Friday, January 29, 2010

Information Systems Security Assurance Management at Municipal Software Solutions, Inc. (Report).


Based on an actual company, this case focuses on Business Continuity Planning issues for a small but growing software company, Municipal Software Solutions, Inc. (MSS). The firm experienced a catastrophic fire which completely eliminated all aspects of the information systems infrastructure, including the software product code repository, the client access infrastructure, the hardware operations center, and the software design facility. Fortunately, no one was harmed, and the firm survived despite the fact that it did not have a formal disaster recovery plan in place. MSS was very lucky. The case can be used in conjunction with coverage of risk assessment concepts in the context of the availability component of systems reliability and trust of services management. Accordingly, it is appropriate for use in courses covering information systems security, accounting information systems, or IT audit. [Article copies are available for purchase from InfoSci-on-Demand.com]

Keywords: Business Continuity Planning; Disaster Recovery Planning; Information Assurance Management; Instructional Case


Full Text: COPYRIGHT 2009 IGI Global
INTRODUCTION

Effective disaster recovery planning, execution, and testing are essential to manage the risk of business interruption that arises from a myriad of sources such as fire, natural or manmade disasters, sabotage, or technical or human operational failures. The Municipal Software Services, Inc (MSS) case describes a company that was faced with a catastrophic fire. The MSS case provides a realistic and easy-to-understand context for discussing risk management and systems reliability--two very important topics within the Management Information Systems curriculum.

The MSS case is based on the experiences of a real company. It includes photographs of what fire damage can do to information systems equipment which enhances the realism for the students. The fire at MSS completely eliminated all aspects of the information systems infrastructure, including the software product code repository, the client access infrastructure, the hardware operations center, and the software design facility. Fortunately, no one was harmed, and the firm survived despite the fact that it did not have a formal disaster recovery plan in place. MSS was very lucky. It is often cited that 40 percent of businesses that face a disaster do not reopen, and 25 percent fail within two years. (1)

Information systems and IT auditing textbooks provide students with general information about physical security threats and vulnerabilities and disaster recovery planning. The MSS case provides students with an opportunity to apply that knowledge in a realistic setting.

The MSS case has been used successfully in both undergraduate MIS and accounting courses and graduate level courses in MBA and Master of Professional Accountancy (MPA) programs using two main approaches: reading followed by class discussion, and as a basis for a writing assignment followed by class discussion.

The remainder of the article is organized as follows: Section II provides the case narrative and Section III is the Teaching Note.

MUNICIPAL SOFTWARE SYSTEMS, INC. (2)

Case Introduction

Municipal Software Solutions, Inc., or MSS, is a small, privately held software firm located in Cleveland, OH that supplies tailor made financial and personnel management software for large and small municipal governments in the US and Canada. MSS, Inc. is the acknowledged leader in the municipal software market. Through hard work, price competition, and a superior product, competitors have been reduced from a field of many down to a field with only two strong contenders for dominance. MSS is currently in the lead in terms of market share in the US within this niche industry. MSS revenues range from $2 million to $4 million annually, and the company employs a staff of 21. The firm has evolved over a twenty five year time period from its original inception as a systems consulting business, to a hardware solutions provider, to a LAN networking firm in the early '90s, but has settled into the specialized municipal market software engineering role for well over a decade. This case discusses the firm's business strategy, their operations and organizational structure.

MSS Background

The firm is owned, financed and managed by the 57 year old President, assisted by a senior management staff as shown in Figure 1.

The company's evolution to market leadership is a testament to the excellence of the management team, and in particular to the long range visionary skills of the President and CEO, Paul Teitelbaum. Paul was originally an employee of PricewaterhouseCoopers, with an Industrial Engineering degree from MIT. Early career moves in many large corporations gave him the ability to know and understand complex systems issues from an implementation and operational perspective, both successful and unsuccessful in nature. Paul is a strong personality, tall and thin, and quick to smile. He is also quick to assign credit to others for the firm's success. He is congenial and seems to genuinely enjoy his company, his employees and his business.

Paul spent years growing his business; yet there were several unprofitable years off and on before the company reached its current level of predictably positive revenue streams. In a discussion with the founder, Paul volunteers that some management decisions were made by the "seat of the pants," but the last decade has been one of unprecedented growth and stability. Also, the last decade was one where the senior management team formally selected the vertical market niche and narrow focus of the company into municipal markets. During a strategic planning retreat eight years ago, the senior members of the firm decided to focus on becoming the very best vendor of municipal software management programming available. That strategy has finally paid off for the firm. This tactic was a conscious and targeted approach that would allow the firm to avoid some of the cyclicality of business ups and downs in the manufacturing based Cleveland and Great Lakes regional area that had previously been their commercial client base. Municipal clients, although not glamorous or deep pocketed, usually have stable budgets from year to year, unlike traditional production businesses. Still, although the firm is no longer associated with the more virulent market turbulence of the prior decade, the firm is currently focused in one narrow applications programming niche, with a single targeted product line. Indeed, their software sales eggs are all in one basket.


The President and CEO is approaching retirement sometime in the next five to seven years. The Senior VP has been groomed to step into the senior job, but clearly there are succession issues as in any privately held company. The good news is that the firm may obtain a patent in the next two years from the US Patent Office for a product that would mean that the firm had access to a large asset, perhaps in the $15 million range in value. On the other hand, Municipal Software might not obtain the patent. Some offshore software project work is done in China to save on production costs and reduce cycle times, and copyright and patent protection legal expenses typically run about 10 percent of annual firm expense.



Paul is supported by a loyal management team, many of whom have been at the company for 15 or more years. Two of the senior team members on the technical side are also slated for retirement in the next five to seven years. Most of the staff wear many hats. For example, a person who is in sales may have skills in web design, while an operations manager may also be heavily involved in design or new implementations. Strategic planning is not comprehensive or done on a routine schedule, but it does occur when the senior staff has an off site meeting from time to time to discuss the big picture and future directions. Some of the newer staff are less experienced, but related to Mr. Teitelbaum.

The firm's culture is one that rewards and encourages each team member taking responsibility for their own areas. There is an unusual level of task delegation and assigned individual responsibility at the firm. This directed task ownership is surprising, given that the small company is run by a President with such a forceful personality and personal investment in its success. Many of the employees have community college and local university technical degrees of one type or another, and most of the employees are hard working with a 'can do' kind of attitude. The employees update their skills on a regular basis. The firm routinely makes available new technologies for the employees to test and try out in an effort to allow employees to always be on top of the latest new software and hardware platforms. Many of the employees pride themselves on being technologically astute, and enjoy this aspect of working at the firm. Both hardware and software tools are kept up to date. Employees may seek funding to learn a new technology, and employees are encouraged to learn and understand changes in the high tech environment.

The atmosphere of the firm seems to be a place of quiet professionalism mixed with pride in accomplishment and technical competence. The offices are bright with windows overlooking leafy trees, but have nothing overtly flashy or expensive in terms of furnishings. There is a full kitchen and space for lunch, and on site parking is free. Most employees live in the general area. A bus line is nearby that connects easily to the city, and there are shops handy for ease of accomplishing after work tasks such as picking up the dry cleaning. The firm has two main rooms with a four foot dividing wall between the rooms, and one side is dedicated for operations, while the other side is used for development work. Interactions between operations and development are facilitated by the low, four foot wall dividing the two spaces. Michele is capable in her role of Senior Director of Operations, and part of her responsibilities includes office management duties. The employees seem to be pleasant and get along well with each other as they do their work. The programmers interact with the technical customer representatives, so new product code writing reflects the issues that the customers may have raised with the reps. Over the years, the product has improved and strengthened as this iterative process has unfolded. It can be argued that the MSS software is leading in the market segment due to its superior software design.

Cash flow, sometimes a major issue for small companies, seems to be under control and well managed, although there were problems with cash flow in the firm's earlier, growth years. Outside financing has been kept to a minimum, allowing the President and CEO to retain full ownership of the firm and of its senior management structure. Teitelbaum is sole owner, and debt is currently kept very low. There is a small business line of credit to cover bumps in customer payments, although Municipal Software makes an effort to not access that financial tool.

Software Development at MSS, Inc.

The software development processes seem to occur in a library like atmosphere, and, to a large degree, client crises and emergencies are few and far between. It is no surprise that this firm has established itself as the leader, given the level of professionalism in the corporate offices.

The software product runs on the municipal servers, thus reducing the network push requirements from the MSS, Inc. server room. At present, the firm has 95 clients, with a current "hot" list of five major, significant deals in process. In 2004, the company had 80 clients. Marketing occurs with an emphasis on word of mouth and a heavy presence at trade shows within the specialized market for their product. The company is known for offering and delivering a high quality product at a fair price, but they are not usually the low cost vendor. The company is also known for professionalism in the areas of support and for product development. Early in the client life cycle, the client will require a three day to one week long site visit, intense home office support, and some degree of customization work to fit the product to the municipal location needs. Income before expenses runs between approximately $150,000 to $200,000 per month, with some minor issues related to the smoothness of payments and cash flow. The billing cycle follows the classic model, with one third of billings from new license fees, one third from the annual license fee, and one third for time and billing for software customization and special project work for clients.

MSS products originally ran in the DOS environment with Paradox, evolved to an Access platform running in Windows, and now are built using a Microsoft approach with SQL, VB and ASP.net, giving users a friendly web based front end for simplicity of data access. The CEO believes that it is easier to sell a Microsoft based product, given the nature of their client base and their typically non technical boards of directors. This strategy is a marketing decision because any non-Microsoft platform requires too much explaining to the potential buyers, according to Paul. Nearly 85 percent of clients host their own MSS products on their own municipal servers, but smaller municipalities operate on MSS servers behind a Citrix server in a classic DMZ arrangement, after running through a firewall for the remote host solution on the firm's public web server. Brian Elkins and Andy Katula believe that their back end heavy applications run far too slowly in the remote hosted environment, but offer the hosted solution as a courtesy to smaller (less than 10 users) locations. Still, Paul Teitelbaum offers that he feels that their hosted clients are an investment in the future. Servicing the smaller clients is a way of leveraging already expended intellectual capital for very little cash outlay, although these clients do not contribute to revenues in any significant way for the firm, as shown in Figure 2.

Disaster Strikes at MSS



On the morning of July 11, 2004, a Sunday, Teitelbaum was out of town. Brian Elkins received an early morning call that a fire originating in another business had swept through the MSS rental offices, destroying the server room completely. He did not call Andrew Katula, who had responsibility for backups, but rather jumped in his car and drove to Andy's home to see if he had done the backups of all data, applications and servers. Andy was at home, out in the yard cutting the grass. Brian ran up to Andy and said, "Tell me you have backups?" Teitelbaum's first question after hearing the news was also to ask about the status of the backup tapes. He knew that the future of his small firm rested in the answer to that question. Fortunately, every night for years and years, Mr. Katula had done a full backup of all systems at the end of the day. He used a variety of backup tools, including a 40 Gigabit Exabyte drive, 40 Gigabit Seagate tape drives, and two older type tape drives. Each backup device was assigned to different files, and these tapes were taken home each evening by Mr. Katula for safekeeping off the premises. When Brian and Andy went to the MSS offices, they saw complete devastation at the software company's offices as shown in Figure 3.

Teitelbaum returned from out of town by late afternoon that Sunday, and the employees met in the parking lot on Monday morning at the burned out office building to determine the best course of action. Teitelbaum's instructions to his employees were that they were to take charge of their assigned responsibilities, and to complete their aspect of the reconstruction tasks without asking for permission from anyone. For example, Brian went to Sam's Club and bought new servers and 8 personal computers. Michele met with Verizon and forwarded the central office line to a designated employee's cell phone who then routed the calls appropriately. In fact, it was almost a year before most clients were even aware that the company had had a fire. Teitelbaum met with a business associate with seasonally available extra office space, and a short term rental agreement was written out and signed on a paper restaurant placemat. Teitelbaum and the business owner with the office space had made an informal agreement years earlier that they would agree to work together if problems arose in either of their firms. On Tuesday morning, employees met at Teitelbaum's house for a logistics meeting. Remarkably, by Thursday morning, employees were at their desks in a new, temporary office space with fully functioning phones, servers, computers and management structure, having answered client questions from their cell phones over the prior few days. Although MSS was insured, Paul Teitelbaum estimated that uncompensated losses from the fire were about $30,000. He stated in an interview that he was fortunate that the company had enough resources to make the payments that were necessary to keep the firm functioning before the insurance checks were received. MSS spent about $68,000 in unexpected expenditures within the two week timeframe after the fire, including expenditures on laptops for employees, a new server, and office equipment. Teitelbaum also believed that his suppliers went over and above normal response times because the company had experienced a fire, and he was impressed with this.





The new server room is constructed with space between the servers in the racks for air cooling, and two temperature sensors are installed in the server room to monitor for excessive threshold temperatures, as shown in Figure 4.


If a temperature threshold is exceeded, special fans are switched on and an alarm is triggered, although no fire suppression equipment is located in the switch room itself. The servers are single purpose only, and the phone switch choice was driven by the phones that had to be purchased to work at the temporary office location, an Avaya system.

Continuing Challenges



Today, the firm continues to lead in the municipal software markets in the United States, and is well poised to continue to land new and larger clients in many areas of the country. International products are under consideration in the same market niche, and the US Patent Office has been attentive and receptive about the patent pending information for an MSS product design for seven years. Teitelbaum is increasingly absent on international travels with his wife, and no firm succession plans have been established. The company must decide on the next technological platform to use going forward, including their use of web hosting and web services. At the new location, Andy still backs up each evening, and he still takes the tapes home for safekeeping. Perhaps that continues to be a good strategy for MSS, Inc., as the server room ceiling has several sets of marks indicating probable, earlier water damage over the rack mounts for the dedicated mail server, application server and web server, as well as the firewall equipment.

Requirements

Evaluate the effectiveness of disaster recovery planning at MSS, Inc. Provide a qualitative assessment of the potential business impact of any weaknesses noted and make a convincing argument to support any recommendations you make. Also, identify and discuss any other business issues that may affect MSS's future viability, referring to Figure 5.






ENDNOTES

(1) US Chamber of Commerce, Business Civic Leadership Center, "The Corporate Citizen," August, 2003, see: http://www.uschamber.com/bclc/resources/newsletter/2003/0308fulltext.htm.

(2) Note: The name of the company, the names of the employees and the nature of the software sales have been disguised to protect the anonymity of this privately held firm. Otherwise, all other details are accurate and true. The authors wish to express their appreciation for the "MSS, Inc." employees, who gave up time for several interviews about the case.

Virginia Franke Kleist, West Virginia University, USA

Bonnie Morris, West Virginia University, USA

James W. Denton, West Virginia University, USA

Virginia Franke Kleist is an associate professor at the College of Business and Economics at West Virginia University. Her research area includes investigating the information goods industries and cost versus benefit issues of biometrics, network security and knowledge management technologies. Recent publications include work on modeling technological based electronic trust and security in the digital economy and research on the adoption, assessment and payoff of electronic information systems projects. She holds a BA from Duke University in economics, an MBA from Marquette University, and an MA in economics, MS in MIS and PhD in MIS and telecommunications from the University of Pittsburgh. Dr. Kleist spent 10 years as a manager of technology systems applications, including responsibility for multimillion dollar budgets and 24/7 operations. Dr. Kleist was awarded the 2000 ICIS Best Doctoral Dissertation Award, the 2003 WVU Foundation Outstanding Teaching Award, and was recently the Chair of the WVU Faculty Senate.

Bonnie Morris is the Co-Mart professor of accounting information systems in the College of Business and Economics at West Virginia University. Dr. Morris' research interests are in the areas of forensic accounting, IT audit, and privacy policy compliance. Recent research projects have focused on continuous auditing, privacy issues, auditing electronic data interchange (EDI) systems, financial EDI, and case-based reasoning systems for auditing and financial statement analysis. She teaches courses in accounting systems, information systems auditing, and fraud data analysis. Dr. Morris holds a PhD in accounting with a minor in artificial intelligence from the University of Pittsburgh, as well as an MBA from the University of Pittsburgh and a BA in mathematics from West Virginia University.

James W. Denton is an associate professor in the College of Business and Economics at West Virginia University where he has taught courses in basic information systems, programming, operations research and operations management. Prior to receiving his PhD from Kent State University, Dr. Denton worked in Engineering and Quality Assurance in several industrial settings. He has previously published research on neural networks and information systems education in the Journal of Computer Information Systems, the European Journal of Operational Research, Accounting, Management, and Information Technologies, the Journal of Information Systems Education and others.

Source Citation
Kleist, Virginia Franke, Bonnie Morris, and James W. Denton. "Information Systems Security Assurance Management at Municipal Software Solutions, Inc." International Journal of Information Security and Privacy 3.2 (2009): 1+. Computer Database. Web. 29 Jan. 2010.
