Commonwealth of Massachusetts
Statewide Strategic IT Consolidation (ITC) Initiative
Program Benefits Discussion Document for the CIO Cabinet
Originally presented August 31, 2009 Monday; updated as v2 on 9/8/2009; updated as v3 on 9/21/2009; updated as v4 on 9/29/2009
DRAFT – FOR DISCUSSION PURPOSES ONLY
Agenda
The Mandate – Executive Order No. 510
Objectives and Guiding Principles for Tracking Program Benefits
Program Benefits Framework
Supporting Measures and Metrics
Sample Quarterly Dashboard
Tracking Process – 1st Cut
Another Level of Measurement: Consolidated IT Services
Appendix: Definitions and Measurement Methods
The Mandate – Executive Order No. 510
Section 9. “The Commonwealth CIO shall report annually to the Executive Office for Administration and Finance concerning: progress made by the Executive Department towards secretariat and infrastructure consolidation; the results of such consolidation; service levels for the consolidated infrastructure services provided to the Executive Department; and the cost of such services.”
Note: still need to track down legislation outlining specific reporting requirements of CCIO
Objectives and Guiding Principles: Tracking Program Benefits

Short-term Objectives*
  To create a benefits tracking process that will help collect, measure, monitor, and communicate outcomes of Executive Order No. 510
  To implement the process for the remainder of FY10, including training for Secretariat owners
  To incorporate continuous improvement mechanisms for FY10 and beyond

Guiding Principles
  Focus on outcomes that matter (both measurable and anecdotal)
  Establish accountability within each Secretariat
  Keep it straightforward and ‘implementable’
  Apply a phased-approach (Fall 2009 Pilot, then small and manageable rollout in FY10, then build upon in FY11)

Note: obtained ‘buy-in’ from Anne
* “Short-term” refers to the Phase II project timeframe – i.e., between 8/31/2009 and 9/30/2009 only.
Program Benefits Hierarchy
Different types of benefits will be measured and monitored depending on the stakeholder management reporting and communication needs.

Benefits “Hierarchy” and Stakeholder “Audience”:
  Program Level Benefits: Governor, Cabinet, CCIO, industry journals, CCIO interviews, etc.
  Secretariat IT Services Dashboard (EOPSS, EOEEA, EOLWD, ANF, EOT, EOHHS, EOE): SCIO town halls, Steering committees, …
  ITD Infrastructure Services Dashboard (ITD): DCCIO, ITD Executive Committee, etc.

Added more explanatory language
Program Benefits Framework
Efficiency: Reduced and optimized IT spend per unit; Elimination of duplicate IT systems; Improved purchasing power by combining procurements
Effectiveness: Improved reliability of IT services; Improved ability to align our IT resources with high-level priorities of Secretaries; Improved data sharing capabilities; Industry-standard delivery of IT services
Information Security: Improved data protection; Fewer IT systems hosted at insecure locations; Improved monitoring, detection, alerting, and response capabilities
Note: these have been fully vetted by CCIO and CCSO
Supporting Performance Measures

GOALS
  Efficiency: To spend and invest in IT more wisely
  Effectiveness: To deliver our IT services more reliably, and align our resources per business priorities
  Information Security: To secure our information based on industry leading practices

BENEFITS
  Efficiency: Reduced and optimized IT spend per unit; Elimination of duplicate IT systems; Improved purchasing power by combining procurements
  Effectiveness: Improved reliability of IT services; Improved ability to align our IT resources with high-level priorities of Secretaries; Improved data sharing capabilities; Industry-standard IT service delivery
  Information Security: Improved data protection; Fewer IT systems hosted at insecure locations; Improved monitoring, detection, alerting, and response capabilities

MEASURES
  Efficiency: ↓ # of helpdesks; ↓ # desktop/LAN teams; ↓ % of non-compliant websites; ↓ # of applications being evaluated for consolidation; ↓ # of data centers; ↓ # of networks (WANs); ↑ # of websites hosted on Mass.Gov; ↑ % of email users on MassMail
  Effectiveness: ↑ Service availability; ↑ Level of accountability and oversight; ↑ Strategic alignment; ↑ Service reliability; ↑ # of IT services based on industry standard frameworks; ↑ # of formal IT career paths; ↑ # of participants completing ITIL training courses
  Information Security: ↑ Improved security incident reporting and response; ↑ Improved desktop protection and local area network security; ↑ Improved EO504 compliance; ↑ # of security devices to deploy & maintain; ↓ # of physical servers to secure

9/10 Thursday 11:30am Meeting Notes

UNDER EFFICIENCY:
For “Reduced and optimized IT spend per unit” – draft the following 3 case studies:
  MassDOT Email Consolidation – need current state cost analysis from Tan Gopal and Ken Weber
  EOHHS Data Center Pilot Consolidation – not expecting a cost savings, but will need to focus on the value EOHHS will get for the incremental future state cost (e.g., redundant power supply, more secure buildings, other upgrades, etc.)
  EOEEA Portalization (and EOHHS retrospectively as a backup if EEA data not available)
For “Improved purchasing power by combining procurements” – use Oracle $56M savings – reach out to Helen O’Malley for more language

UNDER EFFECTIVENESS:
Under “Improved data sharing capabilities” – be sure to add the following 2-3 anecdotes:
  EOPSS example of overseeing investments together (includes cities and towns)
  Identity management – all 8 Secretariats are now aligned with a common management approach
  EOE DESE CIO recently cited benefit around ARRA efforts – used to think about the information just in terms of compliance and what they are required to report (i.e., the bare minimum), but now are beginning to collectively be more strategic about what kinds of information are collected and monitored
For “Improved ability to align our IT resources with high-level priorities of Secretaries” – add 2 more:
  For now – “Increase accountability and oversight” (e.g., 8 IT Steering Committees newly created balanced with both business and IT representation)
  Maybe for next year – “Increase strategic alignment” (e.g., 8 Annual Secretariat IT Plans to be developed in alignment with Secretariats’ business priorities and the Commonwealth’s 2-Year Strategic IT Plan; # of “leadership coalitions” created)
For “Service reliability” – define this as, “Total # of SLAs and compliance requirements”
For “Increase # of IT services based on industry standard frameworks” – define this as a combination of the % of ITIL processes designed, re-designed, and / or implemented
Sample Quarterly Dashboard
IT Consolidation Program – Quarterly Dashboard
Reporting Period: FY10 – Q2

Efficiency
Goal: To spend and invest in IT more wisely
Measures & Metrics: Trend, Last Qtr, This Qtr, Target State
  # of Helpdesks 48 ___ 8
  # of Desktop & LAN Teams 58
  % of Non-compliant Websites 18% <5%
  # of Apps Consolidated 50 N/A
  # of Data Centers 130 2
  # of Networks 15 1
  % of Mass.Gov Hosted Sites 80% 90%
  % of MassMail Users 71%

Effectiveness
Goal: To deliver our services more reliably, and align our resources per business priorities
Measures & Metrics: Trend, Last Qtr, This Qtr, Target State
  Service availability ___
  Level of accountability and oversight
  Strategic alignment
  Service reliability
  # of services based on ind. stand. frmwks.
  # of formal career paths
  # of ITIL training participants

Information Security
Goal: To secure our information based on industry leading practices
Measures & Metrics: Trend, Last Qtr, This Qtr, Target State
  Security incident rptg & response ___
  Desktop protection & LAN security
  EO504 compliance
  # of security devices to deploy & maintain
  # of physical servers to secure

These now mirror content in Slide 7
* Note: indicates measures that require further definition
Legend: Upward trend; Steady state; Downward trend; Green indicates alignment with goal; Red indicates lack of alignment with goal
Program Benefits Tracking Process – 1st Cut
Here is the high-level benefits tracking process proposed for FY10 implementation beginning this Fall.
Still awaiting feedback / input from 2 pilot secretariats – no feedback / comments received as of 9/20. These details will be worked into the process snapshot here, the supporting training guidance that is forthcoming, as well as the source template that will feed into a standing quarterly report template.
Shaded area indicates the ongoing repeated portion of the process (versus initial ramp-up activities only)
Appendix A: Definitions and Measurement Methods for Program-wide Benefits
Appendix A: Program Benefits Definitions and Measurement Methods – 9/29 Draft Under Development
# Measure Definition Measurement Method Source (both file and person)

M1 # of helpdesks (Secretariat level) IT contact center that includes the associated tools, processes, and staff responsible for providing internal IT services at agreed upon service levels Physical count of total helpdesks providing internal IT services only (i.e., ≥50% of its services are internally focused) Source: Secretariat Consolidation Plans located on CommonWiki Owner: SCIOs (or designate) HHS – Mark Thibault HED – TBD

M2 # of desktop & LAN teams (Secretariat level) Teams who are responsible for: Physical install / move / add / change / support of PCs, state-issued handheld devices, printers (incl. workgroup and multi-function), faxes, network peripherals, phones, and file / print services # of PC images # of PC standards Physical count pulled from identified sources Source: If not already available, pull data on # of images and standards from Desktop and LAN Inventory Template (developed during Phase II of IT Consolidation) HHS – Russ Murray and Agency CIOs (initially) HED – TBD

M3 # of non-compliant websites (Commonwealth level) Those websites hosted on a non-Mass.Gov platform and / or those containing static content that does not match the common look, feel, and IA of Mass.Gov and those websites hosted externally to Mass.Gov Pull from existing identified source Source: Mass.Gov’s Master Inventory of Non-compliant Websites Owner: Sarah Bourne

M4 # of IT app svcs being evaluated for consolidation (Secretariat level) Physical count of selected IT app services Pull from existing identified source; may also want to conduct qtrly touchpoints with app leads in each Secretariat as confirmation Source: Secretariat IT Application Services Inventory Owner: TBD by SCIO HHS – Bob Brennan, DYS CIO

M5 # of data centers (Commonwealth level) Commonwealth enterprise computing resources, with the exception of file and print, in any of the following location types: Raised Floor and/or Cooled Data Centers; Server Rooms; Server/Telecom Closets; and SUDs (‘Servers Under Desks’) Source: High-level Infrastructure Plan (for baseline); unknown source for ongoing updates – potentially the master data request from the DCCWG

In the process of defining source files and “owners” which will feed into the details of the overall process
Appendix A: Program Benefits (continued) Definitions and Measurement Methods – 9/29 Draft Under Development
# Measure Definition Measurement Method Source (both file and person)

M6 # of networks (WANs) Physical count of total WANs Physical count of PBXs and Centrexs Pull from existing identified source Source: Network Architecture Inventory Owner: Office of the CCTO

M7 % of agency sites hosted on Mass.Gov Ratio of non-portalized sites to total # of agency sites Source: Mass.Gov’s Hosting Summary Report (1-pager) Owner: Kerry Conard

M8 % of email users on MassMail Ratio of MassMail users to all Secretariat email users Source: Messaging Team Inventory Owner: Office of the CCAO

M9 Service availability The maximum # of acceptable outages tolerated within an agreed period of time Total # of service outages over time – be sure to specify the period of time that will be used in your calculation Source: TBD Owner: SCIOs (or designate) HHS – Russ Murray and Agency CIOs HED – TBD

M10 Service reliability The total # of related Service Level Objectives (SLOs) in compliance (i.e., not escalated for non-compliance) Total # of SLOs and degree of compliance results – e.g., average X% of compliance requirements met HHS – Agency CIOs

M11 # of IT services based on industry standard frameworks % of 9** target ITIL processes designed / re-designed % of 9 target ITIL processes implemented Service management maturity level Should be compared to the 9 ITIL processes the DCCIO is focusing on; for service mgmt maturity, complete Service Management Maturity Model Assessment Tool developed by Deloitte Consulting Owner: Office of DCCIO

*Note: red font indicates measures still under development or data sources needing identification
** 9 ITIL processes being targeted for implementation across the Commonwealth include: incident mgmt, change mgmt, problem mgmt, asset and config mgmt, request fulfillment, capacity mgmt, financial mgmt, service catalog mgmt, and service level mgmt
Need to identify / validate sources and owners highlighted in red (at both the ITD and Pilot Secretariat levels).
Appendix A: Program Benefits (continued) Definitions and Measurement Methods – 9/3 Draft Under Development
# Measure Definition Measurement Method Source (both file and person)

M12 # of formal IT career paths Total # of new formal IT career paths that flow within the 8 common functional families developed during Phase II of IT Consolidation. Pull directly from HR Change Impact Assessment Tool (also refreshed quarterly) – maintained by Secretariat CHROs / HR Directors Source: TBD Owner: Marcie Desmond and Barb Wooten, Co-chairs for Talent Mgmt Sub-committee

M13 # of participants completing ITIL training courses Total # of individuals who registered, fully participated in, and – where applicable – successfully passed related testing Total # of discrete individuals completing any ITIL-related training courses offered by or through the Commonwealth Owner: Ellen Wright

M14 Security incident rptg & response Under development with CCSO Lag time between reporting timeframe and response timeframe Owner: Office of CCSO

M15 Desktop protection & LAN security TBD

M16 EO504 compliance % of all EO504 compliance requirements met or exceeded since 7/1/2009

M17 # of security devices to deploy & maintain Is there a centralized log tracking the deployment of these across the CMW?

M18 # of physical servers to secure % of all physical servers newly secured per industry standard since 7/1/2009

*Note: red font indicates measures still under development or data sources needing identification
Need to identify / validate sources and owners highlighted in red (at both the ITD and Pilot Secretariat levels).
Appendix B: Consolidation Performance Measures for IT Services (developed during Phase I)
Appendix B: Phase I Consolidation Performance Measures for IT Services
Please identify the source (if any) and the group or person who is currently responsible for maintaining and / or providing this information (or could be in the future)
If a source does not currently exist, please indicate so with a “N/A”
Pilot Secretariat: TBD

Secretariat IT Services
IT Service Type; Efficiency (Reduce cost per unit); Effectiveness (Improve service); Information Security (Protect data); Source; Owner
  Helpdesk # of resolutions per agent % of helpdesk data encrypted across agencies HED – TBD HHS – TBD HHS – Russ Murray and Agency CIOs
  Desktop and LAN # of desktops supported per technician Number of requests delivered by “need-by” date % of Desktop and LAN devices using a security standard
  Website Info Arch Cost per content update request Customer Satisfaction Survey Score # of incidents exposing Personal Information HHS – Sharon Wright
  Application HHS – Bob Brennan

*Note: red font indicates measures still under development or data sources needing identification
Most of these were developed thru the EOHHS Pilot (1 KPI per benefit area), and only the Web ones have since been refined during Phase II
The challenge: most Secretariats do not measure these today, so the baseline is non-existent and comparisons will have to be made from quarter to quarter to illustrate direction alignment (otherwise referred to as “proof”)
The challenge: we struggled with KPIs early in Phase I before the initiative gained momentum; the pilot was somewhat useful in establishing service-specific KPIs, more clarity is needed and a program-wide focus is still needed…
Appendix B: Phase I Consolidation Performance Measures for IT Services (continued)
Please identify the source (if any) and the group or person who is currently responsible for maintaining and / or providing this information (or could be in the future)
If a source does not currently exist, please indicate so with a “N/A”
Pilot Secretariat: TBD

Commonwealth IT Infrastructure Services
IT Service Type; Efficiency (Reduce cost per unit); Effectiveness (Improve service); Information Security (Protect data); Source; Owner
  Data & Telecom % of physical locations on the CMW network # of resources supporting network services ops Avg bandwidth Network availability % of successful network intrusions Mean time to resolve security vulnerabilities
  Data Center % reduction in data center footprint Total # of systems # of systems per resource Data center availability across the CMW # of secure data centers across the CMW
  Website Hosting and Portal # of websites supported per resource # of unique visitors to Mass.Gov* # of website security breaches
  Email and Active Directory Actual cost per mailbox Availability of email svcs # of email msgs penetrating firewalls (incl. spam/malware)

*Note: red font indicates measures still under development or data sources needing identification
Most of these were developed thru the EOHHS Pilot (1 KPI per benefit area), and have since been refined in Phase II by ITD stakeholders
The challenge: most Secretariats do not measure these today, so the baseline is non-existent and comparisons will have to be made from quarter to quarter to illustrate direction alignment (otherwise referred to as “proof”)
The challenge: we struggled with KPIs early in Phase I before the initiative gained momentum; the pilot was somewhat useful in establishing service-specific KPIs, more clarity is needed and a program-wide focus is still needed…
*Note: contingent on cookie policy update.