
Abstract

The Department of Defense Medical Exam Review Board (DODMERB) was established in 1967 as the lead government agency to collect and review physical examinations of congressionally nominated applicants to the military service academies and Reserve Officer Training Corps (ROTC) scholarship programs. Since its inception, DODMERB has been financially supported with federally allocated funding and staffed by a team of medical board certified physicians to include support personnel from all branches of the United States military services. DODMERB presently uses a robust Enterprise Architecture (EA) for managing its operations and business relationship with an external contractor to receive applicant examinations using a web-based application that is only accessible by authorized individuals located at geographically separated detachments. The DODMERB support staff receives and conducts preliminary reviews of examinations before passing them to certified physicians for final applicant physical fitness determination for entry in various officer candidate programs. While the existing EA of DODMERB is operating at optimal levels of performance, the extremely large volume of case files continues to place a heavy burden on DODMERB’s infrastructure. The purpose of this paper is to propose how DODMERB might take their EA to the next level by incorporating Cloud Computing (CC) capabilities in the organizational alignment to reduce expenses associated with large file storage and the physical hand-off of exams at various process stages, and to eliminate costly infrastructure and support personnel.

Cloud Computing by DODMERB

While the existing EA used by DODMERB has been adequate in supporting and meeting the organization’s goals and objectives, and current Information Technology (IT) has been superior, DODMERB’s workload continues to expand as the number of applicant case files increases. DODMERB must seek alternatives outside the scope of their existing EA to remain capable of meeting the demands of their customers and utilize modern technology capabilities in their EA. In their article titled Applying Frameworks to Manage SoS Architecture, the authors state “As systems become more complex, managing the development of these systems becomes more challenging.” (DiMario, Cloutier and Verma, 2008, p. 18). The concept of CC is relatively new and offers the potential for DODMERB to take advantage of this technology using shared IT resources to reduce or eliminate the dependency on an organizationally owned and managed Information System (IS). The implementation of CC in DODMERB will permit them to concentrate on core processes while transitioning IT support to specialized organizations to reduce overall IS support costs.

Introduction

DODMERB adequately meets the needs of their customers by using an efficient EA and IS; however, business workload continues to steadily increase and is starting to exceed the organization’s capabilities. In their article titled Method Engineering in Practice: A Case of Applying the Zachman Framework in the Context of Small Enterprise Architecture Oriented Projects, the authors state “Enterprise architectures are generally seen as blueprints that identify the essential parts of an organization (such as people, business processes, technology, information, financial elements, and other resources) and its information systems.” (Ylimaki and Halttunen, 2005, p. 189). DODMERB must study the feasibility and potential return on investment by migrating their supporting IS needs to the CC environment. The following business goals and objectives of DODMERB clearly indicate their desire to provide the highest level of support to applicants by concentrating on their primary core values and recognizing the need to utilize modern IS to efficiently deliver their service to the customer.

Mission Statement

“DODMERB provides the highest quality of review on applicant physical exams ensuring individuals selected for a military career are capable of meeting the physical demands to protect both the individual and the investment of the military.”

Vision Statement

“DODMERB will continue to meet the present and future needs of individual applicants and process physical exams by using its EA and seek to incorporate modern IS technology as appropriate while pursuing CC capabilities to maximize efficiency in the organization.”

Strategic Direction Statement

The existing EA utilized by DODMERB must continue to provide the capability for delivering the highest quality review and processing of individual physical examinations while being flexible to facilitate change, growth, and the incorporation of new IS technology to meet those needs. In their article titled Interface Description for Enterprise Architecture, the authors state “Maintaining a system’s relevance to the business process is time-consuming and expensive and this process grows exponentially difficult with the number of systems in the enterprise.” (Garg, Kazman and Chen, 2006, p. 4). The inclusion of CC functionality in the EA of DODMERB must allow the organization to concentrate on core processes while using outside resources to maximize efficiency, reduce overhead operating costs, and support the delivery of quality services to the customer while protecting sensitive information. While the inclusion of CC in the DODMERB EA will enhance customer service and increase financial efficiency of the organization, individual and proprietary information generated by the organization must be afforded the maximum level of security and protection from unwarranted invasion.

Strengths, Weaknesses, Opportunities, and Threats (SWOT)

A SWOT review was conducted at DODMERB to examine the structure and posture of the existing EA and IS for compatibility with internal processes, external processes, and the CC environment. The study revealed that EA and IS structures are sufficient for meeting most of their needs; however, some areas are weak and require further development. In their article titled A System of Systems Focused Enterprise Architecture Framework and an Associated Architecture Development Process, the authors state “For organizations to survive and succeed in today’s world, an e-business world, they must have the ability to quickly adapt and respond to changes of all types: changing technology, changing customers’ needs, changing customers, and changing business partners.” (Morganwalp and Sage, 2003, p. 87). Flexibility for the growth in customer numbers and service capabilities requires that DODMERB consider CC capabilities in their EA and IS alignment. A graphic representation of this analysis is included in the appendix (Figure 1 - SWOT Analysis).

Strengths

The specialized services of DODMERB are provided to a limited and unique market with no present threat of competition from external sources. The organization’s primary strength is due to staffing by trained medical doctors and specialists educated in the necessary physical requirements for individuals desiring to enter the military through a scholarship program. An applicant will not be accepted into a service academy or ROTC program with a military scholarship unless medically cleared by DODMERB. Because it is a United States military agency, DODMERB is aligned using a combination of horizontal and vertical structures within their EA that clearly define the chain-of-command, processes, and coordination. In their article titled Supporting Strategic Enterprise Processes: An Analysis of Various Architectural Frameworks, the authors state “Executives need to balance capabilities, manage risks, and act in order to achieve desired business end-states.” (Mykityshyn and Rouse, 2007, p. 145).

Weaknesses

While DODMERB presently has a very robust infrastructure and IS, weaknesses are present due to the high dependency on IT to communicate with customers. DODMERB is susceptible to outdated technology and legacy equipment within its IS, which could create compatibility issues with external customers and the EA alignment. In addition, predictions of increased applicant numbers will lead to DODMERB expanding outside its IT capabilities. DODMERB’s core objective is to provide medical reviews of potential scholarship applicants and not IS support or management, although IS and EA are critical parts of the structure to keep the organization focused on their mission and efficiency. Since IT is not a primary skill of DODMERB, and associated expenses will increase as DODMERB’s clientele grows, they should consider the feasibility of migrating segments of the IS to a CC environment.

Opportunities

Most organizations have numerous opportunities for growth and improvement in their overall operations, and DODMERB is no different. DODMERB’s leadership must continue to pursue external possibilities for new customers through the inclusion of other programs, improve on existing processes, and look forward in their organizational strategy by taking advantage of newer technology as it is introduced to the market and that is commonly used by today’s IT-savvy student. DODMERB’s decision to move supportive functions of their IS and IT to a CC environment will permit them to reduce short-term and long-term overhead costs associated with IT procurement and sustainment while permitting them to concentrate on their core areas of expertise. In their article titled A Survey on Security Issues in Service Delivery Models of Cloud Computing, the authors state “Cloud computing is a way to increase the capacity or add capabilities dynamically without investing in new infrastructure, training new personnel, or licensing new software. It extends Information Technology’s (IT) existing capabilities.” (Subashini and Kavitha, 2011, p. 1). The decision by DODMERB to transition IS and IT platforms to CC could potentially speed submission and response time to customers using web-based technology.

Threats

Due to the sensitive nature of DODMERB’s business transactions involving personnel information protected under the Privacy Act of 1974 (PA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the threat of unauthorized disclosure and attacks on the IS always exists. The methodology and replacement components that will be used during changes and modifications must be tested and deemed sufficient prior to implementation to mitigate risks and provide maximum protection to the applicant’s medical information. The volume of individual applicant case files processed by DODMERB traditionally fluctuates because of unpredictable openings at the service academies and university ROTC scholarship programs, allocated congressional nominations, and federal funding for both DODMERB operations and military scholarship programs. Although the number of applicants processed within a year is tracked, and trends can be calculated using historical information, external threats of student numbers, candidate qualifications, and congressional funding can impact the processes of DODMERB’s IS and EA.

DODMERB’s Enterprise Architecture

The EA of DODMERB is designed to provide authorized user accessibility and sharing of real-time data pertaining to applicant medical information in the review and coordination processes. The EA is engineered and structured using documented and accepted practices in a customer service oriented environment with integration of a supporting IS. The components of DODMERB’s EA are broken down into seven primary areas which are business, database, management, mission, organization, position and resources.

The business component is further divided by events, organizations, cycle, calendar, functions and information systems to support the enterprise. The business event element is based on the target audience of DODMERB’s services and how the ability to deliver superior deliverables to the customer can be achieved. Alignment of the customer needs and DODMERB capabilities with its EA must be in harmony. Otherwise, DODMERB would be spending a lot of money and resources on processes that have no real value to the customer, ultimately leading to waste and failure. The business organization element is needed to provide a structure for representation by all segments and stakeholders. DODMERB uses a mixed hierarchy of vertical and horizontal alignment in their structure. The business cycle element addresses the turn-around times between applicant physical submission, physician review, and response back to the customer. The business cycles of DODMERB can be impacted by peaks in applicant submissions to meet mandatory deadlines, unplanned infrastructure or software application disruptions, appointment scheduling, or the unavailability of medical staff to review and process applications. The business calendar element addresses what is considered as the normal times and dates of business for DODMERB that generate action for the organization. DODMERB operates, receives, and processes individual physical exams on a daily basis. However, certain times of year create spikes in applications received due to suspense deadlines, personnel availability, and academy or university requirements. The business functions element describes who is responsible for what action within the organization and how the process is performed. The submission of an individual’s physical exam is what initially triggers action in the organization; however, there is an organized sequence of events that must occur before the exam is passed to the next stage in the process. Published policy and governance outlines the order of processing and is typically adhered to unless there is a unique situation that requires processing outside the normal scope of operations. The business information systems element outlines how the DODMERB IS and associated applications are used to process physical exams. The procurement, alignment, and utilization of IT are an essential component of the EA and must be adequately used to maximize efficiency of the organization to provide accurate and timely results to the customer.

The database component is further divided by domains, objective classes, and objective information systems to meet the requirements of the enterprise. DODMERB uses a complex database based on the structured query language platform to store, share, and process applicant information. The database domain element uses strong security and authentication methods to prevent unauthorized access to protect PA and HIPAA information. In addition, the database domain, object class, and information system elements are developed and structured to provide quick, reliable, and real-time access to relevant data based on the user needs and queries. Instantaneous access and retrieval of individual physical exam status is considered as one of the core objectives of DODMERB. The database is part of the EA and any modifications or changes to either must be tested before going live to determine compatibility issues and potential unexpected actions.

The management level component within DODMERB’s EA serves to assign responsibility and oversight to individuals within the organization to ensure processes flow smoothly, issues are quickly addressed, and to stimulate innovation and future planning from within the organization. DODMERB can ill-afford to become complacent with processes and must always plan for change to meet mission objectives. In his article titled Inside the Adaptive Enterprise: An Information Technology Capabilities Perspective on Business Process Agility, the author states “Recent innovations in utility computing, web services, and service-oriented architectures, combined with a growing array of IT skills, have improved firms’ ability to be more agile in responding to change.” (Tallon, 2008, p. 21).

The EA of DODMERB, and its supporting IS, are adequately structured and aligned to meet existing needs of the enterprise and mission component. DODMERB uses a combination of vertical and horizontal structures to ensure all aspects of processes are identified and resolved. The EA and IS are optimally structured and meshed together to meet customer needs. Isolation or segmentation within DODMERB is discouraged and avoided since these prevent growth and efficiency of the EA and hamper the ability to adequately adjust to change impacting mission performance of segments or processes contained in the enterprise.

The organization component is divided by performing mission and accomplishing functions in the enterprise. While the overall mission of DODMERB’s enterprise is to perform a review, process, and submit final resolution on every physical exam submitted by applicants, each internal agency has goals and mission objectives uniquely specific to their segment. Using an umbrella approach, or a one size fits all methodology, would not adequately address individualized needs within a function that is only relevant to that process. Individual activities are brought together through the EA, with the support of the IS, and combined to support the mission of DODMERB’s enterprise. The unification of individual activities brought through the EA allows each activity to understand what their objectives are and how they contribute to the overall enterprise.

The next component, positions, outlines the required skills and experience to fill positions within the DODMERB enterprise and is complementary to the organization’s EA. Mandatory skills, experience, and knowledge criteria are identified in the organization’s Unit Manning Document (UMD) and an individual Position Description (PD). These documents were created over time using historical data for necessary skills needed and based on manpower and individual work-hour studies. While DODMERB employs people based on criteria outlined in the UMD and skills defined in the PD, they also encourage position cross-utilization when feasible to provide a wide breadth of experience and knowledge in organizational processes to workers. This tactic allows individuals to not become stagnant in their daily routines, provides them with additional skills and knowledge of how their process fits into the EA and overall enterprise, and expands the pool of experienced personnel. DODMERB additionally uses Total Quality Management (TQM) methodology to solicit individual thoughts and ideas on how the enterprise alignment or EA could be improved. The utilization of TQM in DODMERB has proven to be highly successful in stimulating innovation, worker ownership, and pride in processes.

The final component, resources, defines the physical and non-tangible assets of DODMERB to meet mission objectives. The inclusion of resources in this review is important because they are the building blocks of the EA and are the elements that support the structure. Resources are continuously consumed and must be replaced. The ability for DODMERB to meet customer requirements is based on the availability of resources and how they interact and support the functions of the EA. The resources acquired and consumed by DODMERB include money, manning, supplies, physical assets, infrastructure, hardware and software. The continuous planning, procurement, and replacement of these necessary resources must be appropriately analyzed and evaluated to determine their support in existing EA requirements and the IS to avoid shortages or compatibility issues.

DODMERB’s Concept of Operations

The concept of operations in DODMERB is based on their ability to continue to meet the demands of their customer base by receiving, reviewing, and responding to applicant physical exams in the most efficient and timely manner. Consistent processing times can be difficult to maintain due to internal and external influences that can be hard to predict or plan. However, the structure of the EA and adequate life-cycle planning can minimize the impacts of change in the enterprise. In their article titled An Assessment Strategy for Identifying Legacy System Evolution Requirements in eBusiness Context, the authors state “The diffusion of the Internet requires the evolution of traditional business models in order to include eBusiness capabilities, defined as any Internet initiative that transforms business relationships, whatever those relationships might be: business-to-consumer, business-to-business, intrabusiness, or even consumer-to-consumer.” (Aversano and Tortorella, 2004, p. 255). DODMERB should strongly study and consider the migration of their IS and IT support services to the CC environment to allow them to concentrate on their core objectives and reduce operating costs associated with IT implementation, sustainment, and support services. The transfer of IS and IT functions to CC capabilities will have minimal impact on the existing EA due to the present alignment. In addition, CC resources will permit the growth of DODMERB customers without heavily taxing an already stressed IS that is reaching its maximum capacity. The CC environment will free up the resources needed by DODMERB to meet their customer needs without negatively impacting the EA.

Current Initial Service Agreement Assessment

DODMERB has a four-year renewable contract in place with Concorde Limited Liability Corporation (LLC) to provide a network of physicians for conducting physical examinations on applicants. Potential candidates and ROTC cadets create an account and enter their identity information in the DODMERB database via a web interface. Once the account is created, it triggers Concorde LLC to make contact with the applicant to schedule a medical exam with the closest networked provider. Concorde LLC compiles medical information on a daily basis and transmits it to DODMERB for downloading and processing. Concorde LLC submits monthly billing statements to DODMERB for validation and payment. Discrepancies and incomplete physicals are resolved before payment is released.

Future Initial Service Agreement Assessment

The decision for DODMERB to move its IS and IT support functions to a CC environment would eliminate the need for DODMERB to maintain an IT staff and supporting infrastructure without significantly impacting the organization’s EA. The flow of information and processes would remain the same; however, storage, servers, and applications would only be accessed and used on an as-needed basis. Additionally, DODMERB should consider installing thin clients at employee workstations to save on tech refresh costs, reduce vulnerabilities, and use the resources of the CC host. The re-alignment of DODMERB’s IS and IT to the CC environment could potentially expedite services and business transactions with Concorde LLC. In their article titled Evaluating Legacy System Migration Technologies Through Empirical Studies, the authors state “Legacy systems typically form the backbone of the information flow within organizations and are the main driver to consolidate information on their business.” (Colosimo, De Lucia, Scanniello and Tortora, 2009, p. 433). Changes in the business structure of DODMERB and its interactions with Concorde LLC would result in a contract modification to address the new alignment, ensuring all requirements were met.

DODMERB’s Primary Use Case

A comprehensive outline of DODMERB’s primary processing flow was developed to show the relationships between customers and DODMERB to process applicant medical examinations and the process flow significance in the EA. Applicant medical examination data is used to determine the fitness of an applicant in various military careers. It is critical that only qualified individuals be cleared for performing demanding duties to ensure the safety of the individual, military investments, and the people and assets under the control of the person.

Primary Data Flow

Data inputs are entered by the applicant and routed to the medical network service provider, Concorde LLC. The contractor then compiles applicant data and enters it in the DODMERB database for later downloading by support staff personnel. DODMERB employees then route the medical examinations to the appropriate internal division for initial evaluation and validation of necessary documents for further processing of the file. Once the examination is deemed complete, it is forwarded to a medically qualified physician in DODMERB for evaluation and determination of the physical fitness of the applicant. If it is determined that further evaluations are needed, the physician will route the package back to Concorde LLC for scheduling. Completed reviews by DODMERB medical staff are sent back to the applicant or servicing agency for additional processing and individual actions. The utilization of CC capabilities is predicted to not have any negative impact or significant changes on the existing EA used by DODMERB or on the overall flow of primary data between organizational processes.

DODMERB’s System Security Plan

DODMERB’s EA and supporting IS are managed following strict policy and governance developed and published by the Department of Defense (DOD), Defense Information Systems Agency (DISA), and United States Cyber Command (USCYBERCOM) as well as internal directives. All infrastructure, nodes, and software applications must meet the requirements of the DOD Information Assurance Certification and Accreditation Process (DIACAP) before they are permitted to be attached to the DOD global information grid. DODMERB’s election to transition their IT support functions to the CC environment will not have any negative impact on their operations as long as the CC vendor agrees to comply with higher headquarters data protection and security directives. DODMERB has supplemented oversight agency guidance by including accepted network behavior and user education as a precursor to employment. DODMERB’s internal employees are required to use a Common Access Card/Public Key Infrastructure (CAC/PKI) token for access and authentication to DODMERB IS assets. In addition, DODMERB employees and ROTC detachment support personnel are required to conduct annual Information Assurance (IA) training to ensure they remain cognizant of security measures. External service academy applicants requesting access and Concorde LLC are required to access DODMERB’s systems using web-based authentication after creating an account. All external customer access to the DODMERB and Concorde LLC systems has limited privileges based on their needs.

Security Policy

DODMERB’s EA and supporting IS security policy mandates that internal employees follow procedures and requirements as outlined in DOD, DISA, and USCYBERCOM instructions. Adherence to security policy ensures an applicant’s sensitive medical information is adequately protected and is afforded safeguarding as outlined under PA and HIPAA directives. External customers are only granted the level of permission necessary to conduct their business without access to other files or data outside their scope of responsibility. Data is encrypted when stored in server locations and during transmission to and from concerned agencies. Individual medical information or personal data is deleted from storage files by trained and authorized personnel when no longer deemed necessary for DODMERB to conduct business. DODMERB uses Data at Rest (DAR) encryption technology that has been tested and approved by the DOD and the Office of Management and Budget, and is in compliance with PA and HIPAA standards for protecting individual personal information. DODMERB’s DAR encryption system secures personal medical information that is processed and stored on the organization’s servers and storage-area network. Encryption and decryption actions add no significant latency in data exchanges. DODMERB’s Registration Authority creates public keys through the Certificate Authority (CA) to ensure each individual has a unique identifier associated with their token that identifies them with an individually created personal identification number to grant approved access privileges and to ensure non-repudiation. Individual credentials are loaded and maintained in the active directory container based on the level of need and access to specific folders, actions, and the data. Authentication is established when the individual logging on to the system inserts their CAC/PKI token into a terminal linked to the DODMERB database. Trust is established between a sender and a receiver once initial connection is created and is based on the keys created by the CA. DODMERB personnel receive initial and semi-annual briefings on how to prevent inadvertent disclosure of sensitive information and how to adequately protect DODMERB’s EA and IS from theft or intrusion.

DODMERB’s EA and supporting IS domain are continuously monitored by trained and trusted IT personnel to detect attacks on the network by unauthorized individuals, with immediate reporting up the chain-of-command to DOD, DISA, and USCYBERCOM agencies when penetration attempts or violations occur. While there have been numerous cyber-attacks on the DODMERB domain, there have been no losses of information or breaches in the integrity of the EA or IS reported to date. DODMERB uses a combination of encryption technology and a network Demilitarized Zone (DMZ) to protect its infrastructure IS assets from compromise or denial of service attempts. Every individual who uses the DODMERB IS for conducting business is mandated to acknowledge their responsibilities for not sharing access with unauthorized individuals with a statement that outlines penalties for violations. Users of the DODMERB system are briefed on their responsibilities for ensuring CAC/PKI cards are removed when leaving terminals and logging off when no longer requiring access. Compromises will be investigated with immediate suspension of the violator’s privileges until resolved. Gross negligence can result in permanent removal of access privileges and serve as grounds for immediate dismissal from employment. The decision by DODMERB to use CC capabilities for their IT support will not create any additional risks for threats or add any additional security reporting responsibilities.

Security Reporting Responsibilities

DODMERB’s IT applications and supporting IS are managed by a team of certified and highly qualified individuals. The IT team is led by the Chief Information Officer (CIO) who is responsible for managing DODMERB’s IS, integration and support with EA objectives, and providing periodic briefings on the health and status of the IS as well as making recommendations for future requirements. The CIO reports directly to the DODMERB Director. The primary position for managing security reporting responsibilities pertaining to the DODMERB IS falls under the Information Assurance Manager (IAM). The IAM is responsible for ensuring all vulnerabilities to the DODMERB IS are identified and resolved by using approved techniques and methodology applying experience, knowledge, and directives. The IAM reports directly to the CIO and is required to have an extensive background in IT security methods as well as holding Security+ and Certified Information Systems Security Professional (CISSP) certifications as a minimum. The IAM must be trained and qualified with DIACAP and DOD 8570.1 directives to ensure that the DODMERB IS complies with mandated regulations for protecting DOD, DODMERB, PA, and HIPAA hardware and software applications. The IAM is responsible for managing DODMERB IA training and compliance programs to ensure personnel with access receive initial training before being granted access to the DODMERB IS assets. Additionally, the IAM tracks and monitors individual training records to ensure annual refresher training is completed 30 days prior to expiration to avoid any system lockout or potential disruptions in a user’s ability to perform their job. All users of DODMERB IS assets are required to immediately report any violations or suspicious activity to their supervisor and IAM. The decision by DODMERB to migrate their IS and IT applications to a CC environment will eliminate the need for a full-time IT support staff, the CIO, and the IAM, saving substantial costs. In their article titled Enterprise Application System Reengineering: A Business Component Approach, the authors state “The variable information technology (IT) environments bring new challenges for legacy systems in the modern world.” (Huang, Hung, Yen, Li and Wu, 2006, p. 66). Any contract created with a CC support vendor must include requirements that the contractor follow security and encryption methods approved by DOD, DISA, and USCYBERCOM to include incident reporting and an approved security concept of operations plan.

Security Concept of Operations

DODMERB’s EA and IS are always at risk for compromise, corruption, or denial of service attacks from both internal and external sources. However, DODMERB’s protection measures and requirement to follow DOD, DISA, and USCYBERCOM directives and standards significantly minimize their chance for exploitation. The position and responsibilities of the IAM in DODMERB ensure that there is direct oversight of the EA and IS so that employees are trained, remain cognizant, and understand violation reporting procedures. External sources that include service academy applicants, universities, and Concorde LLC are also trained and briefed on their responsibilities and requirements to remain connected to the DODMERB system. If any individual or institution refuses to comply with mandatory requirements, their access and privileges will be terminated. Internal employee access is removed when they are no longer employed or access is not needed. Only DODMERB IT support staff has direct access to servers and administrative privileges. External customers requesting access to the DODMERB database must establish an account, provide requested credentials, and acknowledge their acceptance of responsibilities for protecting the IS assets of DODMERB from compromise or inadvertent disclosure. Internal users and university personnel must use CAC/PKI tokens for access, and external service academy applicants and Concorde LLC must use web-based authentication, logging in with an assigned user identification and password. The migration of DODMERB’s IS and IT assets will be afforded the same authentication and security measures. Internal users will be required to authenticate with their CAC/PKI and external users will be required to access the system with approved accounts and levels of access based on their needs. The CC environment does not create any additional risks or vulnerabilities to the DODMERB EA or IS. Currently, operating system, application, and firmware updates are pushed out through the network by the DODMERB IT staff after normal working hours using the DODMERB Local Area Network. Additionally, system maintenance and anti-virus definitions are pushed out using scripting and group policy techniques. The migration of the DODMERB IS and supporting IT to the CC environment will eliminate DODMERB’s need to continue to perform this requirement and will place the responsibility on the supporting CC vendor as outlined in the contract and DODMERB’s concept of operations requirements. In an article titled Engineering Change Through the Domains of Enterprise Architecture, the author states “Change continues to be a challenge, as organizations strive hard to change with time and with new and evolutionary processes, activities and requirements.” (Iyamu, 2011, p. 222). The DODMERB IS will continue to support and be in alignment with their EA; however, all IS assets, support, maintenance, security, storage, upgrades, and protection will be shifted to the CC vendor. This initiative will require that a position be considered for creation within DODMERB to provide oversight and management for local assets as well as fill liaison requirements between the organization and the contracted support vendor.

Security Program Elements

Physical asset and data security are primary concerns of DODMERB to ensure resource protection and accountability. Compromises of PA and HIPAA information could potentially result in significant damage to an individual and subject the organization to severe penalties. Access to DODMERB IS and IT assets must always be limited to need-to-know, tracked, and revoked when no longer necessary. All e-mail transmissions to and from DODMERB must contain “FOR OFFICIAL USE ONLY” in the subject line with a brief title of the document and never include an individual’s complete social security number. Adoption of and adherence to DOD, DISA, and USCYBERCOM policies and governance provide adequate security program elements. Internal user control is easily managed by DODMERB’s IAM, while external control can be more difficult to oversee due to remote access. However, DODMERB’s infrastructure and utilization of a DMZ provide acceptable security measures. Applicant medical information and user data files that contain sensitive information are appropriately removed when no longer necessary by using degaussing, deletion, shredding, or pulverizing. Data that is transmitted to and from external agencies is encrypted to provide high security protection. Data that is kept and used by the DODMERB medical staff and physicians for evaluation is kept close-hold and encrypted when being stored in data files and servers. These same levels of protection would be required if DODMERB were to migrate their IS and supporting IT applications to the CC environment. In his article titled A Framework for Information Systems Architecture, the author states “With increasing size and complexity of the implementations of information systems, it is necessary to use some logical construct (or architecture) for defining and controlling the interfaces and the integration of all of the components of the system.” (Zachman, 1987, p. 454). Vendors would be required to sign an agreement contained in the contract acknowledging their responsibilities and acceptance of these terms. Although DODMERB processes and stores sensitive medical information, they do not process or store any governmental classified material. Hardware devices that are deemed no longer working will be treated and destroyed using the same methods that are used for data destruction. Devices that are used by the CC vendor for DODMERB operations would have to follow identical processes.

Security Operating Procedures

Currently, the IAM and CIO collect, analyze, and manage user and data logs pertaining to the DODMERB IS to look for violations and trends and to gather data for reporting to higher headquarters agencies. The IAM is the primary individual to whom trouble reports are given, and this person is on standby 24x7x365 since external users can access the DODMERB system at any time once their credentials have been authenticated. DODMERB’s decision to migrate their IS and supporting IT applications to a CC environment will still require that they employ an individual locally to manage local devices, serve as a liaison between the CC vendor and the organization, and provide hands-on maintenance when necessary. This individual would not require the same credentials as the CIO or IAM; however, some certifications and knowledge of IT would be beneficial. The CC vendor would provide the majority of technical information and send an on-site technician if the DODMERB IT support person were unable to resolve the issue.

Security Evaluation Procedures

Presently, on-site security evaluation procedures and IA management are controlled by DODMERB’s IAM. The IAM is responsible for interpreting and providing education and training pertaining to IS security and IA requirements that comply with higher headquarters directives and system governance and support the integrity of the EA. The IAM is required to log, track, and administer training and education as appropriate to both internal and external customers that require access to DODMERB systems. The IAM has ultimate authority to terminate access to the DODMERB IS for non-compliance. If DODMERB elects to migrate to the CC environment, the suggested IT support person that would remain physically at DODMERB could continue to fulfill these responsibilities and work closely with the CC vendor to manage user access.

DODMERB’s Disaster Recovery Plan

DODMERB’s existing disaster recovery plan is designed to be implemented in case the primary location for supporting infrastructure, software applications, and the data warehouse becomes inoperable due to environmental issues or data corruption. DODMERB currently uses an off-site facility for their Continuity of Operations Plan (Co-op) that captures data using a one-day delayed mode. Entries made in the DODMERB database are transferred to the Co-op during non-working hours. In the event DODMERB was required to switch to the off-site Co-op to continue operating, the most information that would be lost would be a single day’s worth. While this could be an inconvenience, the purpose of the delay is to ensure potential viruses, Trojans, or worms are not captured by the Co-op. The Co-op operations are managed remotely by DODMERB IT support staff and its functionality is periodically tested to ensure that it will function as designed if needed. DODMERB must provide accessibility to their database at all times for external customers. In the event operations switch to the Co-op, the CIO will notify users and management and keep them informed when functions go back to the primary servers. If DODMERB decides to migrate their IS and IT functions to the CC environment, Co-op considerations will need to be addressed. The CC vendor could potentially provide the same services as a Co-op and eliminate the need for DODMERB to maintain its existing backup location, and this would require modification to their disaster recovery plan. Inclusion of the Co-op in the CC environment would be capable of providing the same disaster recovery capabilities without significant differences in the services DODMERB provides and would be transparent to their customers.

Conclusion

While DODMERB’s existing EA and supporting IS are adequate in meeting their needs and provide substantial protection, DODMERB is rapidly reaching the maximum capacity of their servers and data storage. These requirements are driving the need for DODMERB to consider expansion of their IT or to look at other possibilities. DODMERB’s primary core area of expertise is medical: reviewing and processing physical examinations of potential applicants for the military service academies and ROTC scholarship programs. The costs associated with their existing IS and IT support staff continue to rise to meet their growing needs and are gradually leading to DODMERB becoming an organization that is unintentionally shifting their core process to IT. If DODMERB elects to migrate their IS and supporting IT to the CC environment, they could significantly reduce their support costs and concentrate on their core services of providing reviews and recommendations from medical examinations. The shift of DODMERB’s IS and supporting IT applications to the CC environment would not negatively impact the organization or lead to any degradation in customer service. If DODMERB elects to use CC services, they should carefully select a vendor that can provide the services they require in accordance with DOD, DISA, and USCYBERCOM policies and directives. The following sections briefly discuss how DODMERB could implement CC, make changes in their existing EA to align with CC capabilities, support actions that CC could provide, and how DODMERB should implement measurement and assessment techniques to validate CC is meeting their needs.

Cloud Computing Implementation

After an appropriate provider is selected and a contract is agreed on, DODMERB should notify their customers that they will be migrating to a CC environment to better support their customers based on growing needs. It is critical that DODMERB notify their customers before migration is implemented to assure their clients that, although there will be some disruptions as things transfer, the customer will receive superior service once the migration is complete. It is important to make the customer feel that they were a part of the solution and not have change forced on them. The migration to CC by DODMERB should be done using a phased approach to ensure a process has migrated successfully before proceeding to the next phase. Policies and directives will need to be updated to reflect the new way of doing business, although there will be no change noticed by the customer. The objective of DODMERB in migrating to CC is to relieve them of direct IT responsibilities, reduce operating costs, continue to provide superior customer service, and maximize the efficiency of their EA.

Cloud Computing Changes

While there will be no noticeable computing changes to the customer if DODMERB elects to migrate to the CC environment, DODMERB’s entire infrastructure, IS and IT applications will move to a new location and be managed by an external vendor that specializes in CC support. DODMERB will be able to concentrate on their core objectives with external IS management and support. It is imperative that the migration to CC be included in the EA and changes be made in their process alignment to reflect this new structure.

Cloud Computing Support

Cloud computing support will be provided by the contracted vendor with an additional support technician employed locally by DODMERB to provide on-site support and to act as the technical liaison and IAM to the CC provider. This person will be required to be fully qualified in security, serve as the first responder to on-site issues, and manage local operational procedures while ensuring continuity between DODMERB and the services provided by the vendor.

Cloud Computing Measurements and Assessments

DODMERB must implement techniques and methods for how they will measure and assess the efficiency of using CC services. This should be accomplished by distributing surveys to customers for rating satisfaction with the DODMERB IS. DODMERB should analyze the CC support to ensure it is efficiently working with their EA to meet their objectives and goals while providing the flexibility to adjust to changes when necessary. DODMERB should use historical and anticipated future cost figures for IT support and compare those to the costs associated with the CC support to determine if they are receiving an adequate return on their investment and if the election to migrate to CC is cost effective while meeting the customer needs.

References

  • Aversano, L. & Tortorella, M. (2004, July-October). An assessment strategy for identifying legacy systems evolution requirements in eBusiness context. Journal of Software Maintenance and Evolution: Research and Practice, 16(4-5), 255-276. Retrieved May 26, 2011, doi: 10.1002/smr.296.
  • Colosimo, M., De Lucia, A., Scanniello, G. & Tortora, G. (2009, February). Evaluating legacy system migration technologies through empirical studies. Information and Software Technology, 51(2), 433-447. Retrieved May 26, 2011, doi: 10.1016/j.infsof.2008.05.012.
  • DiMario, M., Cloutier, R. & Verma, D. (2008, December). Applying frameworks to manage SoS architecture. Engineering Management Journal, 20(4), 18-23. Retrieved May 13, 2011, from Business Source Complete database.
  • Garg, A., Kazman, R. & Chen, H. (2006, June). Interface descriptions for enterprise architecture. Science of Computer Programming, 61(1), 4-15. Retrieved May 21, 2011, doi: 10.1016/j.scico.2005.11.001.
  • Huang, S., Hung, S., Yen, D., Li, S. & Wu, C. (2006, July-September). Enterprise application systems reengineering: A business component approach. Journal of Database Management, 17(3), 66-91. Retrieved May 26, 2011, from Business Source Complete database.
  • Iyamu, T. (2011). Engineering change through the domains of enterprise architecture. Proceedings of the European Conference on Information Management & Evaluation, 222-230. Retrieved May 27, 2011, from Business Source Complete database.
  • Morganwalp, J. & Sage, A. (2003). A system of systems focused enterprise architecture framework and an associated architecture development process. Information Knowledge Systems Management, 3(2-4), 87-105. Retrieved May 21, 2011, from Academic Search Premier database.
  • Mykityshyn, M. & Rouse, W. (2007). Supporting strategic enterprise processes: An analysis of various architectural frameworks. Information Knowledge Systems Management, 61(1-2), 145-175. Retrieved May 20, 2011, from Academic Search Premier database.
  • Subashini, S. & Kavitha, V. (2011, January). A survey on security issues in service delivery models of cloud computing. Journal of Network & Computer Applications, 34(1), 1-11. Retrieved May 21, 2011, doi: 10.1016/j.jnca.2010.07.006.
  • Tallon, P. (2008, March). Inside the adaptive enterprise: An information technology capabilities perspective on business process agility. Information Technology & Management, 9(1), 21-36. Retrieved May 20, 2011, doi: 10.1007/s10799-007-0024-8.
  • Ylimaki, T. & Halttunen, V. (2005-2006). Method engineering in practice: A case of applying the Zachman framework in the context of small enterprise architecture oriented projects. Information Knowledge Systems Management, 5(3), 189-209. Retrieved May 13, 2011, from Academic Search Premier database.
  • Zachman, J. (1987). A framework for information systems architecture. IBM Systems Journal, 26(3), 454-470. Retrieved May 6, 2011, doi: 10.1147/sj.263.0276.
