Ownership of IT documents / framework

We are restructuring the ownership of documents with new staff/teams being formed.

We currently have IT Applications teams (who run IT Quality Management & still running it), IT Security Governance
(new team), IT Infra Ops.

In general practice (or commonly adopted out there), which team or person owns the 4 documents below:
1. IT Application Delivery Framework: applications PM, IT Security governance, IT Quality Management, or ?
2. Vendor & Contract Management Framework: applications team, IT Security governance, IT Procurement or ?
   (a mix of IT applications, infra, security vendors but most of the vendors are applications vendors)
3. Project Management Methodology: applications PM, IT Quality Management, IT Security governance or ?
4. DR Plan: We don't have a DR team; so have to choose between IT Ops, applications team, IT Security governance or ?

Any authoritative references (eg: NIST, big four consulting firms papers) will be helpful.

sunhuxAuthor Commented:
IT Risk Management team/function falls into a grey area.

Part of this depends on the exact roles of the Security and Quality teams. But also, there isn't a universally right answer to your question (every organization does things differently). But this is how I would go about it (and I am sure a number of companies would do the same)...

1) Apps
2) Procurement
3) If there is a project management function, I would put it there. None of the 3 groups you mentioned that currently exist really makes sense for this, unless this went under IT without being in any of those 3 functions. A number of places have a Project Management Office that would manage this.
4) I would go with Security here. Some places would place this in infrastructure.
sunhuxAuthor Commented:
Thanks, any authoritative references to back up the suggestions?

btanExec ConsultantCommented:
There will be many stakeholders involved, but they don't necessarily have to be the owner of the document, and I agree with the expert that it can be subjective. Rather, be objective and seek consensus on the outcome for baseline compliance. Minimally, you can consider the RACI matrix approach.

1. IT Application Delivery Framework:
Accountable - Process Owner (IT Governance),
Consultative - IT lead (IT Solution Architect),
Responsible - PM (project team),
Informational - CXO (management)

2. Vendor & Contract Management Framework:
Accountable - Process Owner (Procurement Governance),
Consultative - Procurement (IT service delivery SME, Finance & HR Department),
Responsible - PM (project team),
Informational - CXO (management)

3. Project Management Methodology: PM (Project)
Accountable - Process Owner (Project Governance),
Consultative - IT Department (IT security, IT Development, IT Ops development & sustenance),
Responsible - PM (project team),
Informational - CXO (management)

4. DR Plan: We don't have a DR team; so have to choose between IT Ops, applications team, IT Security governance or ?
Similar to (2) as Resiliency would be part of the application development consideration.

5. IT Risk Management team/function falls into a grey area.
This is normally subsumed under IT Governance, but it can be a standalone unit. Project and ICT risk need to be considered. In fact, this team would be advising the approving authority's residual risk acceptance in the methodology. That is a critical requirement to standardise the risk assessment conducted by every project team.

One reference worth going deeper into for the actual roles is from ITIL - https://wiki.en.it-processmaps.com/index.php/ITIL_Roles (you can map the roles helmed by the various teams)

Other Reference (paper) - https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6248659
Gerald ConnollyCommented:
4. DR Plan - This should be part of the Business continuance plan for the IT dept, and that should be part of the business continuance plan for the whole company
btanExec ConsultantCommented:
To clarify my point 4, I meant item 1, in which the IT team (infra) should be fronting the advisory to the project team, as they helm the common infrastructure that includes enterprise backup.

sunhuxAuthor Commented:
Thanks very much guys.

For 2. Vendor & Contract Management Framework, it involves Contract Management, Vendor Management, Waiver (ie waiver of competition or 3 quotations etc), so I reckon it's more for IT Procurement (we do have an IT Procurement team, though the 2 procurement manager & officer are not 'too' literate in IT products: they learn along the way).

There could be 'pushing' around of the ownership of the docs: guess could use the RACI to support.
sunhuxAuthor Commented:
For "4. DR Plan", agree it's owned by IT Dept, just that between the various teams in IT (IT apps, IT Ops, IT Security), I've seen in 2 banks and a defense project that it's owned by IT Ops and the DR drills are organized by IT Ops.

In a large local Healthcare, each apps team is responsible for running & drafting their individual DR as they have a myriad of apps, thus the DR plans are run individually per application system.
btanExec ConsultantCommented:
Ultimately, with the access matrix and RACI chart, these serve as the baseline on the roles and involvement. It is inevitable that there are gray areas, as relationships and involvement are dynamic in nature.

Agile development and DevSecOps are the next charter, in which the line of responsibility needs to be clear but close collaboration is important for the process and development to work out seamlessly.
Gerald ConnollyCommented:
Each app team owning their own DR plan seems like a recipe for a disaster to me!
IT Ops needs to own and execute; the app teams can certainly contribute, though.