Policies and Guidelines

Departmental IT Best Practices

Last Updated: June 10, 2011

Purpose

Per Manual of Administrative Policies and Procedures (MAPP) 10.03.06, each college and division is responsible for the development and implementation of an information technology (IT) resource management plan to control and safeguard departmental IT resources.

Where to Start

To comply with MAPP 10.03.06, an IT Resource Management Plan must be created that reflects each department's strategy for managing its IT resources. The plan should include departmental policies and assigned roles and responsibilities for managing departmental systems.

The acronym D.A.R.E. illustrates the four steps of the process of developing an IT Resource Management Plan:

Available Tools and Templates

To assist in this effort, the following tools have been provided.

Best Practices Web Site

This web site was designed using a "tree structure" approach to provide detail on each practice area.

Project Plan

The Excel spreadsheet below is pre-populated to reference all practice areas. Use this documentation tool to capture strategy, task assignments, outcomes, etc.

Risk Assessment

There are multiple ways to conduct a risk assessment. However, a relatively simple methodology was presented in a course offered by The State Auditor's Office, "Risk Assessment and Management." The methodology includes a defined process for brainstorming activities at risk within an organization, and a simple process for assessing risk.

IT Resource Management Plan

The template below is designed to allow for more detailed documentation than the project planning tool described above.

Practice Areas

The IT practices to be addressed by each department are as follows:

Risk Management (formerly part of Business Risk and Continuity Planning)

Testing and Maintenance of the Recovery Plan is applied to Departmental Management
What is it?
Annual exercises to validate the effectiveness of the Recovery Plan. Updating the Recovery Plan as a result of testing and/or operational changes.
Why is it important?
To ensure that the Recovery Plan results in effective business recovery.
WHAT NEEDS TO BE DONE:
Develop testing strategies and conduct tests annually. Regularly review and update the Recovery Plan.


Resource Security

Information Security is applied to Departmental Management
What is it?
Requirements for securing data.
Why is it important?
To ensure confidentiality, integrity, and availability of information resources.
WHAT NEEDS TO BE DONE:
Develop a plan for safeguarding information assets.

Desktop and Server Security is applied to Departmental Management
What is it?
Requirements for securing departmental desktops and servers.
Why is it important?
To minimize security vulnerabilities and ensure confidentiality, integrity, and availability of information resources.
WHAT NEEDS TO BE DONE:
Develop a plan for securing desktops and servers.

Data Backup is applied to Departmental Management
What is it?
Requirements for data backup and recovery.
Why is it important?
To prevent loss of critical data.
WHAT NEEDS TO BE DONE:
Develop a plan for backing up data.


Service Continuity Management (formerly part of Business Risk and Continuity Planning)

Business Continuity Planning is applied to Departmental Management
What is it?
A detailed plan to reestablish essential business functions in the event of a disaster.
Why is it important?
To minimize financial and personnel losses, outage downtime, and general disruption to normal business operations.
WHAT NEEDS TO BE DONE:
Identify risk and develop a Recovery Plan.


Resource Management

Lifecycle Management is applied to Departmental Management
What is it?
Purchasing or leasing, maintaining, and retiring computer hardware and software.
Why is it important?
To achieve optimal efficiency and effective use of computer resources.
WHAT NEEDS TO BE DONE:
Develop a departmental lifecycle management plan that addresses the acquisition, maintenance and disposal of hardware and software.

Resource Maintenance is applied to Departmental Management
What is it?
Requirements for operational maintenance and use of desktops and servers.
Why is it important?
To maximize individual and departmental use of computer resources while minimizing disruptions to other campus organizations.
WHAT NEEDS TO BE DONE:
Develop a departmental strategy for the proper use and maintenance of information resources.

Data Backup and Retention is applied to Departmental Management
What is it?
Requirements for data backup, recovery, and record retention.
Why is it important?
To prevent loss of critical data and to preserve records in accordance with state guidelines.
WHAT NEEDS TO BE DONE:
Develop a plan for backing up, storing and retaining data.

Education and Training is applied to Departmental Management
What is it?
Educating personnel on the use of computer resources and how to properly safeguard IT assets.
Why is it important?
To ensure that departments have skilled personnel that properly use and maintain computer resources.
WHAT NEEDS TO BE DONE:
Develop a departmental strategy for educating personnel on the safe and proper use of software and hardware.