The IT Review Process – Part 1

by on 03/09/2009

This article is the first in a series providing best-practice guidance for an effective IT review and covers the first three of the ten topics: IT environment, IT security and Business Continuity Planning (BCP). Subsequent articles will cover the following topics: backup, IT support, environmental policy, projects, budget, strategy and IT management.

Part 2 of this series of articles can be found here and part 3 here.

A regular review of a company’s IT environment ensures maximum value for its IT expenditure and minimises the risk of IT failure. It highlights risks and inefficiencies in the current setup and details potential savings, including those brought about by deploying new systems or technology.

FITM specialises in all aspects of the IT review process and provides an independent, cost-effective and thorough review, report and recommendations.  Please contact FITM for further information.

IT Review Justification

Having a regular independent review of your IT environment is an excellent way to ensure that you are achieving the best value from your IT investment, that you are not exposing yourself to IT risks which you are not aware of and that you are taking advantage of advances in technology.

Although nothing can guarantee that you won’t suffer from IT issues, having an annual review is a cost-effective way to minimise this risk and to be able to prove due diligence should anything go wrong.

An IT review will frequently result in cost savings.  It will show how to reduce system down-time, improve the performance of third-parties and highlight areas where the same or better services can be purchased at a lower cost.

Ten topics form the basis for a complete IT review.  These are IT environment, IT security, BCP, backup, IT support, environmental policy, projects, budget, strategy and IT management.  The first three of these topics are covered in this article, with the remainder being discussed in subsequent articles.

These ten topics form a complete and comprehensive view of a company’s current IT provision to stakeholders including the board of directors and other business heads.  In order to carry out an effective and worthwhile review, these topics require a wide range of IT knowledge and experience.

IT Review Topics

Topic 1: IT Environment

A company’s IT environment is critical to the speed and resilience of their IT systems.  A review should cover all aspects of the environment including:

  • network infrastructure – server hardware and software, power supplies, cabling, comms room etc.
  • desktop – desktop hardware and software, printers, scanners etc.
  • telecoms – telephone system and handsets, mobile phones, PDAs, providers and tariffs
  • business applications
  • data providers and feeds

The review should analyse what currently exists, its age, recent performance and maintenance and support arrangements.  The review should also consider the environment as a whole to identify single points of failure as well as redundancy.  Conclusions can then be drawn about the stability of the environment and recommendations made as to cost savings and improvements.

Thorough documentation of the IT environment is a key factor in providing effective support and understanding potential issues. A thorough IT review analyses all aspects of the environment and also highlights any differences from, or omissions in, the documentation.

The review should also evaluate a company’s environmental and green credentials.  Risk reduction, cost saving and environmental policy often go hand in hand.  For example, new technologies such as virtualisation and cloud computing can reduce a company’s exposure to single points of failure as well as save money and help to reduce environmental impact.

The IT review should provide an overview of all aspects of a company’s IT environment, highlighting potential risks and issues. It should make a series of recommendations for reducing these risks as well as for saving costs and improving support.

Topic 2: IT Security

Security is critical in today’s business environment. A company’s data represents a tangible asset which it should guard in the same way that the company guards its physical environment. Loss of equipment or intrusion into a company’s website or networks can cause direct financial loss, affect a company’s reputation and limit its ability to do business.

However, it is important to note that security is not simply an IT issue.  In reality, most breaches of security are caused by social engineering, the act of manipulating people into performing actions or divulging confidential information, and not by failures in IT systems.

The first step to effective security is to create a security policy which is fully endorsed by senior management and agreed to by every member of staff.  This policy should explain why security is so important, and give clear guidelines on what employees should and should not do.  One section of this document should detail IT security guidelines, for example how to use the Internet and email, precautions for use of mobile equipment, passwords, installation of software etc.

The IT review process should review the IT section of the security policy, if one exists, to check that it is up to date and complete.  It should also review system security measures, such as firewalls and encryption, as well as checking that there are procedures in place to update anti-virus programs, operating systems and other security devices to the latest versions.

The IT review should comment on the current status of IT security within an organisation as well as giving recommendations as to where that security is found to be lacking.

Topic 3: BCP

Business Continuity Planning (BCP) or Disaster Recovery (DR) planning is sometimes seen as a costly, complicated and unnecessary process. However, when implemented pragmatically, BCP can provide a low-cost solution should a company suffer a disaster, and the process of analysing requirements and priorities is often very helpful to understanding how a business is operating.

IT is only one part of a BCP plan. In many ways, it is the easiest part to understand, and what companies often neglect are the non-IT elements of the plan. For example, if your company suffers a disaster, will you have access to the contact details for all the people you need to contact immediately? Where are all the passwords used throughout your organisation kept? Do you have stocks of printed stationery kept offsite?

An IT BCP plan should detail the priority of the various systems a company uses.  In the case of a disaster, systems should be restored in priority order, with system availability agreed by the business.  The plan should then have detailed technical instructions that can be followed by someone other than the author should the need arise.

A critical element of a BCP plan is testing.  Compiling a plan is a useful exercise, but only regular testing can ensure that the plan is complete and up to date.  Testing should occur at least once a year and should involve both the business and IT.

The IT review should look at the current IT BCP plan and review whether it is up to date and complete.  It should also review the thoroughness of testing and make recommendations for achieving an effective BCP process at acceptable and pragmatic cost.

FITM’s IT Review Process

FITM specialises in all aspects of the IT review process as described in this series of articles.  FITM’s consultants are experienced in all aspects of IT Management and have partner arrangements in place to provide specialised technical knowledge if required.

FITM talks to your internal IT staff or support company as well as independently reviewing all aspects of your IT. From this, FITM produces a report which summarises findings and makes recommendations to reduce costs and improve performance and resilience. This report provides a non-technical overview of a company’s IT, which is a useful input to board-level discussions about expenditure, risk, budgets and projects.
