====== Chapter 2: Selection, implementation and management of ICT services for libraries ====== ===== Introduction ===== The Information and Communications Technology options available to libraries are unparalleled. A carefully managed project can considerably enhance the services provided by the Parliamentary library to its Clients. However, unlike engineering projects, ICT projects are notoriously vulnerable to failure. The selection of suitable software for a parliamentary library should be undertaken carefully and systematically. The business case should be situated in the context of an overall Information Strategy for development of the resources management by the library. This could also include a content strategy for management and presentation of content on the corporate intranet. This chapter provides an overview of the general principles of software selection and implementation management. A careful approach to software selection and service management can reduce the risks of project failure. Above all, it is important to understand the requirements of library current information needs of the Parliamentary members and situate these needs in the broader strategic role of the library. This chapter outlines typical approaches to reducing the risk of ICT project failure through: - preparing an over-arching Information Strategy for the Library - development of a business case situated in the current needs of the Parliamentary library stakeholders - evaluating software to be implemented in the context of the business case - developing a managed implementation which stages the delivery of services in a sustainable manner through project management. ===== Developing the Information Strategy ===== An Information Strategy is one means of improving the analysis of the current information needs of the Members, their staff. Chapter Six outlines techniques to review these information needs. The priority for selection of new systems for use in the library should be defined by an Information Strategy. An Information Strategy should then be formulated to provide an overall framework for the capture, management and delivery of information that meets the client needs. As such the Information Strategy embraces the staff and the ICT resources needed in order to gather, manage and deliver information in a consistent manner. A typical Parliamentary Library Information Strategy will include broad gaols of: * Making information more accessible * Improving the availability and effectiveness of information * Reducing the cost and effort of managing and using information * Encouraging the development of information skills so that members of the Parliamentary Library can effectively access information resources to meet their needs * Improving the quality and reliability of information delivered * Ensuring that the Parliamentary Library has information processes to meet with requirements to preserve the collective memory of the Parliament * Having systems that fulfill relevant national and international Library standards. The Information Strategy will help define priorities for the systems that are needed to meet the information needs. For example, in a high-circulation library where the priority of the members is access to the resources in the library, implementation of an improved Library Management System may the first step in implementing the Information Strategy. For a library with the most pressing need is provision of current news and guidance the improvement of the ICT support for reference services may be the first priority. ===== Making a business case ===== The development of a business case for introducing new systems and services is not only about achieving organisation commitment to funding, it is also about developing an understanding of the purpose and extent of the project. The intelligence gathered in identifying the information needs and an Information Strategy framed around these needs will support the development of an appropriate business case. ICT projects tend to be most successful where they are accompanied by a methodical process for project management. Prince2, for instance, is a product-focused project management technique for the oversight of major projects that focuses on a product-based planning approach and the organisation of projects into manageable and controllable stages to minimise risk. Methodologies such as Prince2 require development of a Project Initiation Document (PID) that defines the outcomes, resources, constraints, and risks associated with the project . Understanding your current systems and measuring your capacity for new systems is a first step in this assessment. Even if new systems are highly functional, it may be important to assess whether all elements of a system are adopted at once or whether adoption is staggered over time. ===== Evaluating software ===== Irrespective of whether software is commercial or open source, the implementation of systems to meet the needs of the libraries is attended by stages of data conversion, training and workflow adjustment that need to be carefully planned. Organisations such as the United Nations have played a key part in enhancing the ICT capabilities of libraries. Where selecting software a formal process of evaluation should be considered. This may be through formal tender processes, or informal internal evaluation. Either way, it is important to understand your requirements and situate these requirements firmly in a business case to ensure the the new systems deliver their benefits. ==== Evaluating software through tender ==== The risk of software projects can be reduced through a systematic approach to adoption that includes: * Developing from the business case a set of requirements * Evaluating the current information model and data conversion/transition requirements. Vendors will need this information in order to be able to estimate the conversion and data migration costs of the project. * Preliminary research to evaluation the availability of software that may fit these requirements * Preparation of a Request for Information or Request for Tender * Publishing the Request either to a limited set of probably candidates or more widely. This may include evaluation of solutions that can be developed or implemented internally. This could include open source solutions where the parliamentary library has suitable technical support for management and supply. * Selection of a limited set of candidates for detailed evaluation against the requirements. Evaluating software can be a time-consuming process, so a short-listed candidate list should include the minimum practical number that can be evaluated with the resources the parliamentary library has available * Review of vendor presentations (including internal proposals) * Negotiation of an implementation plan with the chosen internal or external supplier, including Service Level Agreements. Where a formal tender process is required, a request for proposal might typically have: * An explanation of the evaluation process and time-lines for response * An overview of the operation of the Parliamentary Library * Current systems and data model * Motivation for change and requirements for the new system * Your information architecture (standards, platforms, metadata framework) * Your expected project plan for delivery (estimated time-lines) * Requirements for training * Requirements for data migration Vendors should be required to identify costs (fixed and variable) as well as risks associated with their system. A more constrained Request for Information might also be sent out to selected vendors after a survey of software options. Software solutions are never "free". Whether open source, commercial or free for use, sustaining solutions over time have attendant system operational and professional development, as well as the associated development of workflow processes to situate software in the context of a particular Parliamentary Library. ==== Non-tender software evaluation ==== The Parliamentary library may not be subject to formal tendering processes. Organisations such as UNESCO and the UN can kick-start the implementation of library services by providing guidance and assistance in software implementation. It is still important to evaluate the ways in which implementing such systems will fit your particular library. When a formal tender process is not required, an internal review of software that has been selected should be undertaken that reflects on the capabilities of the selected system against the current requirements. Software may be available to the library at no charge, or with no license cost (such as Open Source). However good the software, the implementation of this system may fail if it fails to meet the current needs of the clients of the library. For this reason, it remains important to evaluate the software systematically and guide the project implementation in a manner that is focused on your own library requirements. The business case for the software should not be neglected and an internal evaluation process should also be undertaken to avoid the potential problems in project implementation. If the project implementation is not understood in the context of an internal business case that reflects on the long term relevance and sustainability of this service in the library the implementation of these systems may not yield the hoped-for benefits for Parliamentary clients. In evaluating the implementation approach an internal evaluation should at least look at: * The current systems and data model * Motivation for change and requirements for the new system * Your information architecture (standards, platforms, metadata framework) * Your expected project plan for delivery (estimated time-lines) * Requirements for training * Requirements for data migration ===== ICT project management ===== There are well defined approaches to ICT implementation that are designed to reduce the risk of project implementation. Most project management approaches divide a project into phases of: * Project initiation - Developing the business case - Defining project governance and executive sponsorship - Define the project goals and expectation - Defining project risks - Dividing the project into realistic delivery stages - Establish the reporting processes for the project - Establish a methodology for change control and issue resolution - Formulating teams to be responsible for project delivery stages * Project management - Break down the project in to definable stages - Allocate resources for each stage - Define a project plan for delivery of each stage - Define targets for each project stage - Escalate issues and change requests through the governance framework * Stage review - Review each project stage on completion for feedback into the next stage - Review each project stage when target dates for deliverables are not met * Project completion review - Assess project outcomes and follow-up work - Assess lessons learned For larger projects, a Project Steering Committee should be established. Not all projects require such a Project Steering Committee – it will depend on the cost, complexity and duration of the ICT project. A typical Steering Committee might comprise : * A business owner– an ICT, Library or Parliamentary owner of the project who has ultimate responsibility for the benefits and outcomes of the project, * Major stakeholder representatives - representing the major areas positively affected by the project, * Major supplier/vendor representatives who are participating in the project delivery, * Other subject specialists as required to bring specific knowledge and skills. The Steering Committee should be kept to the smallest practical size that allows regular, brief, review of the project governance and progress. An example of a formal methodology for project management developed for medium to large projects is the PRINCE2 project management methodology. Further information on this project management framework can be found at best-management-practice.com (http://www.best-management-practice.com/)- a portal site with information resources on Prince2. ===== ICT service delivery ===== Information Systems are dynamic and require ongoing monitoring and support. Whether managed externally or internally, a service-oriented view of this management is typically the most effective method for archiving the best practical outcome for ongoing system operation. One of the most comprehensive standards for ongoing service management is the Information Technology Infrastructure Library (ITIL), a set of principles and standard for service operation that break down ongoing service management into: * Service support - Service desk management and principles around management of a service desk - Incident management - tracking and resolving issues - Problem management - resolving ongoing issues into an overall strategy for ICT delivery - Change management - ensuring changes are communicated, discussed and agreed - Release management - ensuring system changes are implemented in a coordinated manger that minimises impact * Service delivery - Service Level Management - statements of expectation for service delivery by internal and external vendors - Capacity Management - IT Service Continuity Management - Availability Management - Financial Management With the increasing number of external providers that a library relies on, the Service Level Agreement becomes an important means of defining the responsibilities of service providers. A Service Level Agreement can define: * performance of the applications provided (for example minimum page response times for the library management system when hosted externally) * levels of technical support and support response times * maximum recovery times in case of disaster and the client or provider * data backup and retention policies * privacy policies Similar (less detailed) agreements can be useful with internal ICT departments to define quality and consistency in service delivery. ==== Methods for service delivery ==== Service delivery of systems will be in the context of the broader architecture supported by the ICT. Selection of systems to support the library need to be conscious of this framework. The library can draw on a variety of service architectures including: * **Hosted or "cloud" solutions ** where a provider delivers the entire application on their infrastructure and provides all associated software, hardware and technical support. Service delivery is usually web based. This handbook gives many examples of solutions that are offered in this way. Open source software is available from many providers on a hosted basis. A Service Level Agreement (SLA) can define ownership of data, privacy restrictions and levels of service and support. * **Virutalised servers ** Virtualisation technology allows a single large computer server to be subdivided into multiple different "virtual" servers. VMWare is the most popular example of this, but Oracle, Microsoft and Linux have Virtualisation capabilities also (XEN is an open source Virtualisation server). Virtualisation can allow your ICT area to support a range of platforms using a single hardware platforms. Some software applications come "out of the box" in a virtual server platform, so no software installation is required. Of course, software support is still required. * **Web 2.0 service solutions** Many powerful search and office productivity tools are available on the web free of charge or on a fee-basis, as illustrated in the previous chapters. There may be no individual Service Level Agreement offered, so careful inspection of the standard privacy and terms and conditions of these services is important. Libraries, where sufficiently resourced, can also take advantage of the many Web 2.0 productivity tools to develop mash-up solutions that leverage a mixture of internal systems and the above approaches to unify different systems in a single internal view for the benefit of clients. ====Privacy and Data Security==== In order to realise the tremendous benefits of services delivered over the Internet, end-users are required to entrust a growing number of service providers with more and more personal information. This information often deals with aspects of people's lives which are regarded as personal and private and may include information about their identity, physical location, contact details, among other things. The loss of personal data by a service provider may result in an interruption to the service and a degree of inconvenience to the consumer, but unauthorised access to and misuse of personal information can have longer-lasting consequences. The possession of personal information can, in some circumstances, be exploited by unethical marketers, or by criminals for fraudulent purposes. As a result the theft, selling and buying of personal data has become a issue that must be treated seriously by service providers and consumers alike. The privacy and security of personal data entrusted to any service provider must be safeguarded from loss and misuse by the service provider. Privacy requirements form an important part of the Service Level Agreement with any software and hosting providers. Most people would be aware that networked applications, unless properly managed, are vulnerable to intrusion by computer hackers. However, experience also shows that abuse of authority and trust by staff with access to computer systems is as much a problem as external intrusion. While most staff are trustworthy and careful, the concentration of personal information within a single repository provides the potential for one incident to have a large effect. The rich capabilities of Web 2.0 applications come with attendant privacy risks. When the library is building mash-up-style applications or architecting solutions that use a mix of internal client data as well as external services the library staff should be aware of some basic tenets of privacy around the design of information capture and usage policies for personal data: * Only minimal personal data should be gathered, and strictly for the purpose of the intended purpose (for example interlibrary loans) * Only the minimum information should be collected from clients to achieve the task required * Clients should have the ability to access, verify and modify any information in their profile * Access to the client functions does not confer access to the administration functions for the application ==== Responsibilities of library staff in ICT service delivery ==== The Parliamentary Library should take measures that include education of staff to their need to protect privacy, virtual and physical security measures, backup processes, robust server and network design and auditing of access to the systems which they manage. Nightly backups of data on systems should be encrypted and retained only long as necessary to ensure business continuity in the event of system failure. Staff employment terms should include privacy and non-disclosure conditions and employees should be given access to systems for which they have responsibility to the level required to undertake their tasks. The library has a responsibility to indicate the usage of any personal data managed, and should communicate these policies to any hosting agencies or departments managing their data. A basic requirement should be that service providers not sell, rent, share or otherwise communicate the parliamentary libraries client data, unless in a manner required by the library. In this context it is important to establish structures, processes and procedures to mitigate risks that may arise from within their domain of concern. The following areas need to be considered: * Accountability of staff * Education of staff * Oversight of activities * Careful handling of information * Monitoring of threats Employees should be required to be familiar with the Security Policy and terms of use for Internet resources. It is important for the library to define and promulgate a terms of use for Internet use by library staff. Such terms of use do not have to be about restriction of information flow, or research. They should however be directed to appropriate use of Internet access that is directed to fulfilling the demands of their role as information professionals. The library or ICT services of the Parliament should also define and publish Terms of Use regarding Internet access and use of library services and terminals available to library clients. ==== Risk Assessment ==== The library should undertake a risk assessment associated with its systems, and resources and assess processes to mitigate that risk. A simple example follows: ^System event^Risk^Mitigation^ |Misuse of data \\ by employees|Breach of privacy policy| Employee policy security communicated to all employees | |Virus infection|System outage & data loss or breach of privacy|\\ Anti-virus installed on all systems \\ No file shares on servers where not functionally required; \\ Patch update policy on all systems| |Hard disk failure|Loss of data due to hardware failure| Mirroring of all system and data disks \\ Nightly backups of all data \\ Weekly system mirroring of critical systems| |Hardware failure \\ Server|Loss of data due to hardware failure, client & office outage| Mirroring of all system and data disks \\ Nightly backups of all data; Weekly system mirroring of critical systems| |External Network failure|Loss of data due to hardware failure| Mirroring of all system and data disks \\ Nightly backups of all data \\ Weekly system mirroring of critical systems \\ Fail-over arrangements with servers available in the office (e.g. Linux to Linux or Windows to Windows)| |Power loss - server|Server outage and loss of data| Redundant power supplies on all servers & fault alerting| |Power loss - office|Client access outage|Hot standby servers in DRP Sites located on different network and power service| |Hardware failure - internal hubs|Office & external service outage|Hot standby hubs| |Network outage - primary data link|Office & external service outage|Maintain a separate high-bandwidth link to the office \\ Hot standby servers in DRP Sites located on different network and power service | |Fire|Office & systems outage|Technical contacts for hardware and asset recovery. Exit and assembly plans for staff | |Flooding|Office & systems outage|Technical contacts for hardware and asset recovery (for instance freeze drying for books) | |Earthquake|Office & systems outage| Exit and assembly plans for staff | The level of protection undertaken against each risk depends on the expected impact of an outage on clients and the consequent degree of disaster production redundancy that is engineered into your architecture. Fully redundant live standby servers are possible but can be very expensive to maintain. They are typically warranted where the outage interval in case of a disaster event for clients must be kept to seconds or minutes. A minimum disaster recovery profile should see off-site backup of data and well documented (and tested) steps for recovery of this data. For each risk event associated Disaster Recovery Plan steps should be in place which defines the contacts, processes and actions during and after the disaster event. It is also important to document the last successful test of this disaster plan. In locations where power supply is irregular, risk mitigation might include arrangements for mirroring services with other agencies (for example ensuring catalogue holdings are available through WorldCat). ===== Staff Training ===== Training of library staff is an essential component of ICT capability building. Training needs to be timely - too much in and advance of systems delivery or too much in arrears can leave staff struggling when they are called on to provide support for systems with which they are not familiar or comfortable. This training needs to be framed around the road map for library service delivery. For this reason a training needs analysis framed around the library services road map should be periodically reviewed. This needs analysis can also be used to identify areas of staff development, especially for those library staff tasked with forward-facing service delivery. With the transition to an increasing web-based focus on information delivery, there are a number of approaches to web-based self education on the Web 2.0 mix of tools and services. One of the most popular is the "23 things" programme that takes the learner through a Web 2.0 journey relevant to librarians (http://plcmcl2-things.blogspot.com/). ===== ICT training for members ===== A responsibility for many libraries is that of training. The sheer diversity of resources available through the library itself and on the web can be daunting. The Parliamentary library often provides induction training for newly elected parliamentary members and their staff in using library resources. This can be extended to include training in ICT-related areas such as the use of Web 2.0 resources, use of e-book readers and use of the information resources in the library itself. Such training can also be the opportunity to brief researchers on the constraints of copyright and the risks associated with plagiarism. It can also be an opportunity to undertake before and after surveys on the library to assess level of understanding and usage of library resources and assess over time what information resources the members are looking for. ===== Standards ===== There are emerging standards for Information Technology service management which give guidance on best practice in sustainable service delivery. These principles define methodologies for service delivery and business continuity using Information Communications Technology. * ITIL. http://www.itil-officialsite.com/. The Information Technology Infrastructure Library (ITIL) is a UK-based toolkit for best practice management of IT resources. It has achieved international adoption as a practical set of guidelines for business continuity, management of ICT services and IT issue management. * http://en.wikipedia.org/wiki/Information_Technology_Infrastructure_Library. Wikipedia has an article on ITIL with an example of a Service Level Agreement from Queensland, Australia. * Service Level Agreement (SLA). Libraries have to deal with many ICT suppliers. Achieving a suitable performance with them depends on defining service expectations that are agreed with the supplier. There are many guidelines for SLA preparation, including: * http://www.service-level-agreement.net - a Service Level Agreement "toolkit" * http://www.sla-world.com/framework.htm - a Service Level Agreement "toolkit" * http://www.nkarten.com/sla.html - Some commonsense ideas about Service Level Agreements * http://technet.microsoft.com/en-us/library/bb124886%28EXCHG.65%29.aspx. A checklist from Microsoft for Service Level Agreements ===== Software ===== * Microsoft Project . http://www.microsoft.com/project. Microsoft Project is a widely used Project management tool from Microsoft * Basecamp. http://basecamphq.com/. Basecamp is a low cost web-based project management & collaboration tool * Project manager. http://www.projectmanager.com/. Project manager is a web based project management and document collaboration system