Appendix 1: A Pragmatic Set of Management Practices to Govern IT in SMEs
J. Devos et al. (eds.), Information Systems for Small and Medium-sized Enterprises, Progress in IS, DOI: 10.1007/978-3-642-38244-4, © Springer-Verlag Berlin Heidelberg 2014

Plan process: practices and measures

1. Define and communicate what is expected from IT (EDM02, APO02, APO11)

1.1. Communicate the goals of the enterprise and state what you expect from IT in support of that. Be clear on the balance needed between cost, speed, quality and risk
  Measures:
  • Percent of joint presentations of solutions
  • Clarity of solutions

1.2. Require that IT and business people always resolve that together. Ensure they always think in terms of value for the enterprise
  Measures:
  • Number of major deviations in IT solutions and services
  • Number of critical business processes supported by obsolete (or soon-to-be obsolete) infrastructure

1.3. Consider the current state of the infrastructure and the potential of new but proven technology

2. Set up an enterprise data model (APO03)

2.1. Obtain an efficient data model for the enterprise with rules for its syntax and for who can access and modify the data
  Measures:
  • Frequency of updates to the enterprise data model

2.2. Identify one person, preferably from the business, who is the owner of the data model
  Measures:
  • Number of problems with deficient data due to syntax or access rules

3. Establish a flexible and responsive IT organisation (APO01)

3.1. Assign clearly and regularly review IT-related roles and responsibilities, with proper authority and reasonable expectations. Pay particular attention to responsibilities in the area of security and quality. Communicate these responsibilities to all
  Measures:
  • Number of issues with conflicting or unresolved responsibilities
  • Number of resourcing conflicts

3.2. Assess that people have the resources to exercise these responsibilities and be aware that concentrated roles and responsibilities can be misused. In absence of resources, define where outside contracting and/or outsourcing can be applied and agree upfront how they will be controlled

4. Secure optimal value from investments in IT-enabled business projects (APO05, APO06)

4.1. Show leadership in investment management by applying an appropriate level of analysis of potential investments, especially the value/risk balance. To this end require full business cases covering cost, benefits and schedule throughout their full economic life-cycle
  Measures:
  • Up-to-date budget with link to strategy
  • Percent of projects with benefits defined upfront
  • Percent of post-project review of benefits

4.2. Accept uncertainty but manage it by requiring that assumptions in the business case are re-evaluated at appropriate times. Ensure benefits will be received and, if that is in doubt, do not hesitate to stop a project

4.3. Plan and manage IT expenditures within an annual budget, in line with what is expected from IT and reflecting the enterprise's priorities. Track expenditures against expected benefits

5. Define and disseminate management aims and directions with respect to IT (APO01, EDM03)

5.1. When making decisions relative to IT, communicate consistently to key personnel from IT and the business together, generally in an informal manner, and make sure they cascade the messages down into the organisation
  Measures:
  • Frequency of joint meetings
  • Degree of understanding at lower levels
  • Number of violations of do's and don'ts

5.2. Discuss rules of use as well as acceptable and reasonable behaviour, while encouraging responsiveness relative to risks and external requirements (e.g., intellectual property, privacy etc.). Establish some simple do's and don'ts
  Measures:
  • Degree of obsolescence/usefulness of documents

5.3. Document in hard copy only important and frequently used information that needs to be at hand (reference cards, bulletin board, checklists, customer/product data); where possible leverage an intranet

6. Hire, train and maintain qualified personnel (APO01, APO07)

6.1. Consider educational experience and past responsibilities to obtain the IT skills needed to support the IT infrastructure and enterprise goals when hiring IT staff. Assign roles that correspond with skills. Verify reference checks
  Measures:
  • Personnel satisfaction
  • Percent of IT staff members with career path
  • Number of year-end job reviews

6.2. Motivate regularly with clear career paths and verify annually whether skills and qualifications are up-to-date and act accordingly

6.3. Ensure that essential IT tasks do not depend on one person

7. Identify, prioritise, contain or accept relevant IT-related risks (EDM03, APO12)

7.1. At appropriate times, discuss with key staff what can go wrong with IT that would impact the business objectives significantly. Especially consider data that are critical for the success of the business. State the level of risk the enterprise is willing to take
  Measures:
  • Frequency and effectiveness of the IT risk assessment process
  • Number of significant incidents caused by risks that were not identified by the risk assessment process

7.2. Establish staff understanding of the need for responsiveness in risky situations
  Measures:
  • Number of significant incidents caused by risks that were identified by the risk assessment process

7.3. Consider cost-effective means to manage the risks identified through insurance coverage and protection practices (e.g., effective backup, basic access control, virus protection, firewalls)

Build process: practices and measures

1. Establish project management that enables stakeholder participation and monitors project risks and progress (BAI01)

1.1. Ensure the correct prioritisation and co-ordination of all projects, by clearly defining what needs to be achieved, by whom, when, at what cost and with which benefits
  Measures:
  • Degree of stakeholders' involvement in projects
  • Completeness of project documents

1.2. Require that all projects explicitly state their scope, the final acceptance criteria of deliverables, and how they will monitor deliverables, cost, schedule and risks on an ongoing basis
  Measures:
  • Quality of the change plans

1.3. Support the business changes linked to the project with a proper training plan for those involved in the change

2. Define technically feasible and cost-effective solutions (BAI02)

2.1. Be clear on how the solution will change and benefit the business. Ensure that the solution's functional and operational requirements are measurably specified, including maintainability, performance, reliability, security and compatibility with current systems. Review requirements with key personnel
  Measures:
  • Quality of the business change plan
  • Ease of turning requirements into test plans
  • Time between identification of needs and definition of solutions

2.2. Consider whether to buy or build, and whether to upgrade, do nothing or apply a manual solution. If there is no clear idea about how to improve business processes, do not inject technology

3. Manage suppliers to procure IT resources in an efficient but risk-averse manner (APO10)

3.1. Define the approach to supplier selection by obtaining a reference checklist to ensure that contractual arrangements cover legal, financial, organisational, security and performance requirements. Invite more than one vendor to bid and, once selected, develop an open and fair relationship
  Measures:
  • Clear agreement on deliverables with mutual satisfaction of in- and outsourcer
  • Number of changes to the agreement after signing the contract

3.2. Agree on pricing considering cost of ownership, maintenance cost, license fees and delivery bonuses/penalties
  Measures:
  • Number of disputes related to procurement contracts

4. Acquire and maintain application software, infrastructure and IT resources (BAI03)

4.1. Ensure with the supplier/developer that the needs are clearly understood: i.e., the functional requirements but also everything required to deploy, operate, maintain, support and secure solutions, or skills, capabilities and past experiences for insourced staff. Obtain commitment on benefits expected. Consider impact on existing systems
  Measures:
  • Number of changes to the design during development and testing
  • Percent of users satisfied with the functionality delivered

4.2. Obtain processing descriptions and user documentation for new solutions and ensure they are in line with the enterprise data model
  Measures:
  • Quality of staff provided

5. Provide user and operational training and documentation (BAI08)

5.1. Require that knowledge and skills for effective and efficient operation and use of new and current systems are easily available and up-to-date. To this end, consider early involvement of key operational and business personnel in the design, development and testing of solutions
  Measures:
  • Comfort of operators and business users with new solution
  • Accuracy and completeness of documentation (to be verified during testing)

6. Manage the planning and impact of changes (BAI06)

6.1. Ensure changes are categorised, assessed for impact, prioritised, and authorised with appropriate test material and implementation guidance, with the objective to minimise errors
  Measures:
  • Percent of total changes that are emergency fixes
  • Number of backlogged change requests

6.2. Set up a process to initiate changes and track the progress, risks and benefits; consider the impact of all changes on existing documentation and training
  Measures:
  • Number of disruptions or data errors caused by inaccurate specifications or incomplete impact assessment

6.3. Allow for an emergency change process (including criteria to invoke it, procedures, etc.) and ensure that every emergency change is recorded and authorised

7. Install and accredit solutions and changes (BAI07)

7.1. Consider that implementation may entail data conversion and, if so, analyse impact and plan for it. Also consider the impact on other applications and processes and the degree of verification required to ensure they still operate correctly
  Measures:
  • Quality of the testing plan
  • User comfort with implementation plan
  • Number of significant errors in tests

7.2. Test the new solution or change in a representative environment against all requirements, incl. operational and user documentation, so that it is fit for purpose and free of significant errors. Do not test on the live production system. Involve future users and operators
  Measures:
  • Number of errors on other systems caused by changes or new solutions

7.3. Perform final acceptance by evaluating all test results, involving key staff who will use, run and maintain the system. Evaluate against original acceptance criteria and original expected benefits

Run process: practices and measures

1. Define and monitor internal and external service levels (APO09, APO10)

1.1. Identify services delivered by IT. Define, agree upon and regularly review service level agreements. They cover service support requirements, related costs, roles and responsibilities, etc., and should be expressed in business terms
  Measures:
  • Percentage of services meeting service levels defined in the SLAs
  • Number of services that are not covered by an SLA

1.2. Consider the dependence on third-party suppliers and mitigate continuity, confidentiality and intellectual property risk by, e.g., escrow, legal liabilities, penalties and rewards
  Measures:
  • Number of identified and documented issues
  • Number of SLA revisions after problems

1.3. Assess the professional capability of third parties and ensure they provide a clearly identified contact person who has the authority to act upon enterprise requirements and concerns
  Measures:
  • Time lost in service disputes due to unclear roles and responsibilities

2. Manage and monitor performance and capacity of IT resources (BAI04)

2.1. Based on business needs and the current and future workloads, define the minimum availability, performance and capacity requirements of IT services and systems. Monitor accordingly and act proactively where possible
  Measures:
  • Frequency of capacity and performance adjustments
  • Number of incidents due to insufficient performance or capacity

3. Build the capabilities to carry out the day-to-day automated business activities with minimal, acceptable interruption (DSS01, DSS04, DSS05)

3.1. Identify critical business functions and information, and those applications, third-party services, supplies, data files, etc., that are critical to support them. Minimise key dependencies where possible
  Measures:
  • Percentage of critical business functions with clearly defined mitigation arrangements

3.2. Establish basic principles for safeguarding and reconstructing IT services, including alternative processing procedures, how to obtain supplies and services in an emergency, how to go back to normal processing after the major event and how to communicate with customers and suppliers
  Measures:
  • Percent of successful use of alternative processing and backup procedures
  • Frequency of testing of the back-up and recovery procedure

3.3. Together with key employees, define what needs to be backed up and stored offsite to support recovery of the business (e.g., critical data files, documentation and other IT resources) and secure it appropriately. At regular intervals, ensure the backup resources are usable and complete and that data cannot be retrieved at disposal
  Measures:
  • Number of hours of unplanned outage
  • Frequency of service interruption of critical systems

3.4. Ensure that data are properly stored, archived and disposed of by defining retention periods, archival requirements and storage terms for documents, data and programs. Ensure that they comply with user and legal requirements
  Measures:
  • Number of times critical business information was not properly recovered

4. Establish IT security practices to monitor, detect and resolve security vulnerabilities and incidents (APO13, DSS02, DSS05)

4.1. Implement procedures to control access based on the individual's need to view, add, change or delete data. Especially consider access rights by service providers, suppliers and customers
  Measures:
  • Time it takes to grant, change and remove access rights

4.2. Make sure one person is responsible for managing all user accounts and security tokens (passwords, cards, devices, etc.) and that appropriate emergency procedures are defined. Periodically review/confirm his/her actions and authority
  Measures:
  • Number of access violations
  • Number of accounts everyone can use

4.3. Log important security violations (system and network, access, virus, misuse, illegal software). Ensure they are reported immediately and acted upon in a timely manner
  Measures:
  • Time since last security patch
  • Number of incidents due to unauthorized access

4.4. Implement virus protection, update security patches, and enforce use of legal software. Put preventive, detective and corrective measures in place to protect from malware. Install and configure firewalls to control network access and information flow

4.5. Ensure that all users (internal, external and temporary) and their activity on IT systems are uniquely identifiable
  Measures:
  • Frequency of review of the security log

5. Implement a service desk/support function to respond to and resolve problems and user queries (DSS02, DSS03)

5.1. Set up a service desk/support function to monitor incidents and user calls. Ensure quick response, clear escalation and expedient resolution of IT-related problems
  Measures:
  • Percentage of unresolved incidents
  • User satisfaction with first line support

5.2. Follow up problems, significant incidents and recurring user queries. Investigate the root cause of all problems, identify and initiate sustainable solutions addressing the root cause in a timely manner
  Measures:
  • Number of unjustified escalations
  • Percent of problems for which the root cause was analysed
  • Average time between logging and analysis of problems
  • Number of recurrent problems

6. Review configuration of all IT assets and licenses (DSS02, BAI10)

6.1. Build and regularly update an inventory of IT hardware and software configuration. Review it on a regular basis to ensure all installed software is authorised and licensed properly
  Measures:
  • Time since last update of the configuration inventory
  • Number of unauthorised software installations
  • Time lost due to incorrect inventory data

7. Operate the IT services in a sufficiently secure environment and in line with agreed-upon service levels (DSS01, DSS05)

7.1. Physically secure the IT operational assets and consider a no-break system. Be aware of other environmental factors such as heat, natural hazards, dust and humidity and, if applicable, obtain expert advice. Pay special attention to the security of mobile or portable IT assets
  Measures:
  • Number of physical security incidents
  • Downtime due to physical security incidents

7.2. Document and review basic, standard IT operations on a regular basis to ensure that processing occurs as planned (timing, sequence, quality, etc.). Check operation logs to ensure correctness and completeness of processing
  Measures:
  • Frequency of review of the operations log
  • Time since last update of operations documentation
  • Number of delays due to operations failure

Evaluate process: practices and measures

1. Continuously monitor current IT performance, future requirements and related industry trends (MEA01, MEA03)

1.1. Identify, together with key IT staff and key users, a limited number of relevant and measurable results and performance indicators of IT to be tracked on an ongoing basis. Act upon results with improvement initiatives
  Measures:
  • Number of improvement actions driven by monitoring activities

1.2. At appropriate times, identify if anything needs to be done to comply with safety, health, ergonomic, privacy, legal, regulatory and intellectual property requirements, electronic commerce agreements and insurance contracts
  Measures:
  • Number of recurring performance issues
  • Number of non-compliance issues

1.3. Consider, but with caution, how comparable enterprises address IT issues and major IT decisions
  Measures:
  • Cost of non-compliance and performance issues
Appendix 2: Sourcing Guidelines for SMEs
S Selection guidelines: making a request for proposal (RFP)

S1 The RFP should be driven by a strategy document with "real tangible objectives", such as lower cost, improved core business performance, shorter product lifecycles, higher security, higher availability, outsourced build functions etc.

S2 The RFP should not be open ended, with vague references. The issuer's business needs to be clearly identified (prepare an information package about your company for the vendors). The expectations need to be specific, which will save much iteration

S3 The RFP must have a clear purpose and scope, a validity period, and a clear process description for the submission, selection and awarding of the contract

S4 The issuer must focus and be clear on: what he will maintain and run, coupled with the reasons why; what he will manage and how, coupled with the reasons why; and what will be expected from the supplier, coupled with the reasons why

S5 Determine a high level classification of requirements prior to developing detailed requirements, distinguishing between 'must' and 'want' features. Targeted technical requirements (has to run on this platform), the minimum necessary requirements, support for the installation and ongoing support would be mandatory high level requirements. Valued high level requirements would be that the product/service has most of the functionality and that the vendor is financially stable. Nice-to-have criteria could be that the product and vendor are forward looking in nature and support the future technical and functional direction of the enterprise

S6 The scope of the RFP should cover the product, deployment services (e.g., system and product installations) to bring the product to operational readiness, and support services such as build tools, automated test tools, documentation and training modules for: administrative personnel; software maintenance personnel; and end users

S7 The response should include, both for the bidder and sub-contractors:
• Corporate profile, including identity of shareholders, directors and managers, company size, growth rate, business divisions, historical perspective;
• Financial situation (at least the last two annual reports shall be attached, preferably the last five)

S8 The RFP should request details on the following subjects:
• Project and program management;
• Risk assessment/management;
• Compliance with product/service requirements;
• Migration planning/execution;
• Service handover/acceptance;
• Knowledge transfer and documentation;
• Service management and support organisation;
• Total cost of ownership;
• Approach to help desk, provisioning and configuration management;
• Implementation plan outline demonstrating the overall timescale necessary to meet the service objectives defined;
• The technology solution (software, hardware, middleware, networking etc.) and how to gear up in the future;
• Future budget costing per year;
• Maintenance and enhancements process, compensation and schedules

S9 Responders should be asked to state the degree of compliance with the requirements:
• Complies: the proposed solution meets the requirements exactly as stated;
• Does not comply: the proposed solution does not meet the requirements;
• Alternate comply: the bidder proposes an alternate solution;
• Will comply: the requirements will be met at a future specified date

S10 The RFP should provide clear agreements on defect definition, severity classification and response requirements. Response to problems should be specified in function of this classification, both for acknowledgement of the problem and for fixing the problem. The following table illustrates severity and response time classification

S11 The RFP should require that responders provide a quality plan covering:
• Software development lifecycle, its development stages and supporting activities;
• Reviews that will be carried out, with objective, scope and how quality faults will be classified;
• Documentation of project files and summary of all technical documentation;
• Quality targets and metrics;
• Tools, techniques and methodologies concerning: project, change, integration, configuration and development management

S12 The vendor should submit for approval the résumés of all human resources he intends to employ on the project and make all reasonable endeavours to ensure that such human resources remain on the project for the scheduled duration

S13 Agree on a clear timetable linked to the deliverables and the quality plan and include a process to make changes to the different plans. Also agree on a change procedure to add/delete functionality from the original specification

S14 Any development should be defined by: activities; timing of activities; milestones and deliverables; schedule for project steering meetings

S15 Define an acceptance process based on pre-agreed test scenarios and acceptance criteria and augmented with a process to report and handle those functions that failed to meet the tests. The RFP issuer may consider producing all acceptance test documentation, including test data

S16 Reference should be made to all documentation already exchanged prior to the RFP, and all RFP documents need to be covered by confidentiality agreements

S17 RFP response scoring methods, incl. the weights of the different response elements, need to be worked out in advance, and top management's buy-in needs to be obtained for method and scoring before the selection starts
E Selection guidelines: evaluating the responses to the RFP

E1 Response assessment should include:
• Ability to demonstrate an understanding of the requestor's business and experience in providing the same or equivalent services into other similar organisations;
• Perceived alignment of the solution with the requestor's business requirements, both current and future;
• A scorecard taking into account security, reliability, quality, ease of migration, costs (capital as well as operational expenditure) and requestor's staff satisfaction;
• Ability to change as business requirements change and to migrate easily to future technologies;
• Ability to demonstrate effective project management experience on similar scale projects;
• Appropriateness of the management proposed to plan, implement, test and commission the solution, and generally to manage the requirements and account;
• Access to vendor's research and development material;
• Degree of understanding of the issuer's requirements

E2 Ascertain that evaluation gives the right focus and value on the (fewer) high level requirements (see R5) and is not skewed towards the (more abundant) detailed requirements. Begin with matching the "Mandatory" requirements to the proposed product's strengths

E3 Functionality provided could be evaluated in function of the degree to which it:
• automates the business processes,
• supports the integration across business functions and
• provides fast and flexible end-user access to information

E4 The solution should fit with the enterprise's existing technical environment and should cover development tools for future maintenance

E5 The technical solution proposed by the supplier must be evaluated both in terms of appropriateness for the product and with regard to the supplier's capability with this technology

E6 The functions to be delivered in the form of a product must be accounted for in infinite detail

E7 The contractor must provide historic information in regards to the company's financial record for the recent past as well as its current financial stability

E8 In order to gain an understanding of the soundness of a contractor, the past experiences and company practices of the contractor should be reviewed

E9 In order to do business with any contractor, it is imperative to understand the contractor's business, size of operation, production and delivery processes

E10 Past experiences with the contractor should be given due consideration and references must be checked, e.g., site visits to existing customers and calling a number of company references with a prepared questionnaire. Questionnaires should have, in addition to specific questions, open-ended questions allowing respondents to mention problems. Third party implementers are also a good source to find out about implementation issues

E11 Ascertain that the vendor adequately applies software configuration management and change management functions as well as software quality functions

E12 It is important that the project management roles are clearly defined and that the vendor assigns a project/program manager to cooperate with the issuer's project manager

E13 The milestones, responsibilities, deliverables and configuration management of the deliverables must be clearly stated

E14 The project plan will be used as a controlling document for managing the project and will allow the issuer to track progress and costs

E15 During the development of the product it is essential that the supplier convey appropriate status and reporting information to management

E16 The responders should demonstrate adequate quality management to be applied to the project

E17 Suppliers must provide visibility of the quality aspects of their defined software development processes

E18 Acceptance tests shall demonstrate to the issuer's satisfaction that each and every requirement within the agreement is met as specified. Each requirement expressed in the product/service specifications is subject to acceptance testing

E19 The supplier should be able to provide guidance to the issuer in the planning and execution of acceptance testing by making recommendations and suggestions. During the acceptance of the product, acceptance criteria must be specified

E20 A process of provisional acceptance should be set up that will verify that the product meets all the requirements stated in this RFP; that the product meets all the performance criteria; that the documentation provided is complete and accurate; and that the package can be built from its sources and off-the-shelf components

E21 The supplier must be able to provide staff with appropriate skill to successfully complete the project

E22 If a contractor is going to be able to develop, deliver and maintain a quality product, the company must provide a stable environment for its employees. Employee turnover is critical in determining the working environment. A yearly turnover rate of greater than 5 % should be construed as an indication of potential risk

E23 As changes to the product desired are inevitable, adequate change management practices must be in place to accommodate them

E24 The contractor must be prepared to respond efficiently to correction requests

E25 A clearly defined cost for maintenance work must be stated

E26 The contractor's responsibilities in supporting the software once it has been accepted and placed into operation must be clearly identified. This support includes both technical support and the management thereof

E27 Contingencies should be pre-defined

E28 Don't overly rely on consultants for the implementation, because cost will go up and knowledge will be lost, and certainly do not let them influence the selection decision
Appendix 2: Sourcing Guidelines for SME’S 417
c Contract guidelines: making a contract following the selection
C1 Don't accept vendor's standard terms and conditions but always strive to apply—and be heard to apply—fair contract terms
C2 Insist on user based rather than CPU based pricing for licences and drop initial maintenance rate by 3–4 %. If no drop in maintenance % then insist on service increases. Negotiate a 2–5 % drop for being a reference
C3 Suppliers to break out each cost component, then negotiate each one piece at a time
C4 Pay in escrow, release upon delivery
C5 Always keep a second supplier for leveraging
C6 Agreed standard terms and conditions should address the areas of:
• nondisclosure rules
• billing
• payments
• arbitration rules
• responsible individuals from issuer and the contractor
• length of contract
C7 It should be clear the requestor is not obligated to award the contract and if so, it will be subject to duly agreed terms and conditions between the parties
C8 RFP shall not be binding on issuer, i.e., an RFP is not a promise to acquire the product or services
C9 Agree on clear terms of agreement for termination
C10 Consider service level agreements for support after delivery including compensation and reporting of non-compliance
C11 Consider incentives and recognition for quality service provided and for exceeding service level agreements (SLA's)
C12 Consider appointing an independent auditor to review and conclude that the strategy can be met and objectives not compromised. Too often vendors don't live up to their promises
C13 Consider establishing audit rights or SAS70-like exercises
C14 Provide protection against the chosen vendor outsourcing or being taken over
C15 Provide for a confidentiality agreement identifying what is confidential and how it needs to be handled
C16 RFP documents to be covered under confidentiality agreements and unsuccessful bidders, when advised in writing, to destroy all RFP documents with confirmation in writing that they have done so
C17 The responder has to warrant correctness of facts and opinions and to not omit relevant information; also to be ready to provide additional information if requested, which then becomes an integral part of the RFP
C18 Make it clear that a feature response to the RFP will become part of the software delivery contract
C19 Exclude material or fiscal responsibility for costs, etc. that may be incurred by any vendor in the preparation of their RFP response
C20 Bidder to provide a list, description and other relevant information of all Intellectual Property involved, used for, useful for, or relevant to the proposal:
• Intellectual property owned by bidder;
• Intellectual property rights licensed or sub-licensed to the bidder;
• Patents and pending patents;
• Trade secrets;
• Copyrights;
• Trademarks;
• Claims and litigation relevant to the above list;
• Internal policies in relation to ownership of inventions, copyrights etc
C21 Vendor to grant to issuer a license or transfer ownership, that is non-exclusive, worldwide, irrevocable, perpetual and royalty-free, with unrestricted right to sub-license for use, of all Intellectual Property used for, useful for, or relevant to the product/service or any other deliverable
C22 Make escrow agreements, i.e., vendor to deposit with e.g. a notary all source codes, designs and documentation such that the product/service can be independently reconstructed in case of need. Define what the conditions are for access to escrow objects. All costs related to the escrow shall possibly (to be negotiated) be borne by the vendor. Causes for access to the escrowed objects could be:
• default, receivership, bankruptcy or insolvency by the vendor;
• issuer becoming aware of any viruses, time bombs, worms or other programming devices or features not identified to issuer;
• written permission from the vendor
C23 Vendor to adhere to the internal control and security policies of the issuer
C24 Provide coverage for hidden defects and fundamental and inherent system faults (including software design faults) relating to the product/service
C25 Define development, maintenance and implementation location and consider requiring access to the vendor location by issuer's auditors
C26 Define clearly all logistics involved in the project: travel, office support, communications etc
C27 The warranty period is a safeguard to issuer in the case of a faulty product
C28 The warranty must clearly state what is covered and how corrective action will be performed. It must specify the conditions under which the warranty is invalidated. Issuer should verify whether the warranty is acceptable for the type of product/service under evaluation
C29 The warranty period should specify the duration and any items that are specifically excluded. It should include software, hardware, support services and free of charge correction of defects in line with the priority/urgency
C30 Insist on a set of traditional warranties with associated indemnities, liabilities and insurance:
• vendor has all rights, titles, licenses, permissions and approvals necessary to perform its obligations and grants to issuer the necessary rights;
• the rights granted by the vendor do not conflict with the rights of a third party with whom the vendor already has an agreement;
• all the rights to support the development, use and onward sale by issuer of the product/service have been transferred by the vendor;
• the product/service will, when delivered, be in good working order and free from defects, and will operate in conformity with the functional specifications defined;
• the support services will be provided in a professional and timely manner and for the term stipulated
C31 The contractual considerations of any project legally obligate issuer and the contractor and therefore should be thoroughly reviewed by the appropriate legal parties. The objective is to ascertain that all parties will be able to agree and perform to a suitable contract
C32 Some projects may be sensitive to certain parameters and these items should be detailed and penalties established for non-compliance in order to avoid costly litigation. To be considered are:
• penalty for late delivery (one time or increasing with each day, week or month late);
• measurable quality level guaranteed with a penalty for not meeting this goal;
• penalty for partial delivery of the product;
• penalty for the contractor breaching any non-disclosure agreement;
• penalty for failure of the contractor to meet the warranty obligations
C33 The contractor should provide liability coverage in cases where excessive down-time was incurred due to the unresponsiveness of contractor support