Ownership of IT documents / framework

sunhux
We are restructuring the ownership of documents with new staff/teams being formed.

We currently have IT Applications teams (who run IT Quality Management and are still running it), IT Security Governance (a new team), and IT Infra Ops.

In general practice (or as commonly adopted out there), which team or person owns the 4 documents below?
1. IT Application Delivery Framework: applications PM, IT Security Governance, IT Quality Management, or ?
2. Vendor & Contract Management Framework: applications team, IT Security Governance, IT Procurement, or ?
     (a mix of IT applications, infra and security vendors, but most of the vendors are applications vendors)
3. Project Management Methodology: applications PM, IT Quality Management, IT Security Governance, or ?
4. DR Plan: We don't have a DR team, so we have to choose between IT Ops, applications team, IT Security Governance, or ?

Any authoritative references (e.g. NIST, big four consulting firms' papers) will be helpful.

Author

Commented:
IT Risk Management team/function falls into a grey area.
Distinguished Expert 2018
Commented:
Part of this depends on the exact roles of the Security and Quality teams. Also, there isn't a universally right answer to your question (every organization does things differently). But this is how I would go about it (and I am sure a number of companies would do the same)...

1) Apps
2) Procurement
3) If there is a project management function, I would put it there. None of the 3 groups you mentioned that currently exist really makes sense for this, unless this went under IT without being in any of those 3 functions. A number of places have a Project Management Office that would manage this.
4) I would go with Security here. Some places would place this in infrastructure.

Author

Commented:
Thanks, any authoritative references to back up the suggestions?

btan, Exec Consultant
Distinguished Expert 2018
Commented:
There will be many stakeholders involved, but they don't necessarily have to be the owner of the document, and I agree with the expert that it can be subjective. Rather, be objective and seek consensus on the outcome for baseline compliance. Minimally, you can consider the RACI matrix approach.

1. IT Application Delivery Framework:
Accountable - Process Owner (IT Governance),
Consultative - IT lead (IT Solution Architect),
Responsible - PM (project team),
Informational - CXO (management)

2. Vendor & Contract Management Framework:
Accountable - Process Owner (Procurement Governance),
Consultative - Procurement (IT service delivery SME, Finance & HR Department),
Responsible - PM (project team),
Informational - CXO (management)

3. Project Management Methodology: PM (Project)
Accountable - Process Owner (Project Governance),
Consultative - IT Department (IT security, IT Development, IT Ops development & sustenance),
Responsible - PM (project team),
Informational - CXO (management)

4. DR Plan: We don't have a DR team, so we have to choose between IT Ops, applications team, IT Security Governance, or ?
Similar to (2), as Resiliency would be part of the application development consideration.

5. IT Risk Management team/function falls into a grey area.
This is normally subsumed under IT Governance, but it can be a standalone unit. Project and ICT risk need to be considered. In fact, this team would be advising the approving authority's residual risk acceptance in the methodology. That is a critical requirement to standardise risk assessment conducted by every project team.

One reference worth going deeper into for the actual roles is from ITIL - https://wiki.en.it-processmaps.com/index.php/ITIL_Roles (you can map the roles helmed by the various teams).

Other reference (paper) - https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6248659
4. DR Plan - This should be part of the business continuance plan for the IT dept, and that should be part of the business continuance plan for the whole company.
Exec Consultant
Distinguished Expert 2018
Commented:
To clarify my point 4, I meant item 1: the IT team (infra) should be fronting the advisory to the project team, as they helm the common infrastructure that includes enterprise backup.

Author

Commented:
Thanks very much guys.

For 2. Vendor & Contract Management Framework, it involves Contract Management, Vendor Management, and Waivers (i.e. waiver of competition or 3 quotations, etc.), so I reckon it's more for IT Procurement (we do have an IT Procurement team, though the 2 procurement manager & officer are not 'too' literate in IT products: they learn along the way).

There could be 'pushing' around of the ownership of the docs; I guess we could use the RACI to support it.

Author

Commented:
For "4. DR Plan", I agree it's owned by the IT Dept; it's just that between the various teams in IT (IT apps, IT Ops, IT Security), I've seen in 2 banks and a defense project that it's owned by IT Ops and the DR drills are organized by IT Ops.

In a large local Healthcare, each apps team is responsible for running & drafting their individual DR as they have a myriad of apps, thus the DR are run individually per application system.
btan, Exec Consultant
Distinguished Expert 2018

Commented:
Ultimately, with an access matrix and RACI chart, these serve as the baseline on the roles and involvement. It is inevitable that there are gray areas, as relationship and involvement are dynamic in nature.

Agile development and DevSecOps are the next charter, for which the line of responsibility needs to be clear, but close collaboration is important for the process and development to work out seamlessly.
Each app team owning their own DR plan seems like a recipe for a disaster to me!
IT Ops need to own and execute; the app teams can certainly contribute, though.
