The Gap Finds an IT Tool That Saves Time and Money

Welcome to Part 2 of our 5-part series on IT cost cutting. Each installment looks at money-saving IT projects that you can replicate, from Gap, Lafarge, Title Resource Group, the U.S. Department of Defense and Washington Mutual.

In Part 1, Lafarge North America learns how to negotiate from a position of strength with vendors AT&T and Hewlett-Packard, saving “seven figures” in the process.

Flaunt Your Cost-Cutting Smarts

E-mail CIO.com writer Kim S. Nash and tell her about your money-saving project. Be sure to say how much the effort cost, what the financial returns were and how soon you saw them. Bonus points for projects implemented in three months or less, with substantial returns within a year. Your project may be featured in a story on CIO.com or in CIO magazine.

Compliance. You can’t avoid it and you can’t keep failing it. The best you can do is make it cheaper and easier and good enough to pass audits.

Anyone trying to comply with PCI and Sarbanes-Oxley regulations knows that passing an audit hangs on demonstrating that you control employee access to sensitive customer and financial data.

More on CIO.com

Deadline for PCI Compliance Is Now

Why IT Is Better Off Under Sarbanes-Oxley

The ABCs of Identity Management

So it was at Gap Inc. Direct, which oversees the e-commerce efforts of Gap, Banana Republic, Old Navy and shoe outlet Piperlime. But controlling access wasn’t simple in a mixed environment of mainly Unix servers, including Linux, and various Microsoft Windows operating systems.

Gap Inc. Direct uses Microsoft’s Active Directory administrative tools. Among other features, Active Directory lets system administrators grant and control end-user permissions more easily than many Unix tools, says Jeff Arcuri, a senior manager of IT at Gap Inc. Direct.

Active Directory by itself doesn’t support Linux or Unix so Gap’s system administrators ended up having to assign employee permissions individually, to access different databases and applications, depending on the work they needed to do.

When it came time for PCI and Sox audits, auditors or system administrators had to collect the server logs manually to show who accessed what files when, for hundreds of servers. They could automate bits of the process with custom scripts but still, start to finish, the ordeal required up to 10 people working at least part-time on every audit, he says.

To automate more of the process and free up systems administrators for more valuable work, as well as make user access permissions in this mixed operating environment simpler, Arcuri deployed an identity management tool from Likewise Software. The software installation took about three months early this year and involved two to five system administrators at various points, Arcuri says. Installing identity management systems can help a company enforce policies for who can see what data.

Now the company has set up group profiles for several different kinds of employees, so administrators don’t have to configure profiles individually. Likewise also produces reports by user, by date and by server. The number of people working on a given audit has dropped to about five, Arcuri says.

“At the end of the day, we have to report on this stuff. The question was whether or not we could better our reporting,” he says. “Now we get more data in a faster time and a better return-people-to-work time.”

The implementation cost $400,000 but the company expects to see several hundred thousand dollars to $1 million per year in savings, mainly stemming from more efficient use of system administrators’ time, Arcuri says.

Part 3 in our series on IT cost cutting shows how the U.S. Department of Defense uses asset management tools to find and decommission duplicate software and hardware, saving multiple millions.