Temple University

Week 2 Wrap-up: Basic IT Controls

Great job on the discussion; this is what I want to see every week. I think you raised all the salient points, but let me summarize.

To be effective, an organization needs to establish a certain structure and responsibilities. Most organizations need information systems to operate, so they create an IT organization. To be effective, that sub-organization (IT) needs certain things:

  • Terms of Reference or a Charter – What is its mission? Why is it there?  What is it trying to achieve?  On this last point, the COSO list of objectives for an IT organization (Confidentiality, Integrity, Availability and so on) is a good list.  You should learn it.
  • A basic organizational structure, arranged to ensure that the work required to satisfy the Terms of Reference will get done.  This implies that resources are allocated to different tasks and that someone is responsible for leading each area of work.
  • Monitoring – there needs to be a “culture” of monitoring: each leader should be monitoring his/her people, and each level should be monitoring the work of the level below in order to make sure the required work is being done.  Monitoring also implies that when problems arise, they are addressed.
  • Performance Metrics – You can only monitor if you can tell a good job from a bad job and you can only tell that if you have some way of measuring success.

If you have these things, you are off to a good start. This coming week we will look at another level of administrative controls that all organizations have, not just IT organizations (things like budgets, HR policies, etc.).

As for DentDel, you all got the point. Even the most basic controls, like assigning responsibilities and monitoring, were missing. Yes, the CIO picked a technology without doing due diligence, but why? Because there was no expectation set that due diligence should be done on every project being initiated. I particularly like the comments about asking the client (in this case Sales) what they needed. There was a much better project out there, but it never got visibility because there was no process to check. It's all too easy to assume that governance at this level is being done correctly, but it often isn’t. Always ask the basic questions first and then follow where they lead.
