Wednesday, March 20, 2013

Data (big?) part 1

Posted by EYHokie


I went to an event last night about “big data.”  Come to find out that is the hot topic right now.  Now I sat through an hour and 15 minutes and over 60 slides in a PowerPoint presentation about “big data.”  After that, do I know what “big data” is?  The guy took a bunch of definitions that other organizations/people have said and tore them apart.  What was his idea: putting the Information back in IT.  Wow.  Deep.

My best understanding at this point is taking all of the information that a company amasses and finding ways to use it.  It's all too easy to live in a bubble and not take into consideration what other departments are doing, what data they are storing.  If we talked together as an organization, how much more could we achieve?  That likely will never happen, at least to the fullest extent possible.

My concern with this whole idea is that we spend a bunch of time analyzing our data and forgetting our core.  When I write a research paper I spend a lot of time researching.  I often get lost in my research and forget where I was headed in the first place.  Might that happen with all the focus on “big data?”

What if I don’t have a lot of data to start off with?  Well, start with what you have.  As a small business owner, you most likely have a lot more data than you think you do.  Let's say your business is lighting and your job is to bid on large projects.  Should you focus on every single project available?  Probably not.  That would be a waste of your time.  You will spend too much time focusing on bids you’ll likely never get.  Which projects, historically, have you won?  Start there.  What are the characteristics of those projects?  I’ll stop here with the business side.  I’m sure I could write for hours.

Now let's start thinking of what an audit program may look like for this lighting business.

Governance:
1. Organization
   a. Is there a clear structure and position descriptions?
   b. What is the mission of this organization?
   c. Are they in a niche market?  Do they have a direction?
2. Talent Management – keep in mind this isn’t a large organization
   a. Are the right people hired for the right job?  Do you have qualified people making bids?
   b. For new hires, is there a mentorship program?
   c. Is there a methodology for sharing information?
   d. Is there a clear path for career progression?
As with any governance review, there are a lot more topics to cover.  Just keep in mind we are talking about small businesses, so don’t go overboard.

Access: This is where it's at.
1. Administration
   a. Who is responsible for managing the applications used for bidding?
   b. Is that person qualified?
   c. What other tasks does that person do?
2. Access to data
   a. Who has the ability to enter data?
   b. Who has the ability to change existing data?
   c. How can you change data? Is it possible?
   d. What type of application are you using to enter in bid information?
3. View data (key part to consider):


Wednesday, March 13, 2013

Social Media for Small Businesses

Posted by EYHokie


Monday night we discussed auditing Social Media.  Our discussion (really my short lecture) focused on anything from Twitter, Facebook, LinkedIn to Google Docs.  My suggested approach focused more on corporations and less on small businesses. For this post, let's focus on the small business.

Understanding the Organization:
The first place to start should always be to understand the business and the business processes. 
· What exactly does the company do?
· What is the culture like?
· What are the short and long-term goals?
· What is the company structure?
· What social media formats are being used?
· How do they align with the company goals/direction?

Understand the Business Unit
Now that you have an overall understanding of the organization, it's important to understand the business units. Here we are taking one step closer to the business processes.
· What is the breakdown of the organization (structurally) by department?
· What are the department’s goals?
· How do they align with the company's short and long-term goals?
· What does the business unit do?  How do they fit into the organization?

Understand the Business Processes
This can be a difficult piece to understand.  Above we explored the organization and then dove into a specific business unit.  We know what the groups do at a high level, but what does the day-to-day look like?  This will take some skill.  We want to get enough detail that we can identify what can go wrong with the business processes.  At the same time, we don’t want to get stuck in the details.  The conversation should be open-ended.  Repeating your understanding or drawing pictures is a great way to feel comfortable that you can speak to the department at a later date.

Porter’s Five Forces[1]
Why analyze the industry?  To fully complete any audit, I think it is important to step away from the details and take a look at the overall industry.  We can then move into the company and then down to the business processes.   There are many sites online that can help with this step.

SWOT/TOWS Matrix
Now to understand the internal company, a SWOT analysis should be completed.  This will further give guidance on the risks the company faces.  This will also help determine how the use of social media aligns with the strengths and opportunities in the organization.  Some of the notable business risks may include:
· Disclosure of corporate assets/sensitive information
· Violation of law/regulation
· Loss of customer confidence
· Loss of reputation
· Dissemination of fake/fraudulent information

Let’s stop here.  We’ve spent a good bit of time understanding the industry, the company and the business processes.  This is a discussion on social media.  Why all the extra work?  From this point forward, we can either assume you knew all of this information or you were new to the company and needed to get a strong foundation.  By now, we’ve identified the major risks to the organization and should have determined how the use of social media fits into the organization.  If the company cannot get past this point, there is no real value in moving forward.  The company can have all the controls in the world but if it doesn’t align with the external and internal strengths, then why are they even using these tools?

Governance[2]
Surprisingly enough, Citizenship and Immigration Canada provides an interesting audit of IT Governance.  Ok, surprisingly may be a push.  The following are some topics to consider:
· Policies and procedures
  o Legal counsel review of all policies
  o Personal use (social media) at work
  o Personal use (social media) outside of work.  Why care?  The image portrayed outside of the work environment can have an impact on the greater image of the company.
  o Who can use the tools for business purposes
· Strategy
  o Risk Management
    ▪ Approval of social media projects
    ▪ Inventory of all media outlets
  o Ongoing assessments
· People (Office Manager)
  o HR Function
    ▪ HR review of all policies
    ▪ Defined violation policies (up to and including termination)
  o Training and Awareness
    ▪ Associate/contractor/customer awareness of responsibility related to social media
      · Update training/people on a regular basis.
  o Staffing
    ▪ Evaluate staffing levels related to support
      · Internal support (IT)
      · Customer facing (marketing)
    ▪ Background checks
    ▪ Employment criteria
· Processes
  o Social media align with business/department processes
  o Brand protection
    ▪ Protect from negative publicity
    ▪ Response channel for negative events (hacking Facebook, credit cards, internal data storage)
    ▪ Consistency in branding
  o Monitoring of adverse posts/publicity
    ▪ When identified, how is this addressed?
    ▪ Is there a plan in place to handle such situations?
  o Access to social media data
    ▪ Location of data (appropriateness)
    ▪ Data encryption
    ▪ Data classification (define the critical data)
  o Access management
    ▪ Authorization and authentication
    ▪ Contractor access

Technology
At this point, we should be feeling good about the company.  Now let's take the next step into the actual technology.
· Social media technology infrastructure
  o Anti-virus software management
    ▪ Current licenses
    ▪ Up to date virus definitions
    ▪ Continually monitoring for latest virus patches
    ▪ Update/deploy virus definitions
· Incident response
  o Handling outages when they arise
  o Timely response to customer/associate issues
· Content filtering
  o Are there limitations to content
    ▪ Content the associates can view at work
    ▪ Restricted access to content (internal and customer)
  o Web browser settings
    ▪ Cookie retention
    ▪ Server certificates
    ▪ HTTPS/SSL
    ▪ Popups
    ▪ JavaScript
· Monitor social media and effect on technology
  o Monitor key metrics
    ▪ Align with business goals
    ▪ Customer “hits”
    ▪ Bandwidth
  o Processes for monitoring (Incident response)
  o Involvement of key stakeholders
    ▪ Owner/President
    ▪ Head of IT
    ▪ Legal Counsel (legal retainer)
    ▪ Office Manager

As you can see, there is a lot to take into consideration.  I would suggest, if there is going to be a big investment in social media, a full FTE be brought on staff to manage content.  Think of this as your marketing.  Do you have a full time marketer?  If so, social media is a clear interaction with your customer, good or bad.  Proper attention needs to be paid.

While modified, the core structure of the last half of this post was supported by ISACA’s Social Media information: Strategy, People, Processes and Technology.


Tuesday, March 5, 2013

Segregation of Duties for Small Businesses

Posted by EYHokie


Small businesses, by the nature of their size, often do not have the ability/resources to fully segregate their back-office operations.  For some companies, the visionary is driving the direction of the company and controls are not at the forefront.  The objective is to grow, grow, grow.  With success, the company continues to focus on the strategy, marketing and operations.  What about the back-office? 

Upon a quick search, I found a great SOD matrix developed by the University System of Georgia.  Their definition of SOD is as follows:
“The concept of Segregation of Duties is to separate the major responsibilities of authorizing transactions, custody of assets, recording of transactions and reconciliation/verification of transactions for each business process.”[1]

A document I found from the Technology Evaluation Centers Inc. has a great matrix to use[2].  Due to the size of a small business the matrix is a bit excessive and impossible to fully implement.  Remember, we are talking about that visionary that isn’t worried about the accounting and supporting technology.  What are some of the key functions the firm should care about?  How do they handle them?  I’m going to do a bit of research and find out what some companies do.  Nothing big or formal.
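
An added example, not from the original post or from either matrix cited here: a short Python check that takes who performs each of the four duties in the quoted definition and reports where one person holds several, where a duty is not performed at all, and who inside the firm could act as an independent reviewer. The duty keys, staff names and processes are constructed for illustration, and treating "holds no duty in that process" as independent is an assumption of this sketch.

```python
from collections import defaultdict

# The four responsibilities named in the SOD definition quoted above.
DUTIES = ("authorize", "custody", "record", "reconcile")

def duties_held(assignments):
    """Map (process, person) -> set of duties, from (process, duty, person) rows."""
    held = defaultdict(set)
    for process, duty, person in assignments:
        if duty not in DUTIES:
            raise ValueError(f"unknown duty: {duty!r}")
        held[(process, person)].add(duty)
    return held

def sod_conflicts(assignments):
    """People who hold two or more of the four duties within one process."""
    return {k: sorted(v) for k, v in duties_held(assignments).items() if len(v) > 1}

def missing_duties(assignments):
    """Duties nobody performs in a process (for example, no reconciliation)."""
    done = defaultdict(set)
    for (process, _person), duties in duties_held(assignments).items():
        done[process] |= duties
    return {p: [d for d in DUTIES if d not in s]
            for p, s in done.items() if set(DUTIES) - s}

def independent_reviewers(assignments, staff):
    """For each conflict, staff with no duty in that process. An empty list
    means nobody inside the firm is independent of the process."""
    held = duties_held(assignments)
    return {(process, person): sorted(s for s in staff if (process, s) not in held)
            for process, person in sod_conflicts(assignments)}

# Constructed sample: a three-person office (names and processes are made up).
STAFF = ["bookkeeper", "office_manager", "owner"]
SAMPLE = [
    ("payables", "authorize", "owner"),
    ("payables", "custody", "bookkeeper"),
    ("payables", "record", "bookkeeper"),
    ("payables", "reconcile", "office_manager"),
    ("payroll", "authorize", "office_manager"),
    ("payroll", "custody", "office_manager"),
    ("payroll", "record", "office_manager"),
]

if __name__ == "__main__":
    print("conflicts:", sod_conflicts(SAMPLE))
    print("missing:", missing_duties(SAMPLE))
    print("reviewers:", independent_reviewers(SAMPLE, STAFF))
```

In the sample, payables has a conflict with no independent person left in the office, which is the small-business case the post describes.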




[1] www.busfin.uga.edu/controller/Segregation_of_duties_matrix.xls
[2] http://blog.technologyevaluation.com/files/2008/09/sox-sod.xls
