FINAL Report - Audit of IT Function

English, 43 pages
AUDIT OF INFORMATION TECHNOLOGY
FINAL REPORT

Addressed to:
Natural Sciences and Engineering Research Council of Canada (NSERC)
Social Sciences and Humanities Research Council of Canada (SSHRC)

Presented by:
Progestic International Inc.
2650 Queensview, Suite 245
Ottawa, Ontario K2B 8H6

January 27, 2005

TABLE OF CONTENTS

1 EXECUTIVE SUMMARY .... 1
2 INTRODUCTION .... 5
3 GOVERNANCE FRAMEWORK .... 6
3.1 GOVERNANCE STRUCTURE .... 6
3.2 THE IT PLAN AND THE IT VISION .... 7
3.3 RISK MANAGEMENT .... 10
3.4 IT SECURITY PLAN .... 11
3.5 IT POLICIES AND STANDARDS .... 12
3.6 THE SERVICE LEVEL AGREEMENT .... 13
3.7 DISASTER RECOVERY PLAN (DRP) .... 15
4 END-USERS SUPPORT MANAGEMENT .... 17
5 MANAGEMENT OF INFRASTRUCTURE .... 21
5.1 MANAGEMENT OF ISD INFRASTRUCTURE .... 21
5.2 SECURITY OF INFRASTRUCTURE .... 23
5.3 CHANGE MANAGEMENT AND RELEASE MANAGEMENT .... 23
6 SYSTEM DEVELOPMENT .... 25
6.1 SPECIAL PROJECTS .... 25
6.2 SYSTEM DEVELOPMENT AND MAINTENANCE FOR CORE APPLICATIONS .... 26
APPENDIX A: SUMMARY OF RECOMMENDATIONS .... 1
APPENDIX B: AUDIT BACKGROUND INFORMATION .... 1
B1: AUDIT OBJECTIVES .... 1
B2: AUDIT SCOPE .... 1
B3: METHODOLOGY .... 1
B4: ACKNOWLEDGEMENTS .... 2
APPENDIX C: ISD - BACKGROUND INFORMATION .... 1
APPENDIX D: INCREASING COMPLEXITY OF IT .... 1
APPENDIX E: LIST OF PEOPLE INTERVIEWED .... 1
APPENDIX F: VISUAL REPRESENTATION OF AREAS THAT WERE ADDRESSED DURING THE NSERC - SSHRC IT AUDIT .... 1

Description of tables:
Table 1: IT driving factors
Table 2: Identification of staff involved in the development of special projects
Table 3: Corporate application system development groups
Table 4: Breakdown of staff and consultants in ISD
Table 5: Identification of staff involved in the system development and maintenance activities
Progestic International Inc. - final report - Page: i
1 EXECUTIVE SUMMARY

Introduction

Objectives - Two audit objectives were identified for the audit of Information Technology (IT):
1. Assess the Information Services Division (ISD) management control framework to ensure that the IT function is efficiently and effectively managed.
2. Review, examine, and assess the effectiveness of all ISD lines of services, IT operational activities, technological functions, and main processes.

Scope - The main focus of the audit was the ISD. The audit covered the ISD management control framework, and all operational IT functions, services, processes, and activities.

Observations concerning the ISD management control framework

A formal IT governance structure is not in place in NSERC and SSHRC. Adopting a strategic approach to governing IT in NSERC and SSHRC will complement current ISD management practices and is necessary if both Councils are to achieve their business objectives. Some of the key elements missing from the current ISD governance framework are a governing body responsible for making strategic decisions for IT, the availability of an IT vision and a comprehensive IT plan, access to a comprehensive set of IT policies, the setting of service targets to measure ISD performance, and rigorous risk management practices.

As IT becomes increasingly crucial to the support, sustainability and growth of business, it is imperative for NSERC and SSHRC executive management to understand how to effectively measure IT performance. The responsibility to control the formulation and implementation of IT strategy, to ensure the fusion of business and IT, is called IT governance. The purpose of IT governance is to direct IT endeavours to ensure that ISD's performance meets the following objectives:
- IT is aligned with the Councils' businesses and realises the expected benefits;
- IT exploits opportunities and maximises benefits;
- IT resources are used responsibly; and
- IT risks are managed appropriately.
Areas of improvement - Several areas of improvement are required to ensure that the NSERC and SSHRC IT function provides all the expected benefits. Each area of improvement is specified in the next paragraphs along with our recommendation.

1. An appropriate governance structure and process has not been developed to oversee the vision and strategic orientation for IT, review and approve IT policies, and set the priority of IT projects. Our analysis led us to conclude that ISD does not have a formal discussion forum to share concerns with IT services, express satisfaction levels with corporate applications and/or IT services, set priorities for IT projects, and participate in the strategic IT decisions.
We recommended that an Information Technology Steering Committee (ITSC) be established to connect end-users and senior management with the ISD organisation, oversee the strategic orientation and vision for IT by approving the IT plan, vision and policies, appraise the viability and worth of IT projects to be undertaken, and recommend priorities and funding to the Management Committees.

2. For the current fiscal year and past fiscal years, ISD has not completed a comprehensive IT plan describing all its projects (system development, infrastructure, procurement, etc.). Furthermore, an IT vision has not been developed to identify the general technological directions ISD intends to follow in the next two to three years. Each year, ISD produces an IT Plan based on the evolution of the core business applications (eBusiness, ESD, NAMIS, and AMIS). Even if the annual fiscal year budget process identifies and accounts for all IT projects, we noticed that the IT plan does not include all the infrastructure projects required to support the business projects or to enhance the current network, office automation or telecommunication infrastructure. We recommended that ISD produce a more comprehensive IT plan that will include all core business projects, ISD special projects (where applicable), and office automation or infrastructure projects, and that an IT technological vision covering the next two to three years be developed.

3. ISD has not completed a threat and risk assessment (TRA) to determine the vulnerabilities associated with sensitive information, assets and employees and to select risk-avoidance options to implement cost-effective safeguards. While some TRAs were completed for selected system development projects, TRAs were not rigorously completed on all system development initiatives and ISD operational activities to assess risks and vulnerabilities. We recommended that ISD conduct a comprehensive TRA of its IT infrastructure environment.

4. A comprehensive IT security plan has not yet been produced to justify, identify, prioritise, schedule, and estimate all IT security projects. Our examination of current operations revealed that security projects take place each fiscal year. However, the NSERC and SSHRC management teams are not always aware of the overall costs and effort related to these security projects and do not currently participate in the establishment of priorities for each one. We recommended that ISD articulate an IT security plan using the information contained in the Security Compendium document and the ISD-wide TRA exercise.

5. ISD has not developed all the IT policies and standards necessary to set the rules and regulations for the IT managerial, operational, and administrative frameworks. ISD has published few policies related to IT: the Acceptable Use of Electronic Network Policy, the Telework Policy, and the computer room access policy. Furthermore, ISD has not yet completed the development of its own IT security policy. The Treasury Board Secretariat clearly states in its Management of Information Technology Security (MITS) standard that every federal organisation shall develop its own IT security policy based on the Government Security Policy.
We recommended that ISD identify the IT areas to be covered by IT policies and that a priority and a development schedule be assigned to each new policy.

6. The document entitled Service Level Agreement (SLA) between ISD, CASD, NSERC and SSHRC, dated March 2004, contains very few service targets leading to the measurement of ISD performance. In March 2004, ISD reviewed and renegotiated its SLA with its three main user communities: CASD, NSERC and SSHRC. Our review of the SLA document revealed that, in its current form, the SLA has not established service targets leading to the measurement of ISD performance. We recommended that ISD review its SLA and identify performance targets for Network Administration, System Development, Helpdesk Services, Internet and Intranet.

7. The current Disaster Recovery Plan (DRP) document lacks the operational details allowing a structured, orderly and timely recovery of IT operations. Even if some security measures currently in place could be used to recover IT services, we concluded that should a major disaster strike the computer room, the continuation of IT operations could be compromised. Our analysis of the current DRP document led us to conclude that, in its present state, the DRP does not contain all the essential procedures allowing a timely recovery of IT operations. Consequently, we concluded that should a disaster strike the computer room, the continuation of NSERC and SSHRC business operations is at risk. We recommended that the Security Steering Committee assign a timetable to update the DRP and that ISD review the existing DRP document.

Observations related to the ISD operational activities

System development - ISD uses several System Development Life Cycle (SDLC) and Project Management Frameworks during the development of NSERC and SSHRC core business applications. Our analysis led us to conclude that each SDLC provides good controls to develop, manage, track, test changes, and implement the applications.

In any given year, several smaller system development initiatives are completed in addition to the development of the core application systems. Other system development projects, sometimes classified as special projects, respond to specific business needs or services such as the Intranet, Business Object reports, FDSR, Common CV, Family Album, IMEP, eCIMS, eScoring, etc. Considering that ISD has not yet provided a definition of the term special project, we described it as follows: special projects are system development projects that are either initiated by an ad-hoc user request or initiated and justified by ISD, not controlled by any user committee, and not following any particular SDLC. Approximately 15 staff are involved in supporting non-core application projects. However, it is important to note that many of these staff supporting special projects have other duties, and the development and maintenance of special projects is only one of their responsibilities.
Our audit revealed that special projects are not developed and managed with the same rigour as system development related to core applications, that the IT plan does not yet describe or prioritise these special projects, and that their development processes do not follow any standard methodology. We recommended that ISD:
- describe the term special project;
- where the scope warrants, describe and prioritise special projects in the IT plan; and
- ensure that a project plan is developed for each special project and, where the scope warrants, ensure that the development process follows a formal SDLC.

End users support services - Nine ISD groups provide end user support services. All interviewees indicated that they were satisfied with the services received from each group, especially those provided by the ISD Helpdesk group, which is responsible for supporting and managing the desktop environment (600 desktops and 100 printers) and providing office automation support services to NSERC and SSHRC users. Following our analysis, we concluded that ISD does not capitalise on the benefits of using a single point of contact to provide end-user support services and capture information on each end user service request. Only two support groups (ISD Helpdesk and eBusiness Helpdesk) use the Remedy incident tracking system to record information on service requests. Outside of these two areas, a formal escalation process has not been established to track problems until satisfactory resolution. We also noticed that insufficient information is captured in the Remedy database to measure ISD's performance related to end user support services. Consequently, several recommendations were formulated. Three of these are:
- investigate the advantages of creating a central focal point for all ISD support requests;
- investigate the advantages of endorsing a more comprehensive incident tracking system; and
- institute a formal escalation process to solve more complex problems.

Technical Services - The Technical Support group manages the infrastructure environment adequately. It maintains approximately 90 servers. Given the operational importance placed on operational servers, they are kept current, and software licenses are adequately managed and properly inventoried. One of the major strengths of Technical Services is the implementation and maintenance of security measures to protect the data, the infrastructure, and the office automation environment. We did observe that the Technical Support group does not use rigorous processes to document and track infrastructure changes and then communicate these changes to users prior to implementation. We recommended that the Technical Support group implement more rigorous change management and release management processes to document changes to the infrastructure, communicate the nature of the changes to users, and provide them with information on the impact of the implementation.
2 INTRODUCTION
The audit objectives, scope and methodology are described in Appendices B1, B2 and B3 respectively. A detailed description of the Information Services Division (ISD) is provided in Appendix C. It includes information on the ISD budget, its clients and lines of services, its organisational structure, and the breakdown of staff and consultants between the six responsibility centres. In Appendix D, we have included the difficulties of managing an IT organisation in the year 2005. The auditors' views and opinions are provided to explain the increasing complexity of the Information Technology world, the increasing need for security measures, and the increasing pressures on an Information Technology organisation.
3 GOVERNANCE FRAMEWORK

Introduction - Over the past decades, IT organisations have migrated from commodity service providers to strategic partners. IT organisations are now viewed as a tool for increasing business growth rather than just an expense. The primary goal of IT governance is to assure that the investment in IT generates value while mitigating the associated risks. This can be done by implementing an organisational structure with clear roles for the responsibility of information, business processes, applications, infrastructure, etc.

General observation - A formal IT governance structure is not in place in NSERC and SSHRC. Adopting a strategic approach to governing IT in NSERC and SSHRC will complement current ISD management practices and is necessary if both Councils are to achieve their business objectives. Some of the key elements missing from the current ISD governance framework are a governing body responsible for making strategic decisions for IT, the availability of an IT vision and a comprehensive IT plan, access to a comprehensive set of IT policies, the setting of service targets to measure ISD performance, and rigorous risk management practices.

3.1 Governance structure

Observation - An appropriate governance structure and process have not been developed to oversee the vision and strategic orientation for IT, review and approve IT policies, and set the priority of IT projects.

Analysis - From our interviews, we have concluded that users do not have a formal comprehensive discussion forum to share concerns with IT services, express satisfaction levels with corporate applications and/or IT services, set priorities for IT projects, and participate in the strategic IT decisions. A more comprehensive IT governance process would ensure that users are more actively involved in the management of IT activities and actively participate in the development of its orientation.
In many organisations, an Information Technology Steering Committee (ITSC) has been established to connect end-users with the IT organisation. With time, it has become the main communication medium allowing end-users and the IT organisation to formally exchange information relative to users' needs, priorities, and satisfaction levels. Furthermore, the ITSC oversees the strategic orientation and vision for IT by approving the IT plan, vision, and policies, appraises the viability and worth of IT projects to be undertaken, and recommends priorities and funding to the Management Committees.

The main role that needs to be fulfilled by the ITSC relates to IT governance. Business and Administration representatives must be positioned to challenge the actions, proposals and decisions of ISD. The attributions related to this role entail making sure that IT priorities are properly assigned, essential IT management activities are undertaken, and IT projects progress according to plan and budgets. The main objectives of an ITSC are to:
- Co-ordinate and monitor the development of strategic IT projects to ensure adherence to priorities, objectives and budgets approved in the IT Plan;
- Appraise the viability and worth of IT projects to be undertaken, and recommend priorities and funding to the Management Committees;
- Provide strategic planning direction for the exploitation of IT resources (link business strategy to IT strategy, set objectives); and
- Recommend to the Management Committees the long range IT plan, budget and priorities, and IT policies and standards.

Conclusion - In the absence of an ITSC, there is no formal discussion forum to bring together NSERC and SSHRC senior management to discuss common IT issues, share concerns, and exchange and communicate essential information on IT issues. In today's business environment, we strongly advocate the need for users to be actively involved in the management of IT activities and to participate in the development of technological orientations. The ITSC would serve as the glue that connects and cements end-users and ISD. It is the main communication channel allowing end-users and ISD to exchange information relative to users' needs, priorities, and satisfaction levels.

Recommendation 1
1. An Information Technology Steering Committee (ITSC) should be established to connect end-users and senior management with the ISD organisation, oversee the strategic orientation and vision for IT by approving the IT plan, vision, and policies, appraise the viability and worth of IT projects to be undertaken, and recommend priorities and funding to the Management Committees.
2. Formal terms of reference (TOR) should be developed for the ITSC and describe the ITSC's goal, objectives and scope, deliverables, membership, responsibility, accountability and authority, reporting relationship, and frequency of meetings. Without TOR, our experience has shown that committees lack focus and are doomed to fail.

3.2 The IT plan and the IT vision

Observation - For the current fiscal year and past fiscal years, ISD has not completed a comprehensive IT plan describing all its projects (system development, infrastructure, procurement, etc.). Furthermore, an IT vision has not been developed to identify the general technological directions ISD intends to follow in the next two to three years.

Current situation with the IT plan - Each year, ISD produces an IT Plan based on the evolution of the core business applications (eBusiness, ESD, NAMIS and AMIS). Even if the annual fiscal year budget process identifies and accounts for all IT projects, we noticed that the IT plan does not include all the infrastructure projects required to support the business projects or to enhance the current network, office automation or telecommunication infrastructure. On a yearly basis, the Technical Support group completes numerous infrastructure projects; however, the descriptions and justifications of these projects are not included in the IT plan and a priority is not assigned to each one.