For example, when I am asked to consult on IT, I generally review the following areas and provide an assessment with high-level recommendations:
- Review Gaps/Risk Exposure for the company based on technology
- Provide a high-level look at needs of the IT structure for short and long term
- Understand the value proposition and effectiveness of the current hosting environment provided by the current provider
- Look at current hardware, software and policies to ensure they meet the business needs
- Provide a high-level recommendation of where the company can invest in the future
- Provide a high-level recommendation of the future direction of IT and business connection
- Review internal policies and processes regarding business requirements for effective use of the IT structure defined above.
As with any assessment, there will be areas where the lines between IT and the business become blurred and, in some cases, where the answers or recommendations depend on both. Each recommendation will include at least one, if not two, alternatives that the company may use if it wishes. The recommendations will be as objective and transparent as this short-duration investigation allows.
All the recommendations will be based on publicly available industry information found on the web or in other venues, because the consultant has not been given, and has not taken on, any authority to review, negotiate or investigate any specific technology in depth. Where possible, actionable steps will be provided with enough guidance that someone within the company can execute them, given the authority, responsibility and funding necessary to complete them.
It should be noted that a breach or improper use of data within the company will probably be a result of internal issues, not external ones. External intrusion is always a factor, but companies often spend thousands of dollars on protection here, only to lose more through internal lapses. Internal areas that require attention are:
- Lack of regular training
- Lack of sensible disciplines
- Culture of disrespect for data
- Lack of enforcement of internal policies
Everything discussed here is shaped by the view that internal issues are primary.
Some tasks and solutions will already have been started as part of discussions before any document is completed; that is evidence of the company's desire to do the right thing and move ahead quickly.