S 2.2 Resource management
Initiation responsibility: Top Management
Implementation responsibility: Head of IT, Head of Organisation
The term resources (or supplies) refers to all working materials required to perform a given task or business process. This includes, for example, all tools, equipment, and office furnishings required. Resources for the use of IT include hardware components (computer, keyboard, printer, etc.), software (system software, individual programs, standard programs, and similar software), consumables (paper, toner, printer cartridges), and data media (magnetic tapes, hard disks, removable hard drives, CD-ROMs, and similar items). Resource management consists of performing the following tasks:
- purchasing the resources,
- evaluating the resources before use,
- labelling, and
- inventory management.
The purchasing of resources is of particular importance when using information technology. Specifying a controlled purchasing procedure especially helps to reach the goals aimed for through the use of information technology: increased performance, cost-effectiveness, and improved communication capabilities.
In addition to purely economic aspects, a controlled purchasing procedure - which can be performed at a central location - can also take into account new developments and improvements in the area of information technology to an enhanced degree.
A central purchasing procedure also ensures that "in-house standards" are introduced and maintained, which also makes it easier to train the employees and perform maintenance.
A controlled evaluation process before the use of the resources will avert various threats. Examples include:
- The completeness of deliveries should be checked (to ensure the manuals or connection cables were supplied, for example) in order to guarantee the availability of all items to be delivered.
- New PC software as well as new, preformatted data media should be scanned by a computer virus detection program.
- New software should be tested on test systems to ensure it can be used without any problems in business operations.
- The compatibility of new hardware and software components with the existing components should be checked before purchasing in order to avoid mispurchases.
It is only possible to determine how much of a resource was consumed and re-order the resources needed promptly if an inventory of the resources is maintained. Furthermore, having an inventory enables checking the inventory for completeness, checking whether any unapproved software is being used, or determining whether any resources were stolen. This includes clearly labelling the most important resources with unique identification marks (e.g. groups of sequential inventory numbers). In addition, the serial numbers of the devices available such as monitors, printers, hard disks, etc., should be documented so that they can be identified if stolen.
In order to maintain an inventory of the resources, the resources must be entered in inventory lists. Such an inventory list must be able to provide the following information:
- identification features,
- purchasing sources, delivery times,
- current location of the resources,
- storage,
- rules for handing out resources, and
- maintenance contracts, maintenance intervals.
In order to prevent any misuse of data, rules must be created relating to the deletion or destruction of resources. In particular, there must be rules specifying how to handle paper collected for recycling. There must also be suitable disposal methods for consumables with high protection requirements, for example shredders for paper documents. Further details can be found in module S 1.15 Deleting and destroying data.
Review questions:
- Is it possible to determine the amounts of resources in stock and where they are located from the inventory lists?
- Are consumables that are no longer needed disposed of properly?
- Was a security policy for the migration phase drawn up, also taking into consideration the testing and introduction phases, which is continuously developed and substantiated?
- Is it ensured that productive data is not used as test data in an unprotected manner during the migration phase?
- Are the employees of the customer and those of the outsourcing service provider prepared for migration?
- Are all changes incorporated into the security policy upon completion of the migration phase?
- Is it ensured that all exceptions are reversed at the end of the migration phase?