Maturity Assessment of IT Environment

recently, i was roped into an exercise to ‘develop a maturity assessment framework for an enterprise IT landscape’.

the objective of this exercise is to develop a framework that can be used to gauge the maturity of the IT environment of any enterprise and to define the ideal “end” goal/state to be reached over a period of ‘x’ years. the enterprise IT teams can also use it to drive budget allocation for their IT projects, enabling them to move ahead on the maturity curve.

the scope of the exercise includes developing an assessment framework comprising the following areas:-

  1. IT processes
  2. IT operations
  3. Shared services for IT/Cross Functional Services
  4. Technology Towers:-
  • Unix
  • Wintel
  • Mainframes
  • Storage
  • Networks

after looking at the charter & scope of this exercise and having engaged in initial discussions with the other team members involved in it, i have formed my own opinion on the possibility of developing a framework that will be acceptable to the customer IT management and business heads, especially as a basis for allocating IT budgets.

in the next few posts, i will post my thoughts and opinion on this subject.

IT Outsourcing & Security Issues

the recent news on the World Bank and the leading Indian outsourcing firm Satyam made headlines a few days ago.

it was reported in the media that Satyam had been banned from all offshoring work following a so-called “security breach” in the World Bank IT systems, which were being managed by Satyam under a total outsourcing contract between the two.

when i read the news articles and the media hype over the security risks involved in outsourcing, there were a couple of points that stood out and probably need serious thought. i admit, though, that i am looking at this topic purely from a service provider's point of view.

broadly, there are two types of security risks when it comes to outsourcing.

1. the state of security and the associated risks in the service provider's IT environment – usually these are discussed in detail and evaluated during the rfp stage. a good number of articles have also been written on assessing service providers' security policies and controls before and during the term of the contract. a service provider is usually asked to provide proof of the state of its information security, answer certain specific questions in the rfp and, in some cases, provide sas 70 type I & type II reports.

2. the state of security and the associated risks in the enterprise IT environment now being outsourced to the service provider – this is a topic relatively overlooked by many of the enterprises who have entered or are entering an outsourcing agreement with an IT services provider. in the context of both discrete and total outsourcing, this requires an in-depth understanding of the inherited environment and joint development of a strategy with the service provider.

in many cases, by entering into a discrete or total outsourcing engagement with the service provider, the enterprise tends to forgo its responsibility for maintaining and tracking the risk in its IT environment (even though it is now outsourced), and is neither invited to nor does it participate in assessing the risk and in formulating and implementing a suitable risk treatment plan.

with reference to point (2) above, i would like to highlight a few points which, in my opinion, require attention during the contract and legal discussion stages:-

  1. in almost all outsourcing contracts, the service provider takes over the customer IT environment on an as-is basis, and hence the risk due to any security (technology / process) shortcoming also gets transferred to the service provider. in most contracts the ownership of and accountability for this risk is not clearly stated.
  2. there are not many engagements where a risk profiling of the enterprise is carried out by the service provider prior to the beginning of the outsourcing engagement; as a result there is usually no coherent strategy to address the risk that the service provider inherits in an outsourcing engagement.
  3. many a time an enterprise may not have invested in an adequate set of controls (both technical and procedural), which may result in a high risk exposure for the enterprise. depending upon the level of maturity of the enterprise security organization and its practices, management may or may not be aware of this exposure.
  4. even though the risk of not having the necessary controls might have been acceptable to the customer when operations were in-house, it suddenly appears unacceptable if there is an incident post off-shoring. again, in my opinion, this needs a clear mention in the contract/legal document.
  5. even when additional controls to reduce the risk are recommended, the recommendations are usually side-lined either by the customer or by the sales teams due to cost implications. however, the ownership of accepting the residual risk is not clearly defined and remains a vague area. this should, in my opinion, also be addressed in the contract document.

the most important fact remains that:-

there is no guarantee that a security breach will not take place, either due to technology failure or personnel misadventure. even without outsourcing, we have seen breaches being reported.

hence a clause which indemnifies the service provider against breaches due to technology failure or to the absence of a control not stated in the RFP as a mandatory requirement needs to be incorporated in the contract/legal documents.

or

there needs to be a stage in the outsourcing project plan where the service provider assesses the information security related risks in the customer’s IT environment that it is going to manage, and then jointly develops a risk treatment plan with the customer to ensure the risk is kept at a level acceptable to both organizations.

Cross Functional Services – 3

so, what are the possible IT & enterprise functions that span or can span across multiple technologies and IT functions?

some of the topics that come to my mind are those which are governance and oversight oriented, plus some non-core IT functions like:-

  • overall IT governance for sure
  • IT process management
  • IT operational oversight
  • IT architecture
  • IT strategy
  • information security
  • regulatory & compliance
  • bcp/dr

depending on how the enterprise support functions are aligned in an enterprise, some of the following also get included in the cfs:-

  • vendor management
  • program management
  • procurement
  • hr
  • financial management

Cross Functional Services – 2

..continued from cfs post -1

Role of Enterprise Support Functions

other than IT-specific tasks, there is also a set of enterprise support functions that provide support to the IT organization within an enterprise, and the nature of that support is independent of the IT functional areas (infrastructure and applications).

an example of the role some of the enterprise support functions play in the cfs domain is shown in figure cfs-1.

Cross Functional Services – 1

cfs, cross functional services, cross tower services.. different names, but ideally all referring to a set of services to be performed across all the IT functions or towers (depending on how IT is referred to) in an organization.

even though the concept is not new, lately these terms have found their way into the rfp’s and rfi’s of enterprises who are looking to outsource and/or offshore some or all components of their IT functions.

so what is cfs? (in these posts i will use cfs to refer to the topic, as it is shorter and i save energy in typing it 😉 and it sounds better than cross tower services or cts..ha!)

broadly speaking, IT can be categorized into two main functions – IT infrastructure and IT applications. there is a set of activities that needs to be performed within each of these functions independently of the other. however, there is also a set of activities that needs to be performed uniformly across these two functions using the same set of principles.

for example – governance. the principles to govern IT as a single entity are independent of both the applications and the infrastructure functions.

another example i can think of is – compliance. even though both the applications and the infrastructure functions will have their own set of activities and nuances to demonstrate regulatory and compliance adherence, there will be only one set of defined common principles and IT objectives that will guide and drive those specific activities within each of the functions.

…more in cfs post – 2

Cross Functional Services

CFS..or..Cross Functional Services..or.. Cross Tower Services..

in the past few months, a lot of the cases that i have handled have had a section called cross functional services or cross tower services.

in the posts related to this topic, i will try to pen down my thoughts about CFS and how, in my opinion, a service provider can gear up to handle these services on behalf of their customers.

the term cfs traditionally refers to the setting up of a team of personnel from different departments of an enterprise for new ideas/initiatives etc. hence, in my opinion, the use of cfs is a misnomer when it is used in the context of the rfp’s/rfi’s that i have encountered in the recent past.

so what does cfs represent when used in the context of IT?..more in the next few posts on the subject (yawn!)…