FINAL Management Responses - Audit of IT Function

AUDIT OF INFORMATION TECHNOLOGY
Management (Action Plan) Responses
February 2005
#
PRIORITY
DESCRIPTION
MANAGEMENT RESPONSE
Ref: Chapter 3.1
GOVERNANCE FRAMEWORK – Information Technology Steering Committee
1.1
HIGH
An Information Technology Steering Committee (ITSC)
should be established to connect end-users and senior
management with the ISD organisation, oversee the
strategic orientation and vision for IT by approving the
IT plan, vision, and policies, appraise the viability and
worth of IT projects to be undertaken, and recommend
priorities and funding to the Management Committees.
ISD agrees that a governing body to oversee the
strategic orientation and vision of ISD is a good idea;
however, the suggestion that an additional committee
is required to do so is questioned.
The need to create an Information Technology
Steering Committee (ITSC) for the purpose of
approving the information technology plan, vision and
policies may speak more to deficiencies and
commensurate opportunities within the existing
committee structures. ISD proposes to explore the idea
of expanding the terms of reference and mandates of
the SSHRC Electronic Services Delivery and the
NSERC eBusiness Steering Committees to fulfill the
requirements identified for an ITSC.
To be completed by the end of June 2005.
1.2
HIGH
Formal terms of reference (TOR) should be developed
for the ITSC and describe the ITSC’s goal, objectives
and scope, deliverables, membership, responsibility,
accountability and authority, reporting relationship, and
frequency of meetings. Without TOR, our experience has
shown that committees lack focus and are doomed to fail.
Agreed.
This will be pursued in conjunction with the response
scribed for 1.1.
To be completed by the end of June 2005.
Ref: Chapter 3.2
GOVERNANCE FRAMEWORK – The IT plan and the IT vision
2.1
HIGH
Produce an IT technological vision covering the next two
to three years.
Agreed.
This is currently being drafted.
ISD will also plan to revisit its technological vision on
an annual basis as part of its fiscal planning activities to
ensure relevance and accuracy to the strategic visions
and directions of both Councils.
To be completed by April 1st, 2005.
2.2
HIGH
ISD should produce a more comprehensive IT plan that
will include all core business projects, ISD special
projects (where applicable), office automation and
infrastructure projects.
Agreed.
This work is underway. Based on information and
requirements known at the time of writing, all projects
for 05/06 have been itemized in the ISD 05/06 project
plan. The plan is currently being expanded to include
additional project detail for each initiative.
This work is scheduled to be completed by March
2005.
Ref: Chapter 3.3
GOVERNANCE FRAMEWORK – Risk management
3.1
MEDIUM
ISD should conduct a comprehensive TRA of its IT
infrastructure environment.
Agreed.
A technical architecture Threat and Risk Assessment
will be conducted during the course of 05/06.
Completed by end 05/06.
3.2
MEDIUM
ISD should develop the necessary guidelines and control
measures ensuring that TRAs are systematically and
rigorously completed for every System Development
initiative, including the development of non-core
application projects.
Agreed.
This recommendation is expected to be supported by
the ISD security plan (see 4.1).
ISD will assess the need to establish in-house TRA
expertise that will permit a consistent and rigorous
follow-up for “every” system development initiative.
This will be inclusive of non-core IT application
projects including those that are not developed
in-house. ISD believes that a TRA resource should not be
considered in isolation of a like skill-set in conducting
PIAs (Privacy Impact Assessments). Depending on the
nature and complexity of the application it is often
necessary to conduct both a TRA and PIA in parallel.
The degree to which ISD can fully comply with this
recommendation will depend on the approach
supported by senior management. Outsourced TRAs
are often subject to resource availability and
commensurate funding; however, until senior
management commitment in support of the need to
acquire or develop in-house expertise has been given,
ISD will ensure that TRAs are systematically and
rigorously completed for all system development
initiatives by investing in external consulting expertise
as required.
Complete – ongoing.
Ref: Chapter 3.4
GOVERNANCE FRAMEWORK – IT security plan
4.1
LOW
ISD should articulate its IT security plan using the
information contained in the Security Compendium
document and the ISD-wide TRA exercise recommended
in chapter 3.3 – Risk Management.
Agreed.
As part of its project objectives for 05/06 ISD plans to
compile a comprehensive ISD security policy.
This will be completed prior to the end of 05/06.
Ref: Chapter 3.5
GOVERNANCE FRAMEWORK – IT policies and standards
5.1
MEDIUM
In collaboration with the Administration Division, ISD
should identify the IT areas to be covered by IT policies,
assign a priority and a development schedule to each new
policy, develop each one according to the established
timeline, present them to the IT steering committee for
approval, and develop a roll out strategy to cover the
communication to staff and posting on the Intranet.
Agreed.
Policy development and review is an ongoing activity
within ISD; however, policies are only developed “as
needed” or in response to legislative requirements.
Currently, consultation with the Administration
Division does not make up part of this existing
process. ISD will adjust the process to include
collaboration with the Administration Division.
Following this consultation process, policy priorities
will be identified and the respective development
plans will be compiled in a schedule to be
communicated to the IT governing bodies (See 1.1).
Ongoing activity. Initial meeting with the
Administration Division will take place before the end
of March 2005.
Ref: Chapter 3.6
GOVERNANCE FRAMEWORK – The service level agreement (SLA)
6.1
HIGH
ISD should review its SLA and identify performance
targets for Network Administration, System
Development, Helpdesk Services, Internet and Intranet.
These performance targets need to be negotiated with the
clients, included in a revised SLA, monitored for
compliance, reported on a regular basis, and
communicated to the IT Steering Committee.
Agreed.
Although ISD currently identifies service response
times within its Service Level Agreement (SLA) it
does not include specific performance targets as
negotiated with the clients. As part of its annual review
of its SLA, ISD will pursue the establishment and
inclusion of performance standards. ISD does not
believe that this recommendation warrants a “HIGH”
priority but instead is more conducive to a “LOW”
rating; especially, given the fact that recommendation
8.5 lists the need to monitor performance targets as
“LOW”. Given acceptance of a “LOW” rating, ISD
will revise its SLA to comply with the
recommendations as part of its annual SLA review
cycle; this occurs each Fall.
Additionally, ISD will poll all directors and VPs in
order to determine their informational needs when
reporting on ISD performance. This activity is already
underway. These results will be incorporated into the
SLA.
Updates to the SLA will be completed in the Fall
2005.
Ref: Chapter 3.7
GOVERNANCE FRAMEWORK – Disaster recovery plan (DRP)
7.1
HIGH
The Security Steering Committee should assign a
timetable to update the DRP.
Agreed.
Currently the Management Security Steering
Committee (MSSC) is overseeing the development of
a Business Continuity Plan (BCP); it is understood
that an up to date ISD Disaster Recovery Plan (DRP)
will serve as an essential component of the more
comprehensive BCP. ISD acknowledges that much of
the work required to compile a BCP and a
complementary IT DRP can be pursued in parallel.
Given the required expertise to develop a more
comprehensive DRP, ISD plans to seek consulting
assistance to complete this work. It is estimated that
the initial DRP will cost approximately 50K.
Following completion of this initial work ISD will
subsequently budget approximately 10-15K on an
annual basis in order to ensure the baseline DRP is
continually updated to reflect any changes within the
IT environment.
It is anticipated that the initial DRP will be completed
in 3 to 5 months' time.
7.2
MEDIUM
The Director ISD should formally assign the
responsibility to review the existing DRP document to
one of his managers.
Agreed.
The ISD Manager of Technical Services, in his
capacity as the Councils' Information Technology
Security Coordinator (ITSC), has been assigned as the
lead on this initiative.
Complete.
Ref: Chapter 4
END USERS SUPPORT MANAGEMENT
8.1
LOW
ISD should investigate the advantages of creating a
central focal point for all ISD support requests.
Agreed.
ISD will analyse the possibility of consolidating the 2
ISD Helpdesks (Support Centre and eBusiness/ESD
Helpdesks) in order to create a single point of user
contact. Being that each Helpdesk serves different
client communities (external vs. internal) the rationale
and corresponding recommendation to “create a
central focal point” is unclear.
Given the nature of the other ISD service areas the
business rationale to consider consolidating these
within a central point of entry is unclear. However,
ISD agrees to investigate whether or not there would
be any advantage to the client communities in doing
so.
The results of the analysis will be tabled with the IT
governing bodies (See 1.1).
This analysis will be completed in late Fall 2005.
8.2
MEDIUM
ISD should investigate the advantages of endorsing a
more comprehensive incident tracking system and
maintaining a single database for all service requests.
Agreed.
Evaluation of more comprehensive products for
incident tracking and maintaining a single database is
already underway.
A product that supports a more comprehensive
tracking of user requests is expected to be made by
March 2005.
8.3
MEDIUM
ISD should institute a formal escalation process to solve
more complex problems.
Agreed.
This requirement has already been identified as part of
the analysis of a new tracking system (See 8.2). A
more comprehensive tracking system will permit
greater access for Council staff; thereby, permitting
escalation and tracking of incidents outside of the
Helpdesk teams.
The new system is expected to be implemented by
June 2005.
8.4
MEDIUM
ISD should review the accountability of the ISD HD and
the eBusiness – ESD HD groups to ensure that each
group becomes accountable to track and monitor the
escalated problems until full resolution.
Agreed.
Again a more comprehensive incident tracking
software solution that accommodates this business
requirement will address this problem (See 8.3).
The new system is expected to be implemented by
June 2005.
8.5
LOW
ISD should monitor the performance targets specified in
the SLA.
Agreed.
Once targets have been included in the SLA (See
recommendation 6.1) they will be accordingly
monitored.
Updates to the SLA will be completed in the Fall
2005.
8.6
LOW
ISD should ensure that performance reports are produced
to measure the attainments of objectives stated in the
SLA.
Agreed.
Currently, numerous performance reports are
generated in a systematic manner; however, they are
not directly associated with the SLA. Instead they are
produced based on user requests and personal
preference.
Once the SLA performance targets have been
established and in place, ISD will ensure that reports
are created to specifically measure performance
objectives as documented.
Updates to the SLA will be completed in the Fall
2005. (See additional comments in 6.1)
Ref: Chapter 5.3
MANAGEMENT OF INFRASTRUCTURE – Change Management and Release Management
9.1
MEDIUM
Technical Support group should implement more
rigorous change management and release management
processes to document changes to the infrastructure, and
communicate the nature of the changes to users and
provide users with information on the impact of the
implementation.
Agreed.
ISD has already implemented a shared centralized
calendar recording all planned TS project activities.
This communication medium will be assessed and
improved over the next several months to ensure that
it adequately addresses the informational needs of the
impacted internal user communities.
Ongoing activity.
Ref: Chapter 6.1
SYSTEM DEVELOPMENT – Special projects
10.1
LOW
ISD should describe the term “special project”,
Agreed.
Complete (Definition will be included in the ISD SLA
during the Fall 2005).
10.2
HIGH
Where the scope warrants, ISD should describe and
prioritise special projects in the IT plan.
Agreed.
Special projects, where the scope warrants, have been
included in the ISD project list for 05/06.
Complete.
10.3
LOW
ISD should ensure that a project plan is developed for
each project.
Agreed.
A project status template is currently being compiled
for all 05/06 projects. Each template will clearly
highlight pertinent project plan information.
To be completed by March 2005.
10.4
LOW
Where the scope warrants, ISD should ensure that the
development process follows a formal SDLC.
Agreed.
This is currently the case for ISD initiated projects;
this was not the case upon initial creation of the
Special Projects Service within ISD.
Complete.