Conducting an IT Assessment


Table of Contents

Introduction

Project Approach

Phase 1 – Project Initiation

Phase 2 – Data Collection and Analysis

Phase 3 – Recommendations

The Litcom Approach


Introduction

A typical I.T. Assessment will normally include, but is not limited to, the following components:

• Is I.T. aligned to support the business goals and business operating model of the organization?
• Are the current I.T. strategies and processes appropriate, and how should they evolve over the next few years to address areas such as communication, governance, and providing new solutions?
• Are there areas where I.T. can better manage support to customer and core operations?
• Is the technology platform and architecture sufficiently robust to support anticipated growth over the next few years?
• Is the current I.T. organization effectively aligned to the key business functions, and are there opportunities for improvement?
• Are current I.T. expenditure levels appropriately focused on cost/benefit, and what future funding levels should be anticipated over the next few years?
• Are the I.T. risks acceptable and manageable both now and over the next few years?


Project Approach

The approach consists of three phases, typically completed over a 4 to 6 week timeframe:

Phase 1 – Project Initiation
• Understand the business strategy, goals and operating model of the organization.
• Identify any regulatory and conformance requirements.
• Understand current I.T. capabilities, technologies, directions and plans.

Phase 2 – Data Collection and Analysis
• Evaluate the alignment of I.T. to business objectives and goals.
• Evaluate the I.T. Governance (leadership, practices, budget, organization) issues.
• Evaluate the application portfolio and technical architecture.

Phase 3 – Recommendations
• Conduct a high-level gap analysis outlining the areas of focus.
• Identify project priorities, estimated investments and timelines.
• Develop the 12-18 month roadmap for I.T.


Project Approach – Phase 1

This phase establishes the guidelines for the project, including project participants, scheduling of key interviewees and identifying and collecting business and I.T. related background information.

Executive level interviews are conducted to gain an understanding of the current state of the I.T. environment and the key business drivers impacting I.T.

Main activities

• Schedule key business and I.T. interviewees
• Review business and I.T. background information
• Document key business strategies, goals, regulatory requirements and the business operating model.

Deliverables

• Interview schedule
• Business drivers that impact I.T.


Business Operating Model

The Business Operating Model is defined by two attributes of an organization's ongoing operations:
• How standard the business processes are across business units
• How much integration of business processes is required

Four operating models are shown below. Alignment of the key I.T. capabilities to the operating model is essential to the effectiveness of I.T.

[Figure: 2x2 matrix of operating models. Horizontal axis: Business Process Standardization (Low to High). Vertical axis: Business Process Integration (Low to High).]

CO-ORDINATION (high integration, low standardization): Unique business units with a need to know each other’s transactions.
Key IT capability: access to shared data, through standard technology interfaces

UNIFICATION (high integration, high standardization): Single business with global process standards and global data access.
Key IT capability: enterprise systems reinforcing standard processes and providing global data access

DIVERSIFICATION (low integration, low standardization): Independent business units with different customers and expertise.
Key IT capability: provide economies of scale without limiting independence

REPLICATION (low integration, high standardization): Independent but similar business units sharing best practice.
Key IT capability: provide standard infrastructure and application components for global efficiencies


Project Approach – Phase 2

The objective of this phase is to conduct on-site interview sessions with key business and I.T. staff and evaluate the following against industry best practices:

• Alignment of I.T. to Business Strategy and Goals
• I.T. Direction / Leadership
• I.T. Governance
• Application Portfolio and Technical Architecture


I.T. Alignment with the Business

I.T. Models (Definitions):

Partner Player: I.T. organization is expected to create unique and competitive solutions with customers, suppliers, and internal users — plus, being a Trusted Supplier.

Trusted Supplier: I.T. organization is expected to deliver application projects on time and on budget, based on operating units’ requirements and priorities — plus, being a Solid Utility.

Solid Utility: I.T. organization is expected to provide cost-effective, high reliability with transparent and constantly declining costs.

[Figure: What I.T. Model Does the Organization Require? Levels: Partner Player, Trusted Supplier, Solid Utility, with markers for Current and Future.]


I.T. Direction / Leadership

Today’s best in class Chief Information Officer performs the following roles:

• Execution – keep systems up and running and manage the organization’s overall I.T. spend.
• Enablement – act as an information broker, providing insights to help all parts of the business improve their decision-making.
• Transformation – prepare and develop the business for change and suggest new business model innovations.

I.T. leadership is evaluated across the following dimensions:

Role | Core Skills Requirements | Effectiveness

Managing Costs (Effectiveness: High / Med. / Low)
• Excellent budget planning and cost tracking
• Communicating performance clearly

Keeping the Lights On (Effectiveness: High / Med. / Low)
• Deliver I.T. services and security at agreed service levels
• Manage daily I.T. operations cost effectively and efficiently

Acting as an Information Broker (Effectiveness: High / Med. / Low)
• Anticipate business needs and provide information quickly
• Maintain sophisticated information architectures in order to be able to access the right information at the right time.
• Think “out of the box” and be creative.

Generating Ideas and Solutions (Effectiveness: High / Med. / Low)
• Continuously deliver latest and most innovative I.T. services to the business.
• Develop strategic plans to achieve corporate goals.

Delivering Transformation (Effectiveness: High / Med. / Low)
• Leadership skills to drive through change in I.T.
• Set and communicate the vision and strategy for I.T.

Bringing Business Model Innovation (Effectiveness: High / Med. / Low)
• Anticipate future impact of latest trends on I.T. function and the business.
• Share thoughts on existing and new business models
• Influence key stakeholders and win trust and support for I.T. projects.


I.T. Governance

Control Objectives for Information and Related Technology (COBIT) is an industry standard framework for developing, implementing, monitoring and improving information technology (I.T.) governance and management practices.

I.T. Governance is assessed using COBIT, which provides four interrelated Domain areas that are used to measure I.T. Governance:

1. Plan and Organise (PO): Provides direction to solution delivery (AI) and service delivery (DS).
2. Acquire and Implement (AI): Provides the solutions and passes them to be turned into services.
3. Deliver and Support (DS): Receives the solutions and makes them usable for end users.
4. Monitor and Evaluate (ME): Monitors all processes to ensure that the direction provided is followed.


COBIT Domain: PLAN AND ORGANISE (PO)

This domain covers strategy and tactics, and identifies ways IT can best contribute to the achievement of the business objectives.

Questions Asked

• Are IT and the business strategy aligned?
• Is the enterprise achieving optimum use of its resources?
• Does everyone in the organisation understand the IT objectives?
• Are IT risks understood and being managed?
• Is the quality of IT systems appropriate for business needs?

Evidence Reviewed

• PO1 Define a Strategic IT Plan: IT Strategic plan alignment with business strategy.

• PO2 Define the information architecture: Information architecture, data dictionary and classification scheme.

• PO3 Determine technological direction: Technology direction plan for architecture, infrastructure & applications monitoring future trends and regulations.

• PO4 Define the IT processes, organization & relationship: IT processes, outline of clearly defined roles and responsibilities, segregation of duties and governing bodies such as IT strategy & steering committee.

• PO5 Manage the IT Investment: Effective and strong management of IT investment (IT budget, cost and benefit management).

• PO6 Communicate management aim & direction: IT policy, standards and procedures as well as enterprise risk and control framework rolled out.

• PO7 Manage IT human resources: IT staff recruitment, retention, and management of competencies.

• PO8 Manage quality: Quality management with defined IT standards and quality practices (development & acquisition standards, continuous improvement by measuring, monitoring and review).

• PO9 Assess & manage IT risks: IT Risk Management Framework (identify, assess, response with action plans) has been communicated and adopted.

• PO10 Manage projects: Project Management processes and templates.


COBIT Domain: ACQUIRE AND IMPLEMENT (AI)

This domain covers identifying IT requirements, acquiring the technology, and implementing it within the company’s current business processes.

Questions Asked

• Is the acquisition of applications and technology infrastructure effectively governed and aligned with business objectives?
• Are effective change management processes in place to enable the operation and use?
• Are IT resources (internal and external) in place to support new applications and technology infrastructure?
• Are changes to applications and technology infrastructure managed effectively?

Evidence Reviewed

• AI1 Identify Automated Solutions: analysis before acquisition or creation to ensure that business requirements are satisfied (definition of the needs, consideration of alternative sources, review of technological and economic feasibility, risk and cost-benefit analysis, and conclusion of a final decision to ‘make’ or ‘buy’).

• AI2 Acquire and Maintain Application Software: application design, development, configuration, security requirements and controls are in line with standards.

• AI3 Acquire and Maintain Technology Infrastructure: planned approach to acquisition, maintenance and protection of infrastructure aligned with agreed-upon technology strategies and the provision of development and test environments.

• AI4 Enable Operation and Use: documentation and manuals for users and IT to ensure the proper use and operation of applications and infrastructure.

• AI5 Procure IT Resources: definition and enforcement of procurement procedures, the selection of vendors, the setup of contractual arrangements, and the acquisition of resources. IT resources include people, hardware, software and services.

• AI6 Manage Changes: All changes to production (emergency maintenance, patches, infrastructure, applications, procedures, processes, system and service parameters) are logged, assessed and authorised prior to implementation and reviewed against planned outcomes following implementation.

• AI7 Install and Accredit Solutions and Changes: proper testing in a dedicated environment with relevant test data, definition of rollout and migration instructions, release planning and actual promotion to production, and a post-implementation review.


COBIT Domain: DELIVERY AND SUPPORT (DS)

This domain focuses on the delivery aspects of the information technology

Questions Asked

• Are IT service levels defined and achieved?
• Are appropriate backup / recovery and disaster recovery processes in place and tested regularly?
• Are effective issue, incident and problem resolution processes in place and working effectively?
• Are changes to IT systems and infrastructure managed and implemented effectively?

Evidence Reviewed

• DS1 Define and Manage Service Levels: documented definition of and agreement on IT services and service levels.

• DS2 Manage Third-party Services: effective third-party management process with clearly defined roles, responsibilities and expectations.

• DS3 Manage Performance and Capacity: process to review current performance and capacity of IT resources.

• DS4 Ensure Continuous Service: maintenance and testing of IT continuity plans, utilising offsite backup storage and providing periodic continuity plan training.

• DS5 Ensure Systems Security: IT security roles and responsibilities, policies, standards, and procedures including monitoring and testing and implementing corrective actions.

• DS6 Identify and Allocate Cost: agreement with business users on fair allocation of IT costs and a process to capture, allocate and report IT costs to the users of services.

• DS7 Educate and Train Users: education of all users of IT systems.

• DS8 Manage Service Desk and Incidents: a well-designed and well-executed service desk and incident management process.

• DS9 Manage the Configuration: maintenance of an accurate and complete configuration repository.

• DS10 Manage Problems: identification and classification of problems, root cause analysis and resolution of problems.

• DS11 Manage Data: data requirements and a data management process to manage the media library, backup and recovery of data, and proper disposal of media.

• DS12 Manage the Physical Environment: well-managed physical facilities with processes for monitoring environmental factors and managing physical access.

• DS13 Manage Operations: operating policies and procedures for effective management of scheduled processing, protecting sensitive output, monitoring infrastructure performance and ensuring preventive maintenance of hardware.


COBIT Domain: MONITOR AND EVALUATE (ME)

This domain deals with a company’s strategy in assessing the needs of the company and whether or not the current IT system still meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements.

Questions Asked

• Does the current IT system meet business objectives?
• Is the enterprise achieving regulatory compliance?
• Are IT controls in place that meet the requirements of internal and external auditors?

Evidence Reviewed

• ME1 Monitor and Evaluate IT Performance: defined relevant performance indicators, performance reports provided in a timely and systematic manner, and process to act promptly on any deviations.

• ME2 Monitor and Evaluate Internal Control: monitoring and reporting of control exceptions, results of self-assessments and third-party reviews.

• ME3 Ensure Compliance with External Requirements: review process to ensure compliance with laws, regulations and contractual requirements.

• ME4 Provide IT Governance: defined organisational structures, processes, leadership, roles and responsibilities to ensure that enterprise IT investments are aligned and delivered in accordance with enterprise strategies and objectives.

Application Portfolio and Technical Architecture

• Applications: self-contained programs that perform business functions that increase efficiency and meet business objectives. Applications are evaluated to ensure that they:
– Align to your organization’s strategic direction.
– Meet functional requirements.
– Have solid application architecture & application quality.
– Are cost effective.

• Technical Architecture: the technology infrastructure that has been deployed to support the application portfolio, provide security, backup/recovery, logging, access controls and fundamental IT Standards. The infrastructure is evaluated to:
– Ensure stability in your environment (under warranty support, running latest versions, updates and patches).
– Identify redundant tasks for increased infrastructure resource utilization.
– Centralize and simplify the management of your IT infrastructure implementation.
– Improve risk management and compliancy.
– Improve business performance.
– Ensure it is cost effective.


Evaluation Criteria

Each area of the assessment will be evaluated with a Grade/Quality of A, B, C or D and a Risk factor of L, M, or H.

Grade

A - Solid/above average; no issues identified

B - Stable/acceptable; potential enhancement needed in future

C - Needs work; adequate/functioning but areas of improvement have been identified

D - Not acceptable; does not support this function now, immediate action required

Risk

L - Low; minimal impact, no need for immediate concern

M - Medium; potential risk under certain circumstances, need to monitor

H - High; will cause a business issue if not addressed immediately


Application Portfolio

Columns: Area | Grade (A, B, C, D) | Risk (L, M, H) | Comment

Customer Facing
• Web / Portal
• E-Commerce

Operations
• Sales Order Management
• Procurement
• Inventory Management / Warehousing
• Manufacturing
• Logistics / Transportation
• Customer Relationship Management

Back Office
• Accounting / Financial Reporting
• Human Resources / Payroll
• Business Intelligence / Reporting

Industry Specific
• Retail Merchandising / Point of Sale
• Case Management
• Other


Technical Architecture

Columns: Area | Grade (A, B, C, D) | Risk (L, M, H) | Comment

Hardware
• Data Center
• Firewalls / Routers / Switches
• Servers
• Personal Computers
• Telecommunications

Software
• Virtualization
• Server Operating Software
• Personal Computer Operating Software
• Databases
• Development Languages

Networks
• Corporate
• Intranet

Communications
• Telephone System
• Telephone Carrier
• Internet Provider


Project Approach – Phase 3

The objective of this phase is to document recommendations and the 12-18 month roadmap for I.T.

Main activities

• Conduct high-level gap analysis

• Identify projects / improvement areas and assess priorities

• Estimate the level of effort and cost to implement projects / improvements.

• Document final report

Deliverables

• Final Report


The Litcom Approach

Today, more than ever, companies are scrutinizing the value they receive from their Information Technology function. Given all the advancements in IT, it is difficult for companies to assess this value using internal resources. Litcom provides a comprehensive and thorough review of your company’s technology environment. We will appraise the complete technology landscape and provide a written evaluation and recommendation on how to use technology in order to best meet your company’s business goals and objectives. We use leading practices and industry recognized methods within our assessment. The assessment includes, but is not limited to:

Leadership, management, organization, and governance; Strategy and plans; Skills and competencies; Application and data architecture and solutions; Network and communication architecture and performance; Infrastructure and data center operations; IT processes, methods and tools; Vendor arrangements and Service Level Agreements (SLAs); Disaster recovery planning and backup solutions; Emerging technology assessment and reviews; and Budgets and investment plans.

Litcom’s IT Assessment provides a snapshot of your company’s IT environment and gives you an unbiased, third party perspective on the effectiveness of the strategy and plans, systems, staff, budget, vendors, procedures and company policies – allowing you to make the critical decisions about IT with a complete picture.

For further information or to schedule a consultation with our dedicated consultants, please contact us at [email protected].