June 14, 2011 8:46 PM
Posted by: Robert Davis
Application Portfolio Management,
Infrastructure Portfolio Management,
IT Portfolio Management,
IT Project Governance,
Project Communications Management,
Project Portfolio Management
IT project managers are typically presumed to have in-depth technical skills. However, technical aptitude is not the primary key to successful project management. Specifically, IT projects generally will not succeed unless they are managed by professionals who combine adequate business communication skills with adequate technical communication skills.
Considering one project management model definition, Project Communications Management comprises the processes that affect the timely and appropriate generation, collection, dissemination, storage and ultimate disposition of project information. Within this context, planning a formal communications network, with clarity of purpose and distinct policies, is essential for IT projects. Furthermore, disseminating IT project information is fundamental to practicing structured project management. Therefore, providing effective and efficient information distribution and storage normally requires a technology-based project management information system.
View Part I of the Governance and Managing IT Projects series here.
June 10, 2011 6:43 PM
Posted by: Robert Davis
Application Portfolio Management,
Infrastructure Portfolio Management,
IT Portfolio Management,
IT Project Governance,
Project Portfolio Management
Tactically, a project is a structured set of activities concerned with delivering a defined capability (necessary, but not sufficient, to achieve a required business outcome) to the entity, based on an agreed-upon schedule and budget. Additionally, a project is a temporary endeavor — having a defined beginning and end — undertaken to meet particular goals and objectives, usually to bring about beneficial change or added value.
The temporary nature of projects stands in contrast to ongoing operations — repetitive, permanent or semi-permanent functional work that produces products or services. Consequently, in practice, the management of these two systems is often quite different, and as such requires the development of distinct technical skills and the adoption of separate administration.
View Part I of the Governance and Managing IT Projects series here.
June 7, 2011 9:31 PM
Posted by: Robert Davis
Application Portfolio Management,
Infrastructure Portfolio Management,
IT Portfolio Management,
IT Project Governance,
Project Portfolio Management
Managerially, oversight of IT-enabled investment portfolio assets should be performed throughout their life cycle. Operationally, portfolio management takes a holistic view of an entity’s overall IT strategy, while sustaining a clear and active linkage between the entity’s strategy and the portfolio of IT-enabled investments. When properly deployed, IT portfolio management can therefore assist in gaining control of IT projects and deliver meaningful value to the entity’s lines of business.
The IT portfolio should be managed like a financial portfolio. Thus, riskier IT investments should be balanced with more conservative investments, and the mix constantly monitored to assess which projects are on track, which need remediation and which should be shut down. Often portfolio management involves establishing scorecards for projects, infrastructure, and applications to enable decisions on a measurable basis.
View Part I of the Governance and Managing IT Projects series here.
June 3, 2011 9:42 PM
Posted by: Robert Davis
Application Portfolio Management,
Infrastructure Portfolio Management,
IT Portfolio Management,
IT Project Governance,
Project Portfolio Management
Depending on the entity, accountability for defining IT project governance can reside within a single person or group. As with IT Governance and Information Security Governance, entity executives should provide quality leadership when defining and activating IT project governance. Whether a single person or a group, IT project governance leadership normally requires vision as well as a potent organizational structure to ensure an effective and efficient IT architecture.
In most situations, IT project governance responsibility and accountability can be enhanced through portfolio management. Theoretically, IT portfolio management encompasses at least three distinct, yet cross-dependent, concepts: project portfolio management, infrastructure portfolio management, and application portfolio management.
May 31, 2011 8:17 PM
Posted by: Robert Davis
Conduct Code,
Due Care,
Due Diligence,
Employment Practices,
Information Assets Protection,
Misappropriation of Assets,
Safeguarding Assurance
Technology is an enabler, not a solution, for deploying and executing a sound information assets protection (IAP) strategy. Responsibility for executing IAP should be shared across the entity, making all employees accountable as part of a well-defined and clearly articulated information security risk management program. Accordingly, the IAP risk assessment objective is to enable recommendations that maximize confidentiality, integrity, and availability protection while maintaining information functionality and usability. This objective addresses the major risk management elements; therefore, conveying the key objective to, and gaining its acceptance by, an entity’s employees can increase the probability of an adequate IAP risk management program.
View Part I of the Effective Employment Practices for Protecting IT series here.
May 27, 2011 9:33 PM
Posted by: Robert Davis
Conduct Code,
Due Care,
Due Diligence,
Employment Practices,
Information Assets Protection,
Misappropriation of Assets,
Safeguarding Assurance
Requiring employees to periodically confirm their safeguarding responsibilities will not only reinforce IT security policies, but may also deter individuals from committing illegal acts and identify problems before they become significant. Such confirmations should include statements that the individual understands the entity’s expectations, has complied with the conduct code, and is not aware of any conduct code violations other than those the individual lists in the response. Although individuals with low integrity and ethical values may not hesitate to sign a false confirmation, most people avoid written misrepresentations because such statements can be used as evidence in a proceeding that verifies the truth of their assertions; honest individuals, by contrast, are more likely to return an information security confirmation and disclose noncompliant behavior. As a result, confirmation response follow-up activities may reveal significant information assets protection issues.
View Part I of the Effective Employment Practices for Protecting IT series here.
May 24, 2011 7:49 PM
Posted by: Robert Davis
Conduct Code,
Due Care,
Due Diligence,
Employment Practices,
Information Assets Protection,
Misappropriation of Assets,
Safeguarding Assurance
Formal, documented, entity-centric job (position) descriptions that clearly convey duties, prohibitions, and reporting relationships should exist for each entity employee. Typically, position descriptions are prepared based on job analyses — systematic procedures for observing work and determining what tasks should be accomplished to achieve organizational goals. Position descriptions should define the technical knowledge, skills, and abilities required for successful performance in the relevant job and should be useful for hiring, promotion, and performance evaluation purposes. Furthermore, itemized duties should indicate the responsibilities assumed during emergency situations. An entity’s human resources department should be accountable for ensuring all organizational positions are reviewed for assignment sensitivity level relative to security requirements. Individually, an approved position description should match the employee’s assigned duties.
View Part I of the Effective Employment Practices for Protecting IT series here.
May 20, 2011 9:54 PM
Posted by: Robert Davis
Conduct Code,
Due Care,
Due Diligence,
Employment Practices,
Information Assets Protection,
Misappropriation of Assets,
Safeguarding Assurance
Stepwise, due care implies responsibility for an activity, whereas due diligence implies continuity of that activity. Often considered the ‘prudent person’ rule for professionals, discerning individuals exercise due care to ensure everything reasonably possible is done to help operate an entity using sound, legitimate and ethical practices. Consequently, prudent persons are diligent in exercising due care.
When professional due care and due diligence are applied to an entity’s human resources recruitment efforts, hiring practices should provide reasonable assurance that a potential employee’s competency, reliability, and integrity are aligned with the position’s responsibilities. Furthermore, at the activity level, an entity’s standard human resources practices should consistently demonstrate recruiting of the most qualified individuals, with emphasis on training background, prior work experience, past accomplishments, and evidence of integrity and ethical behavior.
View Part I of the Effective Employment Practices for Protecting IT series here.
May 17, 2011 9:18 PM
Posted by: Robert Davis
Conduct Code,
Due Care,
Due Diligence,
Employment Practices,
Information Assets Protection,
Misappropriation of Assets,
Safeguarding Assurance
Usually, it is easier to purchase an automated solution addressing IT control practices than to change an entity’s culture. Nevertheless, even the most secure system will not achieve a significant degree of protection if utilized by “ill-informed, untrained, careless or indifferent personnel.” Thus, all entity employees should be instructed in practicing due care and due diligence over information assets. Furthermore, a well-structured IT function, staffed with appropriately qualified individuals, forms the foundation for high-quality performance and is the basis for providing positive safeguarding assurance to interested parties.
View Part I of the Effective Employment Practices for Protecting IT series here.