IT Action Plan for XYZ Ltd. Based on the 7C IT Canvas Workshop

In the IT strategy workshop we successfully identified the company's business model, and from that we built what we call the 7C IT Canvas. In this document we have summarized and analyzed the results and compiled them into what is known as an Action Plan. This is the first step in enhancing the IT strategy. In the action plan we indicate the level of urgency and the budgetary implications of the issues that need managerial decisions. The potential net cost amounts are shown.

YYY Ltd. 1/15 page

The Company's Business Model Canvas

● Value Proposition
  ○ A 20-year benchmark, and a good brand in the industrial market
  ○ Special requests services
  ○ Job well done
  ○ Cleaning schedules, check lists
  ○ Production facilities to offer special expertise
  ○ Services actually performed
  ○ The company doesn’t have something to do for the company
● Customer Segments
  ○ Healthcare cash, school, etc. 30%
  ○ Homepage style and marketing direction
  ○ Industrial establishments 35%
  ○ Offices, business centers 35%
● Sales Channel
  ○ Recommendations 90%
  ○ Cold calling 10%
  ○ Online marketing commences
● Customer Service
  ○ C-level communication with largest clients
  ○ Cleaning staff are trained in communications
  ○ Regional manager
● Key Resources
  ○ Group Leader
  ○ A mix of about 300 outsourced cleaning ladies
  ○ Service leader
  ○ Regional manager
● Key Activities
  ○ Monitoring control points
  ○ Training system
  ○ Logistics, dress supply, purchase of equipment
  ○ Sherpa accounting software (XYZ is the key person)
  ○ A search for cleaning staff
  ○ Cleaning technology training, and how cleaning should be done
● Key Partners
  ○ Payroll administration
  ○ Focus Computer
  ○ Sherpa accounting software developers
  ○ Tennant cleaning machines’ distributor
● Price-Revenue Streams
  ○ Ad hoc work 30%
  ○ Fixed monthly fee (+XXX USD)
  ○ Commerce
  ○ Largest clients: VSS Rental XXX USD, IBD Warehouse XXX USD
● Cost Structure
  ○ Vehicles, vehicle rental fees
  ○ Salaries, wages
  ○ IT expense
  ○ Outsourced accounting, Office rental

The Company's IT Canvas

● Cost-effective
  ○ No Software Inventory
● Conscious
  ○ The company would like to use a CRM
  ○ A checklist of the system should be made during work hours
● Controlled
  ○ Managers would like to test Google Apps
  ○ Service Level Agreements for the Managed Service Provider
  ○ No data security officer
● Charge
  ○ Cryptolocker attacks have already taken place, how does data protection currently stand?
  ○ There should be a permissions audit, and active users should be reconciled
  ○ Web vulnerabilities, web hosting (WordPress) updates should be audited
● Competent
  ○ The newsletter (vsfurdoszoba.hu) goes into the spam folder
● Continuous
  ○ Outsourced VPS servers » Risk
  ○ We can’t get the archived data recovery working?
  ○ Who and when did someone start working? Who worked at night?
  ○ Know-how, 1-1 contract sensitive data, protection has not been resolved
  ○ The data protection of the educational system has not been resolved
  ○ In principle there is no Sherpa accounting system backup
  ○ xzy.com archive backups need to be looked after
  ○ How is the terminal server protection?
  ○ How is the Local Area Network (VPN) protection from the terminal to the server?
  ○ No workstation protection, workstations are not maintained

Key IT Functions

● Document management
● Exchange-based emailing
● Printing (VPN)
● Sherpa-based accounting (SQL)
● VPS hosting based servers
● CRM
● Docca electronic billing (Linux)
● E-learning
● Remote working
● Thin Clients’ management usage
● Basic IT functions (Internet, AD, printing, backups, etc.)

The IT Architecture and IT Maturity of the Company

It can be established from the results of the ITCq analysis that in the company's IT maturity classification an attempt and regulated level in the environment can be found. The detection and acquisition of needed control points in the regulated working operations are the main IT targets in its maturity.

[Figure: IT maturity classification matrix]

Through the 7C IT Canvas Workshop Dilemmas are Uncovered

I Outsourced servers reduce business risks
● There are no service contracts
● On the basis of outsourced VPS servers » Risk
● There is no data security officer

II Basic protection and control of data security levels
● A permissions audit should be made to control active users
● Web vulnerabilities and web hosting (WordPress) must be inspected
● Newsletters going to spam (xyy.com)
● From what distance is the terminal server protection
● How Local Area Network (VPN) protection is from the terminal to the server
● We can’t get the archived data recovery working?
● Cryptolocker attacks have already taken place—how does data protection currently stand?
● In principle there is no Sherpa backup
● xzy.com archive backups need to be looked after
● No workstation protection—workstations are not maintained
● There is no software inventory

III Know-how protection
● Data protection education system has not been resolved
● Know-how, 1-1 contract sensitive data protection has not been resolved
● Who and when did someone step in? Who worked at night?

IV IT-based innovation
● The company would like to use a CRM
● A checklist of the online (electronic) system should be made during work hours
● Managers would like to test Google Apps
● Thin Client technology extension

Problems | Priorities | Cost
The outsourcing of servers reduces business risk | critical | low
Basic protection and control of data security levels | high | low
Know-how protection | medium | high
IT-based innovation | medium | low

Proposed Solutions

I The outsourcing of servers reduces business risk

Problems and Solutions: The company may be of an average size, or rather a more serious IT server uses the services. Regardless, the entire server cluster is outsourced. Moreover, there is no ownership of any kind, but it is leased instead. At such a time, the server operating risk does not change: the operator doesn't only do the IT operations, but is also well-equipped with a garden of IT tools. With ownership the business risk is very high; reducing it is well worth the effort. Basically, there are two ways to reduce risk: one way is in the regulation of contracts. Or, one could have inspections in another way.

In this section, the following issues are addressed:
● There is no service contract
● Outsourced VPS servers based on » Risk
● There is no data security officer

The completion of the necessary preconditions:
● Cooperation with service providers

Work to be undertaken:
● The review of service contracts and the readiness for technical assistance
● Data security questions instituted into a contract
● Having manual backup and disaster recovery

Deliverables:
● Technical contents of service contracts
● Analysis of disaster recovery status (overview only)

Price quotation:
● Net XXX USD

The time required to implement the calculations through the client:
● Administration: 2 hours

II Basic protection and control of data security levels

Purpose: The fundamental control of the IT system data security and its protection

1, The audit of a rescue, its redesign, and its performance

Problems and Solutions: The IT server cluster is completely outsourced; therefore, since the risks of the company’s management of its data assets are unknown, the backup--which is very critical--is done completely without any strings attached. The recovery manual has framed the resolution.

In this section, the following issues are addressed:
● We can’t get the archived data recovery working?
● Cryptolocker attacks have already taken place—how does data protection currently stand?
● In principle there is no Sherpa accounting system backup
● tarhely.eu archive backups need to be looked after

The completion of the necessary preconditions:
● Cooperation with VPS service providers

Deliverables:
● Backup manual

Price quotation:
● Net XXX USD – The fee is contingent on whether or not we find any fundamental problems. If we do not, then a free audit will be provided.

The time required to implement the calculations through the client:
● Administration: 1 hour

2, External and internal vulnerability scan, security audit

Problems and solutions: The current IT infrastructure would be easy to defend, but I feel that it is not protected. The task of this audit is about external and internal attacks and phishing initializing.

In this section, the following issues are addressed:
● Web page vulnerabilities and web host (WordPress) updates must be checked
● The newsletter (vsfurdoszoba.hu) goes into spamming
● From what distance is the terminal server protection
● How Local Area Network (VPN) protection is from the terminal to the server
● No workstation protection—workstations are not maintained

The completion of the necessary preconditions:
● A test user account to the internal audit

Deliverables:
● The audit results and solutions

Price quotation:
● Net XXX USD - The fee is contingent on whether or not we find any fundamental problems. If we do not, then a free audit will be provided.

The time required to implement the calculations through the client:
● Administration: 1 hour

3, User management and the control of rights management to the document library folders

Problems and Solutions: The folder permissions setting is carried out by the IT group. Its accuracy cannot yet be established, although it is a key to the defense of data. Proposed solutions to perform a one-time audit would be decided on the basis of whether the present process works effectively or not, and whether intervention is needed.

In this section, the following issues are addressed:
● There should be a permissions audit, and active users should be reconciled

Work to be undertaken:
● The collection of users
● A single audit of folder permissions
● Consultation with Management and IT group

Deliverables:
● User inventory

Price quotation:
● Net XXX USD - The fee is contingent on whether or not we find any fundamental problems. If we do not, then a free audit will be provided.
● If there is no current user and folder rights table, the setup for this shall be an extra XXX USD

The time required to implement the calculations through the client:
● Administration: 1 hour
● IT group: 2 hours

4, The completion of the software inventory, and outlining the process

In this section, the following issues are addressed:
● There is no software inventory

Problems and solutions: A single measure applies to IT--and that measure applies to how the software is to be used. Insofar as the violation does not adhere to National Criminal Code regulations, the manager will assume the burden in the first instance. The only way of evading such a problem is to be prepared with a proper software inventory. Our software inventory structure has been developed in such a way that the forms provide assistance on a legal basis, and are suitable for BSA's standards.

Price quotation:
● See the attachment!

III, Know-how protection

Problems and Solutions: Such documents that would be extremely important to data protection can be found in the IT system. With traditional IT solutions—this is a project that might be XXX USD, proprietary software which must be purchased, the system configured and constantly monitored. Solutions based on the cloud are cheaper based on its scale in size; therefore, we do indeed assimilate offers accordingly—according to the scope in size of the cloud.

In this section, the following issues are addressed:
● The data protection of the educational system has not been resolved
● Know-how, 1-1 contract sensitive data, protection has not been resolved
● Who and when did someone step in? Who worked at night?

The completion of the necessary preconditions:
● none

Deliverables:
● Protection software solutions

Price quotation:
● Cloud-based IT system where the data is protected.
● With traditional IT solutions, the solution may cost approximately XXX USD for the software, as well as a conceivable labor cost estimated at XXX USD.

The time required to implement the calculations through the client:
● Administration: 2-4 hours

IV, IT-based innovation

Goal: Implement innovative IT-based solutions that carry the company forward, providing additional revenue and/or less costs.

1, Custom cloud-based solutions

In this section, the following issues are addressed:
● The company would like to use a CRM
● A checklist of the system should be made during work hours
● Managers would like to test Google Apps

2, The extension of the Thin Client technology

In this section, the following issues are addressed:
● The extension of the Thin Client technology

Problems and Solutions: The Thin Client technology can achieve significant cost-benefits. While such a solution is currently working, and running in the background, the comprehensive package entails additional efficiency improvements. Under the scope of these issues, we'll shoulder additional presentations.

Work to be undertaken:
● Consultancy with the IT group
● The assessment and analysis of opportunities
● Making recommendations to management

Price quotation:
● Net XXX USD – The fee is contingent on whether or not the purchase of equipment was procured from us. In such an event, there is no charge.

The time required to implement the calculations through the client:
● Management: 2 hours
● IT group: 4 hours