Audit and Assurance


Who should decide on System Ownership?

  • 1.  Who should decide on System Ownership?

    Posted 15 Aug, 2019 08:48
    Okay, I have a scenario whereby our Customer Relationship Management system (CRMS) just went live early this year. The system is used by a lot of departments. Problem is, who should own this system? Every system needs to have an owner to establish accountability. For example, a Human Resource application is owned by the HR of the company. That is clear cut. But what about CRMS? Who decides the ownership? The CEO of the company? Or must this be tabled to a committee which will unanimously decide the system owner?

    I am pretty sure if you throw this to the departments that are using the system, no one wants to own it.

    Kindly enlighten me.

    Appreciate it.

    Thanks.


  • 2.  RE: Who should decide on System Ownership?

    Posted 16 Aug, 2019 02:32

    Hi Harith,

    There are a few basic rules that provide broad guidance on defining ownership. For instance, who was the key user while the system was conceived and requirements were finalised? Who is the most relevant user? Who is requiring the system the most? Who is updating and utilising the system the most? Whose business is impacted, and how much, if the system is not available? Who is currently making most decisions about the system as of now? Just do similar probes and create a matrix so the three highest-scoring departments or functions become the candidate owners.

    Now you go to the steering or similar committee with all of the above information in a condensed form that they can consume (i.e. the three candidates and how you arrived at the three candidates), and then they make recommendations for the ownership, which is endorsed by the CEO.

    The above need not be followed strictly, but it provides the basic steps.

    Hope this helps.

    Faisal.



    ------------------------------
    Faisal Khan
    CISA, CISM, CISSP
    Head of Security & Business Resilience
    ------------------------------



  • 3.  RE: Who should decide on System Ownership?

    Posted 16 Aug, 2019 02:45
    Hi Faisal,
    Thanks for the response! Appreciate it. Are you saying that during the project implementation stage (before the system went live), the Project Steering Committee (PSC) should have identified the owner of this system? Specifically the chairman of the PSC? So in my case, if we are to recommend an ownership of the system, must the finding go straight to the chairman of the PSC?

    Answering your questions below:

    who was the key user while the system was conceived and requirements were finalised?

    - The Customer Service unit team.

    Who is the most relevant user?

    - There are a lot of relevant users that use this application system.

    Who is requiring the system the most?

    - The relevant users from customer service team to pension operations team to query team.

    Who is updating and utilising the system the most?

    - All 3 above.

    Whose business is impacted, and how much, if the system is not available?

    - All 3 above.

    Who is currently making most decisions about the system as of now?

    - The system just went live in December 2018, so currently there has not been any enhancement to the system yet. But if the query team wants to enhance the system, they will do a change request with IT. The same goes for the customer service team and pension operations team.



  • 4.  RE: Who should decide on System Ownership?

    Posted 17 Aug, 2019 01:14
    Hi Harith,

    You can see from your answers that the customer services department appears to be the strongest candidate for the system ownership.

    Kind regards,
    Faisal

    ------------------------------
    Faisal Khan
    CISA, CISM, CISSP
    Head of Security & Business Resilience
    ------------------------------



  • 5.  RE: Who should decide on System Ownership?
    Best Answer

    Posted 17 Aug, 2019 01:35
    I would pose another couple of questions, as I think they are more instructive in this case:

    1. What group funded the project primarily?
    2. What does "ownership" entail?

    Ownership is a term that is used differently in various contexts, and there can be (and usually are) different kinds of owners. For example, a data owner might have ultimate responsibility and accountability for what happens with the data used by the system. This would include things like specifying who has access to what data, and what type of access, whether the data may be transferred, setting retention periods, etc.

    In many organizations, there is no "owner" as such. Instead, systems are built as parts of projects and initiatives, with decisions being made by a steering committee made up of representatives of the various stakeholder groups. Ultimately, the "owner", though, would be the executive sponsor of the project/initiative, from whose budget the project is funded, and whose compensation is ultimately tied up with the success or failure of the project and system.

    Jim


    ------------------------------------

    Jim Scardelis, CISA, CISSP, PCI 3DS, PCIP, CIPP/US, CIPP/C, CIPP/E, CIPT, MCSE


    ✉️ jim@jceltd.com | http://www.linkedin.com/in/jimscard/

    Any views or opinions contained in this communication are solely those of the author, and do not necessarily represent those of any organizations or entities the author may be associated with.








  • 6.  RE: Who should decide on System Ownership?

    Posted 20 Aug, 2019 06:50
    I was thinking along the same lines as @James Scardelis on this one.

    Understanding who paid for the initial system is a good place to start.  Perhaps budget was allocated from all the groups, which would make ownership difficult to assign.

    The concept of ownership itself has many nuances. Part of any implementation should include a chart of which group will provide customer support, do enhancements, and troubleshoot problems (typically IT functions), and manage entitlements (privileged and user) to the system. As to ownership, if multiple groups are involved, a prioritization method for enhancements also needs to be established. If there are multiple users, who gets their enhancement requests prioritized highest? Who will pay for upgrades required to support the system in the future (hardware, internal development, or vendor support if externally hosted and/or a COTS system)?

    Defining an "owner" for the sake of applying a label to the system is not good practice; defining what "ownership" entails must come first.

    ------------------------------
    Henry Bottjer
    Lead IT Auditor
    ------------------------------



  • 7.  RE: Who should decide on System Ownership?

    Posted 26 Aug, 2019 01:52
    Edited by Mohd Aidil Mohd Harith 26 Aug, 2019 04:02
    I am about to raise this observation to the management; however, I want to put this as a medium risk since

    (a) The users of this CRMS system are relevant users, and there are no unauthorised users in it.
    (b) All user IDs are active. There are no user IDs belonging to resigned staff.

    But it may lead to those if it is not addressed sooner; in the meantime, I am going to give this a medium risk.

    Anyway, I was wondering, is there a system that has a few owners? Based on my experience, I have never seen one. Previously we had a system that was used by many departments, but it was still owned by one department.




  • 8.  RE: Who should decide on System Ownership?

    Posted 16 Aug, 2019 02:46
    Hi,

    You are correct in stating that it needs to be decided at senior management level. An alternative approach would be to take the CRM away. Stop users from using or being able to access the resource. You will soon find out who wants to own it then.

    ------------------------------
    Leon Mattear
    Security Manager
    ------------------------------



  • 9.  RE: Who should decide on System Ownership?

    Posted 21 Aug, 2019 03:22
    Edited by Mohd Aidil Mohd Harith 21 Aug, 2019 03:39
    Leon,
    I like how you write it. Direct and straight to the point. If I were to take away the CRM, I can safely say the Customer Relationship team is going to be affected the most, considering they use the system the most. I just got hold of the users of the CRM application.

    IT team - 6 users
    Customer Relationship Team - 23 users
    Query team - 7 users
    Pension ops team - 5 users
    Admin built-in ID for Vendor - 1 user

    I also got hold of the Project Steering Committee to which this project was presented before it went live, and the Chairman isn't C-level but only the Head of Department, who retired a few months back. So should I issue a recommendation to the Customer Relationship Team to consult the new Head of Department on who should be owning this system?

    Or must they bring it up to a committee for deliberation? (E.g. Risk management committee)

    Mohd Aidil Harith
    CISA.



  • 10.  RE: Who should decide on System Ownership?

    Posted 21 Aug, 2019 04:02
    Hi Mohd,

    I think that it is a good approach to speak to the new head of CRM, tell him or her that this should have been carried out on the handover (ownership) but was missed, and that you want to make them aware of their responsibilities concerning the asset. See what they say. They may just accept it or ask some questions, such as why them; be ready with your answers, such as: your department requested it, albeit before they joined; your department is the biggest user and therefore would miss it; and they should have the use of it captured in a BIA for BCP. If that doesn't work, then go above to the board or SMT.

    ------------------------------
    Leon Mattear
    Security Manager
    ------------------------------



  • 11.  RE: Who should decide on System Ownership?

    Posted 04 Sep, 2019 17:38

    It may help if you go back to the project documentation. Who sponsored the project? Who were the key stakeholders/users? Whose budget paid the consultants? It might be CS or Sales, but you can check.



    ------------------------------
    Marino Mata
    Auditor
    ------------------------------