Following is a process to evaluate an IT department. Similar to project management, I find that many organizations fail at some of the basics.
- Hardware
  - Inventory all hardware, particularly servers and their purpose (many companies don’t know what they own)
- Software
  - Inventory all software and its purpose (look for “shadow apps” – apps that people have installed locally without IT’s knowledge – these pose a greater security threat because they are unmanaged and unpatched)
- Network
  - Document the network architecture (vulnerabilities are easier to spot when the architecture is documented)
- Information Security
  - Review the status of routers, firewalls, firmware updates, anti-virus software and other equipment designed for security (companies struggle to keep up with the latest versions of security devices and software)
  - Hire an outside company to evaluate (hack) you and determine your vulnerabilities
- Projects
  - Document the purpose and status of every project (the status of projects is likely to be worse than commonly believed)
  - Align projects to strategy (some won’t align to your strategy and should be terminated)
  - Evaluate the business value of each project
- Help Desk
  - Review help desk statistics (software is better and people are smarter – help desk requests should be trending downwards)
- Disaster Recovery
  - Review the results of the latest DR test (many companies fall behind on DR testing and fail to make changes based on the results)
  - Review the restore process (the business is frequently unaware of how long it will take to restore certain operations in a disaster)
- Organization
  - Review the org structure and the people in leadership roles
- Processes
  - Evaluate common processes for effectiveness (PM processes, security, backups, help desk, etc.)
- Process Improvement
  - Review the regular status reports used to measure and manage IT (ensure IT is measuring things that are important – not just things that are easy to measure)