Systems Objective Scorecard

During the course of managing an IT department, it is important for IT management to understand areas of risks. There are standard best practices that can be engaged to score your department/organization. Below I have added some as a starting point. These are by no way complete.


Management and Planning

Objective 1

The staff responsibilities to information systems environment are assigned to specialized personnel.

Deficiencies in this objective could lead to not knowing and/or too many responsibilities associated to information systems.


Objective 2

The strategies about information systems, development plans and budget are mapped according to the strategic goal and company business.

Deficiencies in this objective could lead to the design, purchase/construction, development and system operations not responding to the company and business needs.


Objective 3

The selection of a service provider is based on company policies.

Deficiencies in this objective could lead to unsuitable service and inaccurate generated information, vulnerable or lack of integrity.


Objective 4

The services levels given by the provider are consistent with the Management expectations.

Deficiencies in this objective could lead to unsuitable service and inaccurate generated information, vulnerable or lack of integrity.


Objective 5

Users receive correct formation in use and handling the information systems.

Deficiencies in this objective could lead the incorrect use of information assets, which could cause generated information, were inaccurate, vulnerable or lacks of integrity.


Physical and Logical Security

Objective 1

Tools and security techniques are implemented and set up with the purpose of assuring a correct logical techniques level, narrowing the access to the programs, data and other information sources only for authorized persons.

Deficiencies in this objective could lead to unauthorized access and possible exposure, theft, modification, damage or loss of information, due to absence of proper policies, the lack of implementation of these measures on information systems and ignorance on the part of users of safety standards.


Objective 2

Tools and security logical techniques are implemented to monitor and control actions on information systems.

Deficiencies in this objective could lead to lack of control made actions on information systems, with possible impact in information confidentially, integrity and availability.


Objective 3

Information systems are correctly protected against external attacks and/or malicious codes.

Deficiencies in this objective could lead to unauthorized access and possible exposure, theft, modification, damage or loss of information.


Objective 4

Tools and security are implemented to allow access to information systems only to authorized users.

Deficiencies in this objective could lead to unauthorized access and possible exposure, theft, modification, damage or loss of information, due to an incorrect access profiles management.


Objective 5

All information resources are fixed by a correct security control, access to critical areas are restricted to authorized personnel.

Deficiencies in this objective could lead to unauthorized access and possible exposure, theft, modification, damage or loss of information, as well as failures or incidences in information systems working and other disaster or extraordinary accidents.


Objective 6

All company information resources are identified and managed.

Deficiencies in this objective could lead the incorrect of fraudulent use of equipment and/or data they have, leading in a possible exposure, theft, modification, damage or loss of information.


Applications Development and Maintenance

Objective 1

Development or maintenance applications of projects are consistent with the management’s intention.

Deficiencies in this objective could lead to the design, purchase/construction and systems development not responsive to the end users’ needs.


Objective 2

Migration process of replaced old applications is carried out accurately and completely.

Deficiencies in this objective could negatively impact information integrity and validity.


Infrastructures Operations and Maintenance

Objective 1

Infrastructure development or maintenance projects (database software, networks, equipment) are in consistent with the management’s intentions.

Deficiencies in this objective could lead to changes not responsive to the users’ needs.


Objective 2

Technological infrastructure are correctly identified and supported.

Deficiencies in this objective could lead to the changes not responses to the users’ needs, as well as a possible loss of knowledge in information assets.


Objective 3

Information systems levels of service providers are consistent with the management’s expectations.

Deficiencies in this objective could lead to the information systems not working correctly, resulting in potential risk to the availability of the information.


Objective 4

In disaster case, every essential business processes are recoverable in a defined time.

Deficiencies in this objective could lead to the information integrity and availability, due to incomplete, inaccurate or no recoverable data.


Objective 5

The information is kept in accordance to company laws, regulations and politics, could be recoverable, in case.

Deficiencies in this objective could lead to the information integrity and availability, be incomplete, inaccurate or not recoverable data.

Struggles With The Cloud

A few years back we outsourced our server backups to a vendor’s private cloud. It made sense at the time and was cost efficient based on our current data growth. As time marched forward and business grew, so did our data growth. Adding more and more growth capacity to the cloud began to cost us more than if we were to perform our own backup internally via old fashion tape. Yes, I know what you are thinking; tape is archaic and a dying technology. Well it still works as expected in conjunction with our SAN/DR and we have full control.

As we began the process to move away from our cloud solution, we discovered we had a problem. The years of data that were backed up were irretrievable. The amount of data could not be downloaded over the internet without the connection failing and even if we were able to download we estimated two weeks of 24×7 downloads to try and retrieve our data. And the data will be in a jumble without rhyme or reason. What a dilemma! The vendor proved no help. As far as they were concerned if we wanted to move, it was up to us to get our data out. In essence our data was being held hostage.

Our plan (not ideal) was to keep our data in the cloud for the foreseeable future; no additional capacity will be purchased. As equipment begin to be decommissioned, the cloud backups will be deleted in accordance with our tape backup/data retention policies.  This will help us not have to download years and years of data.

Be cautious moving things into a cloud solution. Make sure you understand the risks involved not only in the short-term but also the long very long-term.

Key Performance Indicators

Every department needs to develop key performance indicators to measure performance. IT is no exception. In fact, it is probably more important for IT to have a set of KPIs to show overall performance in the business. This supports the mission of IT to add value to the organiztion. For my department I have been tracking the following KPIs. I have been tracking on a weekly basis to keep an eye on trends that may develop. Your organization may be different but I would recommend that you track with more frequency then less.

Financial Management:

  • Percent of IT cost vs. total revenue of the
  • Percent of keeping the lights on cost compared
    to the total IT cost
  • Dollars saved due to productivity improvement
  • Average seat/resource cost trending over (Month
    to Month)(Quarter on Quarter)(Year to Year)
  • Actual spend vs. budget (Month to Month)(Quarter
    on Quarter)(Year to Year)

Project Performance:

  • Percent of projects completed within schedule
    and budget
  • Percent of projects exceeded their original
    schedule and/or budget by xx % (we use 10%)
  • Percent of project time consumed by rework due
    to defect fixes and scope changes
  • Number of known defects released to production
  • Percent of projects initiated without an
    approved business case

Operations Management:

  • Business critical system/application uptime
  • Average turnaround time for fixing production
  • Number of production incidents by severity
  • Percent of service requests/tickets closed
    within the SLAs
  • Average time to resolution for service tickets
  • Business time lost due to unscheduled downtime

Information Security:

  • Number of security breaches/incidents in systems
    and infrastructure
  • Percent of systems/applications compliant to
    security policies/standards
  • Percent of security patches applied within

The above KPIs have been graphed in Excel using the raw data collected. Again I track on a weekly basis which make it easy to slice and dice the data when asked. We have now started the process of incorporating this information into a dashboard format. We are using a product from iDashboard to help convert this data. It is recommended that a developer be involved to write scripts to interpret this data. Taking raw Excel data and importing in iDashboards was not clean and required additional coding. The end result will be to see this information in a clean graphical format wit the push of a button.

Freshman CIO – Transformation in 365 Days

I have reached the end of my one year as a freshman CIO. Having been in IT, managing projects and IT departments for the past 12 years those 3 letters in my title carries the burden of either succeeding or failing miserably. In my case, the last year has been a success.

I was hired to guide my firm through strategic changes. Having the depth of knowledge of working in start-up environments and working through a few M&As, I was able to transform a weak department and set it on a path towards value. This was not easy. The department lacked confidence and direction. I came in with new ideas on how IT should be managed. My philosophy as a CIO is simple. “It’s all about people and processes. Technology is last.”

I had a Two-Phased Plan. I wanted IT to have transparency, accountability and accessibility, I restructured everything we do to align IT with those themes and to deliver a much more customer service-oriented solution.

Such an alignment calls for change, and you cannot make fundamental change without a strategic plan.

With a greater emphasis on IT management I initiated a portfolio-management process. Using my experience working in the financial sector where streamlined IT approaches are common I took each project and developed a cost/benefit analysis showing what the business will gain from these projects. This was a victory. For the first time, the business can see and measure tangible information that IT can and will deliver.

The second phase of the strategic plan was to build a road map for what IT will do over the next year.

Projects focused on strategic and operational initiatives. I had to rebuild my environment and the only way to move forward strategically was to have a stable and scalable operational environment.

In implementing this plan the pace of change was rapid. I set organizational processes, stopped doing some things, got better at others, and started new initiatives. At the end of the day I had to balance business needs with technology needs.

CIO Blogs for November 2010

CIO BlogsCreating a vision by Don Lewis

One CIO’s “lessons learned” in managing others by Peter Kretzman

Is Project Management a skill or a technique? by Eric D. Brown

Selfishness and The Paradox of Emotional Intelligence by Andy Blumenthal

MIS Analysis Fundametals

The last few weeks I have been developing a roadmap for the remainder of the year. I am addressing issues related to strengthening the operational aspects of MIS and overall positioning the department to be strategic. In my opinion, MIS cannot be strategic with operational issues happening in the background. The departmental focus will be dealing with “putting out fires” and being reactive instead of proactive.

My analysis focuses on specific core weaknesses and how to correct them in an efficient and cost effective manner. I talk about business benefit, operational efficiency improvement, etc. but try not to mention specific products because the bigger and ultimate goal is the benefit to the business and my recommendations just happens to be a tools to help achieve those results.

From my experience, when you bring technology into the discussion people loose sight of the business benefit which is what happens during the discussion with business leaders. An analysis should focused on the business benefits only. A thereby creating a want for the benefits the solutions will deliver.

An IT Steering Committee

Companies that have not emphasized IT in the business process suffer long-term issues where IT is not seen as a value driven department.

One way to overcome this fact it to create an IT Steering Committee. The purpose of this governing group is to look at strategic initiatives and align them with overall business direction.

It is important to comprise this group with business leaders that can help sell and obtain buy in from others in the organization. Without this support major initiatives are doomed to fail.

An example of a charter should be as follows:

Function of the Executive IT Steering Committee

This Charter establishes the Executive Information Technology Steering Committee as the group responsible for providing executive leadership in the development of standards, policies, and the prioritization of various initiatives.

The Executive IT Steering Committee will provide a stabilizing influence so organizational concepts and directions are established and maintained with a visionary global view. The Steering Committee provides direction on long-term strategies in support of the company’s mandates and business vision. Members of the Steering Committee ensure that the company’s Information Technology needs and objectives are being adequately addressed. In practice these responsibilities are carried out by performing the following functions:

  • Identify and develop strategic initiatives
  • Prioritization of initiatives
  • Monitor and review initiatives at regular Steering Committee meetings
  • Develop and review standards and policies
  • Update standards and policies as emergent issues force changes to be considered, ensuring alignment with the Committee Charter as well as the objectives of the company
  • Quality of deliverables
  • Help to get buy-in across the organization
  • Act as a sounding board

IT Steering Committee Membership

The membership of the Steering Committee was designed in order to provide representation across the organization, and to include managers of both Operational (“line”) and Support (“staff”) functions. 

10 Skills Every CIO Should Know How To Do

What skills does a CIO need to have to be able to be considered well rounded? Here’s my lineup of essential skills. Did I leave anything out? Let me know?

  1. How to manage information
  2. How to reboot a server
  3. How to communicate in plain speak
  4. How to manage their staff
  5. How to negotiate with vendors
  6. How to manage a budget
  7. How to manage a project
  8. How to ask for help
  9. How to fight a battle
  10. How to network

Blogs for October 2009

A CIO's VoiceHere are some blog postings that I found interesting this month:

Managing Tough Times in 2009 – Grinding it out by Lui Sieh

Risk in IT by Mark Brewer

Conventional wisdom that fails for IT by Peter Kretzman

Good Service vs. Bad Service–A Lesson for IT by Don Lewis

Poisonous Snakes, Sharp Knives, And Angry Natives – How Much Risk Can You Handle? by Jim Anderson

Blogs for September 2009

A CIO's VoiceHere are some blog posting that I found interesting this month:

Cultural challenges and challenging cultures by A Pai Mei Guy

e-Skills: Beyond Buzzword Bingo by Ade McCormack

I am not Google – an email rant by Will Weider

4 CIO Priorities for 2010 (slideshow) by Chris Curran

When are you “ready”? by Don Lewis

Agility and The New CIO by Eric Brown

Avoiding The IT Death Spiral by Mike Schaffner

How to become a CIO by Oh I See (CIO inverted)

Characteristics of Innovative Organizations, Pt. 3 of 3 by SSP BPI Group

The Three Cs Of IT Failures by John Moore

Blogs for August 2009

Here are some blogs that I found interesting this month:

IT Management and Culture (in an Asian context) by Lui Sieh on A Bottom’s Up View From a Pai Mei (白眉) Guy

e-Skills: IT Recruitment needs to change by Ade McCormack on IT Beacon Blog

The CIO Role: One of Influence or Control? by Chris Curran on CIO Dashboard

Thoughts on technology, industry, and regulation by  Don Lewis on Strategic Intersect Blog

Project Success and Failure and The New CIO by Eric D. Brown on Eric D. Brown Technology, Strategy, People & Projects

Strategic or Operational CIO ! Making Choices on Oh I See (CIO Inverted)

Characteristics of Innovative Organizations, part 2 of 3. on SSP BPI Group

Passion Or Vocation? by Chuck Musciano on The Effective CIO

Strategic Value of the CIO

Chief Executive Officer. Chief Operating Officer. Chief Financial Officer. Chief Information Officer? Information? I have always questioned that word (information) in the title. How does one manage information? Information is something you use and generally speaking, cannot be managed. And here lies the problem with the title. What is the strategic value of the position of CIO? If the role of CIO is to have executive ownership of information, doesn’t this role come into direct conflict with the roles of  COO and CFO?

Will a CFO handover control of financial information to get it from the CIO? Or will the COO give up operational data to get it from the CIO? I don’t think so! Every C-level executive with executive responsibility demands ownership control of the information supporting them and will use this information accordingly to make appropriate business decisions. This is the fundamental problem of where in the executive structure does the CIO fit? What strategic value can the CIO bring in the boardroom?

So then what is the real strategic value of the position of CIO? If the position cannot have oversight of all information then what is the role of the CIO. The answer is “integration”.

As Chief “Integration” Officer, the CIO’s role can focus on integrating and improving process and workflow. It is only by linking different systems to streamline business process workflow and by assuming responsibility for identifying and removing bottlenecks in the chain can the function of the CIO provide real strategic value to overall business operations. The CIO now becomes the primary integrator across the firm.

The role of CIO must move away from being just the head tech guy to having a more strategic role in a company’s operations. It is only by having a more strategic role can the position of CIO provide real value.