Nowadays, information technology (IT) is a critical tool for factory operation in the manufacturing field. Basically, IT can be divided into two main aspects: the technical aspect and the operation management aspect. To ensure the quality of IT operation management, up-to-standard policies, procedures, guidelines, etc. have to be defined and implemented. Following standards such as ITIL, ISO, ITSM, COBIT, etc., this web site collects a set of IT management documents to share with you here. The main purpose of this web site is to provide useful information to IT factory guys in order to improve industry operation. The documents are classified into the following areas and topics.
1. IT Control Policy
The critical and most important control documents are the IT policy and the service agreement. We should have a monthly management meeting for budget control as well as to review KPI reports for ICT performance evaluation. The IT Management Agenda (IT OPS) or service level agreement (SLA) should be defined and managed using the Balanced Scorecard tool, e.g. bi-monthly. IT issues should be discussed with stakeholders regularly, e.g. bi-weekly, and actions/decisions should be well noted in user meeting minutes.
2. Change & Operation Control
A Change Control Board (CCB) should be established to review and approve any software/system change. IT and functional groups execute the changes and ensure that all change request modifications are tested by the responsible key users. The decision to move changes to the production environment is made only when the user gives written test acceptance. There should also be regular meetings between users and IT to ensure continuous improvement in system usage. For example, for data change operations, there should be a Data Change Procedure and a Data Change Audit Report to provide a logging and tracking function.
3. Disaster Recovery Control
To ensure the continuity of business operation in a disaster situation, we should have a disaster recovery procedure. The prerequisite of the DRP is to have documents covering the System Backup Procedure, Data Archive and Retention Procedure, Backup Arrangement and Data Recovery Procedure.
In respect of SoD and access restriction, an Account and Access Right Application Procedure should be set up for each function group and application. Segregation of duties (SoD) is established between users and the IT organization, and within the IT department (Operations versus Development). The overall SoD structure is managed by an authorized group/person, and all access changes are approved by that group/person against the SoD matrix. Access reports are reviewed on a monthly basis to make sure only authorized users have access to the appropriate function. The access right setup should have an Access Right Testing Arrangement on a quarterly basis. For example, select a sample of 5 persons and check whether their access rights have been properly authorized and whether their access rights are aligned with their job requirements.
5. List of IT Control Documents
- IT Service Agreement (SLA): Objectives, Organisation, Roles & Responsibilities
- IT Project Plan
- IT Availability and Capacity Plan
- IT Business Continuity Plan
- Incident Management Procedure
- Change Management Procedure
- Release Management Procedure
- Server machine maintenance SLA contract (e.g. ERP server)
- PC Hardware & Accessories Requisition Procedures
- PC Software & LAN Account Requisition Procedures
- Generic ICT Service Requisition Procedure
- IT Helpdesk Procedure
- Hard Disk Disposition Procedure
- Network Hardware Configuration Document (including Network Diagram, HW inventory, Password, SW inventory, License)
- Network/File/Printer Servers Backup Procedure
- Server Room Security Procedure (should include Visitor Procedure)
- General Business Principles (GBP)
- Occupational Safety and Health (Display Screen Equipment) Regulation
- IT Auditing Requirement
- Password Policy and Cracking Procedure
- Standard Letter on Password Policy
- Database Password Management Guide
- Network Security Vulnerability Scanning Procedure
- Firewall Operation Procedure
- Windows and UNIX Security Configuration & Patch Update Procedure
- Printer Configuration and Patch Update Procedure
- War-Dialing Operation Procedure
- IDS Operation Procedure
- Application Internal Control Policy
- Application Support Model / Operation Policy and Guideline
- Application Account & System Setup Procedure / Access Profile Setup Policy
- Application System Backup and Restore Procedure
- Application System Performance Measurement Guide
- Application Data Delete and Archive and Retention Procedure
- Application Disaster Recovery Plan / Disaster Recovery Test Drill
- Application Data Change Maintenance Procedure
- Application Schedule Batch Job Maintenance & Monitoring Procedure
- Application Software Change Procedure
- Application Program Migration Procedure
Note: Software Application includes ERP, BI, HRIS, Data Warehouse, EDI, etc.