Posts Tagged audit
Two audit conversations today, one following the external auditors’ review of IT controls and the other the external auditors’ report back on their recent report on our IT policies.
In terms of the external report, this was a verbal feedback on findings from the audit visit. A more formal report will follow but as a quick heads-up it is invaluable in identifying if there are any immediate actions needed.
The internal work identifies some issues about documenting approvals and setting review periods for policies. In addition, some issues of inconsistent practice mean that there are improvements to be made in compliance. Unsurprisingly, there were also issues with understanding of policies, which mean we need to do more to ensure we communicate policies and check that they are clear and understandable.
That week flew by!
Lots of KITs this week plus a few other meetings and discussions, with auditors internal and external, updating the ICC on the Corporate Review of IT implementation (which is almost complete), about budgets as we head towards our financial year end, and meeting Chris Sexton from the University of Sheffield.
It was as busy a week as many recent ones though it was a much more ‘normal’ week with the usual ebb and flow of the day job. With much of the immediate process for implementation done, though not quite everything, it’s now about planning the transition with Service Managers, and catching up on all those things left to one side.
I’ve a queue of things that have been left until a ‘quiet time’ and I guess that this is as quiet as it is likely to get so I better get on with things.
Seemed to be the message of the day, with meetings from start to finish.
The internal auditors were reporting back on the recent policy audit they’ve undertaken for me. That was interesting and though there were few surprises, I’m hoping they will give us some places to start with as priorities. I’ll give more information later once I’ve a final version of the report.
Then a senior management team meeting to discuss transition arrangements, communications, staff development, budgets and planning.
Some feedback meetings and a project board meeting for our mobile app project before a final KIT, clearing up emails and tidying away. I’m in London tomorrow for the Janet UK Stakeholder meeting.
The start of an internal audit of IT policies today. I wanted the audit because I’m aware that we probably need to do better generally at ensuring we have all appropriate policies in place, documented, available and that we can monitor compliance. As well though, the move to a single IT service means there’s a good opportunity to ensure we have one set of policies we all work to, and that any areas of good practice get included in the new service.
A short audit won’t be able to identify everything but it will take a general look across and particularly look at some specifics. I’m expecting it to identify some areas where we need to do more and that’s the value of doing this – to point out where we need to focus attention first.
Also today, my KIT with Cliff Allan. This regular meeting is intended to be a catch-up, and I use the time to update Cliff on things in SHU or the sector more broadly that I believe will be of interest to him. Today I showed him our mobile app SHUgo, and talked to him about my ideas around virtual learning spaces and the role IS&T can play in making that a reality. We also talked about the Hefce review of JISC (Cliff is a board member), and the University Alliance representation stakeholder group for Janet UK.
Well, it really has been some time since I last blogged. However, an attempted blog entry was lost when the application I was using bombed out without saving the work in progress. Quite frustrating.
The last week and a half have almost entirely been taken up with things to do with the implementation of the new IS&T Service. Some of that has been quite visible, such as the individual consultation meetings or the informal discussions with people just wanting guidance or clarification. Some of it has been less visible around preparations for the process once it gets underway.
This week, whilst still dominated by implementation, things began to look a little more ‘normal’.
Monday saw me mostly get my overdue tasks under control and my inbox semi-tamed (for now) alongside a number of informal meetings with staff with queries about implementation.
Tuesday included a phone discussion with the internal auditors to plan the next audit. This one, around policy and compliance, should be timely as it will inform both the Information Security project and the start-up of the new IS&T Service.
Also on Tuesday, the IS&T Senior Management Team met with Ian Heath to discuss accommodation requirements now the structures are confirmed. There will need to be some more discussions around this and no doubt some compromise in the short and possibly medium term.
Discussion at SLS Exec on Wednesday really got business planning underway, and is particularly interesting given this will be the 1st year we are planning IT spend on behalf of the whole University. That throws up as many questions as it does answers but a positive approach was characterised by one faculty colleague who has said we need to take a pragmatic view – it may not be perfect in this first year of operation, but the intention is there and working together we can make sure everything that needs to happen does happen.
Today after a morning at HBP, I went to a special meeting of YHMAN and Janet UK. As I’ve blogged before, changes planned by Janet in how services are provided could have a profound impact on YHMAN and this meeting was to discuss what the future was likely to look like. It was a very constructive discussion and there seemed to be general agreement on the options available and everybody’s preferred route forward. More on that later no doubt.
Tomorrow is another day where the review and implementation will be almost entirely the subject of what I’m involved in. Looking ahead to next week, there’s an interesting UCISA event on ‘shared services’, and another YHMAN meeting to talk about strategy, helped by today’s discussion.
Well most of this week has gone past in a whirl.
A large part of the week has been on picking up and answering queries that have come through as we go into the final week of consultation on overall structures.
There were also the final set of open consultation meetings. Attendance at meetings has been quite different with the service area focused meetings generally better attended than the whole structure ones, which is reassuring as it suggests we made the right decision on trying something a little different. By pairing up, we were able to devote most time to issues relating to very specific areas, and this seems to have been helpful.
Other things I’ve been involved in:
Working with colleagues in FD on a revised Print Strategy – aimed at making our printing more sustainable both from an environmental point of view, something I know many staff and students will welcome, and a financial perspective.
Starting to think about annual planning in the SLS Executive and then at the Manager’s Workshop. Focus is particularly around how work Philip Martin is leading on the student experience may affect what we do but also in how we might best contribute to the kinds of changes it may mean for other areas of the University.
Meeting the University’s internal auditors to agree the priorities for audit of IT for the rest of this academic year and into early next. This will help support the transition into the new IT Service, by looking at process and policy gaps and compliance, and also later at how the IS&T governance process is working in terms of delivering business-based decisions on prioritisation.
Talking to Liz Winders about information governance broadly, and responsibilities for strategy and policy.
Lastly, the Mobile App project board agreeing the final changes needed to sign off version 1 of our SHUgo app, and a little disappointment that because of the likely time needed to get the app through the AppsStore process, launch looks likely to be the other side of Christmas. Disappointed in the sense that Alex Deck and others have worked really hard to get us here and now it will be out of our hands.
I now have a full demo version of the app and if anyone would like to see it, please just ask.
Two discussions around information security today, specifically electronic information. First with one of the security specialists from the internal auditors. This was following up some work he had done for us around reviewing our internal processes for assessing risks in our systems and infrastructure.
The second discussion was with the University’s Audit Committee. Quite a daunting meeting to attend for the 1st time, I was quite pleased to be there just for timed business although they were all very pleasant. The committee consists of internal and external auditors, governors, and members of the University Executive. Its purpose is to be assured that the organisation is being properly managed and run – a more accurate and detailed explanation is available here http://www.shu.ac.uk/about/foi/who-we-are/audit.html.
I was presenting my paper on information security improvements we plan to make over the next 12 months, following the review we’ve carried out on where we currently stand. The paper seemed well received with some specific questions around communication and compliance. Now we just have to deliver it.
A scheduled meeting with one of the internal auditors to talk about information security today reminded me that, regardless of what we do around systems security, it’s sometimes the human elements that prove to be the weak link.
The area is a secure space, accessible by swipe card and for authorised staff and visitors only. However, simply by tailgating someone coming into the area the auditor was able to get access – unchallenged – to the space and find my office. As he told me, he generally finds that he can move around pretty freely so long as he’s wearing a suit and looks like he knows where he’s going.
A cautionary tale…
Some interesting discussions today.
We’ve had an audit on part of our approach to information security and this was a discussion with the auditor to finalise the report. The audit has flagged some things we need to do, not around security per se but in terms of formalising a framework approach to managing the controls. I think some of the process changes needed are quite wide-reaching but long overdue.
Related, Chris Walton wanted some input on the SLS Risk Register and we discussed what arrangements are in place around business continuity/disaster recovery. A lot of effort has gone into this, especially around the infrastructure elements. What we need to do is make sure we have taken a similar approach in other areas (some of which are more complex and require joined up working across internal and external partners) and that the plans cover all relevant areas.
And finally, a discussion actually about mobile technology rather than fruit but with something of a fruity leitmotif. An interesting exploration with Alex Deck and David Williams on signing up as developers with the Apple iTune store and the Blackberry World apps store ahead of developing the Blackboard Connect/Learn app 1st version. A hurdle to overcome is paying via PayPal on behalf of a corporate entity, which wasn’t quite the kind of challenge we had anticipated.
After a positive end to the week last week I was hoping I’d be able to announce a really interesting new service development. Instead, I’m wondering if it will go ahead at all. It’s all very frustrating given I’ve spent weeks negotiating this.
Most of the morning was taken up with sorting out loose ends for the above. And sorting out my out of control inbox. It’s a little sad I guess but it’s now a matter of personal pride to get it down to 15 unread emails instead of the 46 as of Friday.
Then a scheduled catch-up with a faculty colleague to talk about service plans before more email.
Then a catch-up with Louise Thorpe to talk about portals and the web strategy. It seems strange to me that we talk about portal in the plural instead of singular. Shouldn’t it be one, with different roles?
Then to get feedback from the auditor on the focussed information security review. Nothing I wasn’t expecting but we need to tighten up some practices and also compliance with existing policies across the organisation.
Then on to the weekly review Comms and Process meeting, to catch up on where we are and any communications support needed.