This blog post was written by Amy Ahner, Director of Administrative Services, Glenview, Illinois, on behalf of the ICMA-OnBase by Hyland Advisory Panel on Technology Content.

An information technology (“IT”) assessment is a thorough analysis of an organization’s network and computer equipment and software which is then compared against industry best practices.  The assessment involves connecting an appliance to the network that gathers information on each connected hardware device.  Prior to commencement, the system administrator and/or designated staff interviews with the vendor conducting the assessment to provide a technical system overview, set expectations, determine access and establish a schedule.  The assessment output is technical and so it is typically analyzed against current industry best practices and then summarized in a report that includes recommendations to address system deficiencies and make improvements.

Organizations conduct assessments for many purposes including adherence to audit or compliance requirements (such as those for the Payment Card Industry (PCI), Health Insurance Portability and Accountability Act [HIPPA] and Sarbanes-Oxley), external and independent verification of risk, or because of a contractual requirement of an IT service provider.  In these cases, assessment is conducted on a routine basis.  Assessments can also be used to ensure vendor performance, produce network connectivity maps, and provide recommendations that can be incorporated into an IT Strategic Plan or a Request for Proposals.  Assessments are conducted on an as-needed basis for these purposes.

There are a variety of industry products for conducting an assessment and they are commonly referred to as network security scans, penetration tests, and vulnerability tests or vulnerability assessments.  The products come in the form of a hardware appliance and associated software.  The services are scalable to an organization’s needs and can include network scans, external security vulnerability scans, internal user behavior scans, and email and database scans.  They are generally compatible with any operating system. 

The mechanics of an IT assessment involve connecting the appliance to the central entry point on the network (typically a core switch behind the firewall), provisioning its network privileges and then running the scan.  The duration of a scan depends on the size of the network.  A typical scan lasts a few days in order to capture devices that are not turned on daily.  This can be extended to larger networks or when an organization has multiple locations separated by firewalls for which the appliance must be connected at each entry point and then the scan conducted.  Due to these complexities, the cost of an assessment can vary.  An organization should generally expect a $7,500-$10,000 investment for an assessment and recommendation report.

An IT assessment will:

• Identify system deficiencies such as a computer installed with an obsolete operating system, permissive file access, misapplied or unapplied operating system patches and firmware updates, and unnecessary accounts
• Assess risk of connecting to the organization’s network (valuable for shared project evaluation)
• Assist with staffing decisions such as identifying required staffing skills, assessing current performance or evaluating whether to outsource
• Pinpoint infrastructure gaps where network redundancy or equipment lifecycle replacement plans may be missing or network hardware is inappropriately scaled to the organization’s demands
• Reveal security weaknesses where password standards are not being enforced or the physical security of equipment needs improved

When embarking on an IT assessment, an organization may be challenged by the lack of cooperation from internal staff if they consider their position or integrity threatened by the evaluation.  Managers should guide the vendor to senior management to understand the purpose of the assessment and key deliverables.  Managers need be prepared to address both positive and negative system governance or performance outcomes.

An IT assessment can provide significant value to an organization.  For a relatively low cost, the results prove compliance or provide the foundation to create a plan for system and network improvement priorities.  Other benefits include assessing risk, ensuring proper update and monitoring procedures are being followed, eliminating threats and reducing network downtime, increasing security and protecting assets, and assessing preparedness to incorporate new technology.