Technology Assessment Profile


Brian Bell
Vice President
EP Solution, LLC
4898 Ronson Ct, Suite B
San Diego, CA 92111
(858) 576-3000, Fax: (858) 576-3248
www.epsolution.com
[email protected]

Document # 2 Technology Assessment Profile

Created for

The Technology Assessment Profile (TAP 7.0™) allows you to quickly baseline your company’s Information Technology (IT) status in most functional areas and compare it to industry-accepted “Best Practices”. This assessment gives you, the customer, an introspective look at where your IT investment dollars are currently going and, perhaps, where they should be going, relative to your business objectives. The application also uncovers areas of concern, some previously known to management and often some not, giving you a proactive opportunity to review whether your business is at risk of downtime due to hardware failure, software issues, ineffective security measures or the like.

Technology Assessment Profile Page 1 Created on 03/01/2007 07:48:00

TAP™ OUTPUT REPORT PREPARED FOR:

Janice Thompson
IT Specialist
Sample Company
1234 Anystreet, Suite 100
San Diego, CA 92123

EXECUTIVE SUMMARY (FINDINGS AND RECOMMENDED NEXT STEPS)

EP Solutions (EPS) was retained by Sample Company to perform a Technology Assessment Profile (TAP). On May 24th, a meeting was conducted between EPS and Sample's IT management and select additional Execs/Mgrs.

Overall, the organization’s IT health is:

1) Acceptable at the Strategic Planning level
2) Acceptable/Marginal at the Practice level
3) Marginal in some areas as noted below.

The HQ IT director (new in position) is generally applying well-rounded IT "best practices" in administrating the network and resources. Locally, HQ is applying standard operating procedures that cover the preponderance of issues/concerns facing organizations of similar size and scope. There are some items of concern regarding overall strategy and implementation of the next generation customer database application. Some primary items of concern/attention follow from the TAP report as requiring near-term attention.

Items specially noted from the Findings Report for Prompt consideration:

Manufacturing System (MRP) upgrade project: plan needs to take other infrastructure or dB requirements into account, such that the CRM project to follow will have sufficient resources.

CRM conversion/upgrade project: needs to be expanded to include remote office considerations and security.

Security: Company security plan is lacking in coverage and redundancy. Prevention vs. reaction not in place. Back doors and breaks in the DMZ exist and can be exploited. Additionally, certain physical security issues are present, such as relatively free access to the server consoles.

Disaster Recovery: Current plan insufficient and untested. Emergency Repair disks not current and bootable media (DLT) not present. Backups not properly tested to ensure Mailbox restore capability. Improper fail-over circuits for DSL service in case of interruption.

Storage: IT plan does not provide for sufficient growth & manageability, especially given the current projects at hand. This concern exists through backup hardware planning as well. Recent acquisition of NAS helping.

IT Planning: new IT staff need to think "holistically" vs. task-sequentially. Historically, IT practices at Sample Company have followed the typical "add-on" philosophy, such that investments in IT typically follow/build-on existing practices and infrastructure.

EPS recommends Sample's IT staff concentrate on the existing MRP and CRM project rollout, while allowing EPS to augment the functional plan of each. Additionally, EPS will provide Project quotes on addressing the Security and DR plans. The current IT staff is already addressing the storage issue appropriately. Future IT Planning can be a joint project once near-term issues are addressed.

TAP ITEMS PRIORITIZED FOR IMMEDIATE REVIEW:

Discovery
8.2. Any scheduling issues? - Yes
Noted: None so far.

Business Applications
1.3.2. Upgrades - No
Noted: Requires weekend work.

Connectivity
2.7. Is Wireless Network hardware SNMP compliant? - No

Hardware
3.13.4. Removable media devices installed/working correctly? - Yes
Noted: 250MB Iomega Zip drive

Storage
1.1. Define the current overall design and status of the client’s storage solutions: - Company growth is forcing a review of storage policy and management. Server storage is currently "DAS" (Direct Attached Storage) within the 4 servers. As standalone units, their ability to scale is compromised. Overall storage capacity @ 80+% leaving little room for normal usage much less projects where special imaging/testing, etc., requires additional space & resources.

E-Commerce
2. What does the customer’s web site provide? (Please select all that apply) -
Noted: In IT office, but access door frequently unlocked.

Security
2.2.1. Has the client tested their vulnerability with intrusion tools, Web application vulnerability scanner and/or 3rd party service companies? (Date, methodology, findings and current status) - No - desired Project. Will review and supply Project outline ASAP.
2.13. Master CDs, Keys, password logs, SW serial #s and access IDs securely stored? - Yes
Noted: But no current inventory with extra copies kept offsite.

Resources
4.2.5. Has the restore function been tested with critical files such as PSTs, MDBs, etc? - No
Noted: Needs to be performed & verified at least monthly.
4.2.6. Is the backup hardware adequate for current needs and planned growth? - No
Noted: Needs expansion - 15/30 GB Compaq DLT currently in use.
4.2.10. Emergency Repair Disks and date of last update? - No
Noted: Out of date- unable to locate several.
4.2.11. Bootable Media and date of test/update? - No
Noted: Needs to be done, such that NW can be restored by bootable DLT.
6.2. Has run-down testing verified run-time and auto-shutdown? - No
Noted: Priority item. Can be done by current IT staff.
7.1. Does the customer have a written Business Continuity Plan (BCP), including disaster, resumption, recovery and contingency plans? - No
Noted: Requires significant work.
7.2. Describe the overall Business Continuity Plan (BCP) including Disaster Recovery: - Needs rework. Minimal plan in place, many deficiencies relative to documentation, training and logistics. Project plan to be made ASAP.

INTRODUCTION

At the invitation of IT and Executive Management, EPS was retained to perform a Technology Assessment Profile (TAP) on the HQ office of the Sample Company. The TAP was performed primarily in the conference room of the client, May 24th. TAP is a tool that assesses (via interview format) an organization’s actual IT practices and provides insight into areas needing attention. TAP is not designed to be totally inclusive. The information provided is based on data provided at the time of the interview(s) and subsequent partial inspection (as indicated in the report) by EPS.

CURRENT SITUATION

Sample Company is a 24 year old light manufacturer based in San Diego, CA. They manufacture expansion joints and related materials for power plants and other customers that flow large amounts of heated materials through pipe systems.

Privately held by the Wilson family and certain participating investors, Sample company had enjoyed fairly stable growth and profitability until Q4 of 2001, when the "Sept 11th" catastrophe impacted much of the US economy. Following a down period lasting through the 1st half of 2003, the company began to see resumption of normal business patterns, as much of their business is booked months in advance due to the extensive supply chain scenarios common to their customers.

Historically, IT practices at Sample Company have followed the typical "add-on" philosophy, such that investments in IT typically follow/build-on existing practices and infrastructure. A recent departure of the old Director of IT, Tim White and subsequent promotion of Bob Smith as the new Director of IT has caused the company to desire an assessment of their infrastructure and practices.

DESIRED OUTCOME(S) OF TAP

Outcome 1 Provide current assessment of company infrastructure.

Company has grown from several "pockets" of IT:

AlphaMicro based MRP, NT based Back Office, Custom CRM application (Notes) and a mixture of Office templates for other needs. The overall design is now Ethernet with a mixture of dial-up and internet based communication strategies for their supply chain, customers and field-based Sales.

Outcome 2 Provide current assessment of company IT policies.

With the departure of Tim White to a supplier of raw materials to Sample Company, EPS has been asked to review company policies and compare with industry-accepted best practices, pointing out any areas for concern.

Outcome 3 Provide current assessment of company IT practices.

The company wishes to know how they may best be administrating their current installed base to maximize ROI and lessen any security issues. Additionally, company wants an assessment of their current IT project planning.

Outcome 4 Provide findings report on (above) with recommended follow-up projects.

The company is aware the TAP process will review their previously identified areas of concern and produce a findings report with prioritized recommendations for next steps.

DISCOVERY

Understanding the role IT fills within a client’s organization is critical for a VAR to make recommendations based not only on "best practices" but also on company culture, risk tolerance, and management’s current strategic plans.

1. Define strategic business goals of the customer: Market, forecast, plan and manufacture specialized machine parts and certain large scale pipe fittings while maintaining high customer retention, reasonable profits and very high Q/C standards to avoid litigation risks from faulty products. IT is thought to be somewhat under-utilized in helping management execute the business plan.
2. Generally, how does the client view IT overall? Quite well. Looking for additional benefits from practical, cost effective automation steps.
2.1. Is IT viewed as an enabling component of their business? - Yes
2.2. Org Chart:
2.3. What areas "touched" by IT are mission critical? Nearly all areas are now touched by IT and most are viewed to be mission critical as measured by the adverse effect their service denial would have on each group.
3. How have they been kept up to date as far as new technology is concerned? Dependent on IT staff, input from other managers/Execs and occasional consultants.
4. Who is responsible for showing new possibilities to upper management? IT management, historically. The Wilsons view IT as an increasingly important part of the business and are taking more interest in potential offerings IT can bring the company.
4.1. How is this accomplished? Staff meeting review of trade journal articles, white papers, ideas, etc., with IT and subsequent development of projects.
4.2. At what frequency is technology reviewed for new possibilities? Ad hoc only. No formal process review plan based on timeframes.
5. Initiatives in past 12 months that touched IT (List):

Initiative: MRP Implementation
5.1. Was this initiative successful? - Yes
5.2. Did its implementation result in measurable return on investment? - Yes
5.3. Was it performed timely and within budget? - Yes
5.4. Was handoff to the customer done to their satisfaction? - Yes
5.5. Was documentation handed off in a complete, organized fashion? - No
5.6. Has the customer been able to maintain the changes/culture shift brought about by this initiative? - Yes

Initiative: Siebel Analytics
5.1. Was this initiative successful? - Unsure
5.2. Did its implementation result in measurable return on investment? - N/A
5.3. Was it performed timely and within budget? - N/A
5.4. Was handoff to the customer done to their satisfaction? - N/A
5.5. Was documentation handed off in a complete, organized fashion? - N/A
5.6. Has the customer been able to maintain the changes/culture shift brought about by this initiative? - N/A

6. How are new projects approved relative to:
6.1. Standardization (automation, common consoles, scalable, open design): Not at all. Needs holistic approach.
6.2. Virtualization (consolidating pockets of data into flexible, accessible containers): On the agenda for future consideration.
6.3. Enterprise Directories (single, comprehensive directory for rules, relationships and resources): Looking to implement as they abandon the obsolete Alpha based system.
7. Current or planned initiatives that touch IT: Nearly all.
8. Projects in Progress (List):

Project: Oracle Financials
8.1. Is this project managed in a unified, process development sense? - No
8.2. Any scheduling issues? - Yes

8.3. Any support issues (Management/Clients/3rd party, etc): Numerous.
8.4. What is this project's Budget? $80K (R&D)
8.5. Any Resource Issues?
8.6. Any Technical Issues? Server load.
8.7. Other

Project: Sales Data Warehouse
8.1. Is this project managed in a unified, process development sense? - Yes
8.2. Any scheduling issues? - Yes
Note: None so far.
8.3. Any support issues (Management/Clients/3rd party, etc): No
8.4. What is this project's Budget? $20K
8.5. Any Resource Issues? No
8.6. Any Technical Issues? Server placement - NAS issues potentially.
8.7. Other: No other issues at this time

9. Planned Projects (List):

Project: Cognos Planning and Budgeting
9.1. Planned Projects Scheduling: No issues
9.2. Planned Projects Support (Management/Clients/3rd party, etc)
9.3. Planned Projects Budget: TBD
9.4. Planned Projects Resources: TBD
9.5. Planned Projects Technical Issues (to date)
9.6. Other

Project: EDI Implementation
9.1. Planned Projects Scheduling: Continuation of last year's project
9.2. Planned Projects Support (Management/Clients/3rd party, etc): Westerly (Consultants)
9.3. Planned Projects Budget: $15K
9.4. Planned Projects Resources: MRP rollout
9.5. Planned Projects Technical Issues (to date): None
9.6. Other: N/A

10. What methods does the client use to measure ROI such as [(NPV of benefits/NPV of costs)-1]? CFO has done basic calculations on MRP & EDI.
10.1. How does the client use ROI as a decision making tool? 1st year cost and BE analysis.
11. What general "pain" issues (even ones indirectly connected to IT) are identifiable? Some fear of "unknown" with Tim White leaving the company in May. Unsure if all work is correctly documented. Company is aware current data does not extend through common databases allowing better managerial decisions. Some security issues of late (viruses).
12. Is IT (as a department) given a separate budget or is it a cost center (departmental bill back)? Separate Budget. No detailed, forward looking expense Pro-forma.
13. Have expenditures generally stayed close to budget expectations? - Yes
Note: Within 10% of annual expectation for SG&A (including maintenance on installed base). Projects are separately budgeted.
14. How are project overages accounted for?
15. Discuss IT budgeting issues: Budgets capture expected operating expenses well, but always seem to under forecast service, maintenance and consulting needs.
16. Discuss key departments and their unique needs (relative to IT):
Manufacturing - needs to be able to link w/ external supply chain partners
Accounting - needs cross-company data
Executive - desires decision support data + trending
Sales - needs to link CRM with Mail system
17. Do the department managers feel that IT is accessible and helpful? - Yes
Note: Currently, IT is being given the "benefit of the doubt" with the recent departure of Tim White. Bob Smith is liked and respected.
18. How are inter-departmental conflicts relative to IT managed?
Describe reporting structure for IT relative to Executive

Describe involvement of Executive staff with IT
List Executive issues with IT

1. What custom/legacy/franchise applications are in use?

Application: JD Edwards Financials
1.1. Is this application current? - Yes
1.2. Does it adequately serve the business need? - Yes
1.3.2. Upgrades - No
Note: Requires weekend work.
1.3. Are they satisfied with vendor support? - No
1.3.1. Patches/fixes - Yes
1.3.3. Technical support competence - Yes
1.3.4. Technical support timeliness - Yes
1.3.5. Technical support or maintenance contract value - Yes
1.4. Does this application require proprietary HW/technology no longer considered mainstream? - No
1.4.1. If linked to proprietary HW, does the application co-exist well within the overall IT mix? - N/A

Application: JDE MRP
1.1. Is this application current? - No
1.2. Does it adequately serve the business need? - No
1.3.2. Upgrades - No
1.3. Are they satisfied with vendor support? - No
1.3.1. Patches/fixes - No
1.3.3. Technical support competence - N/A
1.3.4. Technical support timeliness - N/A
1.3.5. Technical support or maintenance contract value - No
1.4. Does this application require proprietary HW/technology no longer considered mainstream? - Yes
1.4.1. If linked to proprietary HW, does the application co-exist well within the overall IT mix? - No

2. Are there Business Intelligence applications in use? - Yes
2.1. If so, how are they deployed? Only with limited Exec PCs as consoles.
2.2. Are they temporary solutions? - Yes
3. Does the customer measure the performance of their applications (if yes, how)? Ability to serve needed data to all authorized users, with flexible format and minimal latency.
4. Are all the applications sufficiently documented? - No
Note: PreFab documentation clearly dated and insufficient.

Great Plains accounting SW documentation is marginal, for both original installation and subsequent customization.

Office templates up to date and fairly easy to use in most instances.

4.1. Is the documentation kept in an appropriate location with off-site copies? - Yes
4.1.1. Are the applications sufficiently supported by in-house staff? - Unsure
4.1.2. Is succession training (HR) in place for legacy applications that will stay in place? - No
4.2. For Production or Legacy applications not developed in-house, current licensing status:
4.2.1. Source-code owned? - Yes
4.2.2. Perpetual, paid-up license? - Yes
4.2.3. Annual license fee/renewal? - Yes
4.2.3.1. How are fees calculated (revenue, per seat, etc)? Great Plains calculated on concurrent users (licensed for 5). Appears to be adequate for current workload. Adding licenses easy and can be accomplished "in house" with no server re-boots.
4.2.3.2. Does the organization qualify for reduced government or non-profit pricing? - Unsure
4.2.3.3. Is there a plan to transition legacy applications to SOA (Service Oriented Architecture, leveraging standard mechanisms such as XML)? - Yes
4.2.3.4. Is there a plan for application virtualization? - Yes

NETWORK DESIGN

Analysis of the client’s overall network design may reveal both issues and opportunities. Issues may include factors limiting the infrastructure’s ability to handle not only the current load, but also the load planned near-term. Opportunities begin with taking a "holistic" view of the overall design prior to designating additional support or new money, and may lead to new ways of delivering scalable bandwidth to the user community for the same or less cost per seat.

1. Define (overall) customer network design and topology (Discuss high level issues): 100MB ethernet backbone and 10/100 clients (PC & Mac). Unmanaged using 3ea 3Com Super Stack switches. Internet access via DSL to router to firewall.
1.1. Enterprise View (if appropriate): No outside connection other than VPN or internet access.
1.2. Domains: Sample (others have been reserved/paid for but not currently in use)
1.3. Trusts: Sample (no external)
1.4. Is the Network configuration documented? - Yes
1.4.1. Are NW Procedures Documented? - No
1.4.2. How is the documentation made available to appropriate personnel? - Yes
1.4.3. Are the documents checked for validity at least annually? - Yes
1.5. IP Address License(s) (List ranges):
1.5.1. Class A
1.5.2. Class B
1.5.3. Class C: 195.31.26.XXX
1.6. Private IP Schemes and number of subnets:
1.6.1. XXX.0.0.0
1.6.2. XXX.XXX.0.0.
1.6.3. XXX.XXX.XXX.0 255.255.255.195
1.7. Number of Segments - 3
1.7.1. Average Number of clients per segment - 20
1.7.2. Is the network subnet mask for IP clients appropriate? - N/A
1.7.3. What routing protocol is in place and is it adequate?
1.7.3.1. Are all routing devices hardware routers? - Yes
1.7.4. Is segmentation done by router or switch or both (%)? Both
1.7.5. Are there any VLANs? - No
1.7.6. Is there a VLAN domain? - No
1.8. Network Protocols (percentage of LAN):
1.8.1. IP: 100%
1.8.2. Other
1.9. Network Protocols/Carriers (percentage of WAN):
1.9.1. Frame Relay
1.9.2. Leased Lines
1.9.3. ATM Circuits
1.9.4. Broadband (DSL/Cable): 100%
1.9.5. ISDN
1.9.6. Dial Up / POTS (Not Individual Users)
1.9.7. Wireless
1.9.8. Site to Site VPN (excluding remote access clients)
1.9.9. (Gigaman, Satellite, etc).

1.10. Who designed the current architecture? Tim White and consultants.
1.11. Dates of major updates:
Q2, 99: Last bus segment/hub removed. NW full "star" design.
Q1, 02: VPN implemented for external/remote associates.
1.12. Fail Over for Critical Lines? PacBell providing fall back circuit.
1.13. Fail overs tested and connections/access verified? - N/A
2. Overall Connectivity Schema:
2.1. Switched/Unswitched: Unswitched (single segment), flat network- servers to 24 port Superstack switches to router/firewall/clients.
2.2. Managed/Unmanaged: Unmanaged
2.3. Copper/Wireless: 100% copper
3. Are there any known operational/support or design issues with the NW at this time such as:
3.1. Oversubscribed Ports/Switches? - No
3.2. Subnetting? - Yes
3.3. Routing? - Unsure
3.4. Mail/Messaging? - No
3.5. Printing/FAXing? - No
3.6. Others: NW documentation issues
4. Are there significant bandwidth issues due to:
4.1. Streaming Video or Audio - Yes
4.2. Backup - No
4.3. Video Conferencing - No
4.4. Downloads - No
4.5. FTP Support - Yes
4.6. LAN Telephony/VOIP - N/A
4.7. Large security keys? - N/A
5. Is there a current facilities floor plan that includes A/C, Drops, Panels, etc? - Yes
Note: 90% complete. Manually drawn.
6. Current Network diagram (Connectivity, IP Schema)? - Yes
Note: As currently designed.
6.1. Is the map current? - No
7. Are the current LAN / WAN Design(s) meeting the bandwidth requirements of the client's current applications and projects? - Yes
Note: Ok for now - will need expansion with next significant NW upgrade, especially if planned WebEx capabilities results in more DT conferencing.
7.1. If so, will it meet the expected needs for the next 2-3 years? - No

Host networking
8.1. Does the customer connect PCs to large scale systems (AS400, Sun, etc.)? - No
8.1.1. Any current issues w/ connectivity, refresh, display, etc? N/A
8.1.2. How are sessions established (Network protocol, gateway, etc)? N/A
8.1.3. How is the Host system serviced and maintained? N/A
8.1.4. Is Host traffic given priority placement/queuing on WAN lines? - N/A
8.2. Any legacy terminal emulation schemes in place? (as in 5250 or 3170, not Citrix ICA or MS RDP) - No
8.2.1. If so, is there a plan to convert applications to Open System and/or TCP/IP? - N/A

WAN
9.1. Is the Wide Area Network providing enough bandwidth for the clients current applications? - N/A
9.1.1. If not is there a plan to increase or redesign the WAN to improve performance or reduce bandwidth requirements? - N/A
9.2. Who is the WAN carrier (National or Regional) and is the customer satisfied with the service? N/A
9.3. How has the WAN hardware performed, and has the Vendor provided adequate support? N/A
9.3.1. What WAN technologies are in use (frame relay, ATM, Sonet, leased lines or Carrier Ethernet)? N/A
9.3.2. Describe any current issues (Bridged Protocols, VLAN assigned switches, etc.) N/A
9.4. What is the WAN Carrier contact information? N/A
9.4.1. Does the WAN carrier resolve issues in a timely manner? - No
9.5. Have the WAN costs been competitively justified? - N/A

CONNECTIVITY

Historically, segmentation and cabling were relegated to "lower importance" in many businesses, where slower rates of data transfer allowed less than ideal design, installation and management. With today’s high rates of data transfer, wiring problems may be mistaken for problems caused by other factors (HW faults, O/S issues, etc). Understanding how a client’s current copper, fiber and wireless infrastructure has been designed and installed is very important to assess overall suitability on a "go-forward" basis.

Cabling Management
1.1. Has the cable plant been certified? If so, by whom and when? (Discuss any high level issues): Has not. Installed over time by various cabling contractors. Latest install for HQ building (1) checked out as meeting Cat 5.
1.2. Describe the overall condition and capability of the connectivity plan (copper, fiber, wireless and other- discuss any high level issues): Some installed TP originally down as 10MB Cat3 are currently running at Cat5 with no apparent issues. New lines run for all 100MB+ critical links/segments. Many lines not accessible for service inspection due to overhead placement, coverage by insulation or conduits.
1.3. Cabling type (overall percentage of installation):
1.3.1. Cat 3 or less (10MB): 10%
1.3.2. Cat 5 (100MB): 90%
1.3.3. Cat 5e/6 (GB)
1.3.4. Other (Coax, Type-1, Fiber, etc)
1.4. Are cables properly installed? - Unsure
1.4.1. Distance conforms with type? - Unsure
1.4.2. Appropriate Supports/Ties/Ladders? - Unsure
1.4.3. Proper Conduits? - Yes
1.4.3.1. Remaining room for new pulls known? - Unsure
1.4.4. EMI/RFI issues? - No
1.4.5. Cables labeled both ends? - Yes
1.4.6. Wall Plates proper type and labeled? - Yes
1.4.7. Plenum requirements and installation? - No
1.4.8. Sufficient slack for re-termination? - No
1.4.9. Any known exposures (between floors, cubicles, etc)? - No
2. Wireless
2.1. Did client conduct ROI study prior to deployment (and summary of results)? N/A

2.3. What Site Surveying and Planning tools have been employed (Location Manager etc., NetStumbler, AirMagnet Surveyor, etc) and what were the overall findings? N/A
2.2. What percentage of the client’s users are wireless? What ROI studies has the client performed to justify this number relative to efficiency, direct and indirect costs, reduced office space, training and security? N/A
2.4. Installation Types:
2.4.1. 802.11a (54Mb): N/A
2.4.2. 802.11b (54Mb+): N/A
2.4.3. 802.11g (>22Mb): None installed
2.4.4. 802.11x (other)
2.4.5. High Speed (3G, WiMAX, Metro WiFi, etc)
2.4.5.1. If high speed, how was current platform selected and cost justified?
2.4.6. Define Architecture (AP or Controller based): N/A
2.4.7. Define base station types and antenna placement: Evaluation units only in IT (Enterasys).
2.4.8. Has the customer re-verified the actual usage of "popular" base station locations for possible splitting to better serve the user bandwidth requirements? - Yes
2.5. Type of Wireless encryption / Authentication per 802.11i (WPA2 – 802.1X authentication, CBC MAC, AES-CCMP, etc.): N/A
2.5.1. Default WiFi passwords changed? - No
2.5.2. Encryption security enabled and tested? - Yes
2.5.2.1. Remote users employing VPN such as IPsec, SSL or 3rd party (Net Motion) to further security? - Yes
2.5.2.2. SSID broadcasting turned off as a default? - Yes
2.5.3. MAC address filtering (or other schema) in place to address unsecured "hot spots"? - Yes
2.6. Single Vendor Wireless solution? - Yes
2.7. Is Wireless Network hardware SNMP compliant? - No
Note:
2.8. Over what distance is the Wireless solution operating? N/A

2.9. Are the Wireless devices supporting end nodes, or bridging network segments? N/A
2.10. How is the system reliability measured? N/A
2.11. What "Middleware" products are in use? N/A
2.11.1. Does the middleware effectively address connection management? - N/A
2.11.2. Does the middleware offer store and forwarding? - N/A
2.11.3. Does the middleware support "push" capabilities? - N/A
2.11.4. Does the middleware support DHCP? - N/A
2.12. Cellular Data Policies
2.12.1. Define overall cellular data usage and where it fits within wireless schema: Blackberry only
2.12.2. What Smart phones are in use (Blackberry, Treo, Q phone, etc.): 3 ea by Execs and Director of Sales.
2.12.3. Separate remote-access architecture vs. mobile PCs (mobile VPNs, SSL VPNs, etc)? N/A
3. Number of Connectivity Devices and Type:

Type: Switch
Purpose: Autosensing internal network distribution
OEM: 3Com
Quantity: 3
Model/Part #: Superstack 24
Comments: Approx 3 years old (2) with one new unit

Type: Router
Purpose: Routing IP to/from DSL circuit (internet)
OEM: Cisco
Quantity: 1
Model/Part #: 678
Comments: Recent upgrade from 2600

Type: Firewall
Purpose: DMZ
OEM: Netscreen
Quantity: 1
Model/Part #: 5XP
Comments: Recent upgrade with VPN

4. Are hub and/or switch types properly matched to topology? - Yes
Note: As unmanaged.
4.1. Is NW throughput appropriate for current/planned workload? - Yes
4.2. Do devices provide appropriate port density for current situation? - No
4.2.1. Port growth plans for next 12 months: Additional 10-12 users, plus additional printers.
4.3. Device cable management proper and conforming to OEM and Cat 5 (+) specs? - Yes
4.4. Are components properly installed in racks, with spacing per OEM guidelines? - Yes

HARDWARE

Physical inspection of the connected hardware is essential to reveal the overall age, suitability and usage of the client’s server and PC resources. Use of automated tools to assist in the discovery process can accelerate the accurate collection of "what is where" as well as gathering data for asset registries. Some of these tools are available as shareware and are listed in the "tools" section of TAP.

1. Servers: Number, Name, Type and Hierarchy Role/Domain/Tree/Context

Number: 1
Name: Jedi
OEM: Compaq
Location:
Descript: Proliant
OEM PT#: 5000
NOS: NT 2000 Server
Function: PDC - IIS

1.1. Is there an asset registry (XLS, DataBase, document, etc.)? - Yes
1.1.1. Date server purchased and put in current service (if different): 12/1/03
1.1.2. Asset tags (attached, date, serial #s)? - Yes
1.2. Is physical chassis adequate for current/planned workload (slots, bays, etc.)? - Unsure
1.3. Internal components adequate?
1.3.1. CPU(s)/ L2 cache (acceptable CPU utilization) - Yes
1.3.2. RAM (sized per NOS and OEM recommendations and proper brand/type?) - Yes
1.4. All internal NICs, cards installed in correct slots and documented? - Yes
1.5. Appropriate cables used for sub-systems (Fiber, SCSI 3, etc.) - Yes
1.6. Cooling fans adequate and tested for actual thermal output? - Yes
1.7. Are external components adequate for current/planned workloads/growth? - Yes
1.8. External Sub-systems within proper distance and correctly cabled? - Yes
1.9. Proper component labeling? - Yes
1.10. Change management log for upgrades, downtime, etc.? - Yes
1.10.1. Are the logs on a per server basis? - No
1.10.2. Are the logs stored electronically or on paper? Paper/binders only
1.10.3. Reboot logs inspected monthly? 8-14, Patch application
1.11. Is server properly installed in rack, with spacing per OEM guidelines? - N/A
1.12. Is rack properly grounded and bolted to floor/ceiling, per OEM, OSHA and/or Gov’t (seismic) standards, etc.? - N/A
1.13. Is air circulation/cooling (HVAC) adequate? - Yes
1.14. Are OEM HW management tools properly installed and running? - Unsure
1.14.1. What recurring reports are being generated? ("Health" Log, 3rd party SW, etc)? Event logs, Veritas only.
1.14.2. How are reports disseminated? (Console, e-mail, etc)? Console inspection. Should be e-mailed in addition to administrator(s).
1.14.3. Who reviews reports? IT team
1.14.4. Recurring issues/trends of not? Memory utilization and disk space continuing to grow.
1.15. Utilization tested under load (Task Manager, etc)? - No
1.16. Event Viewer / Logs checked?
1.16.1. System - Yes
1.16.2. Security - Yes
1.16.3. Applications - Yes
1.16.4. How long are the logs kept (log size) before over-written? 200K as of last changes.
1.17. Services checked for status, usefulness, etc? - Yes
1.18. HW alert parameters, auto-page, etc.? - Yes

1.19. Is the network actively monitored? - No 1.19.1. If network is actively monitored, who monitors it? N/A 1.20. Is the network traffic monitored for segmentation/backbone change needs? - No 1.21. Is trend analysis used to foresee future growth and needs? - No 1.22. Server Internal Storage 1.22.1. Drive Type (Wide SCSI, IDE, etc) 7,200 RPM wide SCSI 1.22.2. Number of Drives - 5 1.22.3. Individual capacities 18GB 1.22.4. Controller Type(s)? Compaq 3200 1.22.5. Checked for HW conflicts (Device Manager)? - No 1.22.6. Array (Supports hot swapping?) - Yes 1.22.7. Mirroring? - N/A 1.22.8. Duplexing? - N/A 1.22.9. Misc. Settings

Number: 2 | Name: Batman | OEM: Compaq | Location: | Descript: Proliant | OEM PT#: 3000 | NOS: NT 2000 Server | Function: Application Server - Great Plains

1.1. Is there an asset registry (XLS, DataBase, document, etc.)? - Yes 1.1.1. Date server purchased and put in current service (if different) 1-4-2002 1.1.2. Asset tags (attached, date, serial #s)? - Yes 1.2. Is physical chassis adequate for current/planned workload (slots, bays, etc.)? - Yes 1.3. Internal components adequate? 1.3.1. CPU(s)/ L2 cache (acceptable CPU utilization) - Yes 1.3.2. RAM (sized per NOS and OEM recommendations and proper brand/type?) - Yes

1.4. All internal NICs, cards installed in correct slots and documented? - Unsure 1.5. Appropriate cables used for sub-systems (Fiber, SCSI 3, etc.) - Unsure 1.6. Cooling fans adequate and tested for actual thermal output? - Unsure 1.7. Are external components adequate for current/planned workloads/growth? - N/A 1.8. External Sub-systems within proper distance and correctly cabled? - N/A 1.9. Proper component labeling? - Yes 1.10. Change management log for upgrades, downtime, etc.? - Yes 1.10.1. Are the logs on a per server basis? - Yes 1.10.2. Are the logs stored electronically or on paper? Paper (IT binder) 1.10.3. Reboot logs inspected monthly? 4-10-2003 - Microsoft patch 1.11. Is server properly installed in rack, with spacing per OEM guidelines? - N/A 1.12. Is rack properly grounded and bolted to floor/ceiling, per OEM, OSHA and/or Gov’t (seismic) standards, etc.? - N/A 1.13. Is air circulation/cooling (HVAC) adequate? - Yes 1.14. Are OEM HW management tools properly installed and running? - N/A 1.14.1. What recurring reports are being generated? ("Health" Log, 3rd party SW, etc)? System report 1.14.2. How are reports disseminated? (Console, e-mail, etc)? e-mail to admins. 1.14.3. Who reviews reports? IT team 1.14.4. Recurring issues/trends of note? Storage 1.15. Utilization tested under load (Task Manager, etc)? - No 1.16. Event Viewer / Logs checked? 1.16.1. System - Yes 1.16.2. Security - N/A 1.16.3. Applications - N/A 1.16.4. How long are the logs kept (log size) before over-written? 200K 1.17. Services checked for status, usefulness, etc? - Yes 1.18. HW alert parameters, auto-page, etc.? - Yes 1.19. Is the network actively monitored? - No 1.19.1. If network is actively monitored, who monitors it?

1.20. Is the network traffic monitored for segmentation/backbone change needs? - No 1.21. Is trend analysis used to foresee future growth and needs? - No 1.22. Server Internal Storage 1.22.1. Drive Type (Wide SCSI, IDE, etc) Wide SCSI 1.22.2. Number of Drives - 3 1.22.3. Individual capacities 18GB 1.22.4. Controller Type(s)? Compaq 3200 1.22.5. Checked for HW conflicts (Device Manager)? - Yes 1.22.6. Array (Supports hot swapping?) - Yes 1.22.7. Mirroring? - N/A 1.22.8. Duplexing? - N/A 1.22.9. Misc. Settings

Number: 3 | Name: Dilbert | OEM: Compaq | Location: | Descript: Proliant | OEM PT#: 1600 | NOS: NT 2000 Server | Function: Exchange / SQL

1.1. Is there an asset registry (XLS, DataBase, document, etc.)? - Yes 1.1.1. Date server purchased and put in current service (if different) Jan, 2000 1.1.2. Asset tags (attached, date, serial #s)? - Yes 1.2. Is physical chassis adequate for current/planned workload (slots, bays, etc.)? - N/A 1.3. Internal components adequate? 1.3.1. CPU(s)/ L2 cache (acceptable CPU utilization) - Unsure 1.3.2. RAM (sized per NOS and OEM recommendations and proper brand/type?) - Unsure 1.4. All internal NICs, cards installed in correct slots and documented? - Yes 1.5. Appropriate cables used for sub-systems (Fiber, SCSI 3, etc.) - Yes 1.6. Cooling fans adequate and tested for actual thermal output? - Unsure

1.7. Are external components adequate for current/planned workloads/growth? - N/A 1.8. External Sub-systems within proper distance and correctly cabled? - N/A 1.9. Proper component labeling? - Yes 1.10. Change management log for upgrades, downtime, etc.? - Yes 1.10.1. Are the logs on a per server basis? - Yes 1.10.2. Are the logs stored electronically or on paper? Paper, IT office 1.10.3. Reboot logs inspected monthly? June, 2003 (unknown) 1.11. Is server properly installed in rack, with spacing per OEM guidelines? - N/A 1.12. Is rack properly grounded and bolted to floor/ceiling, per OEM, OSHA and/or Gov’t (seismic) standards, etc.? - N/A 1.13. Is air circulation/cooling (HVAC) adequate? - Yes 1.14. Are OEM HW management tools properly installed and running? - N/A 1.14.1. What recurring reports are being generated? ("Health" Log, 3rd party SW, etc)? Event logs only 1.14.2. How are reports disseminated? (Console, e-mail, etc)? Console only. 1.14.3. Who reviews reports? IT Team 1.14.4. Recurring issues/trends of note? Unknown 1.15. Utilization tested under load (Task Manager, etc)? - No 1.16. Event Viewer / Logs checked? 1.16.1. System - Yes 1.16.2. Security - Yes 1.16.3. Applications - N/A 1.16.4. How long are the logs kept (log size) before over-written? 200K 1.17. Services checked for status, usefulness, etc? - Yes 1.18. HW alert parameters, auto-page, etc.? - N/A 1.19. Is the network actively monitored? - No 1.19.1. If network is actively monitored, who monitors it? 1.20. Is the network traffic monitored for segmentation/backbone change needs? - No 1.21. Is trend analysis used to foresee future growth and needs? - No 1.22. Server Internal Storage

1.22.1. Drive Type (Wide SCSI, IDE, etc) Wide SCSI 1.22.2. Number of Drives - 2 1.22.3. Individual capacities 18 GB 1.22.4. Controller Type(s)? Compaq 1600 1.22.5. Checked for HW conflicts (Device Manager)? - Yes 1.22.6. Array (Supports hot swapping?) - No 1.22.7. Mirroring? - Yes 1.22.8. Duplexing? - N/A 1.22.9. Misc. Settings

Number: 4 | Name: Cranky | OEM: Alpha Micro | Location: | Descript: AM | OEM PT#: 2000 | NOS: Alpha Micro | Function: Application Server - "Prefab" (MRP)

1.1. Is there an asset registry (XLS, DataBase, document, etc.)? - Yes 1.1.1. Date server purchased and put in current service (if different) - 1995 1.1.2. Asset tags (attached, date, serial #s)? - Yes 1.2. Is physical chassis adequate for current/planned workload (slots, bays, etc.)? - Yes 1.3. Internal components adequate? 1.3.1. CPU(s)/ L2 cache (acceptable CPU utilization) - Unsure 1.3.2. RAM (sized per NOS and OEM recommendations and proper brand/type?) - Unsure 1.4. All internal NICs, cards installed in correct slots and documented? - Unsure 1.5. Appropriate cables used for sub-systems (Fiber, SCSI 3, etc.) - Unsure 1.6. Cooling fans adequate and tested for actual thermal output? - Unsure 1.7. Are external components adequate for current/planned workloads/growth? - Unsure 1.8. External Sub-systems within proper distance and correctly cabled? - N/A 1.9. Proper component labeling? - N/A 1.10. Change management log for upgrades, downtime, etc.? - Yes

1.10.1. Are the logs on a per server basis? - Yes 1.10.2. Are the logs stored electronically or on paper? paper 1.10.3. Reboot logs inspected monthly? December 15 - System lockup (no cause noted) 1.11. Is server properly installed in rack, with spacing per OEM guidelines? - N/A 1.12. Is rack properly grounded and bolted to floor/ceiling, per OEM, OSHA and/or Gov’t (seismic) standards, etc.? - N/A 1.13. Is air circulation/cooling (HVAC) adequate? - Yes 1.14. Are OEM HW management tools properly installed and running? - Unsure 1.14.1. What recurring reports are being generated? ("Health" Log, 3rd party SW, etc)? None observed 1.14.2. How are reports disseminated? (Console, e-mail, etc)? Console only 1.14.3. Who reviews reports? IT team 1.14.4. Recurring issues/trends of note? Degradation of performance, reboots. 1.15. Utilization tested under load (Task Manager, etc)? - No 1.16. Event Viewer / Logs checked? 1.16.1. System - Yes 1.16.2. Security - N/A 1.16.3. Applications - Yes 1.16.4. How long are the logs kept (log size) before over-written? N/A 1.17. Services checked for status, usefulness, etc? - No 1.18. HW alert parameters, auto-page, etc.? - No 1.19. Is the network actively monitored? - No 1.19.1. If network is actively monitored, who monitors it? 1.20. Is the network traffic monitored for segmentation/backbone change needs? - N/A 1.21. Is trend analysis used to foresee future growth and needs? - No 1.22. Server Internal Storage 1.22.1. Drive Type (Wide SCSI, IDE, etc) SCSI 1.22.2. Number of Drives - 2 1.22.3. Individual capacities 1GB 1.22.4. Controller Type(s)? Proprietary 1.22.5. Checked for HW conflicts (Device Manager)? - No 1.22.6. Array (Supports hot swapping?) - No 1.22.7. Mirroring? - Yes 1.22.8. Duplexing? - N/A 1.22.9. Misc. Settings

2. PC/Thin Clients Totals: 2.1. PCs - 48 2.2. MACs - 2 2.3. Thin Clients - 0 2.4. Others (PDAs, Blackberrys ™, etc) 1 (Mgmt terminal for AM)

3. Critical Desktops/Notebooks

Number: 1 | User Name: Bob Smith | Location: Bob's office | OEM: Compaq | Descript: Deskpro | OEM PT#: 500

3.1. Is there an asset registry (XLS, DataBase, document, etc)? - Yes 3.2. Asset tags (attached, date, serial #s)? On face 3.3. Any current issues (boot time, system hangs, memory leaks, etc)? Nothing out of normal - Ad-Aware(TM) also installed for spyware detection. 3.4. Temporary internet files maintained? - Yes 3.5. Programs removed properly (Add/Remove-Control Panel or 3rd party apps)? - Yes 3.6. Use of probes to monitor for spyware; i.e. Lavasoft’s Ad-Aware? - Yes 3.7. File vs. Drive compression in place, if required? - No 3.8. Automated Maintenance properly setup (Maintenance Wizard, etc.)? - Yes 3.9. Are internal components adequate for current/planned workloads? - Yes 3.9.1. CPU/cache/virtual memory appropriate for user workload? - Yes

3.9.2. 64 MB RAM (min) for each normally open application in addition to 256MB for O/S? - Yes 3.9.3. 4GB+ free on HD/Volume after applications and local folders? - Yes 3.9.3.1. Partitioning schema for older (FAT) PCs? - N/A 3.9.3.2. Conversion to NTFS planned? - N/A 3.9.4. Video subsystem appropriate for client workload? - Yes 3.9.5. Recovery console (XP) setup? - Yes 3.10. Display type (CRT, Panel and size)? 17" TFT (Compaq) 3.10.1. Graphics controller set for appropriate resolution/colors? - No 3.10.2. Graphics controller set for appropriate acceleration? - Unsure 3.10.3. Latest drivers, BIOS and Apps (Direct-X, Network etc)? - No 3.10.4. Display and keyboard optimally located for visibility/ergonomics? - Yes 3.11. NICs and other cards per standard and properly installed in correct slots? - No 3.11.1. NIC configuration and protocols per standards (WINS, Gateway, DNS, etc)? - Yes 3.12. Temporary files maintained? - Yes 3.13. Are external components adequate for current/planned workloads? - Unsure 3.13.1. Appropriate interface and connections (USB, SCSI, IDE, etc)? - Yes 3.13.2. Input devices (keyboards, mouse, digitizer/scanner)? - No 3.13.3. CD and/or DVD set to correct mode(s) and working correctly? - No 3.13.4. Removable media devices installed/working correctly? - Yes Note: 250MB Iomega Zip drive 3.13.5. Local UPS for critical workstations (volt-amp calculation for sizing) - Yes 3.13.6. Is PC located properly for access, ventilation and physical security? - Yes

Number: 2 | User Name: Tom Murphy | Location: Tom's office | OEM: Compaq | Descript: EVO | OEM PT#: D500

3.1. Is there an asset registry (XLS, DataBase, document, etc)? - N/A 3.2. Asset tags (attached, date, serial #s)? (This system not checked completely) 3.3. Any current issues (boot time, system hangs, memory leaks, etc)? 3.4. Temporary internet files maintained? - N/A

3.5. Programs removed properly (Add/Remove-Control Panel or 3rd party apps)? - N/A 3.6. Use of probes to monitor for spyware; i.e. Lavasoft’s Ad-Aware? - N/A 3.7. File vs. Drive compression in place, if required? - N/A 3.8. Automated Maintenance properly setup (Maintenance Wizard, etc.)? - N/A 3.9. Are internal components adequate for current/planned workloads? - N/A 3.9.1. CPU/cache/virtual memory appropriate for user workload? - N/A 3.9.2. 64 MB RAM (min) for each normally open application in addition to 256MB for O/S? - N/A 3.9.3. 4GB+ free on HD/Volume after applications and local folders? - N/A 3.9.3.1. Partitioning schema for older (FAT) PCs? - N/A 3.9.3.2. Conversion to NTFS planned? - N/A 3.9.4. Video subsystem appropriate for client workload? - N/A 3.9.5. Recovery console (XP) setup? - N/A 3.10. Display type (CRT, Panel and size)? 3.10.1. Graphics controller set for appropriate resolution/colors? - N/A 3.10.2. Graphics controller set for appropriate acceleration? - N/A 3.10.3. Latest drivers, BIOS and Apps (Direct-X, Network etc)? - N/A 3.10.4. Display and keyboard optimally located for visibility/ergonomics? - N/A 3.11. NICs and other cards per standard and properly installed in correct slots? - N/A 3.11.1. NIC configuration and protocols per standards (WINS, Gateway, DNS, etc)? - N/A 3.12. Temporary files maintained? - N/A 3.13. Are external components adequate for current/planned workloads? - N/A 3.13.1. Appropriate interface and connections (USB, SCSI, IDE, etc)? - N/A 3.13.2. Input devices (keyboards, mouse, digitizer/scanner)? - N/A 3.13.3. CD and/or DVD set to correct mode(s) and working correctly? - N/A 3.13.4. Removable media devices installed/working correctly? - N/A 3.13.5. Local UPS for critical workstations (volt-amp calculation for sizing) - N/A 3.13.6. Is PC located properly for access, ventilation and physical security? - N/A

Number: 3 | User Name: Janice Thompson | Location: IT office cubicle | OEM: HP | Descript: Vectra | OEM PT#: VL 420

3.1. Is there an asset registry (XLS, DataBase, document, etc)? - Yes

3.2. Asset tags (attached, date, serial #s)? This system not checked completely yet. 3.3. Any current issues (boot time, system hangs, memory leaks, etc)? 3.4. Temporary internet files maintained? - N/A 3.5. Programs removed properly (Add/Remove-Control Panel or 3rd party apps)? - N/A 3.6. Use of probes to monitor for spyware; i.e. Lavasoft’s Ad-Aware? - N/A 3.7. File vs. Drive compression in place, if required? - N/A 3.8. Automated Maintenance properly setup (Maintenance Wizard, etc.)? - N/A 3.9. Are internal components adequate for current/planned workloads? - N/A 3.9.1. CPU/cache/virtual memory appropriate for user workload? - N/A 3.9.2. 64 MB RAM (min) for each normally open application in addition to 256MB for O/S? - N/A 3.9.3. 4GB+ free on HD/Volume after applications and local folders? - N/A 3.9.3.1. Partitioning schema for older (FAT) PCs? - N/A 3.9.3.2. Conversion to NTFS planned? - N/A 3.9.4. Video subsystem appropriate for client workload? - N/A 3.9.5. Recovery console (XP) setup? - N/A 3.10. Display type (CRT, Panel and size)? 3.10.1. Graphics controller set for appropriate resolution/colors? - N/A 3.10.2. Graphics controller set for appropriate acceleration? - N/A 3.10.3. Latest drivers, BIOS and Apps (Direct-X, Network etc)? - N/A 3.10.4. Display and keyboard optimally located for visibility/ergonomics? - N/A 3.11. NICs and other cards per standard and properly installed in correct slots? - N/A 3.11.1. NIC configuration and protocols per standards (WINS, Gateway, DNS, etc)? - N/A 3.12. Temporary files maintained? - N/A 3.13. Are external components adequate for current/planned workloads? - N/A 3.13.1. Appropriate interface and connections (USB, SCSI, IDE, etc)? - N/A 3.13.2. Input devices (keyboards, mouse, digitizer/scanner)? - N/A 3.13.3. CD and/or DVD set to correct mode(s) and working correctly? - N/A 3.13.4. Removable media devices installed/working correctly? - N/A 3.13.5. Local UPS for critical workstations (volt-amp calculation for sizing) - N/A 3.13.6. Is PC located properly for access, ventilation and physical security? - N/A

Number: 4 | User Name: John Williams | Location: Building 2, John's cubicle | OEM: HP | Descript: Vectra VL | OEM PT#: 420

3.1. Is there an asset registry (XLS, DataBase, document, etc)? - Yes 3.2. Asset tags (attached, date, serial #s)? This system not completely checked yet. 3.3. Any current issues (boot time, system hangs, memory leaks, etc)? 3.4. Temporary internet files maintained? - N/A 3.5. Programs removed properly (Add/Remove-Control Panel or 3rd party apps)? - N/A 3.6. Use of probes to monitor for spyware; i.e. Lavasoft’s Ad-Aware? - N/A 3.7. File vs. Drive compression in place, if required? - N/A 3.8. Automated Maintenance properly setup (Maintenance Wizard, etc.)? - N/A 3.9. Are internal components adequate for current/planned workloads? - N/A 3.9.1. CPU/cache/virtual memory appropriate for user workload? - N/A 3.9.2. 64 MB RAM (min) for each normally open application in addition to 256MB for O/S? - N/A 3.9.3. 4GB+ free on HD/Volume after applications and local folders? - N/A 3.9.3.1. Partitioning schema for older (FAT) PCs? - N/A 3.9.3.2. Conversion to NTFS planned? - N/A 3.9.4. Video subsystem appropriate for client workload? - N/A 3.9.5. Recovery console (XP) setup? - N/A 3.10. Display type (CRT, Panel and size)? 3.10.1. Graphics controller set for appropriate resolution/colors? - N/A 3.10.2. Graphics controller set for appropriate acceleration? - N/A 3.10.3. Latest drivers, BIOS and Apps (Direct-X, Network etc)? - N/A 3.10.4. Display and keyboard optimally located for visibility/ergonomics? - N/A 3.11. NICs and other cards per standard and properly installed in correct slots? - N/A 3.11.1. NIC configuration and protocols per standards (WINS, Gateway, DNS, etc)? - N/A 3.12. Temporary files maintained? - N/A 3.13. Are external components adequate for current/planned workloads? - N/A 3.13.1. Appropriate interface and connections (USB, SCSI, IDE, etc)? - N/A 3.13.2. Input devices (keyboards, mouse, digitizer/scanner)? - N/A 3.13.3. CD and/or DVD set to correct mode(s) and working correctly? - N/A 3.13.4. Removable media devices installed/working correctly? - N/A 3.13.5. Local UPS for critical workstations (volt-amp calculation for sizing) - N/A 3.13.6. Is PC located properly for access, ventilation and physical security? - N/A

4. Thin Client Issues 4.1. Is a terminal services application in use? - No 4.2. Is the hardware adequate? - N/A 4.3. What types of clients are in use?

4.4. Is the solution current? - N/A 4.5. How and when has the solution been updated?

STORAGE

With the escalating requirements overall for file storage, and the increasing need to archive records for long periods of time, proper storage planning starts at the server level (DAS) and may include Network Attached Storage (NAS) or even Storage Area Networks (SANs). Whether through relatively inexpensive IDE or SCSI arrays within the server itself, or appliance-managed, O/S-independent SANs that offer a high level of fault tolerance, maintaining gigabytes or terabytes of data online (and replicated elsewhere) is a mission-critical function.

Storage Requirements and Planning

1.1. Define the current overall design and status of the client’s storage solutions: Company growth is forcing a review of storage policy and management. Server storage is currently "DAS" (Direct Attached Storage) within the 4 servers. As standalone units, their ability to scale is compromised. Overall storage capacity is at 80+%, leaving little room for normal usage, much less projects where special imaging/testing, etc., requires additional space & resources. 1.1.1. What % of their storage is located in house (vs. off site replication)? 100% 1.2. Known issues and current levels of remediation: 80% (plus) capacity. Will provide proposal for NAS/SAN solution providing reliable, scalable storage at first opportunity. 1.3. How much storage capacity is needed within 6, 12 and 18 months? 500 GB near term - unknown past 6-12 months, depending on imaging requirements for new MRP system and document management. 1.4. What compliance issues are affecting storage requirements (mail and document retention, etc)? HR for potential lawsuits (e-mail) and potentially EPA for solvent usage in manufacturing. 2. NAS (Network Attached Storage) 2.1. NAS in service? - Yes 2.2. Type/OEM Overland - Ultamus 2.3. Location IT

2.4. Capacity 2TB 2.5. How (and by whom) Managed? Overland Console 2.6. Location(s) of console(s)? IT and Exec 2.7. What Backup SW is in place? Backup Exec (Server and NAS) 2.7.1. Is the backup SW current, with all updates verified? - Yes 2.7.2. Does the license count cover all users with enough extra seats for immediate growth? - N/A 2.7.3. When are the logs checked? Monthly 2.7.4. Restoration tested at least monthly, including folders, files and mail? - No 2.8. User Access, Mapping and Rights verified at least quarterly? - N/A 2.9. How is data integrity checked? Manual comparison. 2.10. What maintenance tools are in place? OEM only. 3. SAN (Storage Area Network) 3.1. Type/OEM/Appliance None 3.2. Number of Available Expansion Ports and Speed 3.3. Switched or Hub (Arbitrated Loop)? 3.4. Capacity 3.5. Location 3.6. How (and by whom) Managed? 3.7. If SAM (Storage Area Management) list vendor and description: 3.7.1. Is the SAM manageable by IT staff? - N/A 3.7.2. Is the SAM up to date? - N/A 3.8. Location(s) of console(s)? 3.9. Fault Tolerant Features? - No 3.10. Has a cluster been configured? - No 3.11. Are applications on the cluster feature aware? - No 3.12. What Backup SW is in place? 3.12.1. Is the backup SW current, with all updates verified? - No

3.12.2. Does the license count cover all users with enough extra seats for immediate growth? - No 3.12.3. When are the logs checked? 3.12.4. Restoration tested at least monthly, including folders, files and mail? - No 3.13. User Access, Mapping and Rights verified at least quarterly? - N/A 3.14. How is data integrity checked?

OS AND OFFICE SUITES

Server and Client software remains a challenging area for IT managers in many areas: licensing, operability, training, support and documentation. Most clients have several versions of server and/or desktop operating systems that add redundancy to task management, user training and the like.

Servers, Number/Name:

Number: 1 | Name: Jedi

1.3. List patches/service packs applied:

Application: Win2000 | Patch/Service Pack: Security Update Q311967 | Date Applied: 3/14/02

Application: Win2000 | Patch/Service Pack: Security Update Q320206 | Date Applied: 5/17/02

Application: Win2000 | Patch/Service Pack: Security Update XML-HTTP Control | Date Applied: 2/13/02

Application: Win2000 | Patch/Service Pack: Cumulative Security Update for 6.0a | Date Applied: 7/27/01

1.3.1. What patch Management software is in place (i.e. GFI)? None - manual patching via Windows update 1.4. What SW is used to manage the servers (Insight, Managewise, etc)? Insight & Windows Server health reports (e-mailed to admin) 1.4.1. Settings optimized and tested for thresholds, paging, etc? - Yes 1.5. What application monitoring reports are setup? None on Jedi 1.5.1. How are they disseminated? N/A 1.5.2. Who reviews them? N/A 1.5.3. Current issues of note? Patching not current 1.6. Define Licensing Strategy: All servers have individual box product and appropriate # of CALs.

Number: 2 | Name: Batman

1.3. List patches/service packs applied:

Application: Win2000 | Patch/Service Pack: Critical Update | Date Applied: 3/14/02

Application: Win2000 | Patch/Service Pack: Cumulative Security Patch Q320206 | Date Applied: 5/17/02

1.3.1. What patch Management software is in place (i.e. GFI)? Manual - Windows update only 1.4. What SW is used to manage the servers (Insight, Managewise, etc)? Insight 1.4.1. Settings optimized and tested for thresholds, paging, etc? - Unsure 1.5. What application monitoring reports are setup? 1.5.1. How are they disseminated? 1.5.2. Who reviews them? 1.5.3. Current issues of note? 1.6. Define Licensing Strategy: Box product and CALs in place.

Number: 3 | Name: Dilbert

1.3. List patches/service packs applied:

Application: Exchange Server | Patch/Service Pack: Security update Q320206 | Date Applied: 5/17/02

Application: Exchange Server | Patch/Service Pack: Security Update Q321232 | Date Applied: 5/17/02

1.3.1. What patch Management software is in place (i.e. GFI)? Windows update (manually). 1.4. What SW is used to manage the servers (Insight, Managewise, etc)? Insight 1.4.1. Settings optimized and tested for thresholds, paging, etc? - Unsure 1.5. What application monitoring reports are setup? Exchange Manager thresholds only 1.5.1. How are they disseminated? Console to Administrator 1.5.2. Who reviews them? Admin 1.5.3. Current issues of note? As noted, disk space is a chronic problem. 1.6. Define Licensing Strategy: Box product on hand plus appropriate CALs.

Number: 4 | Name: Cranky

1.3. List patches/service packs applied: 1.3.1. What patch Management software is in place (i.e. GFI)? 1.4. What SW is used to manage the servers (Insight, Managewise, etc)? 1.4.1. Settings optimized and tested for thresholds, paging, etc? - N/A 1.5. What application monitoring reports are setup? 1.5.1. How are they disseminated? 1.5.2. Who reviews them? 1.5.3. Current issues of note? 1.6. Define Licensing Strategy:

PCs/Clients (standalone and networked), Number/Name:

Number: 1 | User Name: Bob Smith

2.1. O/S (WinXP, NT, Linux, MAC O/S 10 etc.) and Primary Applications 2.2. Desktop environment/toolbars per standards? - N/A 2.2.1. 3rd party toolbars permitted? - N/A 2.3. What component(s) of the O/S are required? 2.4. What component(s) of the O/S are un-installed (games, etc)? 2.4.1. Patches/Fixes up to date? - N/A 2.5. SW distribution; version, strategies: 2.6. Is all SW installed properly, licensed and accounted for? - N/A 2.7. Are critical files stored on server? - N/A 2.8. Are files placed logically in folders (vs. root directories)? - N/A 2.9. Are email, re-cycle and trash folders properly managed? - N/A 2.10. Are wallpaper, screen savers, Desktop per standards? - N/A 2.11. Are games and personal data (if allowed) appropriate and secure? - N/A 2.12. Browser configuration standards/optimized: 2.12.1. Browser window? - N/A 2.12.2. Viewing Area? - N/A 2.12.3. Toolbars/icons? - N/A 2.12.4. Page fonts/colors? - N/A 2.12.5. Links / Favorites? - N/A 2.12.6. Settings (HTML, Text, etc)? - N/A 2.12.7. Security and Privacy (cookies, etc.)? - N/A 2.12.8. Cache, Temp Internet files and History properly managed? - N/A 2.13. Printers properly setup and available? - N/A 2.13.1. How connected (JetDirect, NW Share, LPT, IP Port, Infrared, etc)?

Number: 2 | User Name: Tom Murphy

2.1. O/S (WinXP, NT, Linux, MAC O/S 10 etc.) and Primary Applications WinXP + Office 2.2. Desktop environment/toolbars per standards? - Yes 2.2.1. 3rd party toolbars permitted? - N/A 2.3. What component(s) of the O/S are required? All 2.4. What component(s) of the O/S are un-installed (games, etc)? N/A 2.4.1. Patches/Fixes up to date? - Yes 2.5. SW distribution; version, strategies: CD installed. 2.6. Is all SW installed properly, licensed and accounted for? - Yes 2.7. Are critical files stored on server? - Yes 2.8. Are files placed logically in folders (vs. root directories)? - Yes 2.9. Are email, re-cycle and trash folders properly managed? - Yes 2.10. Are wallpaper, screen savers, Desktop per standards? - Yes 2.11. Are games and personal data (if allowed) appropriate and secure? - Yes 2.12. Browser configuration standards/optimized: 2.12.1. Browser window? - Yes 2.12.2. Viewing Area? - Yes 2.12.3. Toolbars/icons? - Yes 2.12.4. Page fonts/colors? - Yes 2.12.5. Links / Favorites? - Yes 2.12.6. Settings (HTML, Text, etc)? - Yes 2.12.7. Security and Privacy (cookies, etc.)? - Yes 2.12.8. Cache, Temp Internet files and History properly managed? - Yes 2.13. Printers properly setup and available? - Yes 2.13.1. How connected (JetDirect, NW Share, LPT, IP Port, Infrared, etc)? Network assets.

Number: 3 | User Name: Janice Thompson

2.1. O/S (WinXP, NT, Linux, MAC O/S 10 etc.) and Primary Applications Win2000 2.2. Desktop environment/toolbars per standards? - Yes 2.2.1. 3rd party toolbars permitted? - N/A 2.3. What component(s) of the O/S are required? All 2.4. What component(s) of the O/S are un-installed (games, etc)? N/A 2.4.1. Patches/Fixes up to date? - No 2.5. SW distribution; version, strategies: CD installs in past 2.6. Is all SW installed properly, licensed and accounted for? - Yes 2.7. Are critical files stored on server? - Yes 2.8. Are files placed logically in folders (vs. root directories)? - Yes 2.9. Are email, re-cycle and trash folders properly managed? - Yes 2.10. Are wallpaper, screen savers, Desktop per standards? - Yes 2.11. Are games and personal data (if allowed) appropriate and secure? - Yes 2.12. Browser configuration standards/optimized: 2.12.1. Browser window? - Yes 2.12.2. Viewing Area? - Yes 2.12.3. Toolbars/icons? - Yes 2.12.4. Page fonts/colors? - Yes 2.12.5. Links / Favorites? - Yes 2.12.6. Settings (HTML, Text, etc)? - Yes 2.12.7. Security and Privacy (cookies, etc.)? - Yes 2.12.8. Cache, Temp Internet files and History properly managed? - Yes 2.13. Printers properly setup and available? - Yes 2.13.1. How connected (JetDirect, NW Share, LPT, IP Port, Infrared, etc)? Network assets.

Number: 4 | User Name: John Williams

2.1. O/S (WinXP, NT, Linux, MAC O/S 10 etc.) and Primary Applications WinXP + Office XP 2.2. Desktop environment/toolbars per standards? - Yes 2.2.1. 3rd party toolbars permitted? - N/A 2.3. What component(s) of the O/S are required? All 2.4. What component(s) of the O/S are un-installed (games, etc)? N/A 2.4.1. Patches/Fixes up to date? - Yes 2.5. SW distribution; version, strategies: CD 2.6. Is all SW installed properly, licensed and accounted for? - Yes 2.7. Are critical files stored on server? - Yes 2.8. Are files placed logically in folders (vs. root directories)? - Yes 2.9. Are email, re-cycle and trash folders properly managed? - Yes 2.10. Are wallpaper, screen savers, Desktop per standards? - Yes 2.11. Are games and personal data (if allowed) appropriate and secure? - Yes 2.12. Browser configuration standards/optimized: 2.12.1. Browser window? - Yes 2.12.2. Viewing Area? - Yes 2.12.3. Toolbars/icons? - Yes 2.12.4. Page fonts/colors? - Yes 2.12.5. Links / Favorites? - Yes 2.12.6. Settings (HTML, Text, etc)? - Yes 2.12.7. Security and Privacy (cookies, etc.)? - Yes 2.12.8. Cache, Temp Internet files and History properly managed? - Yes 2.13. Printers properly setup and available? - Yes 2.13.1. How connected (JetDirect, NW Share, LPT, IP Port, Infrared, etc)? Network assets

INTERNET

Internet access, as with Mail, has become an essential part of business strategy. From allowing basic access to providing news, competitive information, etc., no company can afford to be offline or offer marginal internet access to their corporate and/or remote based associates and customers.

1. What are the overall objectives for Internet use?
1.1. Access to WWW / messaging transport? - Yes
1.2. Presence (Web Site / Customer Portals)? - Yes
1.3. Commerce? - Yes
1.4. Remote Office support? - N/A
1.5. Remote storage? - N/A
1.6. 3rd party Management/Maintenance? - N/A
1.7. 3rd party Management/Maintenance? - N/A

1.8. Other (FTP, News, Roaming, etc.): FTP transfer built in to website. Can accommodate files up to 50+ MB.
2. Current ISP and describe any high level issues with overall Internet design/access: Qwest - fairly new provider for company. No current issues of note.
2.1. Service performed by ISP:
2.1.1. Access? - Yes
2.1.2. Site Hosting - Yes
2.1.3. Mail hosting? - No
2.1.4. Co-lo facilities? - N/A
2.1.5. Security? - N/A
2.1.6. Storage? - N/A
2.1.7. Other (define):
3. What type of DNS is in use (Microsoft, UNIX, etc)? UNIX @ Qwest
3.1. What is the DNS compatibility (bind version)? N/A
3.2. Does the DNS support Dynamic DNS? - Unsure
3.3. Does DNS feed a directory service? - Unsure
3.4. Does the DNS link to a WINS or other naming service? - Unsure
3.5. Does the DNS link to the internet or is it a root DNS? Root
3.6. Is the DNS part of the public DNS view? - No
4. Does the network have a WINS server? - No
5. Does the network use DHCP? - Yes
5.1. What information is assigned via DHCP? N/A - NAT in place for internal clients.
5.2. Required IP address/range/mask? - N/A
5.3. DHCP proxies used on each subnet? - N/A
6. Company Intranet or Extranet? - Yes
6.1. Describe any current issues: A test of HW updates (bandwidth) solved majority of visible complaints. Changing to NAT from DHCP appears to be increasing SPAM received by users.

E-COMMERCE

For most organizations, e-commerce has become a requirement for primary Sales or to back up their Sales Force, providing after hours catalog/self service, additional presence and a portal for customer access of product specifications. Some companies now generate significant percentages of their monthly revenue from e-commerce, and a few generate all of their business as such. Care must be taken to ensure the customer "e-experience" mirrors that of the overall company culture. Additionally, recent legislation provides guidelines, regulations and even penalties for misuse or lack of security regarding customer data.

1. Relative to potential eCommerce, how does the customer describe their services and/or product offerings? No eCommerce in place as of yet, other than "brochure-ware" website.
2. What does the customer’s web site provide? (Please select all that apply)
2.1. Static content or information - Yes
2.2. Forms for user to register or request information - Yes
2.3. Automated email response to users - Yes
2.4. Database connectivity - No
2.5. Catalog of service or product offering - Yes
2.6. Offline payment transaction - No
2.7. Secure Online payment transaction - No
2.8. Other
3. How often is web site content updated? At least quarterly.
4. Is a web application firewall in place? - N/A
5. Does the customer currently have, or will they require a secure "administrative" or "employee access area" of their web site? - Yes
Note: Currently linking to 401K admin, some HR forms, etc.
6. How is the customer's web site currently hosted (if not by ISP)?
6.1. Co-located - N/A
6.2. Co-hosted - N/A
6.3. Dedicated hosting - N/A
6.4. Hosted in-house - N/A
6.5. Other
7. Does the customer intend to collect data from their online consumers? - Unsure
7.1. Does the customer intend to use this data for marketing / demographics purposes? - Unsure
7.2. Does the customer intend to share any of this data with third parties? - No
7.3. Privacy policy in place? - Yes
8. Usability / Customer Experience issues
8.1. Excessive graphics/flash/sound that must be downloaded? - No
8.2. Excessive Popup ads? - N/A
8.3. No physical address or complete “Contact Us” listings? - No

8.4. Incomplete product information/descriptions (needs batteries, colors, etc)? - N/A
8.5. Very small print/font sizing that cannot be enlarged for readers with small screens or poor eyesight? - Yes
8.6. Links that mention products that just redirect to the front page of a vendor's website, where a new search must then occur? - No
8.7. Scripts that cause advertising animations to play over the top of the page content? - No
8.8. Forms that require irrelevant information to be selected from drop-down menus? - No
8.9. Forms that don’t specify correct data input format? - No
8.10. Misspelled words? - Unsure
8.11. Dead or mis-directing links? - Yes
8.12. News articles without posting dates or appropriate citations? - Yes
8.13. Web registration forms that require excessive mandatory or personal info? - No

COMMUNICATIONS

The need for external access and communication has become a "given" for all businesses. With deregulation and newer technologies, the overall communication schema has become an area of potential cost saving, increased NW capabilities and increased user utility if carefully planned and implemented. The days of separate data and voice along with long term (expensive) contracts with local bandwidth providers for T-1s/local loop expenses have largely given way in the primary markets.

1. Servers/Networks
1.1. Cost/benefit analysis performed on current carriers (ISDN vs. Frame/DSL/VPN)? - Yes
1.2. What type of remote LAN access system is in place (Remote Desktop, VPN, etc.)? VPN - Netscreen 5XP set up but not in use. Some Remote desktop (XP) allowed.
1.2.1. Describe any high level issues: Overall security concerns (uneasiness, especially by upper management).
1.2.2. Remote user logs maintained? - N/A
1.3. Does the customer have redundant connection or Dial-Backup for the WAN links? - N/A
2. PCs/Clients
2.1. Proper need for outside communication (other than via Network)? - Yes
2.2. Define method (VPN, Remote Desktop, dial-up, etc) and any issues:
Accounting (Stacey) Int 56K modem: for Credit Card transactions
HR (Dave) Int 56K modem: for "HR Link" application (internet version coming Q3)
IT (Bob, Janice) Int 56K modem: testing, backup internet connectivity
Manufacturing (Terry) Int 56K modem: Supply chain connectivity (now backup for network)
2.2.1. If standalone, is modem proper type and speed for connection and properly configured? - Yes

MAIL / MESSAGE SERVICES

E-Mail has become an essential, ubiquitous enabler of business communications. Businesses that have experienced outages of their mail services realize their dependence on this critical service. With the massive growth of not only PCs but secondary mail clients such as PDAs, cell phones and the like, careful planning for mail continuity is an essential part of “best practices”.

1. Are mail services internal or hosted? Internal - Exchange 2000
1.1. If hosted, are there issues with the provider (ease of use, speed, size restrictions, security, etc)? N/A
2. If internal:
2.1. Overall Strategy and current high level issues: Agency has become e-mail dependent, like most other businesses. Most business communications are preferred via e-mail for ease of forwarding, latency and efficiency. Storage capacity of Exchange server and folder management becoming issues.
2.1.1. Strategy for Unified Messaging (Voice Mail, FAX, e-Mail):
2.2. Folder setup: Individuals have folders allotted on server. Some global folder size restrictions as of yet, placed on a few individuals for saving an excessive amount of large attachments. System is set to warn, then disable send functions if folder size exceeds 250MB.
2.3. File size restrictions: 5MB in/outbound is default setting. Expanded for certain users with "need" for large file transfers.
2.4. Message/Attachment file and type restrictions: None at current other than "exe" files.
3. Are all updates applied? - Yes
4. Are client/user profiles reviewed at least annually? - Yes
Note: Attempted quarterly.
5. If appropriate for size/scope/user count, has a software solution that controls message handling, especially forwarding been considered (such as Microsoft RMS)? - N/A
6. Where are client PSTs, etc., located? Local HDs, with server backup.
7. Are client profiles and message stores backed up at appropriate intervals? - Yes
7.1. Have these backup files (PSTs, etc) been actually tested with "restore" functionality? - No
8. SMTP set not to forward anonymous mail? - Yes
9. SMTP Smart / external host used? - N/A
10. External Mail connectors installed, are in use, and configured correctly? - N/A
11. Mail Root folders checked for amount/disposition of accumulated "bad" mail, queues, etc? - Yes
12. Company folders checked for size, # of items and unreasonable accumulation? - No

12.1. Individual mailboxes? - Unsure
12.2. Administrative mailboxes? - Unsure
12.3. Special mailboxes ("contact", "sales", etc)? - No
13. Special services verified, such as forwarding, auto-response, etc? - Yes
Note: Not verified
14. If enabled, are RMS services verified and reviewed? - N/A

SECURITY

Security has entered the mainstream of IT management for consideration. Viruses, Worms, Trojans and other backdoor agents can not only cause loss of proprietary information, but also bring critical servers down. The actual cost to organizations of an effective security policy is minimal compared to the actual and potential costs of losing data or being forced off-line. With the emergence of legislation such as HIPAA, clients are now facing ruinous potential liability for the lack of an effective security plan. The client must be presented with an accurate assessment of their vulnerabilities as well as remediation strategies that balance availability, security and investment.

1. Is the overall design of the client’s security system reactive or preventive? Reactive - HIPS issues under discussion now - potentially part of TAP follow-up.
1.1. What HIPS (Host Intrusion Prevention) systems are in place or being considered:
1.1.1. Network Usage - N/A
1.1.2. Application protection - N/A
1.1.3. Memory protection - N/A
1.1.4. Application profiling - N/A
1.1.5. Process control - N/A
1.1.6. Peripheral control - N/A
1.1.7. Other
1.2. What protection schemes are in place:
1.2.1. Network Level (Firewall, Network Inspection) - Yes
1.2.2. Application Level (Anti-virus, hardening and inspection) - Yes
1.2.3. Execution Level (Application control, Resource shielding and Behavioral issues) - N/A
1.2.4. Other
2. Data
2.1. Does the customer have a written security policy as part of their IT documentation that addresses:
2.1.1. Employee productivity issues: Employee manual discusses need for security to prevent events from happening (virus attacks, etc.) and the resulting impact on company productivity.
2.1.2. Compromised company resources / bandwidth: Covered in employee manual.
2.1.3. Data Security (blended threats, Denial of Service, backdoor Trojans, Keyboard loggers, etc): Covered in employee manual.
2.1.3.1. Identity Security (Phishing, etc):
2.1.3.2. Application Security (Encryption, 3rd party tools, etc):
2.1.3.3. Physical Security (Access to systems and documentation, employee practices, etc): Covered in employee manual.
2.1.4. Legal repercussions (including hostile work environment issues): Yes - starting with Employee Agreement, and followed up with continual HR training.
2.2. Vulnerabilities:
2.2.1. Has the client tested their vulnerability with intrusion tools, Web application vulnerability scanner and/or 3rd party service companies? (Date, methodology, findings and current status) No - desired Project. Will review and supply Project outline ASAP.
2.2.2. Applications - N/A
2.2.3. Windows / Shell code - Unsure
2.2.4. FTP - No
2.2.5. IE / browsers - Yes
2.2.6. Backdoors - Yes
2.2.7. SMTP/SNTP Issues - Unsure
2.2.8. Useless/out of date services - No
2.2.9. Is there an enterprise rights management system in place (Authentica, Navisware, etc)? - No
2.2.10. Are there network extrusion prevention products in place to notify of data copying/exporting? - No
2.2.11. Are HTTPS tunnels (port 443) monitored? - Yes
2.2.11.1. Gateway scanning for encrypted malware? - No
2.2.11.2. Outbound content control (OCC)? - Unsure
2.2.11.3. Using unencrypted protocols (telnet, etc) when managing systems, routers, firewalls, etc. - No
2.3. Are users trained to protect passwords (phone solicitors, posting passwords in plain sight)? - Yes
2.3.1. Are passwords stored in complex configuration - Required numbers and letter mix with a minimal length? - No
2.3.2. Are password changes systematic? - Yes
2.3.3. Are service passwords excluded from changes? - Yes
2.3.4. Does a centralized password / single sign-on system exist? - No

2.4. Is anti-virus SW current and correctly installed on clients (drives, folders, mail, etc)? - Yes
2.4.1. Is anti virus software a corporate or consumer level product? Consumer - Symantec NAV 8.0
2.4.2. Is there a centralized management feature for updating clients and scanning? - Yes
2.4.2.1. What are the frequency settings for auto-updates of managed and un-managed antivirus SW and virus definitions? Weekly.
2.4.3. Does the in place solution include gateways and mail services? - Yes
2.4.4. Does the in place Antivirus Solution provide reports? - No
2.4.5. What categories and data are reviewed? - Yes
2.4.6. Audit trail setup for connections/devices? - Yes
2.4.7. Can the in place Antivirus solutions support lockdown from user control? - Yes
2.4.8. Is an Anti-Spam Solution installed? - Yes
2.4.8.1. Is the Anti-Spam Solution server based? - Yes
2.4.8.2. Is the Anti-Spam Solution appliance based? - N/A
2.5. Encryption used for mail/messaging? - No
2.6. Does proper firewall HW or SW exist? - Yes
2.6.1. Routers/Proxy Servers/Firewall properly configured? - Unsure
2.6.1.1. Operating Systems, Firmware, etc., up to date? - Unsure
2.6.1.2. Does the Firewall also terminate VPN? - N/A
2.6.1.3. Is a separate VPN Concentrator Installed? - N/A
2.6.1.4. Are there other security appliances in place (URL/File blocking, content filtering, etc)? - No
2.6.1.5. Does the appliance scan at an appropriate bandwidth? - N/A
2.6.1.6. Are all appropriate protocols scanned (POP, FTP, SMTP, SNMP, etc)? - Yes
2.6.2. Security Gateways of multi-tiered design? - N/A
2.6.3. Servers providing data to the outside located within DMZ? - Yes
2.6.4. Does component failure result in Services stop vs. unsecured traffic? - Unsure
2.6.5. Un-used services add (such as ftpd, finger, rpc, etc) disabled? - Unsure
2.6.6. Dual NW cards in servers for inside/outside NW segments? - Yes
2.7. If in use, RAS/dial up access set to "call back" (set by or preset to mode)? - Yes
2.7.1. If in use, are Terminal Services / Remote Desktop encryption enabled (RSA RC4)? - N/A
2.8. Account lockout enabled after 3-5 bad login attempts? - No
2.9. Critical files password protected or read-only? - Unsure
2.10. OEM default passwords all changed at install? - Unsure
2.11. Naming Standards in place? - No

2.12. Group definitions in place, if applicable? - No
2.13. Master CDs, Keys, password logs, SW serial #s and access IDs securely stored? - Yes
Note: But no current inventory with extra copies kept offsite.
3. Physical
3.1. Are servers and critical subsystems, data and backups safe from casual contact? - Yes
3.2. Are power-off safeguards or cabinet locks in place? - No
3.3. Are lockdown devices (if specified) in use? - N/A
3.4. Are notebooks ordered with lockdown and/or security systems? - No
3.5. How are USB drives managed (DIY, Policy, Port Control SW, etc)? Wasn't thought to be a significant issue. Not widely in use.
3.6. Are Remote Security Management services in place (IP cameras, auto-notify, etc)? - N/A
4. Hardcopy
4.1. Are critical documents scanned/preserved on network? - No
4.1.1. Are documents safe from casual contact? - Unsure
4.1.2. Is there a secure shredding/recycling/disposal service in place? - Yes
4.1.3. Are multiple copies of critical documents serialized and stamped "do not copy"? - Unsure
4.2. Is there a Document Management system in place? - No
4.2.1. Does it include an Audit trail log for confidential document handling/possession? - N/A
4.3. Is there a need to manage paper documents electronically for backup, security and/or search purposes? - Unsure
4.4. Describe Electronic Document Integration services, if applicable: None in place as of yet. In discussion.
4.4.1. Imaging HW: N/A
4.4.2. Associated SW (Capture, OCR, etc): N/A
4.4.3. NW support/standards: TBD
4.4.4. Availability of data to appropriate associates: TBD
5. Compliance
5.1. Is the client subject to compliance demands outside of normal Federal/State requirements? - Unsure
5.2. Has the client been subject to lawsuits/penalties as a result of non-compliance? - No
5.2.1. In what specific areas?

5.3. What new standards have been put in place (XBRL, etc)?

RESOURCES

Managing client resources impacts not only the "steady state" but critical projects and dynamic issues such as moves, adds and changes (MAC). Those clients that maintain proprietary applications and/or have significant software development capabilities in house are especially vulnerable to impacts from a lack of resource planning. The location, capabilities, duty cycles and training requirements of peripherals may greatly impact the client’s Total Cost of Ownership (TCO) if significant redundancy of action, “walk around time”, etc., isn’t effectively managed.

1. Change Management
1.1. Describe overall plan for resource management and any high level issues: Servers are purchased. Applications are bought or licensed on case by case example. PCs/peripherals are normally expensed/depreciated per IRS schedule guidelines.
1.2. Does customer maintain a change log (prior to setups)? - Yes
1.3. Is beta testing done prior to large scale changes and "off-network"? - Yes
1.4. Are changes planned for non-business hours? - Yes
1.5. Affected user checklist used, including clients, customers and suppliers? - Yes
1.6. Are all clients then re-checked prior to start of business? - Unsure
1.7. Is there a change management form? - Yes
1.8. Is there a change management notification list? - Yes
2. Printing
2.1. Is the number/location of printers appropriate for number of users and workload? - No
2.1.1. How are they accessed? Ethernet - IP via JetDirect(tm).
2.2. Are the printers installed appropriate for the workload (duty cycle)? - Yes
2.3. Are correct accessories installed and properly used (envelope feeders, etc.)? - Yes
2.4. Need for color output? - Yes
2.5. Need for high volume print capabilities? - N/A
2.6. Need for duplexing or large format? - N/A
2.7. Need for print headers/sender I.D.? - N/A
2.8. Toner density set appropriately? - No
2.9. Recycling/refilling of cartridges if appropriate? - N/A
3. Fax
3.1. Are the Fax resources adequate for current/planned workloads? - Yes
3.2. Are network based FAX solutions in use? - Yes
3.2.1. Are network FAX tools properly used at client level? - Yes
3.2.2. Are faxes reviewed prior to printing? - Unsure

3.2.3. Are error/paper out messages properly routed and attended to? - Yes
4. Backup
4.1. Servers
4.1.1. Describe backup plan (schedule, overwrite vs. append, media rotation, etc.): Veritas 8.6 installed in Batman server. Internal 15/30GB DLT drive. Split volumes due to capacity. Certain drives/folders backed up on certain days. Media sets correct. Append setting in place, with verify. Backup logs checked. Alpha Micro has proprietary system (out of scope for TAP - known issue).
4.1.1.1. Replication hardware in place (vs. Tape) IE: periodic, asynchronous, synchronous? Not currently. Looking for input on this.
4.1.1.2. For replication schema, describe HW type (iSCSI, etc), capacity and management: N/A
4.2.1. Are daily backups taken of critical files? - Yes
4.2.2. Logs reviewed for exclusions? - Unsure
4.2.3. Are weekly backups taken of non-critical files/programs? - Yes
4.2.4. Has the restore function been tested with current versions? - Yes
4.2.5. Has the restore function been tested with critical files such as PSTs, MDBs, etc? - No
Note: Needs to be performed & verified at least monthly.
4.2.6. Is the backup hardware adequate for current needs and planned growth? - No
Note: Needs expansion - 15/30 GB Compaq DLT currently in use.
4.2.7. Are backup copies stored off-site? - Yes
4.2.8. Is the labeling schema of all backup media current and appropriate? - No
4.2.9. Critical media location known to all members of IT and Disaster Recovery team? - Yes
4.2.10. Emergency Repair Disks and date of last update? - No
Note: Out of date - unable to locate several.
4.2.11. Bootable Media and date of test/update? - No
Note: Needs to be done, such that NW can be restored by bootable DLT.
4.2.12. Original Server Config and Application(s) CDs? - Yes
4.2.13. Are backups completed in the proper timeframe? - No
4.2.14. Is the media capacity still adequate (multiple volume requirements, etc.)? - No
4.2.15. Are the proper backup agents such as for SQL, Exchange, etc being used? - Yes
5. PCs/Clients
5.1. Is critical data copied to server for backup? - Unsure
5.2. If not, is there local backup (USB, Zip Drive ™, CDR, etc.) with appropriate schema? - Unsure
5.3. Has restore capability for clients / remote users been tested? - No

6. Power
6.1. Correct sizing and deployment of UPS equipment for servers and critical PCs? - No
6.2. Has run-down testing verified run-time and auto-shutdown? - No
Note: Priority item. Can be done by current IT staff.
6.3. UPS SW settings verified? - No
6.5. Authorized Access to all devices? - Unsure
6.6. A/C input sensitivity properly set? - Yes
6.7. Operating temperature range verified? - Unsure
6.8. Are batteries serviced (if appropriate) per OEM recommendations? - Yes
6.9. Battery replacement date recorded and type/OEM of supplier? - Yes
6.10. Are vital hubs, switches, routers, etc., protected by UPS? - No
6.11. Correct type and deployment of surge suppressors? - Yes
6.12. Is appropriate power saving strategy (blank screen savers, Energy Star compliance) in place? - Yes
6.13. Panels, circuit breakers, conduits, connectors, Molex, etc. to code? - Unsure
7. Disaster Recovery
7.1. Does the customer have a written Business Continuity Plan (BCP), including disaster, resumption, recovery and contingency plans? - No
Note: Requires significant work.
7.2. Describe the overall Business Continuity Plan (BCP) including Disaster Recovery: Needs rework. Minimal plan in place, many deficiencies relative to documentation, training and logistics. Project plan to be made ASAP.
7.2.1. Does the BCP plan accommodate the customer’s Recovery Point Objective (cost of data loss/downtime vs. investment)? - N/A
7.3. Can critical systems be restored same day on re-entry to facilities? - No
7.4. Are critical systems redundant (and separately located if appropriate)? - Yes
7.4.1. Is data replicated? - No
7.4.1.1. Real-time or cached?
7.4.1.2. Local system or remote?
7.4.1.3. Includes applications w/ auto failover? - N/A
7.4.1.4. Fail over sites maintained with accurate and complete images? - N/A
7.5. Fixed asset registries all current and kept at separate, secure location? - No
7.6. Is Disaster Recovery an interdepartmental plan? In other words, is there a complete DR plan and does it include IT, Facilities, Finance, HR? - Unsure
7.7. Does the Disaster Recovery plan include appropriate 3rd parties (Insurance, landlords, service providers, suppliers, etc)? - Unsure
7.8. Has the Disaster Recovery plan been tested? - Unsure
7.8.1. Data - N/A

7.8.2. Access - N/A
7.8.3. Security - N/A
7.9. Has the Disaster Recovery plan been scaled for growth/change in company assets? - No
8. Telephone System
8.1. Owned key systems or Centrex? Cost/Benefits analysis performed when?
8.2. Phone System OEM, Type and Model? Mits 2000 class (out of scope for this TAP)
8.2.1. Define configuration and special features (ACD, IVR auto attendant, GUI Admin tools, etc): Basic phone with voice attendant
8.2.2. Dates of Upgrades: Logs not checked
8.2.3. Voice Mail system/SW/features and current issues: Basic with navigation, 24/7 availability.
8.3. Is the phone system integrated into the network? - No
8.4. Does the voice mail system integrate with the Email service? - No
8.5. Does the network switch support voice over IP services? - Unsure
8.6. Are there any issues with the phone system? - No
8.7. Does the phone service offer WAN or IP integration? - Unsure
8.8. Are any toll saving features utilized in the phone system? - No
8.9. Does the phone system provide for POTS lines such that individual lines are not required for every user? - Yes
8.10. IP based PBX? - N/A
8.11. What kind of interface does the phone system support for Voice over IP Communications (Typically E and M or Proprietary Trunking)? Unknown.

MANAGEMENT ADMINISTRATION

No effective IT assessment can overlook the "human factor" in the design and management of effective systems. Training, continuity and succession planning are all part of successful IT practices.

1. IT Staffing
1.1. Are critical IT personnel cross-trained on all relevant technology? - Yes
1.2. Does the IT department do "succession planning" for associate turnover? - Yes
1.3. Do flow charts exist on all critical processes? - No
1.4. Are training/vacation coverage calendars maintained? - Yes
1.5. Is the customer covered by 3rd party backup? - No
1.5.1. If not, is there a schema to walk / coach such a person through an issue? - No

1.6. Is an associate always on hand who can down services and re-boot network resources? - Yes
1.7. Are remote locations covered with remote monitoring/Services and within their time zones? - N/A
2. Training (Clients)
2.1. Are new users/employees properly on-boarded by system administrator (or peer)? - Yes
2.2. What help desk support is in place? Minimal - IT responds in person generally to most user issues.
2.3. Who administers the help desk? IT
2.4. Describe any help desk tools/systems. dBase setup in Access to log calls/resolution.
2.5. List recurring support issues. PreFab (out of TAP scope), some notebook data issues from non-backups to server, typical "user" issues with application software.
2.6. Is current training adequate as measured by help desk calls and user errors? - Yes
2.7. Does employee handbook contain relevant information for IT, such as:
2.7.1. Security? - Yes
2.7.2. Safe guarding/replacement of assets? - Yes
2.7.3. Internet policy? - Yes

MAINTENANCE

Maintenance costs may exceed the original CapEx expenditure for long-lived assets if they are not properly maintained, especially in "heavy duty" conditions.

1. Hardware
1.1. Is all appropriate hardware under warranty? - Yes
1.1.1. Are the terms of both warranties and service contracts known? - Yes
2. Are critical assets on monthly inspection/cleaning schedules? - Yes
Note: Some quarterly. IT logs reasonably up to date.
2.1. Backup / read-write heads for tape systems on separate cleaning schedule (marked on cleaning tapes and in IT logs)? - Yes
3. Are shared NW peripherals on monthly/quarterly inspection schedules? - Yes
3.1. Printers, copiers, FAX, scanners, etc. - Yes
3.1.1. Printer/FAX corona wires, cleaning sheets, etc - Unsure
3.2. Fans/vents on critical systems? - Unsure
3.3. Are all hard drives subject to periodic maintenance (defrag, scandisk, etc.)? - Yes
4. Any severe-duty equipment with special maintenance requirements? - Unsure
Note: Logs incomplete. Servers OK, critical DTs are not.

LIFE CYCLE PLANNING

1. Hardware
1.1. Buy versus leasing options understood? - Yes
1.2. Describe asset acquisition policy (purchasing, leasing, etc.): Applications are bought or licensed on case by case example.
1.3. Does customer have an upgrade and "cascade" policy for older equipment? - Yes
1.4. Is IT procurement performed within IT? - Yes
1.4.1. If not, does IT maintain control over standards, suppliers, etc? - Yes

Is the client providing adequate training and education for IT staff? Yes, on all appearances.

SPECIALTY

Here the VAR can add free-form questions matching their own unique skills.

Reserved for unique VAR capabilities
Reserved for VAR use
Reserved for VAR use
