.0 - 53 -

• Does the application share data, supply data to or extract data from other WCC applications, and if so what are the implications for both the new applications and the applications to which it interfaces?

Such issues, which fundamentally impact on the security regime, need to be considered at an early stage of the project. The current situation where they are considered shortly before or at implementation is untenable and presents a severe risk to WCC’s overall security. Policies introduced and implemented corporately should ensure that Change Management has this priority by becoming a “tick box” within the early stages of ICT related project.

66..88 TTeelleepphhoonnyy aanndd CCoommmmuunniiccaattiioonnssThe Mitel system at County Hall has been in use for several years. It is very reliable and has been regularly updated to ensure that the system meets the up to date functionality requirements. The modular design of the Mitel equipment means that is can easily be upgraded and enhanced as the Council’s business needs change and new technologies are developed. The SX6000 lite switch is currently being enhanced for the Call Centre. Outside County Hall, a number of Departmental systems are in use, primarily from BT. A new Panasonic System is being implemented by Midland Technologies at Salisbury Library to meet the new one-stop shop requirements. This provides 8 ISDN trunks (which will also service Video Conferencing between Salisbury and County Hall) and 20 extensions. WCC has a leased line Voice Network from County Hall covering Police (extending to Fire) and some District Council offices. These are provided using a mixture of Analogue Circuits and FeatureNet. The link to North Wilshire DC has been ceased because their new IP Telephony solution is incompatible with WCC’s PABX. Other links are being reviewed due to cost and usage levels. There is no “on network” voice network between County Council offices as it has been considered that standard dialled voice calls are cheaper than renting private circuits. e-Government will necessarily change the way in which the Council works, placing much greater emphasis on delivering a comprehensive and seamless access solution to the Council’s customers. It is anticipated that a high volume of incoming telephone traffic will ultimately be routed through the call centre in the first instance; the call centre will then transfer calls that they cannot handle. This is a principal reason why the voice telephone service must be coherent across the whole of the Council, and where possible should be capable of extension to include all outlying offices as well as home and mobile workers. WCC need to develop a strategy to provide a coherent voice network that can be implemented across the whole Council. Traditional solutions which have deployed leased circuits between offices are now generally benchmarked as “expensive” and “inflexible” and many public and private sector organisations, including several Local Authorities are implementing IP Telephony as the solution to this issue. IP Telephony allows voice and data to be shared on the same inter-


Version 1.0 - 54 -

office circuits, and can even be extended using business-quality8 ADSL connections to workers’ homes. Solutions in the IP Telephony market fall into two categories:

• Telephone services provided on routers which will also allow data connections; the prime example of this is the Cisco IP Telephony solution where a connection to a router can be configured as either voice or data, and the latest family of routers even provide the requisite in-line power for the telephone handsets.

• Enhancement of existing telephone systems (including Mitel, Ericsson, Nortel, etc) to use IP Telephony for either direct connectivity to extensions or to provide inter-switch links between offices. This option is often seen as lower risk, since the IP Telephony service operates in parallel with the legacy service, but offers less flexibility and increased costs as telephony as well as data-router equipment is usually required at each site.

WCC need to undertake an exercise to consider both options, using pilot projects where appropriate to determine which solution best meets their requirements. IP Telephony requires the implementation of “Quality of Service” (QoS) on the network. This ensures that good speech quality can be maintained for telephone calls, and is particularly important at times when the network is heavily loaded. MetroVPN can provide this QoS functionality, but at a cost, and WCC are encouraged to include in their feasibility planning for this service estimates which will fulfil the IP Telephony requirements. By implementing IP telephony, voice and data will share the same network infrastructure. In order to develop these and provide coherent management and support, it is important that the voice and data networks are managed as a single entity. Within the aims and ambitions of the e-Government programme, WCC wish to provide single interfaces for customers to access the services of complimentary public sector services in the region. In particular, it has been identified that one stop shops, such as the one now being implemented at Salisbury Library, should be capable of assisting customers with both County and District Council services. Consequently, there is a requirement for these access points to be able to access telephony services for all organisations which it serves, and therefore there should be full interoperability between these various organisations’ telephone switches, e.g. to include call transfer and enquiry calls. It is therefore important that WCC do not develop the telephony strategy in isolation, but ensure that any upgrades or new systems to be implemented are capable of servicing the wider objectives. Fixed line voice telephony should not be viewed in isolation and WCC needs to consider how the use of fixed line and mobile technologies will converge. Like many Local Authorities WCC is taking advantage of the Government

8 Some “home” ADSL services which have low bandwidth capability and/or high contention ratios are unsuitable for IP Telephony.


Version 1.0 - 55 -

Telecommunications Mobile (GTM) Framework which provides public sector organisations with access to a wide range of mobile voice, paging and data services from Vodafone and Orange. Such contracts allow Local Authorities to reduce the capital and revenue costs of their mobile telephone network and to deploy technologies which allow seamless integration with their PABX (fixed line) voice network. As a voice telephony strategy is developed, a review of mobile telephony should be incorporated to ensure that both media are used to maximum business advantage. Telephony is becoming an increasingly essential instrument within day to day business processes. Without the telephone it is impossible to operate as “business as usual”, and even short disruptions to service will create difficulties. More and more contact from the Council’s customers is by telephone, and the implementation of a call centre which can more efficiently answer and process calls is likely to further increase this percentage. It is essential that all telephone services have high availability, and resilience is of the essence. Telephone services needs to be considered as part of the Council’s Disaster Recovery and Business Continuity Planning . There are many cables, both voice and data, running in WCC’s trunking across the road between the County Hall and the Library site on the opposite side of the road; this presents a serious risk if this trunking became damaged e.g. through road works. WCC needs to consider its video conferencing requirements. The use of ISDN based videoconferencing, unless required because of limitations of third parties with whom the Council needs to communicate, should be avoided as it is expensive. The use of IP based videoconferencing equipment, which uses an upgraded WAN infrastructure, should be pursued.

66..99 CCoossttiinngg tthhee TTaaccttiiccaall,, SShhoorrtt tteerrmm aanndd MMeeddiiuumm tteerrmm ppllaannAttached as appendix C to this strategy document is a tactical, short term and medium term plan. The plan outlines a number of key infrastructure and policy actions that are required to take place over the next three years based on achieving key targets within a six month time frame moving through to 12 months, 24 months etc. Each phase represents a dependency on the next phase of work in other words the actions are sequential (but in some areas may overlap) and are based on:-

• An assessment of relative priority; • A view of what is realistically achievable; • A recognition of the interdependency of the actions.

The table below outlines at a high level the estimated cost of the action plan split between capital and additional on going costs. It has not been possible at this stage to cost all elements of the action plan and where this is the case exemptions have been highlighted, similarly a number of costings at this stage are subject to further analysis and feasibility studies. It should also be noted that no account of the internal resources required to project mange and support this programme have been made.


Version 1.0 - 56 -

The aim of table 1 is to give the Council an approximate view of the likely cost of the overall programme for high level planning purposes. No account has been taken of funding sources and a number of the actions have already been wholly or partially budgeted for, where this is the case this has been indicated. Table 1 Tactical 6-12 months £000s

Capital

expenditure

Additional

ongoing

1 Wide area network 200 300

2 Big Box 400 100

3 Desk top 125

4 Server 120

5 Network switches 200

6 Financial systems 50

7 Document management 250 50

8 Libraries 300

Sub Total £1.645 million £450,000

Short term 12-24 months £000s

1 Big Box 150 100

2 Wide area network 50 500

3 Corporate policies 35

4 Information sharing 40

5 Mobile computing 30

6 Help desk N/A

7 Desktop 170

8 Financial systems 425 75

9 Security improvements 30

10 Internet connectivity improvements 30


12 Server refresh 20

13 Network switches refresh 50

Sub Total £1,060 million £795,000


Version 1.0 - 57 -

Medium Term 24-36 months £000s

1 Telephony 1P pilot 20

2 Big Box 150 100

3 Financial Systems 450 75

4 Video Conferencing trial 15

5 Desktop 170

6 Disaster recovery and Business Continuity

N/A

7 Mobile telephony N/A

8 Financial Systems 425 75


10 Server refresh 20

11 WAN 50 700

12 Network switches refresh 100

Sub Total £1,480 million £1,020 million

Grand Total one off cost for years 1-3 £4,185 million

Grand Total additional on going costs for

years 1-3

£2,265 million

66..99..11 CCaavveeaattss aanndd AAssssuummppttiioonnss

In order to arrive at this high level planning total a number of assumptions have been made and some areas have not been costed at this time. These assumptions and caveats are outlined below. Tactical Costs in 1) (WAN), are subject to a detailed feasibility study. Costs in 2) (The Big’ box project County Hall), are already budgeted for within the Councils spending plans. Costs in 3)(Desktop), relate to 50k for image rationalization and 75k for elimination of windows 95 PCs outside of the library service. Costs in 5) (Network switches) are already budgeted for in the Councils spending plans. Costs in 8) (Libraries), relate to the replacement of Windows 95 PCs and an allowance of 150k for the upgrade of the existing Library management information system, no allowance has been made for maintenance or on going licence costs. Short term Costs in 1) (Big Box), relate to rolling out the storage area solution beyond County Hall, similarly the costs in WAN 2).


Version 1.0 - 58 -

Costs in 3, 4, and 5 relate to specialist consultancy services. Costs in respect of 8)(Financial systems), cover licences, hardware, training and project management in respect of a replacement for APTOS based on a best of breed approach. On going costs are estimated at 15% of anticipated licensing costs of £500k. It has not been possible to cost 6) (Help Desk), due to the interdependence with the Vivista contract and any future arrangements in this regard. Costs in respect of 7)(Desktop), relate to the replacement of Windows 98 PCs ahead of the leasing programme, the second and final tranche for this element of the action plan is in the medium term phase. Medium term It has not been possible to cost actions 6 and 7 (Disaster recovery and Mobile telephony) at this stage due to the high number of variables and dependencies which will become clearer after the various feasibility studies.


Version 1.0 - 59 -

SSeeccttiioonn 77 IInnffrraassttrruuccttuurree RReeccoommmmeennddaattiioonnss

77..11 RReeccoommmmeennddaattiioonnssThe Council should:

• Conduct a feasibility study to ensure that MetroVPN can be successfully rolled out throughout the Council’s geography and that it has sufficient resources to complete and sustain the project.

• A detailed project plan to rollout MetroVPN to all WCC offices within a 12-

18 month timeframe should be established.

• Facilities for mobile and home working should be made available through the use of MetroVPN at an early stage in the project’s implementation.

• WCC should establish a “Refresh Policy” which ensures that operating

systems on servers are updated every three to four years. This not only eliminates the risk that WCC may be unable to obtain support for systems, but also allows WCC to proceed with new initiatives which may rely on current operating system levels.

• An analysis of requirements for testing should be made, and funding

should be made available for the procurement of these servers.

• The NCC Group endorses the current strategy to roll out “The Big Box” project to rationalise server and storage capabilities. However the installation of this infrastructure within the County Hall campus should be seen as the initial phase of a corporate project to provide equal server and storage facilities across the whole of the Council.

• The life of all equipment which forms part of WCC’s corporate ICT

infrastructure should be considered and a financial model should be constructed which creates the necessary budgets to refresh equipment before it becomes life-expired.

• A corporate strategy for the deployment of Thin Client architecture

should be determined and followed in all new procurements.

• The server infrastructure should be structured to promote information sharing and users trained in the functionality available for this purpose.

• WCC should establish, at the earliest available opportunity, a project to

implement Active Directory, including the required upgrades to other elements of the infrastructure.

• WCC must ensure that a refresh policy which ensures that all PCs are

running (and are fit to run) either the current or “current minus one” version of the Microsoft Windows operating system.


Version 1.0 - 60 -

• The process of rationalising the number of images in use needs to be continued.

• The capacity for Vivista to build PCs needs to be increased.

• It is essential for WCC to create a central Asset Register which robustly

logs PCs in use, and reliably records devices which enter and leave service and also records changes to use where these affect licensing, location, support, etc.

• A Change Management process which supports the Asset Register should

be implemented corporately. This process should also underpin WCC’s records of Licensed Software in use, to ensure that there is compliance with licensing conditions.

• WCC must be able to independently verify the number of PCs in use, and

hence the charging mechanism for the Vivista contract.

• A Printer Strategy which encourages the use of cost-efficient network printers and refresh of outdated devices should be established corporately.

• WCC needs to create a policy which is supported by appropriate third-

party contracts to provide ICT equipment to homeworkers and to support this equipment.

• The Help Desk processes need to become more efficient by ensuring that

the maximum number of calls can be answered by first-line staff and the on-site staff are free to deal with issues which necessitate their attention.

• WCC needs to consider the various aspects of Mobile Computing and

deploy the technologies to support these where there is a business demand for their provision. Amendments are needed to the security policy commensurate with these requirements.

• With the rationalisation of Desktop operating systems, WCC should also

rationalise the versions of Microsoft Office in use.

• All users should be encouraged to undertake training in both basic and advanced Office functionality within the context of a corporate strategy, aimed at raising the standard of general capability and performance.

• Desktop products should be implemented to promote information

sharing. This may not only impact on how applications are implemented, but also on training and other infrastructure issues such as server and network strategies.

• Wherever possible users should be encouraged to have applications

designed by ICT professionals, to ensure that software is both robust and secure, and follows corporate standards for ICT. Such developments should be capable of future expansion and integration with other departmental and corporate applications should the need arise.


Version 1.0 - 61 -

• An e-mail archiving system should be introduced to allow users to save and share business information which has been sent to them using this medium.

• E-mail restrictions need to be reviewed in the light of business need.

• E-mail issues need to be addressed across the whole Council.

• A policy for the use of e mail should be developed. • Workflow tools, possibly linked with CRM, should be introduced to help

staff deal with the processing of e mail correspondence.

• It is important that information can be shared electronically between colleagues, including those working at various WCC locations and those who are mobile or are working from home. The Intranet provides an ideal platform this, and it is use for both publishing and finding information should be encouraged at corporate, department and workgroup levels.

• Applications must be funded to ensure that:- -the maximum benefit can be taken from the applications and thus the Council is obtaining the maximum return on its investment; -applications are kept up to date and compatible with the latest server, network and desktop operating systems and strategies.

• WCC need to set a corporate standard which means that all new

applications must be capable of being run across the WAN, thereby removing this element of the “Digital Divide”.

• There must be a mechanism to improve corporate infrastructure to

standards required by departments to run specific applications which demand additional capacity; this may involve a method of some department funding be made available to corporate, e.g. to fund additional WAN bandwidth for specific purposes.

• WCC need to instigate a project to update the Financial Systems, and to

consider various options including updating current software, acquiring a new “best of breed” package or procuring an Enterprise (ERP) system.

• Because of the complexity of the Payroll Department acting as a Payroll

Bureau, the deployment of an ERP system into this area is likely to be a difficult and high risk project, risk planning would need to reflect that.

• Corporate standards need to be set for the use of the HR module within

Cyborg, and the data which recorded. This is not only important for the Council’s internal use, but also so that WCC can fulfil its legal obligations by providing statistical information to central government and other related organisations.

• There needs to be better communication between the e-Government

team and the departmental ICT Coordinators. e-Government “cross


Version 1.0 - 62 -

cuts” all of the Council’s businesses and it is important that WCC have a joined-up approach to providing all elements of e-Government including CRM and other such initiatives.

• There needs to be better liaison between the e Government team and

the Departments to ensure that technologies can be used to maximum advantage. In particular there needs to be greater understanding of how e Government technologies will integrate with existing Line of Business applications.

• WCC must pursue an aggressive programme to improve Server and

Network provision, particularly to outlying offices, to ensure that the current “Digital Divide” does not become an inhibitor to successful delivery of its e Government project.

• WCC needs to develop an environment in which information can be

shared across various applications without any departmental or service boundary.

• WCC needs to pursue all access channels for e Government and ensure

that it addresses access issues.

• Security needs to be implemented to a common standard across the entire Council.

• A more thorough approach to Disaster Recovery and Business Continuity

Planning is required, using a robust risk assessment of ICT infrastructure and systems at all WCC sites.

• A robust Change Management regime which considers all security

aspects needs to be driven from the corporate centre and implemented throughout the Council.

• WCC need to develop a strategy to allow the provision of a coherent

telephone infrastructure which will extend across all outlying offices and should include facilities for home working. The strategy should encompass not only the County Council’s requirements, but should facilitate the implementation of access points which will allow customers to complete transactions with complimentary public sector organisations such as the District Council. IP Telephony is likely to play a significant part in this strategy, and therefore a strategy to deploy IP Telephony, including the establishment of pilot projects to determine the most appropriate technology for WCC, should be developed at the earliest possible opportunity.

• In the medium term, WCC should provide integration between their fixed

line and mobile voice networks.

• A disaster recovery plan is required for the Voice service. A strategy to use IP technology for the delivery of video conferencing services should be pursued.


Version 1.0 - 63 -

AAppppeennddiixx AA IICCTT SSeerrvviiccee aanndd OOppeerraattiioonnaall SSuuppppoorrtt

Summary We compared the Council’s ICT management processes against 21 world-class standards using a traffic light system where:

• A green light means that the Council has implemented much of the process and there is little point in further implementing this process.

• An amber light means that the Council has implemented some of the

process, but there is further effort needed to maximise the value-for-money that this process can deliver, whilst minimising the risks faced by the Council.

• A red light means the Council has not implemented the process, or

implemented it inappropriately, and there is an opportunity to improve value-for-money and reduce risk through implementing the process.

We found that only one of the areas we examined secured a ‘green light’ and that related to Vivista. We scored 17 areas as ‘amber’ and three areas as ‘red’. The areas scoring ‘red’ have common characteristics: They relate to the fragmented nature of ICT investments – mostly department funded resulting in insufficient attention being given to scalability, fault tolerance, disaster recovery, and a long-term view on the costs and benefits of the investment. The areas scoring ‘amber’ relate to the general propensity to ‘firefight’ rather than make strategic investments which will reduce the long-term workload. This includes such functions as asset management, fault tolerance, the enforcement of standardisation, capacity management and change management.

Introduction to the Section The processes which are used to deliver IT have an important impact on operating costs. For example, making use of technologies which allow IT support staff to solve problems using remote control tools makes those staff more efficient since the need to personally visit end-users can be eliminated. We have identified a set of 21 processes which should be implemented if maximum value-for-money is to be extracted from IT investments. In this section of the report we detail these processes and give our opinion on the Council’s position using the traffic light system described above.


Version 1.0 - 64 -

Wiltshire’s Position Our assessment of the processes and the extent to which they have been implemented in Wiltshire are outlined in the table below. Process Good practice Position at Wiltshire Asset Inventory Non-automated inventories are 20%

inaccurate on average, resulting in mis-statements within accounting data, increased losses due to theft, mis-allocation of assets, and incorrect tax reporting on IT assets. Using asset inventory, these problems can be reduced or eliminated. As well, up to 50% of each help desk call is spent on understanding the hardware and software configuration. Call time can be reduced by providing access to the inventory data to the help desk support personnel.

�aAn automated Asset Inventory Tool – Centennial is currently being used by Vivista which covers all networked assets. There is also a paper-based system, which utilises a Change Control procedure. Greater adherence to this procedure would improve control mechanisms.

Virus protection and elimination

With the proliferation of data sharing via e-mail and the WWW, the chances of virus infection has increased dramatically. New viruses infect systems, documents and even cells in spreadsheets. Virus detection and elimination helps to maintain user productivity and eliminate costly administration labour in repairing virus infections. Viruses can take up to 14 person hours to eliminate from a network and cause 4 hours of downtime for each infected machine. An organisation with 1000 computers is expected to encounter at least seven infections over a 12 month period. A proper virus protection plan and tools minimises the risk of infections and provides a means to more quickly recover should an infection occur.

�aEmail - There are currently 3 layers of interception. Mailsweeper consists of a double layer of Sophos and Command. The Exchange Servers have Groupshield. Internet – There are currently 2 layers of interception. Sophos and Command on the Websweepers. All networked client machines and servers are protected by regular automated Sophos updates via the network. Standalone client machines are updated manually by users via a monthly CD – and this is a key ness.

Centralised network and desktop management

By implementing network management products and centralising the management of performance information and alerting, administrators can better set policies, pro-actively avoid issues and respond quickly should issues occur.

�aThere is centralised network management at present carried out by Vivista. However, this is limited within the desktop environment due to the multi platform operating systems within WCC. A standard W2000/XP operating system is recommended to enable the proactive use of set policies. WCC are striving towards a W2000/XP standardised operating system platform.


Version 1.0 - 65 -

Process Good practice Position at Wiltshire Centralised help desk, support knowledge base, and remote control

By consolidating calls to a central location economies of scale in the support centre can be achieved. Problems are better centrally tracked with common problems being identified and pro-actively eliminated. Combined with an inventory system that can display configurations of the system having issues and a desktop remote control capability, the help desk can be dramatically improved, reducing the duration of calls by 50-70%, and reducing call frequency. Be aware however that help desk support needs to continually monitor service levels to assure performance. In most organisations, help desks do not provide adequate knowledge and response times to meet user expectations. Users then turn to peers for support.

�aA central service desk infrastructure is in place, using Remedy as a call logging system. The service desk provides first line support and also has the responsibility of call closure. Various reports and metrics are available i.e. Trend Analysis. There is an SLA currently in place. Proxy and Dameware software is used for remote control.

Scalable Architecture

Business is continually changing and competition continually increases. As a result, the organisation you manage today is not the same one you managed a year ago. It is vital, in order to reduce the cost of keeping up with change, that you develop an architecture that provides for scalability and flexibility to meet the ever changing business needs. Re-engineering of the infrastructure on a continuous basis is costly. Select an architecture that is scalable to reduce overall change costs.

�aThe Council’s approach of devolved budgets makes it extremely difficult to develop a scalable architecture. In order to achieve further centralisation of services, the first stage will be the creation of a network infrastructure that can deliver the required bandwidth to all sites. Only then can services be centralised and rationalised.

Component Application Software

Similar to a scalable architecture, it is important to create a scalable application development environment, one which can quickly deliver initial products, build to meet growing business needs, and flexible enough to meet changing business requirements.

�aThe fragmented nature of ICT investments means that the Council does not seek to deploy re-usable components. However given that the majority of ICT applications are packages, this is not a major issue at present. The integration of CRM with back-office applications could raise the importance of this issue.


Version 1.0 - 66 -

Process Good practice Position at Wiltshire Fault tolerant systems and network

If end-to-end network resources were available 96% of the time (better up-time than most networks experience) a 300 user network could still be faced with losses of £500,000 each year. This manifests itself in lost productivity, the inability for users to accomplish their work, and lost revenue, the bottom line revenue impact of not being able to perform mission critical transactions. A fault tolerant network that implements fault tolerant storage (RAID), servers and network components can increase uptime and eliminate costly resources.

�aThe core network is managed by a Vivista and resources are available 100% during the core working hours. The actual core working hours are 8am – 6pm Monday to Friday. Automated monitoring and alerting is in place using BMC Patrol enterprise management applications. The wide-area network is the main area of concern, and it requires significant investment if it is to become ‘fit for purpose’ for a modern authority.

Policy-based management

Implementing policy-based management limits the access of users to specific applications, data, and system control needed for their jobs. By limiting the users to just the right amount of computing power, management and support costs are reduced, while productivity and scalability is maintained. Policies eliminates much of the end user IT costs by providing a system that does not allow users to access applications for which they are not trained and minimises system changes.

�aA policy based management system is in place within the Peoples Network infrastructure, which supports the libraries it is not in place elsewhere within system. However an Active Directory environment would be required within the corporate environment of WCC if a full policy based system was to be implemented. The presence of Windows 95 based PCs also limits this functionality. There are further opportunities to reduce the risk of user errors causing widespread problems through greater use of policy based management and desktop lockdown.

Standardised desktops and network

A standardised desktop platform and network architecture will allow for economies of scale in purchasing, support, and management. Purchasing can be performed in volume to get better pricing. Components can be quickly replaced because they are swappable and spares can easily be made available. Support and management are reduced because each system and network is identical, reducing training and re-education expenses, and allowing common issues to be identified and engineered out of the organisation in a unified fashion.

�aA standardised desktop is in place within the AD Peoples Network environment only. A standardised desktop platform is recommended for the WCC Corporate environment but will not be achieved until AD is implemented. Procurement is not covered within the Focus Contract. Components and spares are available through Vivista’s break and fix service on all major items of infrastructure. The central purchasing scheme works well but the lack of overall awareness of requirements results in money being wasted and creates installation planning difficulties.


Version 1.0 - 67 -

Process Good practice Position at Wiltshire Backup data and plan for disasters based on a risk assessment

Most organisations backup their server data but do not backup client information and rarely are prepared with continued operation or recovery plans in the event a disaster strikes. Many keep the backup tapes next to the server being backed up … in a site disaster the server and the tapes are both destroyed! A good disaster recovery plan includes tested policies for data protection, emergency team formation and alternate site preparation and procedures. Specialised consultants and services are available to assist in developing and implementing these plans.

�rSystem data is backed up. WCC inform Vivista which Client/Application data on Servers is backed up. Backup tapes are kept in safes between 2 buildings. Disaster Recovery is not included within the Focus Contract. The Council should develop a disaster recovery plan based on an assessment of the risks it faces from the long-term loss of IT systems and staff.

Better planning of projects

A better plan and up-front analysis avoids costly mistakes later. A team oriented planning methodology provides structure to the planning process. A plan involves multiple members from representative organisations with defined roles, vision, scope and most importantly a method for identifying and mitigating risks. TCO management is one planning method that lets you plan IT finances proactively by analysing issues, identifying trouble spots, and simulating plans prior to improvements.

�aFormal project management of IT projects is undertaken using Prince 2 methodology. Training on the use of Prince 2 is well developed with a high number of practitioners. Project boards are in place, development plans are communicated via the Intranet and customer review meetings are held. This is let down by the lack of awareness of departmental requirements who have their own budgets to spend, and do not use project management in the manner intended. The Council reported to SOCITM that only 5 out of 7 recent projects were reviewed to determine if any benefits had materialised.

Centralised and streamlined purchasing procedures

The capital expenditures of computer hardware and software can be greatly improved by centralising the purchasing of all assets, and obtaining maximum cost savings through volume license and hardware purchasing agreements. However, centralised purchasing can cause issues and cause the user to circumvent the system if too many restrictive policies are introduced coincident with the project. It is vital to balance the cost savings against the natural tendency to restrict control and flexibility.

�aThe Council does have centralised purchasing arrangements in place. However the use of devolved budgeting reduces the potential for cost savings that could be achieved.


Version 1.0 - 68 -

Process Good practice Position at Wiltshire Measured service levels

By reducing costs it is often the case that organisations do so at the expense of service to the business units and users they are supporting. As part of any cost reducing projects that you implement, service levels should be monitored and minimum required service levels should be established. A cost reducing program that drops service levels beyond the minimums is one that should be re-considered establishing a written service level agreement and monitoring the quality of the delivered services is essential.

�aThe performance of Vivista is monitored regularly, and we are informed that KPIs are generally achieved. The were also told that the Council does not think the KPIs portray the real end-user experience, and further work to develop more meaningful KPIs is needed.

Capacity planning and load balancing

Adequate scaling of resources and allocation of computing power to meet user and customer needs is essential. Too often, resources are purchased and managed for capacities that may be too low, or too high. This causes mis-appropriation of hardware and software expenses, and worse, downtime or over-management of resources that are heavily taxed and are over-capacity. By monitoring the capacity and performance requirements of the business and users, resources can be allocated and maximised for needs.

�rThe fragmented approach to ICT procurement at server level means that the scope of Capacity planning is limited. Operational capacity planning is performed on disk utilisation, availability, memory and process utilisation. Automated monitoring and alerting is in place using BMC Patrol. All major servers are continuously monitored for both capacity and performance by Vivista with regular analysis and recommendations made to the Council

Change Management and Control

Vendors and users are continually putting pressure on the IT organisation for change. This demand is only going to increase over time. It is essential that an IT organisation realise that change demands are continuous and put in place a system to control and manage change in an orderly and planned fashion, avoiding users from skirting the system to implement the systems and applications they require because IT can't keep up. It is key to embrace, manage and control change rather than fight it.

�aA Change Management procedure was implemented by Vivista at the beginning of the contract and has been maintained to-date by Vivista. Greater adherence to this procedure by all parties is required.

Upfront investments in the right systems

An organisation that invests more in technology up-front can eliminate costly upgrades later on. Buying an extra 512 Mbytes of memory per machine can cost £50 per system today. But an upgrade later will require not only the purchase of the memory, but the labour associated with purchasing and installing the memory, an estimated expense of £150 to £500 per computer. Similar expenses can occur by under-specifying hard drives, monitors, multi-media, network resources, printers, and other similar assets. Spending up front for the right systems can eliminate costly labour expenses later.

�aThe Council buys good standard desktops with adequate capacity for future use; however the current departmental funding arrangements for servers and storage means that inappropriate equipment is acquired in the context of a corporate approach to storage issues.


Version 1.0 - 69 -

Process Good practice Position at Wiltshire Cycle technology to match the useful lifecycle

Typical organisations attempt to hold onto computer assets for as long as possible. The extra expense of troubleshooting, repairing, upgrading and maintaining older computer assets for many organisations far outweighs the benefit of a four to five year lifecycle. It is recommended that desktop computers should be replaced after three years and mobile computers be replaced every 18-24 months. This extra capital expense will have returns in lower administration and support expenses, and should yield gains in productivity as the new PCs are able to run newer operating systems and applications. Leasing is also a viable option to assure that initial capital outlay is low, and technology is cycled on a continuous basis to match the lifecycle. Many leasing companies offer good rates, track assets, and include maintenance contracts for minimal fees.

�aWCC have a 3 year lifecycle on most desktops. However, there are certain departments within WCC where this is not done, thus the ageing equipment causes support issues for Vivista. Some sections of the Council have no concept of equipment life cycle. Hardware purchases are treated as one off costs with no plans for replacement. It must be accepted within the Council that computer equipment has a finite life cycle and that planning for replacement is vital.

Software usage monitoring and licensing

How many of the applications are really being used by end users? Many IT professionals do not know who is using the installed software and how many licenses are purchased that didn't need to be. By monitoring usage, consolidating the software, and negotiating usage based licenses, you can optimally purchase software licenses and reduce software expenses.

�aThe Vivista software inventory tool – Centennial performs software usage monitoring on all networked units. Licensing is not covered within the Focus Contract.

TCO Lifecycle Management

By measuring TCO on a regular basis, tracking the cost issues, progress of cost reductions, and verifying returns from IT investments you can optimise budgets and spending.

�rThe fragmented nature of the Council’s server infrastructure, a consequence of a tactical approach to ICT investment management, means that TCO management is not achievable at present.

End user training

Training is one of the most important ways to increase productivity and reduce both direct and indirect IT costs, particularly helpdesk and peer/self support. You may wish to consider requiring formal training prior to new application or platform rollouts, and implementing a just in time training system to provide the skills and help information when a user needs it on operating systems, network, and applications.

�aEnd-user IT training is not the responsibility of central IT, and therefore this limited evidence of central co-ordination taking place in respect of the identification of basic training needs as part of the overall training strategy. Training is opportunistic and based on individual departmental budget considerations rather than a collective view of corporate need.


Version 1.0 - 70 -

Process Good practice Position at Wiltshire IT training and certification

Support personnel must be trained on the operating systems, computers, network and applications they are supporting to adequately provide value added services. You should review certifications and implement incentive programs to increase the number of certified team members. When outsourcing of application platform and operating system rollouts, skills that are gained during these experiences are not transferred to the help desk and administration staff. It is vital to re-tool skills as the network changes and to be sure that outsourcing is performed in a cooperative way to assure knowledge transfer.

�gVivista encourages and supports IT Accreditation. There are currently 5 MCSE Accredited Engineers and an ITIL Accredited Contract Manager on-site. An ITIL programme is being put in place to ensure industry best practice guidelines are followed.

IT Security Policy

Implementation of BS7799/BS17799 policy, procedures and controls. �g

Policy and procedures implemented corporately together with e-mail, intranet and computer usage policy. Risk Register maintained and IT Security Team recently targeted to audit all sites and ensure that proper security processes and procedures are implemented throughout the Council.


Version 1.0 - 71 -

Recommendations The Council should take action to address the areas above which were assessed as ‘red’ and ‘amber’.


Version 1.0 - 72 -

AAppppeennddiixx BB AAccttiioonn PPllaann

In support of the ICT strategy an action plan framework has been developed to assist the Council in determining its priorities and processes for future action this is detailed below. Priority= High/Medium /Low Timescales=Tactical 6-12 months Short term 12-24 months Medium term 24-36 months Action Priority Owner Target date The Council should review its ICT spending and staffing levels when formulating its long-term financial strategy.

H CPG Tactical(T)

The Council should review its ICT recharging policy to ensure that it is equitable and within the BVACOP guidelines.

M County Treasurer(CT)

Short Term(ST)

Adopt an ‘enterprise architecture’ where information can be shared, and single instances of corporate applications fulfil the Council’s administrative needs.

M CT ST

Create a senior second-tier post with overall responsibility for ICT management and governance.

H CPG T

Consider if some form of partnership with the private sector would be beneficial in helping to meet the Council’s investment needs.

M CPG ST

Develop a corporate ICT strategy with a rolling five-year funding horizon.

M CPG ST

Define technical information architecture as part of the corporate ICT strategy.

M CT ST

Define core standards as part of the corporate ICT strategy and ensure these are communicated and enforced.

M CT ST

Refine the ICT support structure so that it shaped around user requirements rather than technical ICT disciplines.

M CT ST

Enforce a corporate process for investment appraisal which identifies long-term costs and benefits.

M CT ST

Introduce a corporate process for benefits realisation which makes individuals accountable for the delivery of benefits.

M CT ST


Version 1.0 - 73 -

Action Priority Owner Target date Centralise ICT budgets so that investments are made for the ‘corporate good’ rather than for the benefit of a single department.

H CPG T

Develop communications capability as part of the corporate ICT strategy development process.

M CT ST

Develop a process to measure user satisfaction systematically.

M CT ST

Maximise the benefit of risk management by ensuring that the corporate ICT strategy includes the requirement for regular consideration of the risks it faces.

H CT T

Ensure that the corporate ICT strategy requires formal project management processes to be enforced.

M CT ST

Conduct a feasibility study to ensure that MetroVPN can be successfully rolled out throughout the Council’s geography and that it has sufficient resources to complete and sustain the project.

H CT T

A review of the basic training requirements of end users should be undertaken as part of an agreed overall corporate strategy for ICT training.

M CT ST

A detailed project plan to rollout MetroVPN to all WCC offices within a 12-18 month timeframe should be established.

M CT ST

Facilities for mobile and home working should be made available through the use of MetroVPN at an early stage in the project’s implementation.

M CT ST

Establish a “Refresh Policy” which ensures that operating systems on servers are updated every three to four years.

H CT T

An analysis of requirements for testing should be made, and funding should be made available for the procurement of these servers.

H CT T

The life of all equipment which forms part of WCC’s corporate ICT infrastructure should be considered and a financial model should be constructed which creates the necessary budgets to refresh equipment before it becomes life-expired.

H CT T

A corporate strategy for the deployment of Thin Client architecture should be determined and followed in all new procurements.

M CT ST


Version 1.0 - 74 -

Action Priority Owner Target date WCC should establish, at the earliest available opportunity, a project to implement Active Directory, including the required upgrades to other elements of the infrastructure.

H CT T

WCC must ensure that a refresh policy which ensures that all PCs are running (and are fit to run) either the current or “current minus one” version of the Microsoft Windows operating system.

H CT T

The process of rationalising the number of images in use needs to be continued.

H CT T

The capacity for Vivista to build PCs needs to be increased.

H CT T

It is essential for WCC to create a central Asset Register which robustly logs PCs in use, and reliably records devices which enter and leave service and also records changes to use where these affect licensing, location, support, etc.

H CT T

A Change Management process which supports the Asset Register should be implemented corporately. This process should also underpin WCC’s records of Licensed Software in use, to ensure that there is compliance with licensing conditions.

H CT T

WCC must be able to independently verify the number of PCs in use, and hence the charging mechanism for the Vivista contract.

H CT T

A Printer Strategy which encourages the use of cost-efficient network printers and refresh of outdated devices should be established corporately.

M CT ST

Create a policy which is supported by appropriate third-party contracts to provide ICT equipment to homeworkers and to support this equipment.

M CT ST

The Help Desk processes need to become more efficient by ensuring that the maximum number of calls can be answered by first-line staff and the on-site staff are free to deal with issues which necessitate their attention.

M CT ST


Version 1.0 - 75 -

Action Priority Owner Target date WCC needs to consider the various aspects of Mobile Computing and deploy the technologies to support these where there is a business demand for their provision. Amendments are needed to the security policy commensurate with these requirements.

M CT ST

With the rationalisation of Desktop operating systems recommended at 1.4.1, WCC should also rationalise the versions of Microsoft Office in use.

H CT ST

Training in both basic and advanced Office functionality should be available to all users.

M CT ST

Desktop products should be implemented to promote information sharing. This may not only impact on how applications are implemented, but also on training and other infrastructure issues such as server and network strategies.

H CT T

Wherever possible users should be encouraged to have applications designed by ICT professionals, to ensure that software is both robust and secure, and follows corporate standards for ICT.

H CT T

An e-mail archiving system should be introduced to allow users to save and share business information which has been sent to them using this medium.

H CT T

E-mail restrictions need to be reviewed in the light of business need.

H CT T

E-mail issues need to be addressed across the whole Council.

H CT T

A policy for the use of e mail should be developed.

H CT T

Workflow tools, possibly linked with CRM, should be introduced to help staff deal with the processing of e mail correspondence.

M CT T

Applications must be funded to ensure that the maximum benefit can be taken from the applications and thus the Council is obtaining the maximum return on its investment and applications are kept up to date and compatible with the latest server, network and desktop operating systems and strategies

M CT ST


Version 1.0 - 76 -

Action Priority Owner Target date WCC need to set a corporate standard which means that all new applications must be capable of being run across the WAN, thereby removing this element of the “Digital Divide”.

M CT ST

There must be a mechanism to improve corporate infrastructure to standards required by departments to run specific applications which demand additional capacity; this may involve a method of some department funding be made available to corporate, e.g. to fund additional WAN bandwidth for specific purposes.

M CT ST

WCC need to instigate a project to update the Financial Systems, and to consider various options including updating current software, acquiring a new “best of breed” package or procuring an Enterprise (ERP) system.

H CT T

There needs to be better communication between the e-Government team and the departmental ICT Coordinators. e-Government “cross cuts” all of the Council’s businesses and it is important that WCC have a joined-up approach to providing all elements of e-Government including CRM and other such initiatives.

H CT/CPG T

There needs to be better liaison between the e Government team and the Departments to ensure that technologies can be used to maximum advantage. In particular there needs to be greater understanding of how e Government technologies will integrate with existing Line of Business applications.

H CT/CPG T

WCC must pursue an aggressive programme to improve Server and Network provision, particularly to outlying offices, to ensure that the current “Digital Divide” does not become an inhibitor to successful delivery of its e Government project.

H CT ST

WCC needs to develop an environment in which information can be shared across various applications without any departmental or service boundary.

H CT/CPG ST/MEDIUM(M)

WCC needs to pursue all channels for e Government and ensure that it addresses access issues.

H CT/CPG ST


Version 1.0 - 77 -

Action Priority Owner Target date Security needs to be implemented to a common standard across the entire Council.

H CT ST

A more thorough approach to Disaster Recovery and Business Continuity Processing is required, using a robust risk assessment of ICT infrastructure and systems at all WCC sites.

H CT T

A robust Change Management regime which considers all security aspects needs to be driven from the corporate centre and implemented throughout the Council.

H CT T

WCC need to develop a strategy to allow the provision of a coherent telephone infrastructure which will extend across all outlying offices and should include facilities for home working.

H CT/CPG T

In the short/medium term, WCC should provide integration between their fixed line and mobile voice networks.

M CT/CPG ST

A disaster recovery plan is required for the Voice service in advance of developing full Disaster recovery policies within the context of business continuity planning.

H CT/CPG T

A strategy to use IP technology for the delivery of videoconferencing services should be pursued.

M CT/CPG M

Take action to address all areas identified as Red and Amber in review of 21 world class standards.

H CT ST/M


Version 1.0 - 78 -

AAppppeennddiixx CC TTaaccttiiccaall//SShhoorrtt TTeerrmm aanndd MMeeddiiuumm TTeerrmm PPrroojjeecctt PPllaann

1. Telephony: Pilot IP Telephony; Common Council-Wide Telephone System

2. Big Box: Server Rationalisation at all sites

3. Video-conferencing:Trial IP based services

4. E-mail: Introduce e-mail archiving, sharing, workflow and usage policy

5. Server: Update to Current version of Exchange; Implement Directory Services

6. Disaster Recovery and Business Continuity Planning: Develop policies

7. Homeworking:Determine how equipment will be supplied and supported

8. Mobile telephony:Integration between fixed line and mobile voice technologies

1. Big Box: County Hall SAN

2. Corporate Policies:Develop Strategies

• Server/Desktop refresh

• Line of Business Application refresh

• Asset Register • Change

Management • Thin Client • Printer Strategy • Use of HR system 3. Information Sharing:

Create an environment (servers and applications) to allow information sharing

4. Mobile Computing: Develop facilities for mobile users

5. Help Desk: Introduce Efficiencies

6. Desktop: Provide training in basic and advance Office functionality

7. Financial systems:upgrade project

8. Security: Common, council-wide standard

9. Internet/Security: ISP move to MDS

1. Wide Area Network: MetroVPN Feasibility Study, Project Planning & Initial Roll Out, including VPN access

2. Desktop:• Rationalise images • Eliminate Windows

95/98 • Rationalise versions of

Office in use • Increase capacity to

build new PCs 3. Server: Eliminate old

operating systems 4. Financial Systems:

Determine how these should be upgraded

24 - 36 months

12 – 24 months

6 – 12months

MediumTerm

Short Term

Tactical

PRO

GRA

MM

AN

AG

EMEN

T

CHANGE CONTROL


Version 1.0 - 79 -

AAppppeennddiixx DD GGlloossssaarryy

I.S.P. Internet service provider-A supplier of internet based services such as BT or Pipex

S.A.N. Storage area network-A high speed network which connects a number of high-speed storage devices (disks) with associated data and application servers. The SAN is the key component of Wiltshire’s “Big Box” project, which will consolidate a large number of individual servers scattered across the Council’s offices into a consolidated, high-specification, resilient rack-mounted server and disk array located at the County Hall campus and accessible by all users throughout the Council.

Broadband High speed communications lines which allows the fast transmission of information between locations within the Council and with external partners. Broadband allows a rich variety of communications traffic to be processed including data, voice pictures, video conferencing, etc.

V.P.N. Virtual Private Network. The VPN provides a secure method to allow any authorized user to connect a PC to the Council’s network from an external connection, e.g. from home or from a hotel room. Connections are made using standard communications technology, e.g. an Internet link. The information sent and received is protected by employing a number of secure protocols within the VPN.

A.D.S.L. Asymmetric Digital Subscriber Line- A remote access technology that takes advantage of the existing network telephony infrastructure but improves performance by a magnitude in excess of 20 times. Based on using existing copper grade cable.

C.R.M. Customer (or citizen) relationship management-CRM is a series of techniques and technologies designed to allow organizations to easily gain a holistic view of its customers/citizens. At the heart of the technology is a specialist software package which when linked to other back office systems will allow a complete picture of all transactions to be developed. Customers are required to submit details once, which can then be used for a number of different transactions.

W.A.N. Wide area Network-Usually taken to mean the connection of computer systems in a number of different discreet buildings, for example County Hall, Remote Offices and Libraries.

L.A.N. Local area network-Usually taken to mean the connection of computer systems, including PCs and Printers within one building, for example the LAN within County Hall.

VoIP Voice over IP (sometimes call IP Telephony), refers to modern technology which allows voice telephone conversations to be transmitted using the same protocols as data, and thus allows data and voice to share the same physical connections within and between buildings and thus reducing costs and management overheads.


Version 1.0 - 80 -

I.P. IP –Internet Protocol, the protocol used for transmitting data over the Internet and also in common use for the transmission of data across WAN and LAN and voice using VoIP, see above.

Q.o.S. Quality of Service refers to the priority given to various different communications traffic on a WAN. For example, voice, data, CCTV and video conferencing may all be transmitted using the same WAN, but require different treatment to ensure that its quality is maintained. This is achieved by implementing QoS on the WAN which will apply the necessary prioritisation.

WiFi Wireless technology used in mobile computing utilising to connect PCs and other devices to the LAN

G.P.R.S. General Packet Radio Service allows data to be transmitted at a high speed over traditional (2G) mobile phone networks.

E.R.P. Enterprise Resource Planning-The name given to organization wide integrated business applications dealing with the key aspects of the organization such as Human Resources, Payroll, Finance, Assets ,CRM ,Procurement, Performance Management etc. These applications are sometimes referred to as Tier 1 solutions and are one application (from a technical aspect) with a series of tightly integrated modules. Common information such as names and property address are Shared between functions. These applications are underpinned by a range of mandatory business processes and are accessible across the network to remote users. The two leading suppliers to local Government are SAP and Oracle; both these products also contain Portal functionality.

Enterprise architecture

The term used to describe the practice of holding one instance of Corporate applications such as time keeping or payments. This prevents the duplication of this functionality across the organization and allows the organization to have an accurate timely and shared view of its key assets e.g. people and finance. ERP is one way of achieving this but it can also be achieved using a best of breed approach underpinned by strict corporate standards and business processes.

Corporate applications

Generally taken to mean application used by or for all departments within the Council e.g. Human resources, Payroll, Finance as opposed to applications used by discrete departments such as Social services and CareFirst.

Thin Client Thin client architecture moves information processing away from the user PC and moves it to central based servers. This form of architecture provides greater central control and reduces the need for local expertise. In many cases Thin Client can be demonstrated to reduce the total cost of ownership as simpler equipment is required at the user’s desk and management overheads are simplified. This form of architecture is bandwidth efficient, although initial costs can be higher than a traditional PC based architecture the ‘thin clients’ are considerably cheaper than PCs to purchase and support.

Bandwidth Refers to the availability of capacity within communication links for the purposes of transmitting and processing voice and data. Some applications with images and maps are bandwidth ‘hungry’, others which are ‘browser’ based using internet


Version 1.0 - 81 -

protocols and internet based languages are not.

Community Portal Internet based site which acts as a gateway to Council and other locally based services.

Servers Central systems which provide processing resource, e.g. controlling the databases used by corporate applications

Routers, Switches and Hubs

Network equipment within the LAN/WAN which routes communication across the corporate network


Version 0.3- 82 -

AAppppeennddiixx EE EEnntteerrpprriissee AArrcchhiitteeccttuurree aanndd MMiiddddlleewwaarree

final wcc 7799 - Wiltshire First (E... · 2010. 1. 7. · Commercial In Confidence NCC Group Consulting Report To ICT Strategy Version 1.0 Final 28th July 2004 NCC Group Manchester

Documents