Author: Mag Eric Kaltman, Senior Consultant TEMA
IT in SMEs are usually characterized by the fact that she is headed in Union function with other areas that are no in-house IT department, and that IT services from local small suppliers be purchased. The degree of standardization of hardware and software is generally low, the focus is on "permanent" and "management by incident". Service levels are not defined, budgeting and reporting of IT costs are often not present, the IT spending low anyway. In one way or another department, an employee also sits with a special affinity for IT, which - performs Access databases etc. - often in unpaid time - in the programming of MS.
This is actually ok so (!!!) , because obviously IT-structure and control are priorities between SMEs and large companies differ widely. Nevertheless, it is the "ok" only with the following exception: If
- known IT is busy bringing the deal / and whether the allocated funds are targeted?
- Does the company how much money it spends on IT and how IT procurement processes are initiated and carried out?
- employees, the company occasionally to existing IT opportunities and risks, and it meets the criteria in terms of a "license to operate" (Some applications licensed by the manufacturer maintained software - prior versions, the Data Protection Act, Civil Code, AGB, protection? unauthorized access to data, etc.)
process model
1) defining a clear objective of control measures:
Although the motivation for the improvement of IT management between small and large companies need not differ by force, can be seen but the trend that issues such as security, compliance, integrity only because of the specialization of the know-how, especially in Large companies play a role, even in the narrow sense compliance is demanded mainly limited liability companies (Basel II, Solvency, etc ...). The IT operations - especially the availability of systems and customized service levels - in fact generally "top priority", but also a thousand or more users, far more important than in small teams, often with practical workarounds.
The objective of IT governance in SMEs is proved to have the appropriated funds, the operational control of the cash flow and optimize related processes.
For the derivation of our example the following object was accepted
- Ensure that compliance with the business interests of continuous IT costs (both internal and external) is operated and the money is spent "targeted"
- It is the operating cash flow for IT - especially the procurement of hardware and software - to be regulated by appropriate measures
- As a logical consequence: IT spending should be budgeted and a current value comparison must comply.
2) identification of the IT-business processes:
literature and industrial practice indicate a range of IT governance models, which simply put all the aim to align IT with the company's strategy to minimize IT risk and to create means of suitable process models, a structural foundation for IT management. Examples include: ITIL, COBIT, MOF, ISO27001 (BS7799), etc. In particular, COBIT (Control Objectives for Information Technology) provides a very comprehensive framework that business needs and IT processes (as well as required resources) in a manageable and easily understandable context does (see, matrix). These models show their strength, especially in large companies or corporate organizations.
Nevertheless, such models are also for SMEs, at least at a point on benefit: assist you in selecting the most important or relevant control objectives and allocation of IT processes, such as, among others, matrix (Figure 1) are shown.
addition to the selection of the relevant processes and their priorities for the purpose ("red" Markers in the Priority column of the table include identifying high priority), is also on the actual situation in each company, reference and opposed the action of priority. A process can therefore have no reason to act in spite of high importance when it is precisely regulated from the perspective of IT management's okay. In our example, this applies as for the change management - ie the dispatching and implementation of requirements and their implementation - close.
A look at the "map" of the red marks in the table makes clear above all, how focused and slim one can proceed in the expression of an appropriate IT governance model for SMEs. A step of "Hobbyismus" to the well-dosed professional IT management is enforceable with little effort.
After identifying the processes, so the next step is the identification of necessary procedures or reference documents (point 3).
Figure 1: Matrix processes / business requirements
3) definition of prozesskorrelativen measures:
is the continuation of Example 3 subject areas as the focus areas for the control model:
a.) to ensure the targeted use of funds
- create an annual IT issues memory to define the coordination with the GF IT topics
- definition and design of a standard procedure for the preparation, approval, monitoring and dispatching and sharing of issues as a project
- Create a SOP IT procurement
- Create the following reference documents:
- hardware / software catalog
- roles and job types (including the description of IT equipment per job type)
- ; sharing rules for order processing (Depending on orders)
- definition of mandatory and preferred suppliers to the more "material type" / service
- Implementing an IT budget with periodic target-performance comparison.
0 comments:
Post a Comment