Twenty Questions for 2012 IT Strategy Documents
By Dan Hadaway | Friday, January 13, 2012
Though I agree this article would have been better published in, let’s say November 2011, it wasn’t until this month that I started getting several calls from Clients asking me to review their 2012 Information Technology Strategy. So I decided that maybe everybody could benefit from what I would ask myself had you asked me to review your strategy.
- Authorization: Does the document express the policy which requires the creation of the strategy and tactical plans?
- Multidisciplinary: Does the document leave a paper trail demonstrating that a multidisciplinary approach was taken to creating the document?
- Strategy then Tactics: Does the documented strategy separate strategy (objectives, benchmarks, approaches) from tactics (plans, lists of expected achievements)? Does it have a high-level strategy that aligns with the bank’s business strategy that is then further articulated via a set of tactical plans?
- Flexibility: Are the strategic objectives written so that tactics can be flexible? Does language hedge so that an auditor won’t be able to hammer you for not achieving deadlines on time? Does language make clear that the further “out” in the plan we go, the less confident we are in the objectives we define? See “deadlines and benchmarks” below.
- Prioritization: Does the document identify high priority versus moderate or low priority? Do the deadlines expressed consider priority? Do we differentiate between urgent and important? Are prerequisites addressed?
- Board Approval: Has an executive summary of the strategy document been presented to the board? Who presented it? Was it formally approved?
- Ownership: Does the document identify ownership not only of the overall strategy but also of each tactical plan that is born from the strategy?
- Deadlines and Benchmarks: Does the document express specific deadlines? This practice does not have to clash with “keeping tactics flexible.” Deadlines can be expressed as “first quarter, second quarter, this year, second year, third year” and surrounding language could include “assuming all prerequisites are met.” Just be careful how you word your deadlines. Meanwhile, do tactics span three years? Identify what you MUST achieve this year, and everything else should be for the second and third year of the plan.
- Budget: Does the tactical plan articulate budgets, or at least speak to the financial resources required for implementation? This could be in the form of “further investigation is necessary but for now we are budgeting an allowance of $xx,xxx for this tactic.” Is there a grand total for the year? For all three years?
- Business Strategy: Does the IT Strategy align with the bank’s business strategy? To be clear, does the strategy document reflect the business strategy of the bank? One way to answer this is, does it even refer to the business strategy of the bank? If you can tell what the bank’s business strategy is by reading the IT strategy, then alignment has probably occurred.
- IT Governance: Do tactics address: Awareness, Access Management, Asset Management, Branchless Banking, Business Continuity, Incident Response, Risk Management, and Vendor Management?
- Risk Management: Do the tactical plans reflect and incorporate risk remediation strategies? Does it express major concerns from audit, examination, and risk assessment findings? Does it incorporate the results of drill-down risk assessments?
- Confirmation of 2011 Strategy/Tactics: Does the document express the work left from previous plans, either to finish projects or to confirm that previous tactics have worked?
- Compliance: Do the tactical plans incorporate upcoming compliance concerns (if any)?
- Infrastructure Improvements: Do tactical plans include all planned infrastructure improvements?
- New Technologies: Does the strategy speak to the adoption of new technologies (both proprietary and generic)? Do tactics list the new technologies that will be investigated?
- New Products, Services: Does the strategy speak to the support of new products and/or services? We auditors can tell by looking at your strategy whether or not your policy (assuming you have one) requiring management to involve IT in new products and services is being enforced.
- New Process, Projects: Does the strategy speak to the support of new processes or upcoming projects?
- Supplement: Does the document address compliance with the June 2011 Supplement to the 2005 Authentication Guidance? Does it call for an authentication risk assessment, deployment of new authentication controls, vendor investigation, and deployment of detection and response on high-risk transactions?
- New Technologies: Does the document address the bank’s posture regarding the adoption of mobile banking? Social media? Virtualization? Remote Access? Remote Deposit?
Dan Hadaway CRISC, CISA, CISM
Founder and President, Infotex
“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”