Securing Financial Resources

"Four years," the young woman had said, "maybe five. But you'll need to begin searching for replacement funding before then."

Mr. Johnson looked at the figures on the budget sheet before him and sighed. Every year it was the same thing, asking people for more money. There was always something that needed to be done, something that came along to steal his time and sap his strength. He had always intended to get it done-tomorrow.

No one provided grants for operating costs.

He looked over the top of the sheet and gazed out in the public area. Of his ten workstations, three had "Out of Order" signs taped to the front of the monitors. One hard drive failure, one he didn't-know-what failure, and one complete trashing. None would run the latest version of the library's public access catalog software, so he hadn't upgraded.

Where was he going to find $10,000 to replace them?

As mentioned in the Chapter One, probably the most common-and potentially most dangerous-threat to network security in small libraries is the lack of funding required to properly maintain the network. Many libraries have received the bulk of the technology equipment, software, and cabling (collectively called infrastructure) through grants. The problem is most library budgets are not sufficient to support the cost of maintaining this infrastructure. In this chapter I focus on the monetary resources required, including the costs to secure certain network components.

The Cost of Operating a Small Library Network

Costs associated with developing and operating a small library network vary from one library to another based on the purchase decisions management makes. Some entities purchase from local vendors, some from national vendors. Some purchase "business" model computers (which have features like manageability that regular workstations do not), and others purchase the least expensive equipment they can. Nevertheless, some general guidelines can be established for average costs in a small library.

Equipment Used

The following table details the major components used in creating a small library network. Workstations and servers are assumed to have a network card included in the base installation. The costs for computers shown below include shipping costs if ordered online. Computer prices may be reduced by $100 each for local purchases. The last column indicates the allocation I recommend including in the library budget for annual maintenance of the equipment, with the minimum budget allocation included in parentheses.

Table 2. Network Equipment Costs

Quantity

Description

Cost

Maintenance

6

Public Internet Workstations

$ 8,400

$ 600 (300)

2

Staff Workstations

2,800

200 (100)

1 staff


2 public

Circulation/Catalog Workstations

4,200

300 (150)

1

Automation Server

5,000

150 (150)

1

24-port Switch

1,200

100 ( 0)

1

Router

700-2,000

100 ( 50)

1

Network Laser Printer

2,100

100 ( 50)

Total:

$ 24,500

$ 1,600 (800)




One might argue that maintenance costs increase with the age of the equipment, and that the costs shown above may not be appropriate till the third or fourth year the equipment is in service. However, an opposing argument suggests using the standard industry average for an annual maintenance contract, which is 10% of original cost ($2,450 for this example). Another argument is that the annual maintenance cost shown here ($1,600) only represents between 27 hours (at $60 per hour) and 53 hours (at $30 per hour) of a technician's time-and just 13 to 26 hours if the budget is $800. Depending on the severity of the network or computer problem, this represents only 4-6 incidents during the year. This, indeed, is minimal for the normal operation of a small network.

If a security breach results in the need to call in a paid technician to resolve resulting problems, the maintenance budget gets squeezed even further. How many such breaches can the library pay to resolve?

Libraries in Texas using a regional library system TANG technician (a system staff member hired through a state Technical Assistance Negotiated Grant) for network maintenance will be able to stretch their budgets, because the TANG technician's assistance is "free" to the library. I highly recommend that libraries with access to a TANG technician use her services as often as possible. Unfortunately, this is a resource with diminishing returns. As more libraries use the TANG technician, the less available she will become-especially in emergencies. So budget funding still needs to be available to hire paid technicians.

Software Maintenance Costs

Equipment maintenance costs are not the only maintenance costs involved in operating a network. Library automation software requires a software maintenance/support contract to be renewed each year in order to receive technical support. One can also expect a software upgrade (for the operating system and also for those workstations providing MS Office to patrons or staff) to be needed during each computer's service life. Table 3 indicates common software costs a library can expect to incur during the normal lifespan of a computer.

Table 3. Software Maintenance Costs

Software Description

Update Cycle

Cost

Library Automation System (support)

Annual

$395

Automation System Web Server Module (support)

Annual

$195

Security Software Upgrade (if used)

Approx. Two Years

$30 per workstation

MS Office upgrade

Approx. Three Years

$90 per workstation

MS Windows upgrade:

NT Workstation -> 2000

Professional


NT Server 4.0 ->


2000 Server


2000 Server Client

Access Licenses, each

Approx. Three Years

. . . . . . . . . .




. . . . . . . . . .

 

. . . . . . . . . .



. . . . . $48 ($101)




. . . . . $92 ($145)

 

. . . . . . . $5.10




MS Windows and Office upgrade pricing is for the Academic Versions (no technical support provided). The pricing shown is available through the Texas Department of Information Resources as of July 1, 2001, and is subject to change. Prices in parentheses include the license, manual, and media, whereas the lower prices include the license only. In most cases only one copy with new media and manuals is required. The remaining computers require a license, but can be upgraded physically from the same master CD. Some libraries may require multiple copies of media and manuals.

Services

Various services, from cable installation and workstation configuration during the initial creation of the network to Internet access costs incurred during its use, contribute to the annual cost of offering Internet access and automated library systems. Table 4 shows approximate costs of these services (cabling and configuration costs will apply to any future workstations added to the network as well). The estimates shown are "average" costs, with high-end costs displayed in parentheses.

Table 4. Service Costs

Software Description

Cost

Cost after 70% E-Rate Discount

Ongoing Annual Cost

Cabling and Configuration,


Per "drop"

$150 ($250)

-

-

ISDN Line

$60 ($120) / month

$18 ($36)

$216 ($432)

128K Internet Access (ISP)

$50 ($300) / month

$15 ($90)

$180 ($1,080)

Total:

$396 ($1,512)

<

Equipment Replacement

The most difficult cost to deal with, however, is the cost for equipment replacement. This cost is deceptive because replacement is not an immediate need. It's easy to put off, but replacement must be planned if your network services are to continue. The sooner you prepare your replacement plan, the better.

Future costs represented by equipment replacement are easily figured. All equipment has to be replaced after a number of years of service for three common reasons:

  • it will fail through normal use

  • it will become obsolete, unable to perform the functions we need

  • the manufacturer will declare it beyond useful life and cease to support it

  • In most cases, the useful life for equipment in public libraries is longer than it would be in the business environment because of the need to stretch funds. Productivity and competitive advantage will be of lesser strategic advantage in libraries than in businesses. Nevertheless, even given a longer lifecycle, costs associated with equipment replacement are large.

    For public libraries, I recommend a four-to-five-year replacement cycle (current business practice sets obsolescence at about three years). Patrons may begin to see the equipment as "old" and outdated after four years, especially if office software is provided but hasn't been upgraded.

    Four years of ownership represents a critical time period because technology may have evolved enough to make an upgrade undesirable. The processor package may have changed enough that updating the processor means replacing the motherboard as well. More RAM, or a different type of RAM, may be needed with a new motherboard. The video card may also need to be replaced. The combined cost of the parts, plus the cost of installing them, usually ends up being just a little less than the cost of buying a new unit. Considering a new system has a complete, three-year warranty, buying new looks much more attractive than upgrading. So the fifth year may be one when the library limps along, knowing that waiting a year and purchasing a new system is more feasible than upgrading this year.

    Table 5 illustrates the estimated replacement period for various components of a small library network. It includes the number of years you may expect a particular component to serve before needing to be replaced.

    Table 5. Equipment Replacement Costs

    Equipment

    Replacement Period

    Expected Replacement Cost

    Annualized Replacement Cost

    Public Internet Workstations (6)

    4-5

    $ 6,000

    $ 1,500 ($1,200)

    Staff Workstations (2)

    4-6

    2,000

    500 (333)

    Circulation/Catalog Workstations (3)

    5-6

    3,000

    600 (500)

    Automation Server (1)

    6-8

    4,800

    800 (600)

    24-port Switch (1)

    7-9

    1,000

    144 (111)

    Router (1)

    7-9

    500-1,500

    71 (46)

    Network Laser Printer (1)

    5-7

    1,800

    360 (257)

    Total:

    $19,600

    $4,046 ($3,093)




    Obviously, it's impossible to forecast hardware failures, so these periods are just estimates. The annualized replacement cost includes dollar estimates for both the optimal and a maximum (protracted) replacement period.

    The Cost of Securing a Small Library Network

    In terms of dollars, the purpose of security is to spend a little up front in order to keep from possibly having to spend a great deal later on. So it's important to quantify the potential cost of not securing the network. Some costs are easily estimated and quantified:

  • staff time required to handle problems related to altered workstation desktops

  • staff time required to reconfigure such desktops, and deal with vendors supplying technical support

  • the cost of having a vendor reconfigure or repair a workstation configuration

  • However, there are other factors for which cost is not so easily quantified:

  • patron disappointment and upset feelings when a workstation is not available or working properly

  • the library's loss of use of its automation system for a period of time if catalog stations or the server is tampered with

  • the negative publicity generated by an attack or someone using the workstations for an illegal purpose

  • Given these limitations, we are left with vague guesses about the cost of security breaches. But the dollar cost of implementing network security, on the other hand, is much easier to estimate. There are several variables that affect the cost:

  • the number of workstations and servers to be configured and tested

  • the number of security measures to be implemented on each workstation and server (determined in consultation with the library director)

  • whether a public server (such as a web, DNS, or mail server) is to be secured

  • the complexity of the router and firewall used

  • how much of the work can be performed by local staff or volunteers (such as configuring backup software to perform scheduled backups of important data, including the library's bibliographic database and director's documents directory, and making sure physical security is addressed)

  • the experience of the vendor representative (in working in a public environment) contracted to secure the network

  • Table 6 provides a sample cost summary, with estimates of the time required to perform the various activities. To arrive at the cost range for security configuration, I make two assumptions:

  • a technician with little experience configuring workstations and servers for security will take considerably longer to complete the task, but charge less for the time spent

  • router/firewall configuration will be performed by a network technician experienced in such configurations, at a higher hourly rate

  • Table 6. Security Implementation Costs

    Security Service

    Est. Hours

    Cost

    Securing workstation configuration (per workstation; 6 total)

    0.5 - 2

    3 - 12

    $38 - $100

    $225 - $600

    Securing LAN server (1)

    2 - 4

    $150 - $200

    Securing Internet server (web, ftp, mail-if used)

    4 - 8

    $300 - $400

    Securing low-end router/firewall

    0.5 - 4

    $50 - $200

    Testing configurations and resolving problems

    2 - 3

    $150 - $150

    Installation of lockable equipment cabinet

    1 - 1.5

    $38 - $75

    Total (without Internet server):


    Total (including Internet server):

    8.5-24.5


    12.5-32.5

    $613-$1,225


    $913-$1,625

    In keeping with these, the time to configure a workstation or server is represented in two increments: less time for an experienced technician and more time for one who is inexperienced. Likewise, two hourly rates are used: $75 per hour for an experienced technician ($100 for router/firewall configuration) and $50 for a less experienced technician. The cost range is determined by multiplying the inexperienced technician's rate times the estimated completion time to arrive at one cost, then multiplying the experienced technician's time and hourly rate.

    Take these figures as vague estimates only. Actual costs can vary greatly from this sample, depending on the factors listed above.

    If all the major components are contracted to a vendor, the cost could easily range from $500 for a tiny library network to $5,000 for a "moderately sized" small library. The good news is that much of this configuration, if not all of it, can be paid for through grant funds.

    Before we quit, let's return to the notion I mentioned earlier of paying up front to keep a service functional and save time, frustration, and money down the road. Let's assume the six-workstation, one-server configuration above costs $1,000 to secure. Is security worth the price?

    Leaving the network unsecured might result in various attacks that could compromise the network server, leaving it unusable until someone can reconfigure it. That will take time and money. How many days will the automation server be down? Zero? Ten? Is it worth $1,000 to provide a reasonable level of assurance that it will remain operational? There are also other types of "attacks" involving illegal activities through a public workstation. This may result in the workstation being impounded as evidence in a criminal investigation. How long will it be unavailable? A week? A month? A year? Will the library be able to replace it?

    When we look at the possible results of security breaches, the $1,000 cost of a security project appears well worth the money.

    The Cost of Maintaining Security

    Unfortunately, the cost of original implementation is not the only cost associated with securing a network. At the very least, operating systems installed on workstations and servers need to be updated periodically. So a good security program budgets ongoing costs for security administration and staff time for managing backups, monitoring anti-virus updates, monitoring server logs, and resolving small workstation issues as they arise.

    Here is a partial list of "costs" the library may expect as part of its security program:

  • Costs for training staff/volunteers in basic procedures for securing workstations or servers

  • Staff time used in resolving minor workstation problems or arranging for outside technical support

  • Staff time in reviewing security logs; alternatively, funds for contracting for outside monitoring of security logs

  • Staff time in reviewing backup reports and automatic anti-virus updates

  • Staff time in downloading and applying workstation and server operating system patches on a regular basis; alternatively, funds for contracting for operating system updates (costs may be $35-70 per hour, including travel time if required)

  • Restricted services; patrons may be restricted from certain activities, such as using chat or e-mail facilities, or writing to a hard drive, floppy drive, or CD-RW drive

  • The Cost of Auditing Security

    As we've discussed in previous pages, network security is a process. It also has scope. Some libraries will decide to implement security measures that other libraries have declined to implement. Each library is encouraged to examine its community, operating environment, budget, and other local funding constraints to determine the best course for securing its network. In many tiny libraries this may comprise just basic physical and server security and significant workstation security measures.

    Regardless of the scope of its security project, the process needs an element of accountability. A security audit will provide this accountability. The library should consult with a network technician either before or during its deliberations to review the library's options and opinions regarding security. Once final decisions have been made specifying which measures to implement, and the implementation is performed, then an outside agency should be hired to audit the security implementation, based on decisions made by the library.

    An audit will provide the library three benefits:

  • The auditor can comment on the state of security without bias, providing an independent review of a contractor's work.

  • The auditor serves as a failsafe; if a specific security vulnerability has been missed, the auditor provides a secondary resource to catch the omission and suggest implementation.

  • The auditor will also serve as an independent party to voice concerns with the current implementation and make suggestions for future iterations of security implementation.

  • Unfortunately, like security implementation, the benefits are not gained inexpensively. There are four primary cost factors involved in security audits:

  • the scope of and methodology used to conduct the audit

  • number of servers, workstations, and network devices to audit, if included

  • the vendor's experience level, which relates to hourly/daily fee

  • and, the scope of methodology used to produce the audit report

  • Audits reports vary widely in their content and presentation. More information about reports and how security audits are conducted is presented in Chapter 4. For the purposes of this section we'll just say the more extensive the documentation, the higher the full audit cost will be.

    Most tiny libraries with limited infrastructure can expect audit costs to range from $500 to $1,500 plus travel time and expenses, if any. Small libraries with larger numbers of workstations, and web-based access to the library catalog can expect costs to range from $1,000 to $3,000 plus travel time and expenses, depending on the extent and complexity of the network. These ranges are vague estimates only. Table 7 details some of the costs you can expect to incur for an audit of your library.

    Add $200-$400 more if you would like to receive an extensive report.

    From this table you should be able to determine the approximate cost of an audit for your library. You can get a better estimate of the audit cost for your particular library, but you'll need to develop a request for quote (RFQ) for the audit. We'll cover this and other audit topics in Chapter 4.

    Table 7. Security Audit Costs

    Audit Service

    Rate/Cost

    Experienced network/system administrator with little to no knowledge of public access or security issues

    $300-$600


    per day

    Network/system administrator with experience in public access and security issues

    $600 - $1,000


    per day

    Certified, experienced security administrator/ auditor

    $1,000 - $1,500


    per day

    Basic audit of four to eight workstations, one to two servers, and physical (access) security

    5 - 8 hours


    (one day)

    Intermediate audit, including six to twelve workstations, one or two LAN servers, an Internet server, and network devices

    12 - 16 hours


    (1.5 or 2 days)

    Internet-based audit/probe of perimeter security

    3 - 6 hours


    (0.5 or 1 day)

    Detailed written report

    2-4 hours


    (0.5 day)




    Sample Budgets

    In this chapter we've looked at the various costs related to building your library network, keeping it going month after month, implementing a security project and maintaining it, and having a security audit performed. We've looked at them in a disjointed fashion, however. I've included all the costs in two different sample budgets in Part III. One shows the costs as they may apply to a library having more infrastructure and having to contract out its maintenance services.

    The second shows the minimum costs a tiny library can expect if the director locates a volunteer or other free source (such as the TANG technician from the regional library system office) for technical support and maintenance. This second budget also assumes that equipment replacement will be provided either through future grants or continual replacement through donated equipment approximately three years old (replacing each computer every two to three years). While maintaining a program of donations is time-consuming, it is nevertheless a valid means of sustaining services for a tiny library with very little operating budget.

    For those who may want to use them, these budgets will be available in electronic form on the web site for the PDF version of this manual (see the reverse of the title page for the web address). The budget forms, provided in Word 97 format, may be edited in any way you like.

    Summary

    In this chapter we looked at the various costs related to developing and operating a computer network in a public library. We looked at costs in the following areas:

  • Cost of Network Equipment

  • Cost of Software Maintenance

  • Cost of Network Services

  • Cost of Equipment Replacement

  • Cost of Securing the Network

  • Cost of Maintaining Security

  • Cost of Auditing Security

  • We also pointed out two sample network technology budgets for small public libraries. These are presented in Part III.

     

Page last modified: March 2, 2011