Leading IT Transformation – Workshop 2 (Current-State Assessment)
The Appleton Greene Corporate Training Program (CTP) for Leading IT Transformation is provided by Ms. Drabenstadt MBA BBA Certified Learning Provider (CLP). Program Specifications: Monthly cost USD$2,500.00; Monthly Workshops 6 hours; Monthly Support 4 hours; Program Duration 24 months; Program orders subject to ongoing availability.
Learning Provider Profile
Ms. Drabenstadt is a Certified Learning Provider (CLP) at Appleton Greene and she has experience in Information Technology, Information Governance, Compliance and Audit. She has achieved an MBA, and BBA. She has industry experience within the following sectors: Technology; Insurance and Financial Services. She has had commercial experience within the following countries: United States of America, Canada, Australia, India, Trinidad, and Jamaica. Her program will initially be available in the following cities: Madison WI; Minneapolis MN; Chicago IL; Atlanta GA and Denver CO. Her personal achievements include: Developed Trusted IT-Business Relationship; Delivered Increased Business Value/Time; Decreased IT Costs; Re-tooled IT Staff; Increased IT Employee Morale. Her service skills incorporate: IT transformation leadership; process improvement; change management; program management and information governance.
MOST Analysis
Mission Statement
The first 30 days of the 90-day plan will be focused on current-state assessment. To understand what the business already has and where it is lacking in terms of IT or digital technology, it is important to carry out a thorough assessment of the current business state. Only when we know where we are starting from will we be able to map out the path to the future goal that we want to attain. A current-state assessment for IT transformation will have to take into account all aspects of the business. It has to evaluate the current processes, systems, and operations in the business. The current-state assessment will also study the organization’s structure, culture, and approach towards change. The assessment will also review the roles of the different people working in the organization in an attempt to see how their skills can be better utilized and if some reshuffling can benefit the transformation process. This current-state assessment will bring forward the opportunities for improvement and pain points that need to be addressed during the IT transformation program. One of the major reasons for failure in IT transformation projects is that companies do not review their current state and assume that the existing technology can simply be migrated to a new platform, or new technology can directly be implemented to improve the efficiency and productivity of the organization. This approach does not help because it does not indicate what to prioritize or which areas require more attention. A complete current-state assessment helps make informed strategic decisions that ensure that the IT transformation will add more value to the organization.
Objectives
01. How to Perform an Internal IT Audit: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
02. Auditing Tech Controls in Support/Service Model: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
03. Understanding Business IT Requirements; departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
04. Security Risk Assessment of Current and Future IT Investments; departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
05. Conducting Performance Reviews of In-House IT Teams; departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
06. Efficiency of Outsourcing IT Requirements; departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
07. Assessing Current Readiness for IT Integration: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
08. Effectiveness of Measuring ROI for IT Innovations: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
09. Optimizing and Improving IT Dependency: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
10. Cost Analysis of IT Transformation: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
11. Use of Information Technology to Enhance Customer Experience: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
12. Current Challenges in IT Use and Implementation: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
Strategies
01. How to Perform an Internal IT Audit: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
02. Auditing Tech Controls in Support/Service Model: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
03. Understanding Business IT Requirements: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
04. Security Risk Assessment of Current and Future IT Investments: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
05. Conducting Performance Reviews of In-House IT Teams: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
06. Efficiency of Outsourcing IT Requirements: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
07. Assessing Current Readiness for IT Integration: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
08. Effectiveness of Measuring ROI for IT Innovations: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
09. Optimizing and Improving IT Dependency: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
10. Cost Analysis of IT Transformation: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
11. Use of Information Technology to Enhance Customer Experience: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
12. Current Challenges in IT Use and Implementation: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
Tasks
01. Create a task on your calendar, to be completed within the next month, to analyze How to Perform an Internal IT Audit.
02. Create a task on your calendar, to be completed within the next month, to analyze Auditing Tech Controls in Support/Service Model.
03. Create a task on your calendar, to be completed within the next month, to analyze Understanding Business IT Requirements.
04. Create a task on your calendar, to be completed within the next month, to analyze Security Risk Assessment of Current and Future IT Investments.
05. Create a task on your calendar, to be completed within the next month, to analyze Conducting Performance Reviews of In-House IT Teams.
06. Create a task on your calendar, to be completed within the next month, to analyze Efficiency of Outsourcing IT Requirements.
07. Create a task on your calendar, to be completed within the next month, to analyze Assessing Current Readiness for IT Integration.
08. Create a task on your calendar, to be completed within the next month, to analyze Effectiveness of Measuring ROI for IT Innovations.
09. Create a task on your calendar, to be completed within the next month, to analyze Optimizing and Improving IT Dependency.
10. Create a task on your calendar, to be completed within the next month, to analyze Cost Analysis of IT Transformation.
11. Create a task on your calendar, to be completed within the next month, to analyze Use of Information Technology to Enhance Customer Experience.
12. Create a task on your calendar, to be completed within the next month, to analyze Current Challenges in IT Use and Implementation.
Introduction
Assessments are necessary for the smooth operations of the IT department. Assessments need to be conducted by the right personnel so that they can gather the best possible results and help maintain your competitive advantage in Information Technology.
Information technology is an important part of the work structure today and organizations need to be technologically advanced to compete with competitors and better serve customers. Today, many organizations spend exorbitant sums of money on IT and tech resources to reap the benefits of enhanced data and cyber security. The key here is to ensure that IT systems are reliable and do not break down when faced with cyber attacks and threats.
Most organizations today have invested heavily in their business IT department and are in a continuous cycle of identifying IT requirements and making investments where they can for the future. Budgets allocated for the IT department are often more comprehensive and detailed than any other department and allow businesses to align with the prevalent technology around them.
A popular practice in most businesses today is to have the Chief Financial Officer (CFO) oversee the responsibilities and requirements of the IT department. There are several reasons why following this structure could help your organization and make sense in the long run.
1. Most organizations today have a substantial percentage of the total budget allocated for the IT department. However, not many IT executives and managers are well versed with techniques and strategies to manage financial responsibilities that come with a large budget. A CFO is usually well-suited to manage budgets and can help set IT progress and requirements in line with the money allocated for the department.
2. Most Chief Financial Officers are also in a better position to control structures and set financial objectives that are needed for the IT department to act in line with the intentions set by the management. Since CFOs are tasked with allocating funds and setting budgetary objectives, they are well aware of management intentions and can translate that into their management style when managing the IT department.
3. Most Chief Financial Officers come with a strong sense of organizational skills and project management aptitude. These skills can come in handy to ensure that key IT projects and requirements are completed in time, within the specific business requirements, and within the budget set for them. This helps the organization move forward in its progress towards IT dominance and strategic objectives and goal setting.
Many organizations have started trusting CPAs and CFOs with the requirements of their IT department. And, while these CFOs have the budgetary aspect of it all covered, this chapter covers some of the steps and techniques they can follow to understand business IT requirements and evaluate new IT technologies.
Steps for Building an Effective IT Department
There are certain steps that CFOs assigned with leading an IT department to success can follow in their managerial style. These steps include:
IT Objectives Should Always be Aligned with Company Objectives
The way IT departments function has significantly changed during the last couple of decades. In the past, we saw that many IT departments were left to devise and develop their own strategies for coming periods and years. This was because business leaders weren’t well versed with the ever-changing techno babble mentioned by IT heads and because the IT department wasn’t seen as strategic and as important to the overall development and strategic goals of the organization.
However, the business environment is more comprehensive and developed today than ever. The IT department plays a comprehensive role in determining how companies achieve their objectives and move towards overall success. IT departments today are considered to be key enablers for multiple business objectives and are leading the wave of change forward. Organizations and the executives tasked with leading them today realize that almost all business objectives can only be achieved through reliable and well-functioning systems managed by the IT department.
Therefore, organizations wishing to build an effective IT department that eventually inspires the business forward should ensure that all IT objectives and functions are aligned with the goals set by the organization. To align both IT objectives and business objectives, organizations should write their objectives on paper and make them clear.
Both the organization and the IT department should have well-defined goals and objectives that are documented and written down for almost everyone in the organization to view and comprehend. Obviously, since water trickles down, the company’s objectives and goals should be defined and written down first, before the IT department jots down its own objectives. The objectives and goals set by the IT department should be heavily influenced by the goals set by the company itself.
For instance, if an organization wishes to expand to new international markets and mentions this down as a goal, the IT department should ensure they follow it up with strategic backing. The IT department should hence look to develop strategic applications and systems that help the business make the transition to international markets in a seamless manner.
Establish IT Governance
Perhaps the biggest point of concern and frustration for both IT management teams and business executives is the continuous inflow of complex projects and project requests that come with impossible requirements. Many IT executives have failed to monitor IT governance due to the regular inflow of projects with ridiculous requirements. The constant pressure to meet short deadlines on projects while ensuring the fluid flow of routine operations can seriously dent organizational reserves. This process can become impossible if the IT department lacks enough members and personnel.
This disconnect between the IT department and the management of projects often comes from a lack of proper IT governance in an organization. IT governance is best defined as the practices businesses follow to capture, publish and regularly review all of the project requests initiated by the IT department. IT governance is achieved through regular meetings with business stakeholders, including the top management and department leaders. IT managers should provide a detailed list of all current IT obligations in this meeting, along with a list of all future projects that need to be addressed soon.
During an IT governance meeting, the top management in the organization can collectively sit together to review the obligations of the IT department and set priorities for the future. If it deems necessary, the organization will redirect the key company IT resources to a new project that is known to be of a higher priority.
This ensures better IT management and ensures that all business leaders and stakeholders are better informed of the obligations undertaken by the IT department and how it is fulfilling them. Additionally, business leaders will also know of the likely timeframe for completing IT projects, the reasons behind re-prioritization, the inability to deliver solutions, the need for more advanced IT solutions, and other IT requirements.
Good IT governance allows IT leadership teams to have a better understanding and a clear direction of how all IT resources are to be utilized in the future. This evaluation of priorities will help set a clear direction for the future and reduce the burden and stress levels exerted on IT teams.
Manage and Mitigate Electronic Risk
Information security and cyberattack management is a hot topic in most IT departments and IT firms today. As cases of identity theft, data loss, hacking and malware viruses continue to infiltrate businesses, organizations of all sizes have come to realize this as a common enemy, especially because of the bad reputation and the negative light such an attack sheds on affected companies.
The risk of data attacks, along with the increase in regulatory requirements for companies located in multiple industries, data protection laws for most global jurisdictions and the strict requirement of credit card providers, has brought attention towards data protection and cybersecurity.
Information security is an important part of IT management today and deals with measuring, identifying and managing risks related to the integrity, confidentiality and availability of IT assets to a required level. Executives should come together here and identify their role to advise and educate every member of the IT team and the management team. Security professionals can be hired to educate teams and arm organizations with the technology and the information they need to minimize the chances of such attacks in the long run.
Your organization’s security program should ideally be based on a stringent framework, including a set of documented baselines to influence risk decisions.
• Organizations can use multiple frameworks here. However, the best approach is to adopt the most common framework in your industry, as it aligns with the regulatory and legal compliance requirements of your business environment.
• Conduct a risk assessment to strategically analyze and identify the weaknesses of your organization.
• Once you identify weaknesses, you should work on an action plan and address items that deserve high priority.
Endpoint security should also be ensured, as endpoints are most susceptible to data theft and threats. Endpoints include PCs, laptops, tablets, and smartphones used by employees in your organization to access the company’s ERP systems.
Measure IT Performance
IT plans for the future can be set by measuring IT performance and working on them to achieve systematic growth. If your organization makes a hefty investment in Information Technology, it does make sense for you to periodically measure the returns on the investment and evaluate the value it brings within your organization. This is, however, easier said than done.
Most organizations today would agree that perhaps the biggest indicator of IT performance today is uptime. Uptime is usually a measure of just how much time systems are up online to support and recognize business transactions. However, organizations and IT managers need to realize that IT systems need regularly planned downtimes for patching, upgrades, and general maintenance. Besides systematic downtimes for system maintenance, your business applications should be up and running.
Another way to measure IT progress is to check the way they’re working on key projects. IT governance meetings—outlined above—can help check whether milestone dates are being consistently achieved or if the department is slacking in areas that require constant attention.
If you have an IT helpline, you can measure the efficacy and the general benefits of this helpline through the following ways:
• The number of calls made to your helpline each month.
• The number of calls resolved by the helpline without being escalated and handed over to another department.
• The average wait time for consumers before a call is answered.
• The number of abandoned calls before someone picks up and answers.
Another way to measure the efficacy of your IT department is through vulnerability management. A well-run IT department has plans in store to manage strategic vulnerabilities and does not take system attacks lightly.
Factors to Help Evaluate a New Technology
A major part of understanding IT requirements is evaluating new technologies and seeing whether they really sit well with your organizational strategy and goals. Most organizations jump straight on the bandwagon when they hear about new technology and its potential in management and overall success. However, organizations should put all new technologies through diverse evaluation criteria and ask a few questions before implementing them within their system.
In this section, we study a few factors that can help you evaluate new technologies and see whether they sit well with your IT requirements:
Development Cost
The very first thing to consider in the evaluation process is how much this new technology will cost you. Get an estimate of the entire amount it will cost you to integrate this new technology within your system and start using it. Development time also matters here because time is money for most businesses today.
Besides just the cost of implementing the technology, also think of how much it would cost you to create the right ecosystem for the technology to flourish. How much more would you have to pay to developers working on this new technology than the other developers you have working for you right now?
Development costs can either make or break your decision to move to a certain technology. For instance, Forrester’s survey of over 54 autonomous car manufacturers found that the cost of the support environment required for manufacturing and integrating self-driving vehicle technology is still too high.
Consider Threats
IT managers should consider all facets of a change process before implementing it. In line with this, IT managers should consider the risk of implementing new technology and what it means in terms of financial aspects, security and business viability. If you aren’t sure what your technology will be like in the foreseeable future, it is likely that you will suffer due to the risks and threats involved with it.
Many organizations have ditched implementing new technology because the safety and security risks on offer are just too much for them to cover.
Capability
Perhaps the most important vector to consider before bringing in new technologies is the new capabilities they bring to the table. The new technology you go for should open up new business capabilities that you really want to achieve. Unless it opens up new doors, you shouldn’t be investing heavily in it.
Usability
Usability is another important factor to consider when moving towards new technology. The new technology that you transition to should improve usability and be easy to use. If the new technology does not address usability issues for you or your audience, is it worth the investment?
Interoperability
Interoperability is defined as the ability of software operations and new hardware technologies to exchange information between systems. How much interoperability does your new technology have? Does it help in sharing information and creating an ecosystem of growth and development? If it does, will you be able to seamlessly move towards it without wasting resources or time?
Integration
Carrying on from our point above, you should also measure the ease of integrating the technology within your existing IT systems. The integration process should be flawless and as quick as possible. The quicker it is, the easier it makes for you to run the technology faster and derive the necessary benefits from it.
Legal Compliance
You should also look to consider the legal compliance this new technology offers. Scan through the regulatory requirements related to implementing this new technology and consider if there are any legal challenges involved in implementation. All legal challenges should be mitigated for proper success.
Security and Privacy
You should measure the privacy risks that come to the picture with this new technology and the security concerns that it brings. Evaluating these risks will let you know just how secure this new technology will be in monitoring your data sets and keeping your systems safe.
Investing in new technology comes with a number of risks, something that we will look at in greater detail further within this manual. For now, you can go through the factors above and determine whether the new technology your team is going gaga over is worth the investment or not.
Security Assessments of New Technologies
Carrying on from the point we mentioned above, security risk assessments are highly necessary for effective IT management and analysis today. Software systems are an integral asset for your organization, and you should look to minimize and manage the risks you face in regards to them. Whether you believe it or not, if you have a functional IT department, gather customer data, have an internal communication system, and store sensitive financial information, you are directly in the line of fire from threat actors online.
To that end, you should regularly conduct a cybersecurity risk assessment to measure how secure you are to combat external risks from malware and hackers and how safe your IT infrastructure is.
What is a Security Risk Assessment?
Security risk assessment includes a detailed process to identify and evaluate all risks that your business could suffer in the face of a cybersecurity attack. Businesses hold innumerable intellectual assets today, which are often under threat from fraudsters and scammers online.
During a typical security risk assessment, businesses identify the common external and internal threats facing them and the potential impact these threats can have on factors such as data integrity, data confidentiality and data availability. The analysis process also considers the total costs of a cybersecurity lapse and just how much it would take for the business to recover from it. The information gained through this risk assessment process can help businesses evaluate their current risk profile and set their sails right for a better future.
To get started with the IT security risk assessment, businesses should be ready to answer the following questions thoroughly:
• What are some of the important information technology assets currently possessed by your business? These assets could include sensitive customer data and other important systems that could lead to major downtimes in business operations when hacked.
• What are your key business operations and processes that could be impacted in the case of a cyber attack? Identify core processes that are directly in the line of cyberattacks and would face a major brunt of the impact.
• How much would the ability of your business functions be compromised in the case of a cyberattack, and how long would the downtime persist? Use this to gauge just how much attention the subject deserves.
Once you realize what exactly you have to protect and the departments that need immediate attention, you can perform an elaborate risk analysis and also develop strategies in the meanwhile. However, before you set out on an IT security assessment, you should consider just how much time you’re going to be spending on it, the type of risk you’re going to address here, and whether or not you have a cost-effective approach to the risk.
Defining Cyber Risk
According to the Institute of Risk Management, cyber risk is defined as “any risk of financial loss, disruption or damage to the reputation of an organization from some sort of failure of its information technology systems”. Gartner has a more general definition of cyber risk, as it defines it as “the potential for an unplanned, negative business outcome involving the failure or misuse of IT.”
Some examples of cyber risk on the internet include:
• Hardware damage and the subsequent loss of data that results because of it.
• Theft of sensitive information that was required to be regulated.
• Malware and viruses within systems owned by the organization.
• Compromised user credentials, which provide access to sensitive information.
• Website failure of the company due to a hosting error.
• Natural disasters and damaged servers.
Whenever you’re noting down cyber risk, make sure that you evaluate the specific financial damage that each risk type can cause. Remember that besides the damages suffered in lost data, cyber risks also result in legal fees, lost business, customer distrust, operational downtime, and poor results in profit and loss statements.
Importance of Regular IT Security Assessments
There are numerous benefits that businesses can get from regularly assessing their IT security and finding out glitches in it. Conducting a thorough IT security assessment allows businesses to build a solid foundation for success without any weak points.
Regular IT security assessments are important for the following reasons:
• To help businesses identify IT security gaps and remediate them as soon as possible.
• To prevent data breaches and stop sensitive data from getting into the wrong hands.
• To mitigate risks.
• To prioritize the protection of different assets based on their value and risk profile.
• To eliminate unnecessary control measures that add little value.
• To help in the evaluation of security partners so that businesses can pick better options.
• To help establish and maintain compliance with regulations as far as cybersecurity and data protection is concerned.
• To accurately predict future needs for the business and help determine how much the business would have to improve over the course of the future.
Components and Formula of IT Security Risk Assessment
The IT risk assessment process is made up of four key components. These key components include:
1. Threat: A threat is usually known as an event or activity that could seriously harm the assets and people within an organization. Examples of threats include website failures, natural disasters, corporate espionage and company-wide malware attacks.
2. Vulnerability: Vulnerabilities are all weak points or points of entry for a threat to infiltrate your system and harm your processes. Vulnerabilities can come in any form and may allow malware attacks to succeed. The most common vulnerability is an outdated antivirus system on endpoints, as malware on one system may eventually make its way through the entire network. Other examples of vulnerabilities include aging hardware, unguarded entry points, no two-factor authentication on system login and disgruntled employees who may leak private details to the public.
3. Impact: The impact of a security threat generally indicates just how much damage the threat may end up causing. The impact can vary based on the nature of the attack. For instance, a ransomware attack may not just lead to downtime but will also require extra expenses in data recovery.
4. Likelihood: The likelihood of a threat is based on the threat of an attack and the vulnerabilities present within a system.
Risk is calculated through the following mathematical formula:
Risk = Threat × Vulnerability × Asset
The risk and likelihood of a threat actualizing are calculated by assigning values to the figures in this formula and finding an appropriate range.
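A worked illustration of the formula above applied to a small risk register, added here as an example rather than program material from the workshop: it scores each item as Threat × Vulnerability × Asset, validates the scores, and maps the result onto priority bands (the "appropriate range" the text mentions). The 1 to 5 scale, the band thresholds and the register entries are constructed assumptions for illustration.

```python
"""Score and rank a small IT risk register with Risk = Threat x Vulnerability x Asset.

Added example, not part of the original workshop material. The 1..5 scale,
the priority bands and the register entries are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Scale assumption: each factor is scored 1 (low) to 5 (high), so Risk spans 1..125.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class RiskItem:
    name: str
    threat: int         # how active or capable the threat is
    vulnerability: int  # how exposed the asset is to that threat
    asset: int          # how valuable or business-critical the asset is


def risk_score(item: RiskItem) -> int:
    """Risk = Threat x Vulnerability x Asset, after checking every score is on the scale."""
    for label, value in (("threat", item.threat),
                         ("vulnerability", item.vulnerability),
                         ("asset", item.asset)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(
                f"{label} score {value} for {item.name!r} is outside {SCALE_MIN}..{SCALE_MAX}")
    return item.threat * item.vulnerability * item.asset


def priority_band(score: int) -> str:
    """Map a score onto an assumed priority range: high >= 60, medium >= 20, else low."""
    if score >= 60:
        return "high"
    if score >= 20:
        return "medium"
    return "low"


def rank_register(register: list[RiskItem]) -> list[tuple[str, int, str]]:
    """Return (name, score, band) rows, highest risk first, so remediation can be prioritized."""
    rows = []
    for item in register:
        score = risk_score(item)
        rows.append((item.name, score, priority_band(score)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register mirroring the vulnerability examples given in the text.
SAMPLE_REGISTER = [
    RiskItem("Outdated antivirus on staff laptops (malware spread)", threat=5, vulnerability=4, asset=4),
    RiskItem("No second authentication factor on ERP login", threat=4, vulnerability=5, asset=5),
    RiskItem("Aging hardware in the web-hosting cluster", threat=3, vulnerability=3, asset=3),
    RiskItem("Server room in a flood-prone basement", threat=1, vulnerability=3, asset=4),
]

if __name__ == "__main__":
    for name, score, band in rank_register(SAMPLE_REGISTER):
        print(f"{score:4d}  {band:6s}  {name}")
```

Because the formula multiplies the factors, an item with a moderate threat but a highly valuable and exposed asset can outrank one with the most active threat, which is why the asset value term belongs in the score.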
Managing IT Teams
Besides just analyzing IT systems and processes, organizations also have to manage their human resources and find the best fit. Organizations can choose between in-house teams and outsourcing here.
Every organization and employer with an IT team strives to have the perfect in-house team of professionals – who wouldn’t want to have a stellar team that meets client requirements, sets objectives right, and is always up to the task? The problem, however, is that simply recruiting and hiring the best individuals from the industry doesn’t necessarily give you the kind of results you want and expect here.
Top recruits surely bring their acumen and superior working style to your firm, but there is no guarantee that they’ll be working with the same styles and parameters a couple of months or a year down the line. And, even if your team is performing well and meeting metrics, this doesn’t mean that you don’t have any more room for improvement.
This is where in-house team reviews come in, especially for the IT department. To look at them in the most rudimentary manner, performance reviews are evaluations done to determine how your team performs and whether any improvements can be signalled in the overall performance of the team. The performance of each employee is documented during the review and is then presented back to them during the next review to signal whatever improvements have been made during the period.
Reasons for Regular Performance Reviews of In-House Teams
Formal performance appraisals play an integral role in most organizations and should not be neglected at any cost. Unfortunately, in-house IT team reviews are underutilized and undervalued by both employees and employers.
Some of the reasons why organizations today should conduct regular in-house performance reviews for their IT team include:
Gain Oversight on Current Projects
Most IT departments are typically working on dozens, if not hundreds, of projects at any given time. Hence, it can be extremely difficult for managers and executives to keep a close eye on all projects and stay up to date with what is happening.
Formal performance reviews give employers an opportunity to sit down with employees and gain their perspectives on different matters. Projects often come with complications and difficulties that only the employees working on them are fully aware of. While IT heads should oversee projects closely on an ongoing basis, performance reviews can help bring these details to light. The performance review can also help clarify why certain project deadlines were not met and why certain systems failed to deliver as expected. However, it is best to discuss these points as they arise, rather than waiting for the performance review.
Make People Feel Valued
The formal performance review process is a good way to make your employees feel valued and to help them realize that they’re putting in good work within the organization. To be fully productive and competent, employees need to feel satisfied with the work they do. Satisfaction is known to come from sincere feedback and valuable insights from the top management.
Employees value frequent recognition and the words of praise they receive from their employers. This helps them work smarter and better in the future. Employees appreciate that managers higher up in the hierarchy are aware of the good work they are putting in and are forthright in giving feedback and recognition.
Help You Choose Between an In-House Team and Outsourcing
Perhaps the most important reason for an in-house performance review in an IT department is to help organizations choose between maintaining an in-house team and opting for an outsourcing model.
With the outsourcing model becoming ever more convenient, organizations today are forced to consider whether their in-house teams really benefit them in the long run or whether they should look for more comprehensive outsourcing models.
An in-house performance review does allow you to evaluate the performance of each employee and the department as a whole. It also allows you to measure cost metrics to determine whether making the shift to an outsourcing model will benefit you in the long run. Many organizations jump to outsourcing without actually reviewing their in-house teams and identifying whether the outsourcing model really is the best one for them.
Assess Training Needs
Finally, regular performance reviews can help you assess the training needs of your employees and determine whether they need training to help them out with any new projects or technologies. Employees in the IT industry are usually open to training and appreciate that the employer is introducing them to new technologies and solutions.
Refocus on Team
Regular performance reviews can be a good way to focus back on your IT team and ensure that they sing from the same hymn sheet as you. This is the time to brief employees about your values, culture and any updates on your goals.
Regular performance reviews help to embed the importance of objectives within your team and allow team members to become part of the culture that you want to build. A disconnect between members of the IT team and top management bodes ill for the firm, as progress stalls and employees stop taking responsibility for their work.
Set New Goals
The most productive employees happen to be those that are constantly driven by new goals and objectives. Employees that are unrelenting in their pursuit of new goals and objectives tend to be motivated and driven in their work.
Regular performance reviews allow the management to set achievable targets that every employee can follow. Employees will be intrinsically driven to meet those objectives and will eventually up their game as well.
The IT department is all about setting achievable targets to help the organization get actionable output. The objectives of the IT department should be aligned with those of the organization, while the objectives and goals set for each specific employee should be aligned with the objectives of the IT department. This popular strategy is known as ‘Management by Objectives’ and helps teams achieve their objectives.
Chance to Introduce New Technologies
Most executives and managers prefer to wait until performance reviews before introducing new technologies and systems within their IT department. The performance review meeting provides a good platform for the introduction of new technology, as all stakeholders within the IT team are present and are spoken to individually.
All employees can be briefed about the nature of the future investment and how it will affect them. Employees can also be invited to contribute and let the employer know of any changes they would like to see during the implementation phase.
Signs it is Time for You to Outsource IT Functions
There are a few signs that indicate an IT department is not performing all of its functions adequately and that steps need to be taken to improve the situation.
These signs include:
Inability to Meet Deadlines
Organizations will consider outsourcing their IT functions if they’re unable to meet strict deadlines. The inability to meet client requirements and follow strict deadlines can significantly dent your growth prospects and can eventually reduce your profit generation ability.
If you feel that your IT department is unable to keep pace with projects on a strict deadline and time to market is an issue, you should preferably look for an outsourced solution. Time to market is an important metric, and you will lose out on clients if you’re unable to give them the specialized output they require.
IT Presents a Burden on Business Operations
Perhaps the biggest and most visible signal for outsourcing your IT functions is when the IT department takes up unnecessary time and takes your attention away from key business functions. The more time you spend on utilizing and figuring out your IT resources, the less time you get to give to the core operations in your business.
Business managers know that there is no end to the requirements of the IT department. So, if a manager gets involved in its processes, they will never be able to fully bring their focus back to the other departments of the firm. When you outsource your IT functions, you benefit from the range of capabilities maintained by the provider. Rather than maintaining a single in-house resource, you will have a dedicated team servicing your requirements from elsewhere and prioritizing your work.
Skills and Growth Gap
Growth is something that most businesses envision achieving over time. Expanding the operations and overall structure of the firm can significantly improve your operations and open the door to new opportunities in the future.
In order to scale up, you will need a dedicated IT department with proficiency in the new technologies you will encounter along the way. This becomes considerably more difficult if your IT department has a skills or growth gap.
Often there is no budget to hire an entirely new set of developers, nor the capacity to shift focus towards training existing staff. Outsourcing is a viable alternative in these situations.
Team management, along with the auditing of IT resources and security assessments, is necessary for keeping an eye on your IT department and achieving incremental growth. This introduction lays the foundation for the learning modules to come within the course manual.
Executive Summary
Chapter 1: How to Perform an Internal IT Audit
This chapter introduces readers to the intricacies of an internal IT audit and what can be done to perform one at a basic level. The chapter covers the core processes of an audit and the phases it is broken into.
The rapid pace of development in the information technology domain has significantly changed the way many organizations operate. Organizations today have dropped the pen and paper of traditional processes and adopted automated operations that not only save time but also improve efficiency.
The use of information technology across multiple business departments has improved firms’ data processing and transmission capacity and has played a considerable role in improving results. However, the emergence of IT technologies does not mean that organizations in the contemporary era are free of any vulnerability.
The pervasive use of technology in key business processes has led to the rise of IT vulnerabilities and shortcomings that can escalate if not mitigated at the right time through the right approach. The use of IT in organizations needs to be controlled. Internal audits should be conducted regularly to ensure that all IT resources are utilized to their full potential and that there are no shortcomings in usage or consumption rates.
What is an IT Audit?
Regardless of the industry they operate in and the niche market they serve, many organizations are investing more of their financial resources into building tech resources. From money to time and labor, organizations are investing whatever they can to ensure that the true potential of the IT revolution is realized and that their business moves towards a period of growth and development.
One of the best ways to protect this investment is through a thorough information technology audit. Internal IT audits ensure the safety of your resources and the full utilization of your tech resources. An IT audit can make a world of difference between an organization that fails to leverage its IT potential and one that uses its tech resources as a catalyst for success within the industry.
An IT audit can generally be defined as an investigation of all existing IT systems and the generation of a report related to an entity. An information technology audit is a systematic review of the IT systems, applications, data use, and management style within the firm.
IT audits come in different types and are broken down into multiple phases. While we will study the phases of the audit later in this chapter, let us first look at what the IT audit is based on and the different types.
There are five basic types of audit for the IT department. These IT audits can be grouped into two broad categories: application control review and general control review. A general control review is a broad IT audit covering the entire IT operations and implementations within an organization. It spans the whole organization and reviews how well the company is performing relative to the overall industry standard and its IT spending. An application control review does not look at the overall dealings of the organization; it deals with a specific computer-based application.
To further illustrate the difference between the two, you can consider a general control review as an organizational audit that considers all use of IT across departments. In contrast, an application control review is a website or application audit that reviews a specific computer-based application of the firm.
To help you understand the intricacies of an IT audit better, you can go through the five types mentioned below:
• System and Application Audit: A systems and applications audit is the first type of audit in our list and is concerned with the review of all systems and applications under the control of an organization. This audit goes through the backend of all websites and applications to check whether they are secure and actively running without flaws. This audit will also evaluate the reliability of systems within the organization and pass a verdict on this.
• Information Processing Facilities: An information processing facility audit verifies that all processes within a system are working correctly and in line with the objectives they are meant to serve. Any disruptions or irregularities within the system and its related processes are identified here.
• Systems Development Audit: A systems development audit reviews the development of new systems and technology advances and ensures that they comply with the organization's requirements and with the requirements of the relevant legal authorities. Any deviation from the organization's planned path is minimized.
• IT Management and Enterprise Architecture Audit: An IT management audit examines the current operations and success of IT managers and teams. The audit records team satisfaction and management efficiency.
• Telecommunication Audit: This audit investigates the servers and telecommunication protocols within the firm to minimize the chances of a breach in the future. Data breaches can significantly dent customer trust in you and be bad for your reputation.
Chapter 2: Auditing Tech Controls in Support/Service Model
This chapter looks at the audit process to follow for assessing tech controls in both support and service models. The controls are broken down into general and application controls. The chapter also sheds light on the risks that are to be managed through proper monitoring.
Procedures and Solutions to Follow
A number of solutions and audit procedures can be followed to minimize the dangers and risks of poor general IT operations control.
These solutions and procedures include:
Service Level Agreements
It is common practice in today's changing corporate world for IT departments to enter into a Service Level Agreement, or SLA, with the other departments of the organization, i.e., those linked with the users. This allows the users and their departments to specify in writing the level of service they expect to receive. The level of service specified in a service level agreement will vary from organization to organization and be influenced by a number of factors.
These include the following:
• General provisions related to the scope of the agreement, the date of the next review and the signatories that signed it
• Service hours set by the organization
• A brief description of all services
• User support levels
• Percentage availability of service and the maximum downtime for failure
• Performance metrics including turnaround times and response times
• Restrictions on the IT provider
• Security lapses and provisions to limit them
Proper Operations Documentation
All organizations should have clear documentation available for all IT systems to ensure secure and accurate operation. The documented details related to each system should include the following information:
• The correct handling and maintenance of all data files.
• The scheduling and management of system requirements.
• Instructions and other preferable methods to handle exceptions and problems which might occur when jobs are being performed.
• Support contacts to get in touch with during unexpected technical and operational difficulties.
• Special instructions for handling outputs.
• System recovery and restart procedures.
The organization should also have documented procedures for maintenance activities such as daily data backups, IT room management and IT equipment start-up. Documentation is extremely beneficial for operations staff whenever they are about to perform a procedure, especially one that is difficult to carry out.
Auditors expect to see thorough documentation across the board. Documentation lends credibility to an organization's IT resources and makes maintenance easier for stakeholders.
Problem Management
The IT department should have documented guidelines available at all times to help staff members detect and record anomalies within IT equipment and processes. A manual/computerized log can be used to record and work on these conditions.
Workers should be able to add entries to the log without restriction; however, this ability should be extended only to a small number of authorized workers. The IT department and workplace management should develop proper mechanisms to ensure the proper maintenance of IT systems and that all outstanding errors are addressed and adequately resolved in due time.
Network Management and Control
Another suggestion to follow here is to strengthen the management and control of networks. A new range of controls is usually required in organizations using computer networks. Network managers are usually tasked with overseeing these controls and ensuring that the organization operates smoothly without any threats to its networks. The networks within the organization should always be protected from unauthorized users.
Some of the controls that can be implemented by the management here include:
• Segregation of duties and roles between both operations and network administrators.
• Monitoring both network availability and performance around the clock. Organizations should preferably maintain reports and systems to record utility time, response time and downtime.
• Expert management of all procedures and remote equipment. Remote equipment should be managed to avoid breaches.
• Establishing security controls that relate directly to the computer network and implementing long-term solutions for them.
Areas to Be Secured Through General Controls
All resources, facilities and files that require protection through general control methods include:
• Data Files: Data files are usually the first resource to be protected through general methods of control. Data files consist of both databases of consumer data and transaction files, including financial information.
• Applications: Unrestricted access to company applications can increase the threat of unauthorized alterations and data loss. These alterations eventually lead to fraud, corruption and a dent in your reputation in the general market.
• Password Files: Every organization maintains password files to control access to information and stop unauthorized access. Password files should be adequately protected and have restricted access.
• System Software and Utilities: All system software and utilities, such as compilers, debuggers, code editors and frameworks, should be monitored. Access to these utilities should be restricted to certain individuals, since these tools can be used to make amendments to application software and data files.
• Logs: Log files systematically record user actions and provide organization management and system administrators with a reliable means of user accountability. Inadequately protected log files can be accessed by fraudsters and hackers, who may delete or edit the record of the actions they have carried out through a user account.
Chapter 3: Understanding Business IT Requirements
This chapter covers the study of business IT requirements and how they can best be understood through requirements management. Requirements management is a growing business facet and concerns itself with the issues that emerge when a new solution or software system has been deployed in your IT department.
Requirements management is performed to understand the changes required to systems over time after implementation, and to oversee the level of control required to execute these changes effectively.
The core activities performed during a typical requirements management process include the following:
• Recognizing the imperative need for changes within the business environment and system solution.
• Establishing a key relationship between all stakeholders and ensuring their involvement in the requirements identification and reengineering process.
• Identifying the attributes of the requirements and tracking them for assurance.
Requirements management in the IT department allows developers and managers to identify, track and control requirements through the development process. Some advantages associated with requirements management in the IT department are listed below:
• Allows Better Control of Difficult Projects: Requirements management helps give the development team a clear understanding of details related to the software delivery. This clear understanding eventually ensures that all priorities are delivered according to user requirements.
• Improved Software Quality: Requirements management ensures that the system performs in accordance with the quality requirements expected from it.
• Reduced Project Costs: Requirements management significantly reduces the cost of development and ensures that project costs are kept to a minimum.
• Improved Team Communication: Requirements management can improve communication within the team and ensure that objectives are met with proper communication between all stakeholders and team members.
Requirement Tracing
Requirement tracing is a key process followed by IT teams from the start of the process until the system is developed and delivered to users. The requirement tracing process ensures that all requirements are clearly identified and well understood. Tracing ensures that user requirements are incorporated across the software and that the system can adjust to changing requirements.
Tracing techniques help the IT team identify the requirements of a project that is currently under development. The information gathered through requirements tracing is then stored in a traceability matrix. This matrix communicates the requirements to all stakeholders.
Additionally, there are different types of traceability tables, which are identified in the table below:
A change to one item in the table can affect other items. Hence, these tables are necessary for traceability and for identifying the areas where attention is needed.
Chapter 4: Security Risk Assessment of Current and Future IT Investments
This chapter looks at some of the ways organizations can follow to perform a security risk assessment. This process holds true for both current IT assets and future assets. Go through the assessment procedure, which has been elaborated in the course manual, below.
Identify and Prioritize Asset Security
The first step in the process is identifying and prioritizing assets based on the risk they carry. Assets here include your client contact information, servers, trade secrets, partner documents and other sensitive data. Remember that you need to look at assets from a business’s perspective and not through your own perspective. What you consider as valuable might not exactly be as valuable when considered through t