Securing Financial Resources

"Four years," the young woman had said, "maybe five. But you’ll need to begin searching for replacement funding before then."

Mr. Johnson looked at the figures on the budget sheet before him and sighed. Every year it was the same thing, asking people for more money. There was always something that needed to be done, something that came along to steal his time and sap his strength. He had always intended to get it done—tomorrow. No one provided grants for operating costs. He looked over the top of the sheet and gazed out in the public area. Of his ten workstations, three had "Out of Order" signs taped to the front of the monitors. One hard drive failure, one he-didn’t-know-what failure, and one complete trashing. None would run the latest version of the library’s public access catalog software, so he hadn’t upgraded. Where was he going to find $10,000 to replace them?

As mentioned in Chapter One, probably the most common—and potentially most dangerous—threat to network security in small libraries is the lack of funding required to properly maintain the network. Many libraries have received the bulk of the technology equipment, software, and cabling (collectively called infrastructure) through grants. The problem is most library budgets are not sufficient to support the cost of maintaining this infrastructure. In this chapter I focus on the monetary resources required, including the costs to secure certain network components.

The Cost of Operating a Small Library Network

Costs associated with developing and operating a small library network vary from one library to another based on the purchase decisions management makes. Some entities purchase from local vendors, some from national vendors. Some purchase "business" model computers (which have features like manageability that regular workstations do not), and others purchase the least expensive equipment they can.
Nevertheless, some general guidelines can be established for average costs in a small library.

Equipment Used

The following table details the major components used in creating a small library network. Workstations and servers are assumed to have a network card included in the base installation. The costs for computers shown below include shipping costs if ordered online. Computer prices may be reduced by $100 each for local purchases. The last column indicates the allocation I recommend including in the library budget for annual maintenance of the equipment, with the minimum budget allocation included in parentheses.
If a security breach results in the need to call in a paid technician to resolve resulting problems, the maintenance budget gets squeezed even further. How many such breaches can the library pay to resolve?

Libraries in Texas using a regional library system TANG technician (a system staff member hired through a state Technical Assistance Negotiated Grant) for network maintenance will be able to stretch their budgets, because the TANG technician’s assistance is "free" to the library. I highly recommend that libraries with access to a TANG technician use her services as often as possible. Unfortunately, this is a resource with diminishing returns. As more libraries use the TANG technician, the less available she will become—especially in emergencies. So budget funding still needs to be available to hire paid technicians.

Software Maintenance Costs

Equipment maintenance costs are not the only maintenance costs involved in operating a network. Library automation software requires a software maintenance/support contract to be renewed each year in order to receive technical support. One can also expect a software upgrade (for the operating system and also for those workstations providing MS Office to patrons or staff) to be needed during each computer’s service life. Table 3 indicates common software costs a library can expect to incur during the normal lifespan of a computer.
Services

Various services, from cable installation and workstation configuration during the initial creation of the network to Internet access costs incurred during its use, contribute to the annual cost of offering Internet access and automated library systems. Table 4 shows approximate costs of these services (cabling and configuration costs will apply to any future workstations added to the network as well). The estimates shown are "average" costs, with high-end costs displayed in parentheses.
Equipment Replacement

The most difficult cost to deal with, however, is the cost for equipment replacement. This cost is deceptive because replacement is not an immediate need. It’s easy to put off, but replacement must be planned if your network services are to continue. The sooner you prepare your replacement plan, the better.

Future costs represented by equipment replacement are easily figured. All equipment has to be replaced after a number of years of service for three common reasons:

- it will fail through normal use
- it will become obsolete, unable to perform the functions we need
- the manufacturer will declare it beyond useful life and cease to support it

In most cases, the useful life for equipment in public libraries is longer than it would be in the business environment because of the need to stretch funds. Productivity and competitive advantage will be of lesser strategic advantage in libraries than in businesses. Nevertheless, even given a longer lifecycle, costs associated with equipment replacement are large.

For public libraries, I recommend a four-to-five-year replacement cycle (current business practice sets obsolescence at about three years). Patrons may begin to see the equipment as "old" and outdated after four years, especially if office software is provided but hasn’t been upgraded. Four years of ownership represents a critical time period because technology may have evolved enough to make an upgrade undesirable. The processor package may have changed enough that updating the processor means replacing the motherboard as well. More RAM, or a different type of RAM, may be needed with a new motherboard. The video card may also need to be replaced. The combined cost of the parts, plus the cost of installing them, usually ends up being just a little less than the cost of buying a new unit. Considering a new system has a complete, three-year warranty, buying new looks much more attractive than upgrading.
So the fifth year may be one when the library limps along, knowing that waiting a year and purchasing a new system is more feasible than upgrading this year. Table 5 illustrates the estimated replacement period for various components of a small library network. It includes the number of years you may expect a particular component to serve before needing to be replaced.
The Cost of Securing a Small Library Network

In terms of dollars, the purpose of security is to spend a little up front in order to keep from possibly having to spend a great deal later on. So it’s important to quantify the potential cost of not securing the network. Some costs are easily estimated and quantified:

- staff time required to handle problems related to altered workstation desktops
- staff time required to reconfigure such desktops, and deal with vendors supplying technical support
- the cost of having a vendor reconfigure or repair a workstation configuration

However, there are other factors for which cost is not so easily quantified:

- patron disappointment and upset feelings when a workstation is not available or working properly
- the library’s loss of use of its automation system for a period of time if catalog stations or the server is tampered with
- the negative publicity generated by an attack or someone using the workstations for an illegal purpose

Given these limitations, we are left with vague guesses about the cost of security breaches. But the dollar cost of implementing network security, on the other hand, is much easier to estimate.
There are several variables that affect the cost:

- the number of workstations and servers to be configured and tested
- the number of security measures to be implemented on each workstation and server (determined in consultation with the library director)
- whether a public server (such as a web, DNS, or mail server) is to be secured
- the complexity of the router and firewall used
- how much of the work can be performed by local staff or volunteers (such as configuring backup software to perform scheduled backups of important data, including the library’s bibliographic database and director’s documents directory, and making sure physical security is addressed)
- the experience of the vendor representative (in working in a public environment) contracted to secure the network

Table 6 provides a sample cost summary, with estimates of the time required to perform the various activities. To arrive at the cost range for security configuration, I make two assumptions:

- a technician with little experience configuring workstations and servers for security will take considerably longer to complete the task, but charge less for the time spent
- router/firewall configuration will be performed by a network technician experienced in such configurations, at a higher hourly rate
In keeping with these, the time to configure a workstation or server is represented in two increments: less time for an experienced technician and more time for one who is inexperienced. Likewise, two hourly rates are used: $75 per hour for an experienced technician ($100 for router/firewall configuration) and $50 for a less experienced technician. The cost range is determined by multiplying the inexperienced technician’s rate times the estimated completion time to arrive at one cost, then multiplying the experienced technician’s time and hourly rate.

Take these figures as vague estimates only. Actual costs can vary greatly from this sample, depending on the factors listed above. If all the major components are contracted to a vendor, the cost could easily range from $500 for a tiny library network to $5,000 for a "moderately sized" small library. The good news is that much of this configuration, if not all of it, can be paid for through grant funds.

Before we quit, let’s return to the notion I mentioned earlier of paying up front to keep a service functional and save time, frustration, and money down the road. Let’s assume the six-workstation, one-server configuration above costs $1,000 to secure. Is security worth the price? Leaving the network unsecured might result in various attacks that could compromise the network server, leaving it unusable until someone can reconfigure it. That will take time and money. How many days will the automation server be down? Zero? Ten? Is it worth $1,000 to provide a reasonable level of assurance that it will remain operational?

There are also other types of "attacks" involving illegal activities through a public workstation. This may result in the workstation being impounded as evidence in a criminal investigation. How long will it be unavailable? A week? A month? A year? Will the library be able to replace it?
When we look at the possible results of security breaches, the $1,000 cost of a security project appears well worth the money.

The Cost of Maintaining Security

Unfortunately, the cost of original implementation is not the only cost associated with securing a network. At the very least, operating systems installed on workstations and servers need to be updated periodically. So a good security program budgets ongoing costs for security administration and staff time for managing backups, monitoring anti-virus updates, monitoring server logs, and resolving small workstation issues as they arise. Here is a partial list of "costs" the library may expect as part of its security program:

- Costs for training staff/volunteers in basic procedures for securing workstations or servers
- Staff time used in resolving minor workstation problems or arranging for outside technical support
- Staff time in reviewing security logs; alternatively, funds for contracting for outside monitoring of security logs
- Staff time in reviewing backup reports and automatic anti-virus updates
- Staff time in downloading and applying workstation and server operating system patches on a regular basis; alternatively, funds for contracting for operating system updates (costs may be $35-70 per hour, including travel time if required)
- Restricted services; patrons may be restricted from certain activities, such as using chat or e-mail facilities, or writing to a hard drive, floppy drive, or CD-RW drive

The Cost of Auditing Security

As we’ve discussed in previous pages, network security is a process. It also has scope. Some libraries will decide to implement security measures that other libraries have declined to implement. Each library is encouraged to examine its community, operating environment, budget, and other local funding constraints to determine the best course for securing its network.
In many tiny libraries this may comprise just basic physical and server security and significant workstation security measures. Regardless of the scope of its security project, the process needs an element of accountability. A security audit will provide this accountability.

The library should consult with a network technician either before or during its deliberations to review the library’s options and opinions regarding security. Once final decisions have been made specifying which measures to implement, and the implementation is performed, then an outside agency should be hired to audit the security implementation, based on decisions made by the library. An audit will provide the library three benefits:

- The auditor can comment on the state of security without bias, providing an independent review of a contractor’s work.
- The auditor serves as a failsafe; if a specific security vulnerability has been missed, the auditor provides a secondary resource to catch the omission and suggest implementation.
- The auditor will also serve as an independent party to voice concerns with the current implementation and make suggestions for future iterations of security implementation.

Unfortunately, like security implementation, the benefits are not gained inexpensively. There are four primary cost factors involved in security audits:

- the scope of and methodology used to conduct the audit
- number of servers, workstations, and network devices to audit, if included
- the vendor’s experience level, which relates to hourly/daily fee, and
- the scope of methodology used to produce the audit report

Audit reports vary widely in their content and presentation. More information about reports and how security audits are conducted is presented in Chapter 4. For the purposes of this section we’ll just say the more extensive the documentation, the higher the full audit cost will be.
Most tiny libraries with limited infrastructure can expect audit costs to range from $500 to $1,500 plus travel time and expenses, if any. Small libraries with larger numbers of workstations, and web-based access to the library catalog can expect costs to range from $1,000 to $3,000 plus travel time and expenses, depending on the extent and complexity of the network. These ranges are vague estimates only. Table 7 details some of the costs you can expect to incur for an audit of your library. Add $200-$400 more if you would like to receive an extensive report. From this table you should be able to determine the approximate cost of an audit for your library. You can get a better estimate of the audit cost for your particular library, but you’ll need to develop a request for quote (RFQ) for the audit. We’ll cover this and other audit topics in Chapter 4.