As business year-end activities and the year's sales goals compete for executive attention, it becomes a time for critical reflection and assessment. The focus - to reflect on last year's performance and to assess the company's readiness to hit next year's targets. It is important to objectively examine information technology in this reporting and planning process. An annual IT check-up reports on key vital signs and is well worth adding to your annual assurance review.
Given the growing reliance on information systems to run nearly every company operation, how is your technology doing in terms of the business? In light of the fact that most critical business information is now in electronic form, how vigilantly are your digital assets protected and secured? As with any annual health check-up, it is prudent to ask, "Are there any chronic aches and pains with your network's performance and technology support?"
A healthy technology environment, just like human health, is more than the absence of illness. Chronic network problems and support pains are symptomatic of technology problems that should be treated before they compromise business health. Chronic issues often need a specialist to ferret out the root cause, explain the diagnosis, specify a treatment plan, and fix the problem in a timely manner.
The "Annual IT Check-up" is a framework of questions that require yes, no, or maybe answers. Generally speaking "Yes" is an indicator of health while "No" can indicate either an unhealthy situation or risk that deserves management's attention. "Maybe" represents uncertainty. It is important to note that "Maybe" can provide as much risk to a business as a "No". As with any generalized assessment tool, there will always be exceptions - adjust for those. This health-check can be completed quickly and provides insights into the vital signs and overall health of your company's business technology.
Once completed, the health-check can frame meaningful discussions about the current condition and desired future state of the business technology. Such dialogue can be particularly productive if it includes the executive team, key user groups, technology management, stakeholders, and, at times, trusted outside advisors. Looking ahead, the checklist can provide business a baseline to measure technology's progress in both the months to come and from year-to-year.
The check-up is completed - what's next? Prioritize the "No's" in terms of either the risk exposure they provide the business or their cost to the company. "No's" to the data back-up and disaster recovery questions could indicate significant business risks in the event of either a hard-drive failure or disaster event; a "No" response to the network reliability and availability question may indicate costs to the company in either lost productivity or sales revenue. What amount of risk is the business willing to accept?
ID | Annual IT Check-Up |
|
|
|
A | Strategic Planning | Yes | No | Maybe |
A-1 | Is there a written strategic plan for technology? |
|
|
|
A-2 | Is technology involved in the business planning process? |
|
|
|
A-3 | Is technology aligned well with the business needs? |
|
|
|
A-4 | Is there an annual technology budget? |
|
|
|
A-5 | Is there a current architectural drawing of the network? |
|
|
|
A-6 | Add other questions specific to the business:
|
|
|
|
|
|
|
|
|
B | Information Technology | Yes | No | Maybe |
B-1 | Is the technology infrastructure adequate to run the business? |
|
|
|
B-2 | Is information technology in compliance with all regulatory legislation? |
|
|
|
B-3 | Are passwords used to authenticate system users? |
|
|
|
B-4 | Are network operating system security patches and fixes current? |
|
|
|
B-5 | Is a firewall solution in place for external connections? |
|
|
|
B-6 | Is anti-virus software in place? |
|
|
|
B-7 | Is anti-virus software current? |
|
|
|
B-8 | Is a network intrusion detection system in place? |
|
|
|
B-9 | Is automatic logoff in place? |
|
|
|
B-10 | Add other questions specific to the business:
|
|
|
|
|
|
|
|
|
C | Policies & Procedures | Yes | No | Maybe |
C-1 | Is a procedure in place to determine that personnel access to sensitive information is appropriate? |
|
|
|
C-2 | Is there a published technology use policy? |
|
|
|
C-3 | Is there a procedure for reporting security breaches? |
|
|
|
C-4 | Are there procedures for responding to security breaches? |
|
|
|
C-5 | Is there a procedure for changing user accounts? |
|
|
|
C-6 | Is there a procedure for workstation lock-out or password protected screen savers? |
|
|
|
C-7 | Is there a procedure for password management? |
|
|
|
C-8 | Is there a procedure for system access verification? |
|
|
|
C-9 | Add other questions specific to the business:
|
|
|
|
|
|
|
|
|
D | Contingency Plan | Yes | No | Maybe |
D-1 | Have all business applications been analyzed for criticality? |
|
|
|
D-2 | Is all data analyzed for criticality? |
|
|
|
D-3 | Is the analysis of applications and data documented? |
|
|
|
D-4 | Is there a formal data back-up plan? |
|
|
|
D-5 | Is there a disaster recovery plan for technology that is tested on a recurring and scheduled basis? |
|
|
|
D-6 | Is there a contingency plan for the business that is tested on a recurring and scheduled basis? |
|
|
|
D-7 | Are there revision procedures for the contingency plan? |
|
|
|
D-8 | Add other questions specific to the business:
|
|
|
|
|
|
|
|
|
E | Change Management | Yes | No | Maybe |
E-1 | Is there a scheduled, documented review of system access authorizations? |
|
|
|
E-2 | Is there a scheduled, documented review of personnel changes? |
|
|
|
E-3 | Is there a computer hardware inventory? |
|
|
|
E-4 | Is there a computer software inventory? |
|
|
|
E-5 | Is there a network devices inventory? |
|
|
|
E-6 | Is there supervision of personnel implementing system access changes? |
|
|
|
E-7 | Are records of system access changes maintained? |
|
|
|
E-8 | Are automated system and application change control systems in place? |
|
|
|
E-9 | Add other questions specific to the business:
|
|
|
|
|
|
|
|
|
F | Organization & Staff Development | Yes | No | Maybe |
F-1 | Is there a defined IT organizational structure? |
|
|
|
F-2 | Are there regular performance reviews? |
|
|
|
F-3 | Are there written job descriptions? |
|
|
|
F-4 | Are training plans in place for technical staff? |
|
|
|
F-5 | Are background checks conducted on IT staff? |
|
|
|
F-6 | Add other questions specific to the business:
|
|
|
|
|
|
|
|
|
G | Accountability & Reports | Yes | No | Maybe |
G-1 | Are back-up logs monitored with errors reported to management? |
|
|
|
G-2 | Are firewall logs monitored with incidents reported to management? |
|
|
|
G-3 | Are regular server maintenance reports provided to management? |
|
|
|
G-4 | Are regular status reports on project work provided to management? |
|
|
|
G-5 | Is IT staff time tracked and utilization reported to management? |
|
|
|
G-6 | Add other questions specific to the business:
|
|
|
|
|
|
|
|
|
H | Satisfaction Levels | Yes | No | Maybe |
H-1 | Are network systems reliable and routinely available for business use? |
|
|
|
H-2 | Are all user groups satisfied with technology support? |
|
|
|
H-3 | Is management confident in disaster recovery capabilities? |
|
|
|
H-4 | Is the network free of recurring or chronic problems? |
|
|
|
H-5 | Does IT, visible to the outside world, speak well of the company? |
|
|
|
H-6 | Add other questions specific to the business:
|
|
|
|
© 2005 R.DORSEY+COMPANY INC. | ||||
Review your prioritized items from the check-up with the executive team and technology manager. Work together to quantify the potential financial impact of the risks and costs identified. Determine which exposure and cost items will be addressed, who will be responsible, desired outcomes, and completion dates. Build a detailed action and staffing plan for each item that needs attention. Don't be afraid to go outside for advice and expertise on these technology management issues - it can save time, money, and headaches in the long-run.
Consider that data back-ups are every bit as important as the financial statements, which are audited with regularity. Why not request an outside audit of your company's back-up system? This is a straight forward objective way to quickly verify how well your business data "is" or "is not" being protected.
Conducting this annual check-up gives executives and management alike an IT progress report from year to year. Everyone can see if selected problem areas were resolved or improved upon in the last year as planned. If things remained unchanged or fell short, then those items should be reviewed again to verify that they're still a business priority to the company in the coming year. If so, then the real reasons for lack of progress need to be ferreted out and addressed with those responsible. Management can then reset the IT directives moving forward and then monitor progress on these vital signs to improve results in the coming year.
Digital data is a critical asset key to the well being of the business - wouldn't it be nice to know that the company's technology has a clean bill-of-health? If there are problem areas, the annual IT check-up identifies them and acts to focus management and resources on vital areas for improvement during the next year and budget cycle.
R.DORSEY+COMPANY, a technology consulting firm, specializes in network infrastructure, information security, data back-up, and disaster recovery. The firm provides trusted technology advice to both large and small companies in many business, health care, and governmental sectors.
Executive management occasionally nees an outside opinion about business technology issues of concern. Tim Cook of R.DORSEY+COMPANY will assist you in setting up such as confidential conversation. He can be reached at (614)486-8900 x223 or at trcook@dorseyplus.com.