As business year-end activities and the year's sales goals compete for executive attention, it becomes a time for critical reflection and assessment. The focus - to reflect on last year's performance and to assess the company's readiness to hit next year's targets. It is important to objectively examine information technology in this reporting and planning process. An annual IT check-up reports on key vital signs and is well worth adding to your annual assurance review.
Given the growing reliance on information systems to run nearly every company operation, how is your technology doing in terms of the business? In light of the fact that most critical business information is now in electronic form, how vigilantly are your digital assets protected and secured? As with any annual health check-up, it is prudent to ask, "Are there any chronic aches and pains with your network's performance and technology support?"
A healthy technology environment, just like human health, is more than the absence of illness. Chronic network problems and support pains are symptomatic of technology problems that should be treated before they compromise business health. Chronic issues often need a specialist to ferret out the root cause, explain the diagnosis, specify a treatment plan, and fix the problem in a timely manner.
The "Annual IT Check-up" is a framework of questions that require yes, no, or maybe answers. Generally speaking "Yes" is an indicator of health while "No" can indicate either an unhealthy situation or risk that deserves management's attention. "Maybe" represents uncertainty. It is important to note that "Maybe" can provide as much risk to a business as a "No". As with any generalized assessment tool, there will always be exceptions - adjust for those. This health-check can be completed quickly and provides insights into the vital signs and overall health of your company's business technology.
Once completed, the health-check can frame meaningful discussions about the current condition and desired future state of the business technology. Such dialogue can be particularly productive if it includes the executive team, key user groups, technology management, stakeholders, and, at times, trusted outside advisors. Looking ahead, the checklist can provide business a baseline to measure technology's progress in both the months to come and from year-to-year.
The check-up is completed - what's next? Prioritize the "No's" in terms of either the risk exposure they provide the business or their cost to the company. "No's" to the data back-up and disaster recovery questions could indicate significant business risks in the event of either a hard-drive failure or disaster event; a "No" response to the network reliability and availability question may indicate costs to the company in either lost productivity or sales revenue. What amount of risk is the business willing to accept?
ID | Annual IT Check-Up |
|
|
|
A | Strategic Planning | Yes | No | Maybe |
A-1 | Is there a written strategic plan for technology? |
|
|
|
A-2 | Is technology involved in the business planning process? |
|
|
|
A-3 | Is technology aligned well with the business needs? |
|
|
|
A-4 | Is there an annual technology budget? |
|
|
|
A-5 | Is there a current architectural drawing of the network? |
|
|
|
A-6 | Add other questions specific to the business:
|
|
|
|
|
|
|
|
|
B | Information Technology | Yes | No | Maybe |
B-1 | Is the technology infrastructure adequate to run the business? |
|
|
|
B-2 | Is information technology in compliance with all regulatory legislation? |
|
|
|
B-3 | Are passwords used to authenticate system users? |
|
|
|
B-4 | Are network operating system security patches and fixes current? |
|
|
|
B-5 | Is a firewall solution in place for external connections? |
|
|
|
B-6 | Is anti-virus software in place? |
|
|
|
B-7 | Is anti-virus software current? |
|
|
|
B-8 | Is a network intrusion detection system in place? |
|
|
|
B-9 | Is automatic logoff in place? |
|
|
|
B-10 | Add other questions specific to the business:
|
|
|
|
|
|
|
|
|
C | Policies & Procedures | Yes | No | Maybe |
C-1 | Is a procedure in place to determine that personnel access to sensitive information is appropriate? |
|
|
|
C-2 | Is there a published technology use policy? |
|
|
|
C-3 | Is there a procedure for reporting security breaches? |
|
|
|
C-4 | Are there procedures for responding to security breaches? |
|
|
|
C-5 | Is there a procedure for changing user accounts? |
|
|
|
C-6 | Is there a procedure for workstation lock-out or password protected screen savers? |
|
|
|
C-7 | Is there a procedure for password management? |
|
|
|
C-8 | Is there a procedure for system access verification? |
|
|
|
C-9 | Add other questions specific to the business:
|
|
|
|
|
|
|
|
|
D | Contingency Plan | Yes | No | Maybe |
D-1 | Have all business applications been analyzed for criticality? |
|
|
|
D-2 | Is all data analyzed for criticality? |
|
|
|
D-3 | Is the analysis of applications and data documented? |
|
|
|
D-4 | Is there a formal data back-up plan? |
|
|
|
D-5 | Is there a disaster recovery plan for technology that is tested on a recurring and scheduled basis? |
|
|
|
D-6 | Is there a contingency plan for the business that is tested on a recurring and scheduled basis? |
|
|
|
D-7 | Are there revision procedures for the contingency plan? |
|
|
|
D-8 | Add other questions specific to the business:
|
|
|
|
|
|
|