AUDIT OF INFORMATION TECHNOLOGY Management (Action Plan) Responses February 2005 # PRIORITY DESCRIPTION MANAGEMENT RESPONSE



Similar documents
AUDIT OF INFORMATION TECHNOLOGY FINAL REPORT. Addressed to:

2007 Follow-Up Report on the Audit of Information Technology January 2005

SSHRC Management Response to Review of AMIS

Information Security Policy. Chapter 11. Business Continuity

Project Roles and Responsibilities

La Trobe University is committed to maintaining a comprehensive and effective Compliance Framework.

Request for Proposals Saskatchewan Real Estate Commission Brokerage Compliance Audit Project January 11, 2016

INFORMATION GOVERNANCE POLICY & STRATEGY FINAL DRAFT

Information Technology Project Oversight Framework

Migration Planning Guidance (Draft)

CHAPTER 1: BUSINESS CONTINUITY MANAGEMENT STRATEGY AND POLICY

Audit of the Test of Design of Entity-Level Controls

INTERNATIONAL AC CREDITATION STANDARDS FOR HEALTHCARE EXTERNAL EVALUATION ORGANISATIONS

Trust Board Report. Review of the effectiveness of the IM&T Committee

2014 Vendor Risk Management Benchmark Study

Risk Management & Business Continuity Manual

EXECUTIVE SUMMARY...5

CENTRAL LINCOLNSHIRE LOCAL PLAN HIGHLIGHT REPORT

LGS Project Management Methodology

Statement of Guidance

Transition and Transformation. Transitioning services with minimal risk

ENTERPRISE RISK M A NAGEMENT POLICY

PHASE 9: OPERATIONS AND MAINTENANCE PHASE

Infrastructure Information Security Assurance (ISA) Process

Queensland State Archives. Strategic Recordkeeping Implementation Plan Workbook

Audit of Contract Management Practices in the Common Administrative Services Directorate (CASD)

The University s responsibilities and its arrangements for internal audit Internal audit protocol 2014/15 to 2016/17

Request for Proposal. Supporting Document 3 of 4. Contract and Relationship Management for the Education Service Payroll

Standard 1. Governance for Safety and Quality in Health Service Organisations. Safety and Quality Improvement Guide

Internal Audit Report on. IT Security Access. January January - English - Information Technology - Security Access - FINAL.

ICT Services 2015/16 Strategy & Opportunities

Request for Proposal for Application Development and Maintenance Services for XML Store platforms

1 What does the 'Service V model' represent? a) A strategy for the successful completion of all service management projects

Audit of NSERC Award Management Information System

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

Information Security Program CHARTER

BSBCCO501B Develop business continuity strategy

Information Governance Management Framework

Voice Over IP Network Solution Design, Testing, Integration and Implementation Program Overview

RISK MANAGEMENT POLICY AND STRATEGY. Document Status: Draft. Approved by. Appendix 1. Originator: A Struthers. Updated: A Struthers

MEMBERS CONSIDER THE RISK STRATEGY AND RECOMMEND APPROVAL TO COUNCIL.

AUDIT REPORT. Services provided by the United Nations International Computing Centre to the UN Secretariat - Department of Field Support

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Network Support. Request for Proposals

COMMUNIQUE. Information Technology (IT) Governance Guidance

Appendix A: ICT and Information Management Strategy

Publication 805-A Revision: Certification and Accreditation

Proposed Principles to be addressed in APES GN 20 Outsourced Accounting Services

VISION FOR LEARNING AND DEVELOPMENT

INFORMATION GOVERNANCE POLICY

Recommendation Current Position and Explanation for Slippage: Target Dates:

Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project

Joint ICT Service ICT Strategy

LFRS Business Continuity Planning

UoD IT Job Description

Risk Management Policy and Process Guide

Internal Audit Report Business Continuity Planning Arrangements

PROJECT MANAGEMENT FRAMEWORK

Management Advisory Postal Service Transformation Plan (Report Number OE-MA )

Policy Document Control Page

CASE STUDY 6 SECTOR: NHS DELIVERABLE: NEW MULTIFUNCTION SERVICE DESK THE CLIENT:

Part B1: Business case developing the business case

LUKHANJI MUNICIPALITY PERFORMANCE MANAGEMENT FRAMEWORK

Human Services Quality Framework. User Guide

WEST COAST DISTRICT MUNICIPALITY IT GOVERNANCE FRAMEWORK IT CHARTER

Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004

IT REVIEW OF THE DISASTER RECOVERY ARRANGEMENTS

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

CITY UNIVERSITY OF HONG KONG

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

CISM (Certified Information Security Manager) Document version:

River Stour (Kent) Internal Drainage Board Risk Management Strategy and Policy

SCRUTINY PANEL. 12 February 2015 REVIEW OF ICT SERVICES. Report of the Director of Resources

Advisory Guidelines of the Financial Supervisory Authority. Requirements regarding the arrangement of operational risk management

INFORMATION GOVERNANCE STRATEGY

Position Title: Nurse Education Facilitator (Statewide Cardiology Project Nurse)

VMIA Business Continuity Initiatives

R U N D O. The ECU Technology Governance Framework A brief guide

information Records Management Checklist business people security preservation accountability Foreword Introduction Purpose of the checklist

Newcastle University Information Security Procedures Version 3

Anatomy of an IT Outsourcing Deal. Bruce Laco Deloitte John Pickett IT World Canada Barry Sookman McCarthy Tetrault

QUALITY MANAGEMENT SYSTEM MANUAL

IT Service Management. The Role of Service Request Management

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Follow-up Audit of Information Technology Services Department. IT Contingency Planning

Department of Administration Portfolio Management System 1.3 June 30, 2010

University of New England Compliance Management Framework and Procedures

Business continuity management policy

COMPREHENSIVE ASSET MANAGEMENT STRATEGY

Board Charter. May 2014

How To Manage A Province Of Philippines

A Question of Balance

INTERNAL AUDIT FRAMEWORK

Standard for Business Continuity/Disaster Recovery (BC/DR) Service Providers

Guidance on the Governance and Management of Evaluations of Horizontal Initiatives

Remote Infrastructure Support Services & Managed IT Services

Office of Audits and Evaluations Report No. AUD The FDIC s Controls over Business Unit- Led Application Development Activities

Open call for tenders No 01/2102/12

CISM ITEM DEVELOPMENT GUIDE

White Paper on Financial Institution Vendor Management

Manage Compliance with External Requirements

Transcription:

AUDIT OF INFORMATION TECHNOLOGY Management (Action Plan) Responses February 2005 # PRIORITY DESCRIPTION MANAGEMENT RESPONSE Ref: Chapter 3.1 GOVERNANCE FRAMEWORK Information Technology Steering Committee 1.1 HIGH An Information Technology Steering Committee (ITSC) should be established to connect end-users and senior management with the ISD organisation, oversee the strategic orientation and vision for IT by approving the IT plan, vision, and policies, appraise the viability and worth of IT projects to be undertaken, and recommend priorities and funding to the Management Committees. ISD agrees that a governing body to oversee the strategic orientation and vision of ISD is a good idea; however, the suggestion that an additional committee is required to do so is questioned. The need to create an Information Technology Steering Committee (ITSC) for the purpose of approving the information technology plan, vision and policies may speak more to deficiencies and commensurate opportunities within the existing committee structures. ISD proposes to explore the idea of expanding the terms of reference and mandates of the SSHRC Electronic Services Delivery and the NSERC ebusiness Steering Committees to fulfill the requirements identified for an ITSC. 1.2 HIGH Formal terms of reference (TOR) should be developed for the ITSC and describe the ITSC s goal, objectives and scope, deliverables, membership, responsibility, accountability and authority, reporting relationship, and frequency of meetings. Without TOR, our experience has shown that committees lack focus and are doomed to fail. To be completed by the end June 2005. This will be pursued in conjunction with the response scribed for 1.1. To be completed by the end June 2005.

Ref: Chapter 3.2 GOVERNANCE FRAMEWORK The IT plan and the IT vision 2.1 HIGH Produce an IT technological vision covering the next two to three years. This is currently being drafted. ISD will also plan to revisit its technological vision on an annual basis as part of it fiscal planning activities to ensure relevance and accuracy to the strategic visions and directions of both Councils. 2.2 HIGH ISD should produce a more comprehensive IT plan that will include all core business projects, ISD special projects (where applicable), office automation and infrastructure projects. To be completed by April 1 st, 2005. This work is underway. Based on information and requirements known at the time of writing all projects for 05/06 have been itemized in the ISD 05/06 project plan. The plan is currently being expanded to include additional project detail for each initiative. Ref: Chapter 3.3 GOVERNANCE FRAMEWORK Risk management 3.1 MEDIUM ISD should conduct a comprehensive TRA of its IT infrastructure environment. This work is scheduled to be completed by March 2005. A technical architecture Threat and Risk Assessment will be conducted during the course of 05/06.

3.2 MEDIUM ISD should develop the necessary guidelines and control measures ensuring that TRAs are systematically and rigorously completed for every System Development initiative, including the development of non-core application projects. Completed by end 05/06. This recommendation is expected to be supported by the ISD security plan (see 4.1). ISD will assess the need to establish in-house TRA expertise that will permit a consistent and rigorous follow-up for every system development initiative. This will be inclusive of non-core IT application projects including those that are not developed inhouse. ISD believes that a TRA resource should not be considered in isolation of a like skill-set in conducting PIAs (Privacy Impact Assessments). Depending on the nature and complexity of the application it is often necessary to conduct both a TRA ands PIA in parallel. The degree to which ISD can fully comply with this recommendation will depend on the approach supported by senior management. Outsourced TRAs are often subject to resource availability and commensurate funding; however, until senior management commitment in support of the need to acquire or develop in-house expertise has been given, ISD will ensure that TRAs are systematically and rigorously completed for all system development initiatives by investing in external consulting expertise as required.

Ref: Chapter 3.4 Complete ongoing. GOVERNANCE FRAMEWORK IT security plan 4.1 LOW ISD should articulate its IT security plan using the information contained in the Security Compendium document and the ISD-wide TRA exercise recommended in chapter 3.3 Risk Management Ref: Chapter 3.5 GOVERNANCE FRAMEWORK IT policies and standards 5.1 MEDIUM In collaboration with the Administration Division, ISD should identify the IT areas to be covered by IT policies, assign a priority and a development schedule to each new policy, develop each one according to the established timeline, present them to the IT steering committee for approval, and develop a roll out strategy to cover the communication to staff and posting on the Intranet. As part of its project objectives for 05/06 ISD plans to compile a comprehensive ISD security policy. This will be completed prior to the end of 05/06. Policy development and review is an ongoing activity within ISD; however, policies are only developed as needed or in response to legislative requirements. Currently, consultation with the Administration Division does not make up part of this existing process. ISD will adjust the process to include collaboration with the Administration Division. Following this consultation process, policy priorities will be identified and the respective development plans will be compiled in a schedule to be communicated to the IT governing bodies (See 1.1). Ongoing activity. Initial meeting with the

Ref: Chapter 3.6 GOVERNANCE FRAMEWORK The service level agreement (SLA) 6.1 HIGH ISD should review its SLA and identify performance targets for Network Administration, System Development, Helpdesk Services, Internet and Intranet. These performance targets need to be negotiated with the clients, included in a revised SLA, monitored for compliance, reported on a regular basis, and communicated to the IT Steering Committee. Administration Division will take place before the end March 2005. Although ISD currently identifies service response times within its Service Level Agreement (SLA) it does not include specific performance targets as negotiated with the clients. As part of it annual review of its SLA, ISD will pursue the establishment and inclusion of performance standards. ISD does not believe that this recommendation warrants a HIGH priority but instead is more conducive to a LOW rating; especially, given the fact that recommendation 8.5 lists the need to monitor performance targets as LOW. Given acceptance of a LOW rating, ISD will revise its SLA to comply with the recommendations as part of its annual SLA review cycle; this occurs each Fall. Additionally, ISD will poll all directors and VPs in order to determine their informational needs when reporting on ISD performance. This activity is already underway. These results will be incorporated into the SLA. Updates to the SLA will be completed in the Fall 2005.

Ref: Chapter 3.7 GOVERNANCE FRAMEWORK Disaster recovery plan (DRP) 7.1 HIGH The Security Steering Committee should assign a timetable to update the DRP. Currently the Management Security Steering Committee (MSSC) is overseeing the development of a Business Continuity Plan (BCP); it is understood that an up to date ISD Disaster Recovery Plan (DRP) will serve as an essential component of the more comprehensive BCP. ISD acknowledges that much of the work required to compile a BCP and a complementary IT DRP can be pursued in parallel. Given the required expertise to develop a more comprehensive DRP, ISD plans to seek consulting assistance to complete this work. It is estimated that the initial DRP will cost approximately 50K. Following completion of this initial work ISD will subsequently budget approximately 10-15K on an annual basis in order to ensure the baseline DRP is continually updated to reflect any changes within the IT environment. 7.2 MEDIUM The Director ISD should formally assign the responsibility to review the existing DRP document to one of his managers. It is anticipated that the initial DRP will be completed in 3 to 5 months time. The ISD Manager of Technical Services, in his capacity as the Councils Information Technology

Ref: Chapter 4 Security Coordinator (ITSC), has been assigned as the lead on this initiative. Complete. END USERS SUPPORT MANAGEMENT 8.1 LOW ISD should investigate the advantages of creating a central focal point for all ISD support requests. ISD will analyse the possibility of consolidating the 2 ISD Helpdesks (Support Centre and ebusiness/esd Helpdesks) in order to create a single point of user contact. Being that each Helpdesk serves different client communities (external vs. internal) the rational and corresponding recommendation to create a central focal point is unclear. Given the nature of the other ISD service areas the business rational to consider consolidating these within a central point of entry is unclear. However, ISD agrees to investigate whether or not there would be any advantage to the client communities in doing so. The results of the analysis will be tabled with the IT governing bodies (See 1.1). This analysis will be completed in late Fall 2005.

8.2 MEDIUM ISD should investigate the advantages of endorsing a more comprehensive incident tracking system and maintaining a single database for all service requests. Evaluation of more comprehensive products for incident tracking and maintaining a single database is already underway. 8.3 MEDIUM ISD should institute a formal escalation process to solve more complex problems. 8.4 MEDIUM ISD should review the accountability of the ISD HD and the ebusiness ESD HD groups to ensure that each group becomes accountable to track and monitor the escalated problems until full resolution. A product that supports a more comprehensive tracking of user requests is expected to be made by March 2005. This requirement has already been identified as part of the analysis of a new tracking system (See 8.2). A more comprehensive tracking system will permit greater access for Council staff; thereby, permitting escalation and tracking of incidents outside of the Helpdesk teams. The new system is expected to be implemented by June 2005. Again a more comprehensive incident tracking software solution that accommodates this business requirement will address this problem (See 8.3). The new system is expected to be implemented by June 2005.

8.5 LOW ISD should monitor the performance targets specified in the SLA. Once targets have been included in the SLA (See recommendation 6.1) they will be accordingly monitored. 8.6 LOW ISD should ensure that performance reports are produced to measure the attainments of objectives stated in the SLA. Updates to the SLA will be completed in the Fall 2005. Currently, numerous performance reports are generated in a systematic manner; however, they are not directly associated with the SLA. Instead they are produced based on user requests and personal preference. Once the SLA performance targets have been established and in place, ISD will ensure that reports are created to specifically measure performance objectives as documented. Updates to the SLA will be completed in the Fall 2005. (See additional comments in 6.1) Ref: Chapter 5.3 MANAGEMENT OF INFRASTRUCTURE Change Management and Release Management 9.1 MEDIUM Technical Support group should implement more rigorous change management and release management processes to document changes to the infrastructure, and ISD has already implemented a shared centralized

Ref: Chapter 6.1 communicate the nature of the changes to users and provide users with information on the impact of the implementation. calendar recording all planned TS project activities. This communication medium will be assessed and improved over the next several months to ensure that it adequately addresses the informational needs of the impacted internal user communities. Ongoing activity. SYSTEM DEVELOPMENT Special projects 10.1 LOW ISD should describe the term special project, 10.2 HIGH Where the scope warrants, ISD should describe and prioritise special projects in the IT plan. 10.3 LOW ISD should ensure that a project plan is developed for each project. 10.4 LOW Where the scope warrants, ISD should ensure that the development process follows a formal SDLC. Complete (Definition will be included in the ISD SLA during the Fall 2005). Special projects, where the scope warrants, have been included in the ISD project list for 05/06. Complete. A project status template is currently being complied for all 05/06 projects. Each template will clearly highlight pertinent project plan information. To be completed by March 2005.

This is currently the case for ISD initiated projects; this was not the case upon initial creation of the Special Projects Service within ISD. Complete.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information