
EReadiness:Management and Financial Resources

From NGOPedia

EReadiness:Self Assessment Tool for NGOs



A key step to deploying ICTs is to have some financial resources to:

  • Buy the hardware
  • Acquire software
  • Maintain the systems
  • Pay for connectivity
  • Provide training to staff

Equally, if not more important to the continued positive impact of ICTs in an NGO, is the need to have proper management of ICTs in place. This includes the planning of future ICT adoption as well as the need to put proper procedures in place. The latter is very important because the computerisation of information exposes the NGO to a very different set of business and continuity risks than manual systems: some problems are solved but new potential problems will arise if insufficient care is taken. This section looks mainly at security and backup issues as well as some forward planning.


Question: How would you describe your organisation?
(tick all that apply)
| Answers/Scenarios | Level | Yes |
| --- | --- | --- |
| We have an unstable income (‘fund stream’) and are struggling to meet costs. | 1 | |
| Some of our computers have anti-virus software installed. | 1 | |
| All our computers have anti-virus software installed and the virus signature file is updated regularly by the users. | 2 | |
| We have a fairly stable income and have our cash flow under control. | 2 | |
| We have carefully thought about the possible risks which ICTs bring to our organisation. | 2 | |
| We have made a backup of the critical organisational data on our computers at least once in the last 3 months. | 2 | |
| We have identified all the data in our organisation which is sensitive or has privacy implications e.g. financial information, bank and/or personal details of members and staff. | 2 | |
| We have examined all insurance options for physical computer systems – both desktop and mobile computer devices used outside the office (note that sometimes it may not be cost-effective to insure low-cost equipment). | 2 | |
| Our income is pretty much guaranteed over the medium term and we have a good income and expenses budgeting system. | 3 | |
| We have an action plan on what to do should our computers break down/get stolen. | 3 | |
| We make a backup of all important data on our computers at least once every month. | 3 | |
| All computers have industry-leading anti-virus software which cannot be disabled. The virus database is updated automatically on a daily basis. | 3 | |
| All sensitive and private data is stored in encrypted form on all our computers and access is by means of password. | 3 | |
| We automatically back up all organisational data and key application settings weekly. We have also tested our ability to restore the data from our backup at least once in the last six months. | 4 | |
| All sensitive and private data is encrypted, stored on a physically secure computer system, cannot be copied to unsecured locations (computers or removable media), and staff are required to have secure passwords which they need to change at least twice each year. | 4 | |
| We have conducted a comprehensive risk assessment for all our ICT-related assets, including identifying human resource, data/information, business continuity and external threats etc. and have made plans or have put in place procedures to deal with most of the risks. | 4 | |
| We have examined all insurance options for computer systems including the cost of recovering data and possible business losses from lost, damaged or stolen computers. | 4 | |


Level 1: Non-Existent or Basic

| Description | Yes | No |
| --- | --- | --- |
| Our organisation is struggling to meet expenses and has an uncertain income flow. Consequently there is no dedicated ICT budget. | | |
| Our NGO may rely on donations for hardware, which may incur longer term costs because of repairs, incompatibilities, training issues and system unavailability. | | |
| There is likely to be at least some unlicensed software in use in the organisation (operating systems or applications). | | |
| There is no formal planning process. | | |
| Little or no thought is given to possible security and privacy issues. Management deals with ICT problems as they arise. | | |



Move to the Next Level

There are creative solutions for organisations with limited funds to get an entry-level computing solution (see the notes under the computer infrastructure heading). Obviously this is not the place to give guidance to NGOs on how to fundraise (although you should be aware of the ‘chicken-and-egg’ situation whereby funds are required for ICT adoption), but ICTs can facilitate and improve income and fundraising e.g. by donor database mailing, web-based donation options, producing more professional-looking fundraising proposals, web marketing (of the NGO and giving exposure to donors/sponsors) and public relations.

| Actions | Not Possible (give a reason why) | Possible: Short Term (tick where applicable) | Possible: Medium Term | Possible: Long Term |
| --- | --- | --- | --- | --- |
| An inventory of unlicensed software should be made and steps taken to legalise the required software and remove the other software. | | | | |
| A key ICT person should be trained in data backup procedures and some budget for backup devices (e.g. removable storage) and software should be allocated. | | | | |
| The information held by the organisation should be looked at to see what information is of a sensitive nature or may pose privacy issues (this is especially true about personal information on staff, members and finances). | | | | |


Level 2: Early Stages

| Description | Yes | No |
| --- | --- | --- |
| The organisation has set aside a (limited) budget for ICT expenses, including the upgrading of hardware, software and skills training. | | |
| A number of the management issues resulting from ICT use have been considered and some of the more important ones have been addressed. | | |
| A key risk management issue is what would happen if hardware were to break down/be lost or stolen. (What are the implications for the data/information assets of the organisation?) | | |
| One of the key procedures to consider is continuity planning which would include a regular data backup procedure. | | |
| Careful consideration is also given to the protection of sensitive/private data and basic procedures are put into place for security management. | | |
| Staff have been informed about the risk issues. They know about sensitive and private data, what computer viruses and other malicious software are, and are generally quite security conscious. | | |
| The organisation does not condone unlicensed (illegal or pirated) software. | | |



Move to the Next Level
| Actions | Not Possible (give a reason why) | Possible: Short Term (tick where applicable) | Possible: Medium Term | Possible: Long Term |
| --- | --- | --- | --- | --- |
| A knowledgeable staff member should be trained in and tasked with conducting a risk analysis of the ICT assets of the organisation (hardware, software, data, staff) with a heavy emphasis on data backup, business continuity and security issues. | | | | |
| Alternatively this could be done by a knowledgeable and trustworthy consultant. This would require creating a record of the ICT assets and updating it as new assets are acquired/created. | | | | |
| The key risks should be highlighted, assessed (in terms of probability of happening and potential losses incurred) and the cost of protecting against risks investigated. | | | | |
| Procedures should be put in place for those risk areas which could either threaten the survival of the organisation, where the cost of mitigation is less than the expected loss (probability of happening times expected losses) or where the mitigation procedure costs are relatively minor (e.g. sensible password selection and encryption of sensitive data). | | | | |
| Conduct staff training (ideally through personal briefing sessions) to make all staff aware of the security and risk issues and what their role is in preventing these. | | | | |


Level 3: Intermediate

| Description | Yes | No |
| --- | --- | --- |
| A systematic and formal risk-management exercise has been done and the key issues of data management and backup as well as data access have been addressed. | | |
| Business continuity has been addressed (i.e. there is a procedure in place on how to replace information systems relatively quickly should they fail/break down/get stolen etc.). | | |
| All staff are aware of and trained in basic security issues (e.g. why privacy and security are necessary, how to choose secure passwords and keep them secret). | | |
| Our organisation has an adequate budget for hardware and software. | | |
| There is a fairly complete inventory of all ICT assets, including hardware, software and information. | | |



Move to the Next Level
| Actions | Not Possible (give a reason why) | Possible: Short Term (tick where applicable) | Possible: Medium Term | Possible: Long Term |
| --- | --- | --- | --- | --- |
| The ICT asset register is formalised. This means there is an electronic inventory of the organisation’s ICT assets (see under level 4 below) which is routinely updated with the acquisition or creation of new assets such as the purchase (or disposal) of computers, installation of software, creation of new data structures, and the updating of the staff skills database from staff hiring and training records. | | | | |
| The ICT risk-management exercise is conducted and updated on a regular basis (e.g. once per annum), possibly as part of a wider organisational audit. | | | | |
| Procedures are put in place to mitigate against the various risk factors, but these are regularly reviewed from both a cost and operational perspective (e.g. by testing the restoration of backed up data or the more encompassing organisational disaster recovery plan). | | | | |





NGOPedia is a project of NGOConnect Africa - a non-profit company.