INTRODUCTION
Managing Information Communication Technology (ICT) resources will enable organizations to get more out of their current equipment and also to make better decisions around the purchase of new equipment and ICT developments.
ICT
ICT covers any product that will store, retrieve, manipulate, transmit or receive information electronically in a digital form. For example, personal computers, digital television, email, robots.
Define Business Objectives as Related to ICT
This Activity defines the steps needed to establish the Department’s Policies and Goals for using its current and projected ICT Systems. This Activity also assesses the degree to which business/organizational plans and ICT plans are aligned. It determines the appropriateness of the mechanisms for establishing the priorities of ICT investments (new projects, changes to existing systems, etc.). It establishes the governing rules and structure of the ICT unit as a whole. Of critical importance is an assessment of ICT spending.
Questions such as the following should be asked and answered:
• What does the Department expect from each system?
• How do the systems impact the general strategy of the Department?
• Who are the beneficiaries of the Department’s ICT Systems?
• What are the Technologies selected for current and projected systems?
• What are the challenges facing the ICT Systems?
Initiate and Plan the Good Practices Project
The Good Practices Project
is an ongoing process. The Department will benefit from an ongoing application
of Good Practices. The Good Practices to be implemented in the Department
should form part of a long term Project that is well planned, executed
and monitored. The objectives of this Activity are to plan the Good Practices
Project according to modern project management techniques.
Collect Documents Relevant to the Project
To collect all documents that will be of use during the various stages of the Good Practices project. Such documents should be verified to be correct and up to date.
E.g. Department charter, various lists and registers, strategies for reaching such goals.
Establish Proper Communication Schemes
Since the Project relies heavily on following “Quality” practices, it follows that Communication between all concerned parties has to be properly defined for the overall project. The objective of this Activity is to define the Communications schemes of the Good Practices Project.
Risks: should the Department not have a proper Communications scheme for the Project, the following risks may arise:
• Improper implementation of the Project Plan
• Lost information
Set Up a Performance Measurement Process
Performance Measurement is one of the key managerial techniques in the modern world of organizations. What a Department can measure, it can manage. This Activity presents how a Department can prepare the various metrics needed for Performance Measurement of ICT Systems.
How to Implement Standards
ICT goes regularly through
phases of confusion followed by standardization. Many aspects of ICT processes
need to conform or comply with some established standard. This Activity provides
some Good Practices regarding the compliance with Standards.
HOW TO MANAGE ICT PROJECTS
Project Management is an
organizational discipline that is becoming more and more accepted as part of
ICT life. A major area of inefficiency in ICT Units is the lack of proper
Project Management. This Activity emphasizes the role to be played by Project Management
in ICT Projects, specifically that of the Project Manager.
Responsibilities of the Project Manager: It is necessary that the Supplier appoint a fully responsible Project Manager no matter what size or scope the agreement has. It is also critical for the Department to appoint its own Project Manager. These two persons will work as counterparts, jointly assuring the success of the project.
The following is a list of responsibilities or functions a Project Manager has, irrespective of whether the post is on the side of the Supplier or the Department:
• Reports to Senior Management
• The Manager is the Primary Driver of the Overall Project, completing such activities as planning, execution, monitoring and control
• Coordinates between all parties
• Manages product scope and specification
• Manages resource allocation
• Manages project scheduling
Modern Project Management techniques: Project Management principles apply to all types of projects. Essentially, general Project Management is not very different from ICT Project Management. The main differences lie in the management of the scope of the products, i.e., technical issues. ICT Projects require the following additional principles and methods:
• The use of business modeling for systems analysis and design
• The use of standard Software Development Processes
• The implementation of team structures that are very specific to ICT processes, especially those that handle software development
Project Management Software: Even if Project Management principles are not learnt with proficiency, it is still highly recommended that the team use standard Project Management software such as Microsoft Project 2000™.
Managing ICT Human Resources
Human Resources are one of ICT’s major problems. The Technology is changing. Staff are not progressively trained. Job Classifications are faulty and reflect neither the Department’s needs nor the qualifications of the recruits. Responsibilities, generally horizontal in the ICT environment, are neither clearly understood nor efficiently implemented. All of the above lead to inefficiencies and risks such as:
• Poor performance in all areas of ICT
• Errors, rework, reruns, etc.
• High turnover of staff
• Demotivated staff
• Regressing technical knowledge and competence
• Problems within Project Management due to improper staff responsibility allocations
The following sets of Activities provide some Procedures and Good Practices related to ICT Human Resources.
Organize the Structure of the ICT Unit
To define the Organizational
Structure of the ICT Unit according to modern principles. Different periods in
ICT history have required different types of personnel with different
relationships. Different organizations operating in different environments have
also constantly had to change their structures. Hence, the Guide will not be
able to propose a standard Organization Chart for ICT Units. The Guide will
propose a generic Organizational structure that can be used as the basis for
specific Units in each Department.
Identify Actual Competency Levels of all Staff
To analyze the education, experience, competence and project history of all staff. From this analysis, the Department would get a list of the Actual Competencies each person has. Later on, this can be used to compare the staff’s actual competencies with the expected competencies as defined in the previous Activity.
This would provide the Department with a solid basis for reaching the following:
• Evaluating the Performance of Staff
• Planning their Training
Analyze Competencies to Identify Training Requirements
To identify the training requirements of staff so that the training can be budgeted for, approved, planned and completed. Having completed the two previous Activities of identifying the required competencies per position and identifying all staff competency levels, the next step would be to analyze the “Balance” or the “Gap” between what Competencies are required and what each staff member actually has.
Identify Training Resources
To set up and maintain a register of available training. There are many institutes offering training courses, workshops and programs in the field of ICT. With the advent of the Internet, many sites also offer free or chargeable online training.
Manage Training Material
This Activity presents some Good Practices that aim at maintaining a list of all training material: documents, CDs, tutorials, web sites, etc. Different persons will attend different workshops or courses and bring back training material with them. Invariably, such material gets spread around the Department and is not shared, resulting in lost resources.
Maintain Training Records
To set up and maintain a Training Control Database. Training control systems have wide functions. However, it can be a simple matter to maintain a set of Training records for the ICT Unit staff. The main purpose would be to plan training, assign courses to staff and track the results of training per person and per institute or instructor.
The application would cover the following functions by setting up the following records:
• Staff members
• Training institutes or training resources
• Available workshops/courses
• Required Competencies
• Actual Staff Competencies
• Planned training (workshops, courses, etc.)
• Records of the actual results with evaluations of courses, instructors and attendants
Define Recruitment Standards
To standardize recruitment
practices and get the best out of recruitment of staff. This Activity suggests
a way to automate the Recruitment process. It also recommends the maintenance
of an applications register that allows the Department to review its applicants
and follow up on their recruitment.
Relationships with Suppliers
Due to the wide variety of products and services needed by ICT Processes, suppliers become a major part of the ICT Processes, supplying the Department with such a variety of products and services as the following:
• Hardware
• Networking components
• Telecommunications Services
• Web based services
• Software of all types: operating, tailored, off the shelf applications, office technology, networking, development tools, database engines, etc.
Prepare a List of Supplier Products and Services
To set up a list of Suppliers with their offered products and services. Suppliers are no longer as specialized as they were in the 80s and 90s. Suppliers that only sold one type of product can now sell hardware, software, web services and consulting. Setting up a list of Suppliers on a minor database will allow the Department to easily locate suppliers by product or by service. Furthermore, this list can be used to maintain a history of the relationship with the supplier, evaluating their performance, prices and general quality.
Prepare an Agreements Register
To prepare a list of all
current agreements between the Department and any outsourced services. The
purpose would be to consolidate the location of such agreements, monitor and
track their performance as well as their other terms such as renewal, expiry
and payment schedules.
Evaluation of Suppliers, Products, Projects or Alternatives
This Activity presents a summarized procedure on how to compute Weighted Indices that combine various evaluation criteria into one number or index. When evaluation criteria of proposals are not clear, Suppliers will unbalance their offers to ensure that they get selected.
Recommended Issues to Consider in ICT Agreements
Many attempts have been made to develop Standard Agreements between customers and suppliers. Due to the changing nature of technology, the different circumstances surrounding each agreement and the various policies and strategies followed in different Departments, it becomes very difficult to develop such Standards. This is a fairly long Activity. It discusses a variety of problematic issues that may arise while preparing Agreements and proposes solutions to such issues.
Scope of usage: the typical Agreements that will be considered are the following:
• Purchase Agreements
• Requests for Proposal
• Support Agreements
• Maintenance Agreements
• Warranties
Software Upgrades and Updates
Software often goes through different releases and versions, resulting in major upgrades or minor updates.
1) Agreements should clearly specify whether the Supplier is responsible for supplying such upgrades and updates and at what cost. Otherwise, the Supplier would be under no obligation to provide the Department with such upgrades / updates.
2) It is critical in an agreement to specify the duration during which the Supplier is obliged to provide such upgrades and updates.
3) Upgrades or updates may require conversion of databases or some rework on the data. It should be clearly spelt out in the Agreement as to who is responsible for such conversions.
4) Upgrades or updates may also require the updating of source code in developed applications. The Department should clearly cater for this situation: who is to redevelop the software, at which cost and how long that would take.
The Supply of Source Code
Source code is always an issue in Software Contracts.
Maintenance and Warranty Services
In some cases, Maintenance is a continuation of the Warranty. In others, the services offered in each are different.
Warranties and Maintenance on Equipment
1) The Department must have the Supplier clearly spell out what parts of the equipment can be replaced free of charge. Generally, parts that are fixed and subject to failure would be, while consumables or items that are under heavy usage, such as print heads, are not covered by warranties.
2) Duty cycles should be observed and defined. Invariably, one does find a small line of print that limits the usage of a specific product to so many hours of non-stop work.
Warranties and Maintenance on Software
The following services are generally provided as part of the Warranties and Maintenance of Software items:
1) Correction of errors: the term “Error” should be clearly defined. Generally, errors are indisputable discrepancies such as: wrong totals or computations, misalignments, actions that promise a result and do not perform it (buttons, menus, etc.), crashes or application hangs, misleading error messages, all spelling mistakes and typographic errors, and improper sequencing of work (links that send you to the wrong place).
2) Supply of missing functions: should any function defined in the Technical Specifications not be available in the delivered software, then this may be subject to Maintenance terms. The Supplier would have to supply it.
3) Performance issues: generally, performance is difficult to specify. However, there are accepted rules of thumb as well as clear technical specifications.
4) Upgrades and updates are often included as part of Warranty and Maintenance Services.
Terms Applying to Both Hardware and Software
1) Specify clearly when the Supplier can be called. Usually, a business shift is specified so that calls outside it are either not answered or are chargeable at different rates.
2) Specify clearly how long a Supplier can take before responding to the first call.
3) Having taken the first call, specify clearly how long a Supplier can take before resolving the problem.
4) Specify clearly what contingency plan the Supplier has if the problem cannot be solved.
An example for hardware maintenance would help:
• Maintenance Hours: 8:00 till 14:00
• Calls made after 14:00 will be charged at an agreed upon rate.
• Calls should be responded to by a visit within 8 working hours from the time the call was placed.
• Any problem should be resolved within 16 working hours (2 days) of the response.
Support Agreements
Many agreements confuse support with maintenance and often combine the two. This eventually leads to disputes.
Maintenance aims at retaining the system in the working state in which it was supposed to have been delivered. It is the responsibility of the Supplier.
Support is any additional effort the Supplier has to put in to support the Department. Support includes such effort as:
• Additional training
• Resolving problems which are outside the control of the Supplier such as breakdowns due to damages, power failures, force majeure, etc.
• Assisting users in activities which are outside maintenance
• Developing minor reports, modifications and enhancements year, closings, etc
• Undertaking activities that are outside any agreed upon work such as upgrades, migration, re-installing software, troubleshooting, etc.
Copyrights and Intellectual Property
Various problems arise when Suppliers supply systems with software that is not legally licensed for that system. This often happens with built-in databases or software that is inadvertently left on the installed systems.
Specification Qualification (SQ)
The purpose of Specification Qualification is to show that the controls required to specify the design have been addressed and agreed upon by an authorized party. The objective of this Activity is to provide an SOP for the Qualification of a wide variety of Specifications (SQ).
Installation Qualification (IQ)
Before an ICT System is
brought into use, it should be properly installed and confirmed as being
capable of operation. The objective of this Activity is to provide an SOP for
the Qualification of installation of a wide variety of systems. This is essentially
a delivery process and should not be confused with operational qualification to
be discussed in the next Activity.
Performance Qualification (PQ)
Performance is a measure of
various parameters in a system such as speed, response, capacity, power, etc.
Performance Qualification (PQ) ensures that the total system performs as
intended in the specified operating range. The aim of this Activity is to
develop a Standard Operating Procedure that allows the Department to verify
that its systems are performing the way they should.
Logical System Access and Security
ICT Systems need to be secured so that specific functions can only be accessed by specific staff. This is called the Logical System Access facility and is different from the Physical access to the ICT Systems site.
Why should ICT Systems be Secured?
1) ICT Systems process information of a confidential nature. (Example: the health sector may store the disease histories of citizens, which are confidential.)
2) Some processes are the responsibilities of specific persons and must therefore not be processed by others. For example, posted vouchers should be identified by the person who posted them. This creates the necessary transparency.
3) Some procedures can only be executed by persons with the proper background and training.
4) Some information procedures may put the Department under a liability and hence should be secured.
Identify Functions to be Secured
In order to control logical
access to the ICT systems, the Department has to prepare a complete list of all
functions that are to be secured. For each item in the functions list there would
be a definition of the kind of accesses that may be allowed.
Assign Privileges and Access Rights
Having identified the functions to be secured on the ICT systems, the next Activity is that of determining the staff who can access the various functions and assigning them these privileges.
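The functions list and the privilege assignments described in the last two Activities can be kept as data and checked mechanically. The following is an added example, not part of the original guide: function names, access kinds and staff ids are constructed, and recording the staff id with every request follows the voucher example given earlier.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed functions list: each secured function names the kinds of
# access that may be allowed for it (all identifiers are hypothetical).
SECURED_FUNCTIONS = {
    "voucher.post": {"execute"},
    "voucher.view": {"read"},
    "patient.history": {"read", "update"},
}

# Constructed privilege assignments: staff id -> function -> granted kinds.
ASSIGNMENTS = {
    "s.haddad": {"voucher.post": {"execute"}, "voucher.view": {"read"}},
    "m.khoury": {"voucher.view": {"read"}, "patient.history": {"read", "delete"}},
    "r.saad": {"payroll.run": {"execute"}},
}


def audit_assignments(functions, assignments):
    """List grants that the functions list does not support."""
    findings = []
    for staff, grants in sorted(assignments.items()):
        for function, kinds in sorted(grants.items()):
            if function not in functions:
                findings.append((staff, function, "function not in list"))
                continue
            for kind in sorted(kinds - functions[function]):
                findings.append((staff, function, f"kind '{kind}' not defined"))
    return findings


@dataclass
class AccessController:
    functions: dict
    assignments: dict
    log: list = field(default_factory=list)

    def is_allowed(self, staff, function, kind):
        # Deny by default: the function must be listed, the access kind must
        # be defined for it, and the staff member must hold that grant.
        defined = self.functions.get(function, set())
        granted = self.assignments.get(staff, {}).get(function, set())
        return kind in defined and kind in granted

    def perform(self, staff, function, kind, reference=""):
        """Decide the request and record who asked, whether allowed or not."""
        allowed = self.is_allowed(staff, function, kind)
        self.log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "staff": staff,
            "function": function,
            "kind": kind,
            "reference": reference,
            "allowed": allowed,
        })
        return allowed


if __name__ == "__main__":
    for finding in audit_assignments(SECURED_FUNCTIONS, ASSIGNMENTS):
        print("review:", finding)
    controller = AccessController(SECURED_FUNCTIONS, ASSIGNMENTS)
    print(controller.perform("s.haddad", "voucher.post", "execute", "V-1001"))
    print(controller.perform("m.khoury", "voucher.post", "execute", "V-1002"))
    print(controller.log)
```

Running the audit before privileges go live catches grants that were never defined in the functions list; the log gives each posted voucher an identifiable person.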
Assign, Distribute and Control Passwords
Once the list of all functions is prepared and all staff are given the proper privileges for accessing the ICT systems, it is time to set up the procedure for assigning passwords to staff. This Activity presents an SOP that ensures that the process itself is safe.
ISO Standards for Security
ISO has established a standard for security (ISO17799) which is slowly getting implemented in a variety of ICT systems. This Activity introduces this standard and prepares for its implementation.
What is ISO17799?
ISO17799 is a comprehensive set of controls comprising best practices in information security. It is an internationally recognized generic information security standard.
What is the use of ISO17799?
The standard is intended to serve as a single reference point for identifying a range of controls needed for most situations where ICT systems are used in industry and commerce, and for the facilitation of trading in a trusted environment.
Infrastructure – Server and Other Rooms
Should the ICT Unit be hosted in a dedicated building, the Building would have its own Physical Protection and Access schemes. However, these are so similar to measures and practices taken for other computer rooms that the Guide has grouped them together. The objective of this Activity is to list the various items that fall under Server Rooms and other Computer locations and identify the threats and the related countermeasures needed to avoid them.
Infrastructure – Cabling
Cabling of ICT Systems covers all cables and passive components of networks. Their scope is from any existing delivery point of an extraneous network (telephone, ISDN) to the terminal points of network subscribers. The objective of this Activity is to list the various items that fall under cabling and identify the threats and the related countermeasures needed to avoid them.
Infrastructure – Networks
Networking of ICT Systems covers all components of networks. The objective of this Activity is to list the various items that fall under networking and identify the threats and the related countermeasures needed to avoid them.
Assign Physical Access Privileges
To determine the staff who can access the various areas in the Computer Center and assign them these privileges.
Assign, Distribute and Control Passwords
In some cases, Physical Access to ICT locations may require passwords. Such schemes as password protected door locks and cards require issuing policies. This Activity aims at setting up the procedure for assigning passwords and/or distributing access cards to staff.
Information Integrity: Backup / Archiving and Data Protection
One of the most frequent causes of damage, and one of the highest risks, in ICT Systems is loss of data or its corruption. The reasons are many: equipment breakdown, operator error, software bugs, etc. The only effective measure that can be taken to ensure that Information Integrity is maintained in an acceptable state is to have a rigorous Backup and Archiving policy.
Backup: The storage of data, source code, software products, scripts, etc., on a separate medium that can be used to restore the data to its initial form if need be. This could be a regular or an ad hoc activity.
Archiving: This term is essentially the same as Backup. However, some centers use it to signify removal of the data or cyclical backup that is not very frequent. In all cases, the procedures are the same as for Backup, so this Guide will not differentiate between Backup and Archiving.
Purging: Removing data from the initial medium to make space or reduce database size. Example: transactions are kept within the operational database for the current and the most recent 3 years. On completion of each year, the ICT Unit would need to purge the oldest year from the database.
Checkpoints: These are points in time where the Department has to take a full backup so that disaster recovery schemes can be used to restart the system from such Checkpoints.
Identify What is to be Backed Up and When
The purpose of this Activity is to document the data and software that need to be backed up and/or purged.
Backing Up
To prepare a Backup
procedure observing all backup requirements stated in the Backup Definition
List and to ensure that there is a record of all backups taken for all types of
information. This is the most crucial Activity to be carried out by the Department
and it aims at maintaining Information in total integrity. It may be time consuming
and it may be costly, but it is an insurance against data loss or corruption.
Identify What is to be “Restore Tested” and When
Many centers face major
upsets upon realizing that their backed up media is badly backed up or is
corrupted. The main reason for such a state is the lack of testing of the
backed up media. Sometimes, it is a matter of deterioration of the backed up media
or its environmental corruption. This Activity presents a procedure that
defines what media is to be “Restore Tested”, how frequently and what the tests
are.
Restore Testing
This
Activity presents a procedure that allows the Department to reduce the risk of
bad backup media through regular Restore Testing.
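One way to carry out the two restore-testing Activities above, as an added example that is not part of the original guide. It assumes the test consists of comparing SHA-256 checksums recorded at backup time with a trial restore, and that each backup set has a defined test frequency in days; the backup set names, file names and dates are constructed.

```python
import hashlib
import shutil
import tempfile
from datetime import date, timedelta
from pathlib import Path

# Constructed "Restore Test" definitions: what is tested and how often.
DEFINITIONS = [
    {"name": "finance-db", "test_every_days": 30, "last_tested": date(2024, 1, 5)},
    {"name": "source-code", "test_every_days": 90, "last_tested": date(2024, 1, 20)},
    {"name": "web-content", "test_every_days": 30, "last_tested": None},
]


def overdue_for_restore_test(definitions, today):
    """Backup sets never tested, or tested longer ago than their frequency."""
    due = []
    for item in definitions:
        last = item["last_tested"]
        if last is None or today - last > timedelta(days=item["test_every_days"]):
            due.append(item["name"])
    return due


def build_manifest(root):
    """Map each file's relative path to its SHA-256 digest."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): hashlib.sha256(path.read_bytes()).hexdigest()
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def restore_test(manifest, restored_root):
    """Compare a trial restore with the manifest recorded at backup time."""
    restored = build_manifest(restored_root)
    common = manifest.keys() & restored.keys()
    return {
        "missing": sorted(manifest.keys() - restored.keys()),
        "altered": sorted(n for n in common if manifest[n] != restored[n]),
        "unexpected": sorted(restored.keys() - manifest.keys()),
    }


def demo():
    """Constructed scenario: the media loses one file and corrupts another."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "source"
        (source / "db").mkdir(parents=True)
        (source / "scripts").mkdir()
        (source / "db" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (source / "scripts" / "close_year.sql").write_text("-- constructed sample\n")
        (source / "README.txt").write_text("constructed sample data\n")
        manifest = build_manifest(source)  # recorded when the backup is taken

        media = tmp / "media"
        shutil.copytree(source, media)  # stands in for writing the backup
        # Simulated deterioration of the backed up media.
        (media / "db" / "ledger.csv").write_text("id,amount\n1,100\n2,2?0\n")
        (media / "README.txt").unlink()

        restored = tmp / "restored"
        shutil.copytree(media, restored)  # stands in for the trial restore
        return restore_test(manifest, restored)


if __name__ == "__main__":
    print("due for restore test:", overdue_for_restore_test(DEFINITIONS, date(2024, 3, 1)))
    print("restore test result:", demo())
```

The manifest has to be stored apart from the backup media it describes, otherwise the same deterioration can damage both.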
Protection Against Viruses
Viruses are increasing in their damaging capability as well as in the ways they carry out such damage. The aim of this Activity is to provide Good Practices that reduce the problems associated with Virus infection to a minimum.
Software Application Development
Using a Software Development Process
Most ICT Units suffer from not having a defined and documented Software Development Process (SDP). Suppliers delivering customized software applications to the Department may suffer from a similar shortcoming. Selecting and adapting an SDP is not a simple matter. The Guide will not present such a procedure. However, this Activity will define software development processes, emphasize their importance and provide guidelines on how to select them.
Software Development Tools
Various development tools
and platforms (Database systems) can be used to assist the software development
process. This Activity highlights the importance of using such tools. It also
presents some of them and emphasizes the need to justify them operationally and
financially.
Programming Standards
With the large number of
development platforms, and due to the hurried nature of development itself, the
development profession has not been able to standardize its work. There are
many reasons for this shortcoming that the Guide shall not go into. However,
the Guide will recommend a set of Good Practices that serve to establish
programming standards.
Selecting Software Applications
When selecting software applications, a methodology should be followed that is different from the one used for the selection of other information resources such as equipment and networking items. There should be a logical and manageable progression through the selection process, with the stress on making the selection process Quantitative rather than Qualitative. This Activity presents a Standard Operating Procedure for the selection process.
Operations Management
There are various Procedures and Good Practices that should be followed by the Operations Unit to meet the above objectives.
Logging Maintenance and Support
One of the main causes of disputes between the following parties is the lack of coordination on Support and Maintenance: users, third parties supporting or maintaining systems, Suppliers and the ICT Unit. This Activity presents a procedure that defines the means of logging all support calls for the purpose of tracking, analysis and control.
Control Dissemination of Hard Copies and Distribution
One of the major
responsibilities of the Operations Department is the dissemination of the
information being processed by the various systems. More and more, such
information is being converted from paper form to screen displays. However, there
is a need to plan and control such dissemination. The objective of this
Activity is to prepare a Procedure that allows the Department to plan the
distribution and dissemination of reports applying security whenever this is
crucial.
Managing the Supplies of the ICT Systems
To present a set of Good Practices that allow the Department to better manage the supplies needed for the various ICT Systems. Essentially, these aim at ensuring that supplies have the right quality, capacity, standard and availability.
Documenting Data Entry Procedures
Generally,
most work done on improving the standards of data entry covers the entry of
data for operational, financial or administrative applications. These are
either developed for the Department or acquired as Commercial products. This Activity
presents some Good Practices for ensuring that all data entry procedures are properly
documented.
Standard Data Entry Checks and Controls
When developing or acquiring
software applications, it is important to ensure that the data being entered is
properly checked. This Activity presents guidelines for data entry checks and
controls.
Using and Supporting Office Technology Products
Many governmental processes
are based on Office Technology Products (OTP) that are end user programmable.
For example, a certain Ministry may use a word processor to prepare various
authorizations or certificates. Another may use a spreadsheet to prepare
budgeting exercises. Should the use of such products not be organized properly,
damages may result and worse still, the products will be underutilized. This
Activity covers a variety of recommendations, many of them related to
standardization of work by the users.
Environment Management
Most large computer centers require specific environmental conditions so that the equipment is maintained in proper running order. This is an Information Process that covers the definition of environmental conditions, the drivers used to maintain such conditions within the correct operating zones and the testers needed to warn against such conditions going out of their operating zones.
Define the Required Environmental Conditions
This
Activity presents a Procedure that defines the technical specifications required
of the environment of the site where various ICT systems reside.
Monitor Environmental Behavior
To monitor the various
environmental factors affecting the environment in which the ICT Systems
operate and to ensure that the environment is maintained running within its
allowable zones.
CONCLUSION
ICT is a fantastic tool; however, there are some risks and legal requirements associated with using it. The article ICT Risk Assessment outlines some of these and will help you identify and manage risks appropriately.