Sunday, June 21, 2009

Chapter 15 Article: "Issue: Getting Along with Suppliers" from Business Week (2 September 2008)


Travel agencies have done well with developing internet travel sites such as Expedia.com to allow customers to book their leisure or business travel at a great price anywhere in the world. However, this advancement for the travel industry did come about without a reformed centralized global business strategy. InterActive Corporation, Chairman Barry Diller, acquired Expedia.com and became successful along with other travel discounters like Hotels.com and Hotwire in the post 9/11 travel slump where hotels needed to unload their empty rooms at low prices.

However, by 2005, the travel industry became more prominent and hotels were less inclined to offer low deals. The new company Expedia started their business without the best relations with its suppliers. About this time, Hotels.com had taken an aggressive approach with their hotel suppliers. Expedia adopted these practices too. If the hotel companies refrained from paying higher margins, then they would not get equal treatment on the travel sites. This approach to doing business strained supplier relationships.

Besides the strained relationship, Expedia had 15 different groups that worked externally with suppliers. Each group performed their own independent negotiations or contracts that fit the needs of that unit. Thus, large global hotel chains would need to work with 15 different Expedias. The hotels viewed these groups with uncertainty because of the chaotic nature in which to conduct business.

By the end of 2005, several hotel suppliers threatened to withdraw from Expedia. The hotels said that they would rather risk losing revenue than do business with Expedia.

Investors were hearing the frustrations from suppliers, so Paul Brown, president of Expedia North America, met with his senior managers and stated clearly that they needed to bring a new business strategy to their current operations if the company was to survive in the long term. He said, "If we don't have good inventory and great prices on our shelves, our customers proposition will erode over time."

Expedia decided to form a central group that could smooth out relationships with suppliers so as to alleviate the negative perceptions. The company formed a single entity that allowed Expedia to present one face to hotel chains that complained about having to deal with 15 different Expedias. This new approach gave Expedia an overall view of each hotel chain's total business. To make the new central "partner services group" work, the team had to spend a lot of time meeting with Expedia country heads, account managers, and hotel representatives in different global markets to gather their concerns. New experts from the airline and hotel industry were brought in to identify standard metrics and policies that could be implemented across the company. Thus, all of the employees working in different parts of the business were accountable to the same performance standards.

Three years after implementing a centralized business group for Expedia, supplier relationships have certainly strengthened based on mutual trust that allowed the company to grow. About 11,000 new merchant hotels have been added to Expedia's inventory and its price competitiveness has remained strong. Paul Brown is pleased that the company offers the broadest selections and the best inventory. The outcome of a new global systems strategy has allowed the company to become more competitive in the global market and it happened with having the right relationships with suppliers as mentioned in Chapter 15 of the where the core business processes need to be clearly defined.

Reference: Jena McGregor (2008, September 2). Issue: Getting Along with Suppliers. Business Week. Retrieved from: http://www.businessweek.com/managing/content/sep2008/ca2008092_371191.htm

Chapter 15 Case Study: Nestle Tries for All-for-One Global Strategy

Question #2: What type of global business and systems strategy did Nestle adopt? Was this strategy appropriate for Nestle's business model?

Based on the case study, it appears that Nestle initially adopted a multinational decentralized strategy that concentrates financial management and control out of a central home base while decentralizing production, sales, and marketing options to business units in other countries. The products and services on sale in different countries are adapted to suit local market conditions. However, this strategy was not appropriate for Nestle's business model because the inconsistencies and inefficiencies of 14 countries using an older enterprise resource planning software resulted in diminishing profits for the company.

Question #3: What management, organization, and technology challenges did Nestle have to deal with to standardize its business process and systems?

Management determined that a decentralized strategy of 80 different information technology units running multiple midrange computers created inefficiencies and extra costs that prevented the company from competing effectively in electronic commerce. Facilities in 14 countries all ran software differently, using different schemes for formatting data and management forms. The challenge was to launch a $2.4 billion initiative to compel market heads around the world to adopt a single set of business processes and systems for procurement, distribution, and sales management. As a result, Nestle launched Global Business Excellence (GLOBE), which would harmonize processes, standardize data, and standardize systems. All of Nestle's worldwide business units were to use the same processes for making sales, commitments, establishing factory production schedules, billing customers, compiling management reports, and reporting financial units. The greatest challenge of GLOBE was more personal: implementing a policy that would be accepted by the highest-ranking executives. Managers resisted the idea of giving up control of their business processes to participate in a centralized solution.


Question #4: What strategies did Nestle management use to deal with these challenges? How successful were these strategies? Explain your answer.

Chris Johnson, who was in charge of Nestle's Taiwan market, was asked to lead the GLOBE initiative. In July 2000, Johnson formed a team of 12 senior executives with various backgrounds to help establish a GLOBE policy of converting 70 percent of the business to a common set of practices and systems by December 2003. However, the schedule was changed to establish a GLOBE-enabled organization by the end of 2005 rather than 2003. Johnson expanded his team to 400 executives with diverse backgrounds at Nestle covering 40 different countries. The core group formulated a GLOBE Best Practices Library and documented the best way to perform their core processes based on their initial weaknesses.

The biggest challenge was not a technical one, but a personal one, because many of the high-ranking executives were reluctant to give up their decision-making authority. Johnson met with executives and market heads several times until the managers eventually endorsed the benefits of GLOBE. To help the rollouts, Johnson asked each country to name a GLOBE manager who would facilitate the operation and adoption. There were some technical challenges along the way, and by the end of 2005, Nestle had converted 30 percent of its business to GLOBE. Each country has a data manager to ensure that data entering GLOBE's streamlined data centers are accurate and complete. Despite the challenges, Nestle has successfully implemented its goal of standardizing all processes, data, and systems so as to better serve its customers. I think that the strategies implemented were successful because Johnson succeeded in changing the culture of the various business units. The benefits of applying GLOBE at Nestle have provided a more efficient business model, reduced maintenance costs, and gained profits. This strategic approach has resulted in a better use of global supply chain management.

Saturday, June 6, 2009

Article: What's Your Company's Risk Culture? (Business Week, May 2009)


CEOs and top managers take considerable interest in their company's risk management programs. They make assessments to identify the most significant risk factors that challenge their organization and focus on updating their risk mitigation plans. However, one key factor that is not always considered in their risk management program is the "risk culture." It is a critical element of risk management that top managers should understand. Risk culture influences how managers and employees make decisions based on risks and benefits.

A company's risk culture is a critical element that can ensure that "doing the right thing" wins over "doing what it takes." Based on results from a KPMG International survey, more than half of corporate Board members and internal auditors said that their company's employees have little or no understanding of how risk exposures should be assessed for impact to their organization. One-third of the respondents said that the key leaders in their organization have no formal training in risk management or guidance. Thus, employees need to understand how to make educated risk-related decisions to ensure that risk behavior is consistent throughout the organization. Managers and employees without training will be unable to apply critical thinking and judgment to make better decisions. A strong risk culture results in a more collaborative enterprise that benefits the survivability of the organization.

There are several steps that Board members need to take to assert risk culture. First, the management team needs to establish the true "tone at the top" and "in the middle." The management team needs to establish good leaders who can set the example that others will follow. Leadership is a real driver for changing the risk culture. Management needs to follow their own risk management policies so that the employees can fully understand that non-compliant behavior will not be tolerated.

Second, leadership must effectively communicate acceptable ethical behavior throughout all levels of the organization. Ethical behavior is a key element of a strong risk culture. A Code of Conduct should establish the organization's core values, ethical standards and expectations for its employees. It can introduce how risk management should be incorporated in the day-to-day conduct of employees.

Third, organizations can build a strong risk culture using a consistent and repeatable approach to risk when making key business decisions. This approach includes a discussion of risk and a review of risk scenarios that help management and Board members understand the inter-relationship and impacts of risks. A discussion of risk in the formal decision-making process can help executives feel more comfortable about the decisions they make, thus allowing them to make more assertive decisions.

A company with a strong risk culture means that the employees are aware of what the company stands for and the boundaries in which they can operate. They should be allowed to address risks openly in a formal discussion, thus helping managers achieve the company's long-term strategic goals. A risk culture that can be communicated effectively to all employees as part of their daily responsibilities is critical to the company's success and survival.

The article has some key recommendations to manage risk through mitigating a risk culture within the organization. It is closely related to the concept of implementation, where the development team of a new information system requires technical experience of risk management. The concept of making changes to human behavior is significant to making project management work more effectively.

Reference: Farrell, John Michael and Angela Hoon, What's Your Company's Risk Culture? Business Week, 12 May 2009.
Website: http://www.businessweek.com/managing/content/may2009/ca20090512_720476.htm

Friday, June 5, 2009

Ch 13 Case Study: Can the U.S. Army Reserve Pay Soldiers Correctly?


Question #1: Write a systems analysis report about the U.S. Army pay system. What have been the problems with existing systems? What management, organization, and technology factors caused the problems? What was the impact of these problems? What are the objectives and information requirements of a new systems solution?

System Analysis Report: Defines the problem, identifies its causes, specifies the solution, and identifies the information requirements that must be met by a system solution.

(1) Problems with existing systems: The Defense Finance and Accounting Service (DFAS) uses the Defense Joint Military Pay System (DJMS), which consists of separate systems for active duty and reserves that were not working well together. The Web-based Regional Level Application Software system, which tracked when reservists participated in their drills, which skills they learned, and how long they were called up on active duty, is supposed to work with the DJMS, but the two systems were not well integrated. As a result, there were inconsistencies in payment of reservists with injuries and non-injuries as well as hazardous and non-hazardous pay.

(2) Factors causing the problems: Legacy systems required constant changes and patches that had already been applied, and a lack of documentation. Thus, this is a configuration management issue. Updating payroll software with DFAS required manual updates to records which caused more data-entry errors. Implementing a new system in 2006 called the Defense Integrated Military Human Resources System (DIMHRS) was delayed as a result of multiple agencies having influence on management of the project and inconsistent support from senior management. There was a substantial turnover of leadership and a lack of understanding of the goals of the program.

(3) Impact of the Problems: DFAS workarounds and temporary fixes proved to be unreliable because there were still inconsistencies in payment of soldiers who had moved from hazardous duty to un-hazardous duty. There were still problems with unit commanders not being able to report changes in a timely manner, so there were still mistakes with manual data entry, thus further delaying automated processing. The impact of the problem is that the reservists were not paid appropriately for their length of time served and whether the duty was hazardous or non-hazardous.

(4) The objectives and information requirements of a new system solution are to provide clear Leave and Earnings Statements for soldiers, instantaneous updating of pay records, and better capabilities for updating state tax rates. DFAS rolled out the Forward Compatibility Payroll (FCP) as an interim solution until a more comprehensive solution could be rolled out. This provided a more automated solution to keep track of mobilization of soldiers called up for active duty.

Question #2: As part of your report, diagram the Forward Compatible Payroll business process for paying Army reservists. How should this process be improved?

Forward Compatible Payroll Process
Step (1): Army Reservist - Provide hazardous duty status and mobilization orders to company commander.

Step (2): Company Commanders - Submit a hard copy of mobilization order to administrator.

Step (3): Financial Administrator - input beginning and ending dates of deployment. Update mobilization application into web browser. Submit pay rate report to company commanders for approval.

Step (4): Company Commanders - Review and sign pay rate. Submit approval report to Administrator.

Step (5): Administrator - Makes updates to the personnel system in the Web browser. Submits pay rate into the Microsoft SQL Server database at Reserve HQ at Fort McPherson, GA.

Step (6): SQL Server - Formats data so that the Reserve Payroll System can process data.

Step (7): Pay Process Center Staff - Uses Web browser software to upload local server and review pay records. They review and export soldier tour of duty dates and pay data to Reserve payroll system.

Step (8): Reserve Payroll System - Pays soldiers.

The system can be improved by making changes into the payroll and personnel that are permanent. The DIMHRS should be capable of replacing 30 legacy applications in the Army branch of the Armed Forces. The Defense Department needs to take immediate action to ensure that the payroll system is fully functional to reduce the number of mistakes.

Question #3: Describe the role of end users and technical specialists in analyzing the problem and developing a solution.

End users and technical specialists should be allowed to participate in the way the payroll system is upgraded. The project management team should work extensively with Northrop Grumman to establish a configuration management plan. The software development phases should include dates where end users can provide immediate feedback to the developers of the system. The Government should establish a configuration control board where the fixes and enhancements can be fully implemented into the payroll system. This process will allow for immediate improvements to the system and give the Army reservists the pay they are entitled to.

Saturday, May 30, 2009

Article: Harrah’s Use of Business Intelligence Software to Improve Customer Loyalty and Operations



Harrah’s Entertainment, Inc. is the world’s largest gaming company, with more than 80,000 employees. It operates several branded casino entertainment properties under the Harrah’s, Caesars, and Horseshoe brand names domestically and internationally. The company has grown through development of new properties, expansions, and acquisitions since it started in Reno, Nevada about 70 years ago. Harrah’s is committed to building loyalty and value with its customers through great service, operational excellence, and technical leadership. The need to attract and retain customers is critical to its success because customer loyalty can make or break a business. Harrah’s has succeeded in gathering data about its 40 million customers through its Total Rewards program, which keeps track of guest activities from restaurants to gaming tables and slot machines at any of its brand name casinos. It rewards guests with customer incentives by offering free room nights, free shows, free dining, and free gifts. Harrah’s already collects high volumes of transactions made by its customers. Harrah’s biggest challenge is to understand, analyze, and leverage raw data to maximize the lifetime value of its customers, ultimately maximizing the return on investment and better planning its strategic growth.

Harrah’s needed a system that could be managed from a central location and accessible from any of its properties and newly acquired companies. The solution needed to be user friendly for its corporate and property-level managers, and provide insights and analysis that could be applied to performance metrics at any of its properties.

As a result, the company chose to invest into Teradata and IBM Cognos Business Intelligence software to establish a closed-loop marketing system and to better achieve its marketing and customer loyalty and improve its business operations. Teradata is a single enterprise data warehouse and IBM Cognos business intelligence software allows users to drill further and deeper into customer data.
The company can now better profile and segment customers and use the data to develop targeted market strategies to drive customer behavior. For example, Harrah’s might reach out to customers who have not visited their property in more than six months and offer them incentives to bring them back to their favorite property. Through the use of IBM Cognos business intelligence solutions, managers can acquire detailed reporting and analysis capabilities that can be used to measure the effectiveness of new marketing campaigns against control groups. Specifically, the closed-loop system helps the organization with all aspects of the campaign, such as identifying and segmenting customers, implementing marketing strategies, tracking execution, documenting incentives, and measuring effectiveness.

Harrah’s has successfully deployed the IBM Cognos software from its corporate data center and provides access to the data from any property site. The intuitive interface made it easier for managers to interact with the software regardless of software experience. Thus, the company has developed standard marketing campaigns that drive activities for specific customer segments. Individual property managers can access these programs to determine which of the campaigns or combinations of campaigns can achieve their business operation goals for their specific location.

The implementation of this business intelligence software has resulted in more focused communication with customers, thus achieving better customer relationships. As a result of Harrah’s deployment of the system, customer spending has increased from 30 percent to nearly 50 percent. The outcome is that Harrah’s has cut down on employment costs by avoiding hiring new analysts on their properties. The centralized deployment strategy has made it easier for the company to identify new locations and support future growth and acquisitions. Harrah’s now has the ability to analyze historical data to predict future performance of its marketing campaigns, which is a critical factor in sustaining a competitive market advantage.

Reference: IBM Case Study, Harrah's Entertainment, Inc., 27 February 2009.
Website: http://www-01.ibm.com/software/success/cssdb.nsf/cs/LWIS-7PNLEC?OpenDocument&Site=cognos&cty=en_us

Chapter 11 Case Study: Can Knowledge Systems Help Boeing Trounce Airbus?


Question #2: What is the relationship of knowledge management to Boeing's business strategy? How is Boeing using knowledge management systems to execute its business model and business strategy?

Knowledge management, which is the set of business processes developed to create, store, transfer, and apply knowledge closely resembles Boeing's business strategy. Boeing's strategy is to fly travelers from their own city nonstop to their destination using smaller airplanes that will fly quickly and inexpensively, enabling passengers to fly nonstop from departure to destination, thus bypassing the larger hubs. Boeing sees a strong expansion of smaller jet sales rather than larger jumbo jets sales that Airbus is developing.
Boeing implemented a "paperless design" model to replace its manual design and computerize the design and production of its 777 aircraft. The Boeing 777 carries 300 to 400 passengers at lower operating and maintenance costs, lower fuel costs, and lighter materials. Boeing implemented the Dassault Systèmes CATIA computer-aided design software to enable engineers to access any of the airplane's parts, modify them, and fit them into the surrounding structure. This allows other engineers to make adjustments without making extensive modifications. The airplane was designed entirely on a computer screen and assembled without expensive mock-up models. The implementation of computer-aided design (CAD) software is an example of a knowledge work system.


Question #3: Evaluate Boeing's new business strategy. What management, organization, and technology issues will Boeing face as it attempts to implement the strategy? What role will knowledge management play in this strategy? How successful will Boeing be in pursuing this strategy?

Boeing's new business strategy was to lower costs by using technology to reform inefficient business process. Boeing's plan was to roll out the 787 aircraft using a new production process of outsourcing the design and construction of about 80 percent of the aircraft to hundreds of other companies outside the United States. Boeing and its key suppliers are using software that allows designers to collaborate in designing components and manufacturing processes. Instead of airplanes being produced under one facility, the 787 is being built in a modular assembly process.
Although Boeing implemented the Dassault Systèmes software to help manage its global supply chain, the system required additional features in its planning and design software. Boeing expanded its use of Dassault's version 5 Product Life Cycle Management software from 1,000 to 6,000 licenses. These software tools enable designers to use a single set of data and to digitally simulate the plane's life cycle from design through production, modeling changes in design so as to reduce errors and eliminate redundancy of work. Outsourcing the 787 required Dassault to improve integration of its CATIA, Enovia, and Delmia modules for Boeing. Boeing needed custom tools to handle designs with carbon-fiber composite materials. Thus, the role of knowledge management is to quickly resolve issues from significant technical and production problems that could threaten the delivery of the 787. Software programs designed by a variety of vendors had trouble "talking" to one another.
I am uncertain if Boeing will be able to successfully implement their new business strategy of outsourcing their new airplane design and production because of the required software updates and the lack of communication among the vendors' software solutions.

Question #4: Using the facts presented in this case, what role has knowledge management played in Airbus's business strategy and business performance?

For Airbus, the role of knowledge management was to launch its A380 jumbo jet to meet the predicted demand of an increased mass of passengers without increasing operational costs. It envisions a hub-and-spoke model of air travel where jumbo jets transport passengers to a small number of hub cities where passengers can transfer to smaller connecting flights to their destinations. However, the application of knowledge management was not fully implemented to better streamline the design and production of the A380. Airbus announced later delivery schedules due to the complexity required to wire the aircraft for in-flight entertainment and communication units requested by airlines. There appear to be issues with supply chain management at Airbus, because any design changes to wiring result in further delays. Airbus ran into other issues with design changes to the A350 to widen its cabin and windows and provide appropriate cabin humidity. The A350 is not expected to enter service until the year 2012, four years after the 787 is rolled out. Thus, Airbus did not address knowledge management as adequately as Boeing. The outcome is that the business performance is not going to meet its customers' expectations unless significant knowledge management is implemented to streamline the production process.

Saturday, May 16, 2009

Article: MLB's Real Competitive Advantage by Jay Yarow, Business Week (2 September 2008).


The article describes how Major League Baseball Advanced Media (MLBAM), an interactive media and internet company, has helped Major League Baseball (MLB) to become a profitable business both through e-commerce and m-commerce. MLB makes about $450 million per year. About half of the income comes from fans that pay $120 per season to watch games live over the Internet. The rest of the income comes from advertising of free content related to major league baseball teams. The business has grown significantly for MLB which is roughly $6 billion in total revenues. The market strategy for MLB is the implementation of online content business. MLB.com offers fans complete baseball information on the web such as up-to-date statistics, game summaries, historical background of the ball players, MLB events and programs, ticket sales, baseball memorabilia and collectibles, fantasy games, video webcasts of every game, and real-time pitch-by-pitch enactments of every game. The MLB Website offers more live events on the Internet than any other game in the world. Bob Bowman who is chief executive at MLBAM said, “Somehow the strategy of putting baseball games on every device that has a plug or a battery has worked for the business partners. Even more important, it has worked for our fans.”

MLBAM is now focused on mobile phones as the next big opportunity for revenue. It has already built customized applications for a number of phones such as the BlackBerry from Research In Motion (RIMM). As of September 2008, MLBAM had implemented software that allowed iPhone users to acquire statistics from the Gameday Web site. This technology is likely to be followed by similar applications for other phones such as Nokia, Motorola, and Sony-Ericsson. MLBAM hired a separate team to design mobile Web sites and applications. The MLB mobile site now receives more than 10 million page views per day and it has more than 25 mobile applications. Right now the revenue generated from mobile phones is roughly $10 to $12 million, so it is not a significant business for MLB. However, the revenue from mobile technology is expected to increase, as Bowman mentioned, “I’m not sure it is for anyone, but those days will come.”

MLBAM understands that it could increase revenue from advertising if it develops a strategy for placing ads on its mobile Websites. However, it is still trying to determine the best course of action. They determined that advertising for wireless mobile phones is not robust because of the small screen, but as the technology becomes further developed, and the video becomes easier to use on all devices, then the technology will certainly become more profitable. Bowman’s strategy is that “If you serve the fans, you care of your business.” As a result, MLBAM will most likely become the lead in sports entertainment through m-commerce.

I like the article because I am a fan of Major League Baseball. I have made several trips to Dodgers Stadium. The technology described will certainly help me to better understand the significance of MLBAM through the internet to better provide mobile service to series fans.

Reference: Jay Yarow, "MLB's Real Competitive Advantage," Business Week Online, September 2, 2008, p26. Website: http://www.businessweek.com/technology/content/aug2008/tc20080828_061722.htm.

Case Study: Limited Brands Consolidates Its Supply Chain Management


Question #1: Describe the supply chain management problems encountered by Limited Brands in this case. What was their business impact?

One of the significant supply chain management problems occurred when a traffic jam of 400 merchandise trailers moved into a distribution center parking lot that was only designated to hold 150 trailers. This logistics problem caused a major bottleneck along a main highway. The problem was amplified when it created a public relations issue at the beginning of a sales period. The problem occurred because planning systems were poor, corporate executives made assumptions, and different segments of the enterprise were not communicating with each other. There was no accountability or tracking of the original inventory. The impact on business is the loss of sales revenue to the company. Another problem identified was that sixty major systems were already in place with hundreds of applications running on a variety of platforms such as computers and servers from IBM, Hewlett-Packard, Sun Microsystems, and Tandem. As a result, it was difficult to make supply chain information flow between applications to coordinate with the supply chain of Limited Brands. The business impact was the lack of an enterprise-wide view of the supply chain.

Question #2: What management, organization, and technology factors were responsible for these problems?

Management factors include a lack of visibility of inventory, lack of adequate tracking of inventory, lack of adequate communications, and a lack of an enterprise view of the supply chain. Organizational factors were a lack of infrastructure flexibility, such as scheduling issues and processing delays resulting from overly simple point-to-point interfaces that linked one system to another. For example, a shipping facility needs to be linked to a distribution center. The software interfaces were hard-wired point-by-point to different application programming interfaces (APIs). Data was transmitted between one system and another on a batch schedule, thus lacking infrastructure flexibility. Technological factors included a lack of real-time reporting and communications with delivery agents. Another technological factor was a broken segment of its brand’s technology operations under a central tracking system.

Question #3: How did Limited Brands solve these problems? What management, organization, and technology issues were addressed by the solution?

Rick Jackson, Executive Vice President of Limited Logistics Services (LLS), which supplies global logistics management and leadership for the supply chains used by Limited Brands, launched several cross-functional projects to enhance their credibility. They built regional docking centers on the East Coast and the West Coast to distribute products directly to stores, thus reducing costs and time by as much as 10 days. Tibco, the leading vendor of enterprise application integration software, was contracted to develop a global application platform for Limited Brands. The outcome is that the newly developed technology helped to improve the company’s ability to track and manage the flow of information through its worldwide supply chain. Another solution was that Tibco worked in coordination with Limited Brands to install real-time reporting and communications with delivery agents. They integrated the supply chain accountability and reporting (OSCAR) application with the logistics applications. This allowed new delivery agents to enter the supply chain, thus making the network more flexible. This technology allowed for enhanced shipment tracking and order visibility for Limited Brands’ partners using a booking information module.

The management, organizational, and technology issues were resolved through these solutions. The impact on the supply chain was that it was better aligned with the goals of the board members and with the shareholders. The outcome was that the supply chain became more focused on the needs of the customers, thus improving overall profitability.

Thursday, April 23, 2009

Article: U.S. Government Calls for Better RFID Security by Jon Brodkin, PC World


In this article appearing in PC World, the U.S. Government stated that the use of RFID devices by firms can create security and privacy risks. Thus, best practices should be implemented by retailers, manufacturers, hospitals, and federal agencies to alleviate security risks. The primary concern is that, unlike desktop computers or other devices overseen by a company's network security crew, an RFID tag may be used by multiple firms. That is, one firm may use different techniques to maintain its chain of custody than other firms. The National Institute of Standards and Technology (NIST) of the Department of Commerce released a report that mentions how suppliers, manufacturers, retailers, and different organizations acquire the same data from RFID tags throughout their lifecycle, but do not implement an adequate security policy to protect the data from unauthorized personnel. This situation raises privacy and security risks.

The released publication is called "Guidelines for Securing Radio Frequency Identification (RFID) Systems." Its recommendations are: (1) Use firewalls to separate RFID databases from other databases and IT systems; (2) Encrypt radio signals when possible; (3) Authenticate approved users of RFID systems; (4) Shield RFID tags or tag reading areas with metal screens or films to prevent unauthorized access of tag readers; (5) Use managed audit procedures, logging and time stamping to help detect a breach of security; (6) Implement a procedure for tag disposal and recycling that permanently disables or destroys sensitive data.

The report was mandated by Congress under the Federal Information Security Management Act of 2002. Besides the retail industry, RFID devices are used in hospitals to match patients to lab test results. This raises a concern about unauthorized personnel who can capture sensitive data. During handling and transportation of hazardous materials, RFID tags are handled by a number of organizations to track the materials. However, the risks are rather significant because of potential threats to target vehicles containing hazardous materials; eavesdrop on tag transactions to gather information on the characteristics of the materials; damage or disable a tag, making it easier to steal or change manifest data stored on the tag. Ultimately, this risk to security of hazardous material transport could be devastating to the organization or to the community.

As a result, the recommendation is to shield vehicles and containers from electromagnetic emissions, establish a 300 ft perimeter around storage locations, and use passwords to prevent unauthorized personnel from reading tags or changing information on the tags. The report states that, as a general rule, tagged items should be identified only before products are transported out to their destinations and when products are received at their destination and inventory storage, but not during vehicle transport. The challenge to supply chain management is that only authorized personnel should have access to RFID information and that specialized training is required to sustain security of the contents.
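The logging and time-stamping recommendation, together with the rule that tags are read only at departure and arrival, can be checked mechanically against reader logs. The following is an added example, not taken from the NIST report or the article; the log layout, reader names, tag IDs and shipment times are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data; the field layout is an assumption for this example.
APPROVED_READERS = {"dock-origin-01", "dock-dest-07"}

# tag_id -> (departure, arrival) of the vehicle carrying the tagged item
SHIPMENTS = {
    "TAG-0001": ("2007-05-01T08:00:00", "2007-05-01T14:00:00"),
    "TAG-0002": ("2007-05-01T09:00:00", "2007-05-01T16:30:00"),
}

# One read event per line: timestamp, tag, reader, authenticated user ("-" = none)
AUDIT_LOG = """\
2007-05-01T07:45:10 TAG-0001 dock-origin-01 jsmith
2007-05-01T10:12:44 TAG-0001 handheld-99 -
2007-05-01T14:05:02 TAG-0001 dock-dest-07 mlee
2007-05-01T08:50:00 TAG-0002 dock-origin-01 -
2007-05-01T16:45:31 TAG-0002 dock-dest-07 mlee
"""


def parse_event(line):
    """Split one log line into (timestamp, tag, reader, user or None)."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError("expected 4 fields")
    ts, tag, reader, user = fields
    return datetime.fromisoformat(ts), tag, reader, (None if user == "-" else user)


def review_audit_log(log_text, shipments, approved_readers):
    """Return [(line_no, tag, [reasons])] for every read that breaks a rule."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            ts, tag, reader, user = parse_event(line)
        except ValueError:
            # A damaged entry is itself worth a reviewer's attention.
            findings.append((line_no, None, ["malformed log entry"]))
            continue

        reasons = []
        window = shipments.get(tag)
        if window is None:
            reasons.append("tag not on any manifest")
        else:
            depart, arrive = (datetime.fromisoformat(t) for t in window)
            # Reads are expected before departure and after arrival only.
            if depart < ts < arrive:
                reasons.append("read during transport")
        if reader not in approved_readers:
            reasons.append("unapproved reader")
        if user is None:
            reasons.append("unauthenticated read")

        if reasons:
            findings.append((line_no, tag, reasons))
    return findings


if __name__ == "__main__":
    for line_no, tag, reasons in review_audit_log(AUDIT_LOG, SHIPMENTS, APPROVED_READERS):
        print(f"line {line_no}: {tag}: {', '.join(reasons)}")
```
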

I like the article because the recommendations are closely related to the Case Study in Chapter 8 of Laudon and Laudon where the Department of Veterans Affairs failed to implement a fail-safe method to protect valuable data from being stolen. Millions of sensitive records were stolen from former veterans. A VA financial analyst took home a laptop computer having millions of records of sensitive data to work on a project, but the laptop and records were stolen from the employee's home. The VA was required to implement a policy to safeguard all sensitive records. My place of employment, the NAVFAC Engineering Service Center, takes special precautions to safeguard classified materials. We employees take extensive security awareness training to become aware of our responsibilities to handle sensitive information. RFID technology has certainly made supply chain management more efficient, but security and privacy issues are always a concern.

Reference: Jon Brodkin, U.S. Government Calls for Better RFID Security, Department of Commerce report says RFID raises unique security concerns. Network World, PC World, May 1, 2007.

Chapter 8 Case Study: A Stolen Laptop at the Department of Veterans Affairs: The Worst Data Theft Ever?


A financial analyst from the Department of Veterans Affairs brought home sensitive personal electronic files of 26.5 million veterans to work on a project, but the files were stolen on May 22, 2006. The data included names, social security numbers, and birth dates of veterans who were discharged from the military starting in 1975. The data was not encrypted. The VA breach was the second largest unauthorized disclosure of social security identification data.

Question #1: List and describe the security weaknesses at the Department of Veterans Affairs.

One weakness is that the Department of Veterans Affairs (VA) failed to implement a policy that strictly prevents employees from taking home classified or sensitive financial data of veterans. It was not clear initially whether the employee was authorized to take home the files. This clearly indicates that there was a lack of a security policy that is required to protect information assets. The data stolen was not encrypted.

A second weakness is that there was a lack of disaster recovery planning, in which a company focuses on how it can restore business operations after a disaster strikes. There was no plan of action for how to back up any lost data.

A third weakness is that there was a lack of a communication protocol on what to do if the data is lost or stolen. That is, the data was not reported in a sufficient amount of time. The department did not report the incident to law enforcement until two weeks after the incident. The Department of Justice and the Federal Bureau of Investigation stated that the delay may have allowed a more thorough investigation to solve the case.

Question #2: What management, organizational, and technology factors contributed to these weaknesses?

In reference to management factors, decentralized management existed at the agency and was difficult to change. Former CIO John Gauss stated that the agency experienced “cultural impediments” as reasons why he was unable to implement central management of IT at the department level or a strong information security program.

In reference to organizational factors, per recommendations of the VA audit, the VA failed to implement a centralized IT security program to ensure that employee job descriptions contained proper rules about what data they could access and to complete work on intrusion detection systems, infrastructure protection actions, and better access controls. There was a failure to implement a security policy for preventing the employee from taking home sensitive or classified data. According to a document obtained from the Veterans Affairs Committee, the employee did have authorization to take home a laptop and use a software package to work with the data. The documents revealed that the analyst was authorized to use special software at home to manipulate data, to access social security numbers of veterans, and to remove a laptop and other accessories from the VA building for outside work. It is not clear how stringently the documents were written, but the employee violated the security policy. Apparently, the employee had routinely been transporting data to his home for three years, unknown to his supervisors.

In reference to technological factors, the company did not implement a security policy of access control, which consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized users. To gain access, a user must be authorized and authenticated. It is not clear how competent the employee was on the security policy implemented by the VA. It is not clear how much training the employee received on handling classified information. It is not clear whether the employee used special passwords to access the information. Since the data was not encrypted, the VA failed to implement an encryption policy where plain text or data is transformed into cipher text that cannot be read by anyone other than the user.

Question #3: How effectively did the VA deal with these problems?

Although the VA acknowledged recommendations from the House Committee on Veterans' Affairs, the CIOs from the VA agreed that a centralized management of all IT programs and activities is required. One of the CIOs wanted a structure that would be less susceptible to delays, budget overruns, and performance failures. The VA divided its IT operations into two domains. Thus, Congress passed a bill that gave a single executive control over the entire department’s IT spending. The CIO would be raised in rank to undersecretary and the chief information security officer would be raised to the assistant secretary level. The VA planned on merging its IT domains to finally centralize IT programs and activities. It is not clear how these changes to a new “federated” IT management system, based on reducing costs and making the department more efficient, will help resolve security issues. The VA made no recommendations for making substantial changes to its security policy so that the incident will never happen again. Thus, the effectiveness of how the VA dealt with the problem is still vague. The VA needs to make a complete revision of its security policy to prevent any future loss of data from human or technological factors.

Thursday, April 16, 2009

Chapter 6 Case Study: Panasonic Creates a Single Version of the Truth from Its Data

Question #1: How did Panasonic's information management problems affect its business performance and ability to execute its strategy? What management organization and technology factors were responsible for those problems?

Panasonic’s operations expanded rapidly throughout Europe, Asia, and North America. In Europe, the company has 15 subsidiaries, 14 manufacturing facilities, five research and development centers, and seven administrative offices. As a result of having so many different sources of data, the company was unable to manage its data effectively. The product and customer data was inconsistent, duplicate, or incomplete. Different segments of Panasonic used their own data management operations that were isolated or different from other locations within the company. Ultimately, this resulted in a decrease in operational efficiency and higher costs for the company. The data required to launch new products in the market are photos, product specifications and descriptions, manuals, pricing data, and point-of-sale marketing information. The employees use this data to select product information that suits the needs of the region or country. As a result, lacking an adequate database to manage product data, the company was unable to sustain a substantial profit and strategically market new products.

The CEOs and managers at Panasonic did not anticipate a substantial market demand for their products. They did not seek their employees' feedback to determine how the product data and inventory of services could be better managed to meet the needs of the employees, suppliers, and customers. They did not make a thorough analysis of their 5-year business strategy to assess whether the company requires new services or capabilities to achieve its strategic goals. They did not adequately assess IT strategy, infrastructure, and IT infrastructure cost to determine whether the IT strategy takes into account the firm’s five-year strategic plan. Thus, they did not make an assessment to determine where changes in data management needed to be made to improve the company’s efficiency.

Question #2: How did master data management address these problems? How effective was this solution?

Panasonic implemented a “push” model to replace a “pull” model to interpret and sort data. Using a push model, a centralized data bank sends the requested information to employees in marketing and sales instantaneously and consistently. Retail partners and e-commerce vendors who are recipients of the data can view the data at all phases of a product rollout. Thus, specific employees can have better visibility of their products and services. The outcome of this push model is that customers are less likely to become confused while researching Panasonic products. Panasonic Europe’s data management was upgraded with master-data-management (MDM) software from IBM’s WebSphere line. The software enabled Panasonic Europe to gain better control of its data and better streamline the business process. The MDM implementation includes business process analysis, data assessment, data cleansing, and a master data service layer. The MDM allows employees with access to view the company’s data and activities throughout the organization. The outcome of the MDM implementation is that Panasonic Europe could expedite its products to customers much faster than before. The system resulted in an increase in company sales and profits.

Question #3: What challenges did Panasonic face in implementing this solution?

Although Panasonic Europe succeeded in gaining profits, Panasonic North America had challenges in reorganizing workflow and consolidating product information. Panasonic investigated product information for Wal-Mart. Panasonic looked closely at its legacy system to determine its required data. Panasonic worked with IBM to develop an interface apparatus to acquire the data for its repository. Since the information produced by legacy systems was not available in the legacy systems, Panasonic needed to add newer interfaces and then build an application-integration layer for Wal-Mart that could be proven successful.

Another challenge was that the company had multiple facilities that made its own new products. The facilities had their own culture and information infrastructure so they were not necessarily willing to share their data with a centralized database. However, Bob Schwartz made a strong case to the corporate office in Japan that integrating a data management strategy globally would be a major benefit to the company’s infrastructure. Schwartz also needed its manufacturer partners to agree with implementing the MDM technology. Schwartz succeeded in gaining substantial profits by integrating shared data inventory among the vendors such as Best Buy and Circuit City. As a result of the implementation of the MDM, Panasonic has become more competitive and can produce new products for their global market.

Article Review: Southwest Integrated Flight Tracking System (SWIFT)

Southwest Airlines implemented a flight management tool to help manage its flight operations data and to sustain its requirement for data management efficiency. Southwest has about 3,400 daily flights requiring status data on flight route, fuel requirements, and weather information. Thus, airplanes must be in the right place at the right time. If status from flight operations cannot be updated and retrieved, then flights can be delayed or canceled. The outcome of Southwest’s requirement was the first generation of the Southwest Integrated Flight Tracking system (SWIFT). SWIFT is a flight management tool consisting of applications for managing the fleet of aircraft and dispatching flights. Although SWIFT helped to sustain better flight operations, the system could not keep up with the airline's growth. Southwest engineers needed a real-time messaging tool that could interface with SWIFT and ensure the delivery of necessary flight data. As a result, Southwest chose TIBCO SmartSockets. This system provides real-time updates for Southwest’s fleet management and operations. It provides guaranteed message delivery (GMD) and monitoring capabilities. For example, if the system goes down for any reason, the thousands of incoming weather messages from the FAA will be queued in the system rather than being lost. Southwest uses SmartSockets’ GMD features to manage the approximately 17,000 FAA weather messages received each day that are sent out, filed in a database, and then published to several different SWIFT applications. As a result, Southwest has become a leader in implementing newly developed innovative IT applications to achieve its efficiency and quality of service. This newly implemented technology allows the airline to compete against the larger carriers like United, American, Delta, and US Air.

I like the article because it provides a significant milestone for capturing, storing, sharing, and managing flight operations data in real time. This visibility of data allows for the flight operations personnel to make better decisions for sending airplanes to alternate airports based on unpredictable storms or harsh weather conditions. Overall, this enhanced capability has resulted in improving the safety standard for the airline.

Reference: Success Story. Southwest Airlines Flies High with Real-Time Flight Data. TIBCO Software Inc., 2007. Website: http://www.tibco.com/resources/customers/successstory_southwest.pdf

Thursday, April 9, 2009

Article: High Risk Security Threats (And How to Fix Them) from PC World Magazine (March 2009)

This article, which appeared in PC World Magazine (March 2009), provides an informative overview of how to address related threats and provides some good tips on how to protect our privacy. The article is closely related to the ethical and privacy issues discussed in Chapter 4 of Laudon and Laudon. Real threats exist to web browser caches, ATM card skimmers, PC passwords, credit cards, and social networks like Facebook. Users need to be cautious with cell phone e-mails and fake anti-malware offers. I like the article because it is closely related to my annual information technology awareness training. It offers some good information on what precautions should be taken to safeguard our home PC. There are 17 threats mentioned in the article, but I will summarize four tips that I think are the most intriguing. They are: (1) Browser Cache, (2) Card Skimmer Scams, (3) Discoverable Passwords, and (4) Fake Anti-Malware Offers.

(1) Browser Cache: One of the threats mentioned is that browser caches keep copies of text, images, and cookies from web pages that are visited. We are susceptible to being profiled based on our browser history. The problem can be fixed by instructing IE to save its cache to an external drive rather than saving the cache to the hard drive. Another option is to use a software utility program to clean up the cache after a browsing session. The article mentions that Internet Explorer 8 will be the first version of IE to offer a secure web browsing feature called "InPrivate".

(2) Card Skimmer Scams: A second threat is that consumers are susceptible to losing their credit card information to skimmers. Criminals can place a card skimmer device into an ATM at a small convenience store, a bank or gas station. The skimmer's internal memory can retrieve data from the card's magnetic strip while another skimmer can capture input on the ATM's keypad and record the PIN code. Once the data is retrieved, the criminal can produce a new credit card to make bank withdrawals from the victim's account. The victim has no alternative but to cancel the bank or credit card account. Identity theft is a difficult issue to resolve because of the time required to contact the credit card companies. The fix recommended is to gain familiarity with the appearance of card slots, especially around outside ATMs or gas stations. If you notice an unfamiliar component surrounding the slot, then avoid using the ATM. Make the transaction inside the bank. I have not encountered this problem, but someone at my office told me that her credit card information was stolen after she pumped gas at a local gas station in Oxnard.

(3) Discoverable Passwords: Hackers can break into Yahoo mail accounts or other e-mails that are common to various browsers. Sometimes the passwords can be retrieved by hackers who work on finding out the online security question. If the answers to the security question are too simple, then the criminal might be able to convince the Web mail's service provider to give out the password. Actually, this happened to me at work. I forgot my password so I kept requesting the password from a government website. I forgot the security question, but eventually, I was able to retrieve the security question and the password.

The recommendation is to keep changing the password. There are password management utilities that can help prevent password retrievals. The user should answer the security question with a strong answer that hackers cannot retrieve. What is your favorite team? Just answer the question with something like $df89KDod.

(4) Fake Anti-Malware Offers: The article mentions that PC users can be easily tricked into providing their personal information to online scams that display window alert messages. The user might see some familiar product names like DriveCleaner, WinFixer, or Antivirus 2009 appear in a warning that the computer is infected by a virus. Although the advertisement might appear legitimate, the user may be tricked into entering a website where a credit card is required to purchase the DriveCleaner software. When the software is purchased and placed on the PC, the computer is never wiped clean because the program deactivates the Registry keys or corrupts the Windows software. The recommendation is to acquire an anti-malware program from a legitimate provider. Victims of such scams should contact the Federal Trade Commission to alleviate the problem of scamming.

I actually am familiar with the fake anti-malware offers. I was enticed to purchase two anti-virus programs that appeared after I was alerted that my PC acquired a virus. However, the programs never worked well and the advertisement kept appearing on my screen. Although I spent considerable effort to remove the program from my PC, I feel that the advertisement was in fact a virus that invaded my PC. Eventually, I removed it using a legitimate program recommended by my supervisor. Luckily, this incident occurred on my home PC. I am more cautious about advertisements appearing out of the blue.

Reference: Andrew Brandt, "High-Risk Security Threats (And How to Fix Them)," PC World, March 2009, Vol. 27 Issue 3, p62-70.

Wednesday, April 8, 2009

Chapter 4 Case Study: Is the Telephone Company Violating Your Privacy?

Question #1: Do the increased surveillance power and capability of the U.S. government present an ethical dilemma? Explain your answer.

Yes, our privacy rights as U.S. citizens are being challenged because of the government's implementation of the National Security Agency (NSA) to request phone companies to conduct data mining of our phone records. The government's position on acquiring phone records is that it is a necessary action to fight the War on Terror. President Bush made a statement in which he had authorized the NSA to listen in on international phone calls of Americans suspected of having involvement in terrorism without a warrant. Although the Electronic Privacy Act of 1986 helps protect our citizens' privacy, it allows for business to turn over calling data to the government only in extreme circumstances. Thus, the government can easily make exceptions to rules made by prior administrations. The dilemma is that our rights to privacy and unreasonable search and seizure under the Fourth Amendment of our government are in jeopardy. Furthermore, no one is taking accountability or consequences for any actions committed by the NSA. President Bush and Vice President Cheney expressed their view that wiretapping is a necessary action against terrorism. President Bush was given a great deal of power to enforce his policy against terrorism so wiretapping has become an accepted entity regardless of our rights to privacy.

Question #2: Apply an ethical analysis to the issue of the U.S. government's use of telecommunication data to fight terrorism.

An ethical analysis requires 5 steps (pg 136 of Ch4) so I'll break it down and briefly address each step.

1. The facts: Four of the major telecommunications companies turned over records of phone calls made by U.S. citizens in cooperation with the National Security Agency's (NSA's) anti-terrorism program. The companies were AT&T, Verizon Communications, and Bell South. The outcome is that privacy advocates and critics of the Bush Administration made public announcements of their outrage at the invasion of our personal privacy. Ethical questions were raised by executives, politicians, activists, and legal experts. After many debates on both sides, the issue was brought up to the Foreign Intelligence Surveillance Court. The issue involves the 1978 Foreign Intelligence Surveillance Act (FISA), which required that a court must decide whether wiretapping is done in the United States. The court reviewed whether NSA's activities had violated any privacy laws and whether wiretapping fell within the President's power to fight the war on terrorism. The court's rulings and proceedings were done in secret. As a result, the White House had achieved several rulings that favored the President's policy such as the ability to appeal the court's decisions, changing the language to allow for the administration to provide options to their programs, and a guarantee that the agreement does not block the president's power of authority. The bill which would allow FISA to rule over NSA wiretapping has not yet been approved by Congress.

2. Conflict or dilemma: There are two dilemmas: (1) the need to protect U.S. citizens from acts of terrorism and (2) the need for protecting individual privacy.

3. Stakeholders: The government supports the need to protect the U.S. citizens from acts of terrorism. Therefore, the government should take whatever steps necessary to enforce this position. President Bush and Vice President Cheney defended their position by pushing surveillance of phone calls and e-mails without a search warrant. The National Security Agency (NSA) is a stakeholder. AT&T, Verizon, and Bell South are stakeholders because they wish to support the war on terrorism by cooperating fully. The stakeholders who want to protect the privacy of citizens are: U.S. citizens, the Electronic Frontier Foundation (EFF), Senator Dick Durbin, Democrat from Illinois, Senator Arlen Specter, Republican from Pennsylvania, and Senator Lindsey Graham of South Carolina.

4. Options that I can reasonably take: I do not believe that the outcome of the Foreign Intelligence Surveillance Court resulted in anything significant that would favor the side of the right to privacy. It appears that President Bush made every effort to instill that he was right no matter what anyone else believes. If I had to offer a course of action, I would like to see a committee rather than the President decide on what is necessary to fight the war on terror. A separate independent committee could be made up of members from Congress, the FBI, and ordinary U.S. citizens who are open to voice opinions without any scrutiny from the White House.

5. Potential consequences of my options: I think the decisions made by a committee rather than the White House Administration would have better representation to safeguard our rights to privacy. Decisions could be made without the social and political issues that seem to have challenged our country's constitutional amendments.

Question #5: State your opinion of the agreement reached by the White House and the State Judiciary Committee with regard to the NSA wiretapping program. Is this an effective solution?

I do not believe that the agreement made by the White House and the State Judiciary Committee favored the rights of our U.S. citizens of protection of privacy. I understand that the internet companies keep records of our preferred websites and can distribute our information to third parties. Thus, they have the ability to profile us and there is no policy that I know of that can prevent them from turning over our private data to the government. I understand that the cell phone companies have a right to block any text messages that they define as being inappropriate. Policies for this action exist, but their policy is not specifically stated in their contracts to us. As a result, they have already invaded our privacy. The cell phone companies can drop a customer for whatever reason. The Federal Bureau of Investigation is allowed to enter chat rooms and can entice individuals into turning over inappropriate material without their knowing. Thus, we are still under surveillance by the telecommunications companies and the government. The situation has not changed unless society continues to make public opposition.