CIO Standard Requirements
Source: https://store.theartofservice.com/cio-standard-requirements/
Sample Requirements:
The full extent of a given risk and its priority compared to other risks are not understood. Failure to address the most important risks first leads to dangerous exposures. Nearly all managers believe that their risks are the most important in the enterprise (or at least they say so) but whose risks really matter most?
Does your organization constantly monitor in real time your networks, systems and applications for unauthorized access or anomalous behavior such as viruses, malicious code insertion, or break-in attempts?
We have determined whether the goals, norms and rules of our organization are properly transmitting the value of the organizational culture to staff members and if there are areas for improvement
When deciding to outsource we know if the candidate services require extensive interactions between the service providers and the business's competitive and strategic resources and capabilities
Has the CIO ensured security training and awareness of all agency employees, including contractors and those employees with significant IT security responsibilities?
If services come in direct contact with the customers of customers, we have additional policies and guidelines required to handle user interactions and user information?
What impact has emerging technology (e.g., cloud computing, virtualization and mobile computing) had on your companys ITRM program over the past 12 months?
Do you have a good understanding of emerging technologies and business trends that are vital for the management of IT risks in a fast-changing environment?
Is the CIO or someone similar, responsible for strategic planning, implementation, and management of integrated systems identified by the IT infrastructure plan?
Our strategic approach to Service Design results in services that can be offered at a competitive market price, substantially reduced risk, or offers superior value?
1. QUICK EXPLORATORY SELF-ASSESSMENT GUIDE
Diagnose projects, initiatives, organizations,
businesses and processes using accepted
diagnostic standards and practices
Implement evidence-based best practice
strategies aligned with overall goals
Integrate recent advances and process design
strategies into practice according to best practice
guidelines
Use the Self-Assessment tool Scorecard and
develop a clear picture of which areas need
attention
The Art of Service
PRACTICAL TOOLS FOR SELF-ASSESSMENT
CIO
3. 2
Table of Contents
About The Art of Service 3
Acknowledgments 4
Complete Resources - how to access 4
Purpose of this Self-Assessment 4
How to use the Self-Assessment 5
CIO
Scorecard Example 7
CIO
Scorecard 8
BEGINNING OF THE
SELF-ASSESSMENT: 9
CRITERION #1: RECOGNIZE 11
CRITERION #2: DEFINE: 14
CRITERION #3: MEASURE: 17
CRITERION #4: ANALYZE: 20
CRITERION #5: IMPROVE: 23
CRITERION #6: CONTROL: 26
CRITERION #7: SUSTAIN: 28
Index 30
4. 3
About The Art of Service
T
he Art of Service, Business Process Architects since 2000, is
dedicated to helping stakeholders achieve excellence.
Defining, designing, creating, and implementing a process to
solve a business challenge or meet a stakeholder objective is
the most valuable role… In EVERY company, organization and
department.
Unless you’re talking a one-time, single-use project within
a group, there should be a process. Whether that process is
managed and implemented by humans, AI, or a combination
of the two, it needs to be designed by someone with a complex
enough perspective to ask the right questions.
Someone capable of asking the right questions and step back and
say,‘What are we really trying to accomplish here? And is there a
different way to look at it?’
With The Art of Service’s Standard Requirements Self-Assessments,
we empower people who can do just that — whether their title
is marketer, entrepreneur, manager, salesperson, consultant,
Business Process Manager, executive assistant, IT Manager, CIO
etc... —they are the people who rule the future. They are people
who watch the process as it happens, and ask the right questions
to make the process work better.
Contact us when you need any support with this Self-
Assessment and any help with templates, blue-prints and
examples of standard documents you might need:
http://theartofservice.com
service@theartofservice.com
5. 4
Acknowledgments
This checklist was developed under the auspices of The Art of
Service, chaired by Gerardus Blokdyk.
Representatives from several client companies participated in the
preparation of this Self-Assessment.
Our deepest gratitude goes out to Matt Champagne, Ph.D.
Surveys Expert, for his invaluable help and advise in structuring
the Self Assessment.
Mr Champagne can be contacted at
http://matthewchampagne.com/
In addition, we are thankful for the design and printing services
provided.
Complete Resources - how to access
The Complete CIO Self-Assessment Guide includes ALL questions
and Self-Assessment areas.
Included are all the CIO Self-Assessment questions in a ready to
use Excel spreadsheet, containing the self-assessment, graphs,
and project RACI planning - all with examples to get you started
right away. Go to:
https://store.theartofservice.com
Purpose of this Self-Assessment
This Self-Assessment has been developed to improve
understanding of the requirements and elements of CIO, based
6. 5
on best practices and standards in business process architecture,
design and quality management.
It is designed to allow for a rapid Self-Assessment of an
organization or facility to determine how closely existing
management practices and procedures correspond to the
elements of the Self-Assessment.
The criteria of requirements and elements of CIO have been
rephrased in the format of a Self-Assessment questionnaire, with a
seven-criterion scoring system, as explained in this document.
In this format, even with limited background knowledge of CIO,
a manager can quickly review existing operations to determine
how they measure up to the standards. This in turn can serve as
the starting point of a‘gap analysis’to identify management tools
or system elements that might usefully be implemented in the
organization to help improve overall performance.
How to use the Self-Assessment
On the following pages are a series of questions to identify to
what extent your CIO initiative is complete in comparison to the
requirements set in standards.
To facilitate answering the questions, there is a space in front of
each question to enter a score on a scale of‘1’to‘5’.
1 Strongly Disagree
2 Disagree
3 Neutral
4 Agree
5 Strongly Agree
7. 6
Read the question and rate it with the following in front of mind:
‘In my belief,
the answer to this question is clearly defined’.
There are two ways in which you can choose to interpret this
statement;
1. how aware are you that the answer to the question is
clearly defined
2. for more in-depth analysis you can choose to gather
evidence and confirm the answer to the question. This
obviously will take more time, most Self-Assessment
users opt for the first way to interpret the question
and dig deeper later on based on the outcome of the
overall Self-Assessment.
A score of‘1’would mean that the answer is not clear at
all, where a‘5’would mean the answer is crystal clear and
defined. Leave emtpy when the question is not applicable
or you don’t want to answer it, you can skip it without
affecting your score. Write your score in the space provided.
After you have responded to all the appropriate statements
in each section, compute your average score for that
section, using the formula provided, and round to the
nearest tenth. Then transfer to the corresponding spoke in
the CIO Scorecard on the second next page of the Self-
Assessment.
Your completed CIO Scorecard will give you a clear
presentation of which CIO areas need attention.
12. 11
CRITERION #1: RECOGNIZE
I N T E N T : B e a w a r e o f t h e n e e d f o r
c h a n g e . R e c o g n i z e t h a t t h e r e i s a n
u n f a v o r a b l e v a r i a t i o n , p r o b l e m o r
s y m p t o m .
I n m y b e l i e f , t h e a n s w e r t o t h i s
q u e s t i o n i s c l e a r l y d e f i n e d :
5 S t r o n g l y A g r e e
4 A g r e e
3 N e u t r a l
2 D i s a g r e e
1 S t r o n g l y D i s a g r e e
1. DevOps has undoubtedly arrived - but is it on
your CIO agenda yet?
<--- Score
2. A top-level manager acting as a champion. The
CIO?
<--- Score
3. How can economic sociology help?
13. 12
<--- Score
4. How Can Economic Sociology Help Business
Relationship Management?
<--- Score
5. Old product plus new technology leads to new
regulatory concerns which could be added burden,
how to do you deal with that?
<--- Score
6. What are the Key enablers to make this CIO
move?
<--- Score
7. Does the board have a conflict of interest policy?
<--- Score
A d d u p t o t a l p o i n t s f o r t h i s s e c t i o n :
_ _ _ _ _ = To t a l p o i n t s f o r t h i s s e c t i o n
D i v i d e d b y : _ _ _ _ _ _ ( n u m b e r o f
s t a t e m e n t s a n s w e r e d ) = _ _ _ _ _ _
A v e r a g e s c o r e f o r t h i s s e c t i o n
Tr a n s f e r y o u r s c o r e t o t h e C I O I n d e x a t
t h e b e g i n n i n g o f t h e S e l f - A s s e s s m e n t .
15. 14
CRITERION #2: DEFINE:
I N T E N T : F o r m u l a t e t h e s t a k e h o l d e r
p r o b l e m . D e f i n e t h e p r o b l e m , n e e d s a n d
o b j e c t i v e s .
I n m y b e l i e f , t h e a n s w e r t o t h i s
q u e s t i o n i s c l e a r l y d e f i n e d :
5 S t r o n g l y A g r e e
4 A g r e e
3 N e u t r a l
2 D i s a g r e e
1 S t r o n g l y D i s a g r e e
1. What are the requirements for information
availability and integrity?
<--- Score
2. What information (both incoming and outgoing)
is required by the organization?
<--- Score
3. What is the system-availability requirement?
<--- Score
16. 15
4. When deciding to outsource we know if the
candidate services require extensive interactions
between the service providers and the business’s
competitive and strategic resources and
capabilities
<--- Score
5. We know how we will get to offer the services
that are required to meet our long term goals
<--- Score
6. We know what capabilities and resources are
required for the organization to achieve those
services
<--- Score
7. We know services are required to meet our long
term goals
<--- Score
A d d u p t o t a l p o i n t s f o r t h i s s e c t i o n :
_ _ _ _ _ = To t a l p o i n t s f o r t h i s s e c t i o n
D i v i d e d b y : _ _ _ _ _ _ ( n u m b e r o f
s t a t e m e n t s a n s w e r e d ) = _ _ _ _ _ _
A v e r a g e s c o r e f o r t h i s s e c t i o n
Tr a n s f e r y o u r s c o r e t o t h e C I O I n d e x a t
t h e b e g i n n i n g o f t h e S e l f - A s s e s s m e n t .
18. 17
CRITERION #3: MEASURE:
I N T E N T : G a t h e r t h e c o r r e c t d a t a .
M e a s u r e t h e c u r r e n t p e r f o r m a n c e a n d
e v o l u t i o n o f t h e s i t u a t i o n .
I n m y b e l i e f , t h e a n s w e r t o t h i s
q u e s t i o n i s c l e a r l y d e f i n e d :
5 S t r o n g l y A g r e e
4 A g r e e
3 N e u t r a l
2 D i s a g r e e
1 S t r o n g l y D i s a g r e e
1. Budget and Schedule: What are the estimated
costs and schedules for performing risk-related
activities?
<--- Score
2. We get input from Service Transition on what
the implications are with each strategic choice in
terms of costs, time, and risks
<--- Score
19. 18
3. We know if extra value generated from
performing an activity inside the organization out
weighs the cost of managing it.
<--- Score
4. We know if our strategy is based on reducing
costs or improving quality
<--- Score
5. We have defined if we follow Cost Recovery,
Value Centre or Accounting Centre principles
<--- Score
6. We know which services cost us the most, and
why
<--- Score
7. Our differentiation strategy is resulting in
higher profits or revenues, lower costs, or greater
service adoption
<--- Score
A d d u p t o t a l p o i n t s f o r t h i s s e c t i o n :
_ _ _ _ _ = To t a l p o i n t s f o r t h i s s e c t i o n
D i v i d e d b y : _ _ _ _ _ _ ( n u m b e r o f
s t a t e m e n t s a n s w e r e d ) = _ _ _ _ _ _
A v e r a g e s c o r e f o r t h i s s e c t i o n
Tr a n s f e r y o u r s c o r e t o t h e C I O I n d e x a t
t h e b e g i n n i n g o f t h e S e l f - A s s e s s m e n t .
21. 20
CRITERION #4: ANALYZE:
I N T E N T : A n a l y z e c a u s e s , a s s u m p t i o n s
a n d h y p o t h e s e s .
I n m y b e l i e f , t h e a n s w e r t o t h i s
q u e s t i o n i s c l e a r l y d e f i n e d :
5 S t r o n g l y A g r e e
4 A g r e e
3 N e u t r a l
2 D i s a g r e e
1 S t r o n g l y D i s a g r e e
1. Are losses documented, analyzed, and remedial
processes developed to prevent future losses?
<--- Score
2. Have all non-recommended alternatives been
analyzed in sufficient detail?
<--- Score
3. Why identify and analyze stakeholders and their
interests?
<--- Score
22. 21
4. Have changes been properly/adequately analyzed
for effect?
<--- Score
5. Does the practice systematically track and analyze
outcomes related for accountability and quality
improvement?
<--- Score
6. Do staff have the necessary skills to collect, analyze,
and report data?
<--- Score
7. Have the concerns of stakeholders to help identify
and define potential barriers been obtained and
analyzed?
<--- Score
A d d u p t o t a l p o i n t s f o r t h i s s e c t i o n :
_ _ _ _ _ = To t a l p o i n t s f o r t h i s s e c t i o n
D i v i d e d b y : _ _ _ _ _ _ ( n u m b e r o f
s t a t e m e n t s a n s w e r e d ) = _ _ _ _ _ _
A v e r a g e s c o r e f o r t h i s s e c t i o n
Tr a n s f e r y o u r s c o r e t o t h e C I O I n d e x a t
t h e b e g i n n i n g o f t h e S e l f - A s s e s s m e n t .
24. 23
CRITERION #5: IMPROVE:
I N T E N T : D e v e l o p a p r a c t i c a l s o l u t i o n .
I n n o v a t e , e s t a b l i s h a n d t e s t t h e
s o l u t i o n a n d t o m e a s u r e t h e r e s u l t s .
I n m y b e l i e f , t h e a n s w e r t o t h i s
q u e s t i o n i s c l e a r l y d e f i n e d :
5 S t r o n g l y A g r e e
4 A g r e e
3 N e u t r a l
2 D i s a g r e e
1 S t r o n g l y D i s a g r e e
1. Does the board explore options before arriving
at a decision?
<--- Score
2. Has your organization consciously assessed the
appropriate level at which particular decisions
should be made?
<--- Score
3. Is there disagreement or conflict about a
25. 24
decision/choice or course of action to be taken?
<--- Score
4. Our positioning guides the organization in
making decisions between competing resources
and capability investments
<--- Score
5. Is the role of the CIO, for example, to build
relationships, or is this what a CIO does to
optimize value from it?
<--- Score
6. Do CIOs have the right tools and enough
information to optimize and manage their it
assets?
<--- Score
7. Do CIOs have the personnel, policies, and
procedures in place to optimize it assets?
<--- Score
A d d u p t o t a l p o i n t s f o r t h i s s e c t i o n :
_ _ _ _ _ = To t a l p o i n t s f o r t h i s s e c t i o n
D i v i d e d b y : _ _ _ _ _ _ ( n u m b e r o f
s t a t e m e n t s a n s w e r e d ) = _ _ _ _ _ _
A v e r a g e s c o r e f o r t h i s s e c t i o n
Tr a n s f e r y o u r s c o r e t o t h e C I O I n d e x a t
t h e b e g i n n i n g o f t h e S e l f - A s s e s s m e n t .
27. 26
CRITERION #6: CONTROL:
I N T E N T : I m p l e m e n t t h e p r a c t i c a l
s o l u t i o n . M a i n t a i n t h e p e r f o r m a n c e a n d
c o r r e c t p o s s i b l e c o m p l i c a t i o n s .
I n m y b e l i e f , t h e a n s w e r t o t h i s
q u e s t i o n i s c l e a r l y d e f i n e d :
5 S t r o n g l y A g r e e
4 A g r e e
3 N e u t r a l
2 D i s a g r e e
1 S t r o n g l y D i s a g r e e
1. How secure -well protected against potential
risks - is the information system ?
<--- Score
2. Does your company have defined information
technology risk performance metrics that are
monitored and reported to management on a
regular basis?
<--- Score
28. 27
3. Do you actively monitor regulatory changes for
the impact of ITRM?
<--- Score
4. Have you defined IT risk performance metrics
that are monitored and reported?
<--- Score
5. Which risks are managed or monitored in the
scope of the ITRM function?
<--- Score
6. Does your organization constantly monitor in
real time your networks, systems and applications
for unauthorized access or anomalous behavior
such as viruses, malicious code insertion, or break-
in attempts?
<--- Score
7. Can we learn from other industries?
<--- Score
A d d u p t o t a l p o i n t s f o r t h i s s e c t i o n :
_ _ _ _ _ = To t a l p o i n t s f o r t h i s s e c t i o n
D i v i d e d b y : _ _ _ _ _ _ ( n u m b e r o f
s t a t e m e n t s a n s w e r e d ) = _ _ _ _ _ _
A v e r a g e s c o r e f o r t h i s s e c t i o n
Tr a n s f e r y o u r s c o r e t o t h e C I O I n d e x a t
t h e b e g i n n i n g o f t h e S e l f - A s s e s s m e n t .
29. 28
CRITERION #7: SUSTAIN:
I N T E N T : R e t a i n t h e b e n e f i t s .
I n m y b e l i e f , t h e a n s w e r t o t h i s
q u e s t i o n i s c l e a r l y d e f i n e d :
5 S t r o n g l y A g r e e
4 A g r e e
3 N e u t r a l
2 D i s a g r e e
1 S t r o n g l y D i s a g r e e
1. How efficacious and safe is shortacting
methylphenidate for the treatment of attention-
deficit disorder in children and adolescents?
<--- Score
2. The risk culture – as a share of the company
culture – determines how the employees behave
in dealing with risks: Do they perceive the risks
consciously?
<--- Score
3. Do we test how easily an external attacker
or malicious insider could successfully attack a
30. 29
system?
<--- Score
4. Does our security and fraud analytics monitor
and manage online reputations as well as screen
and detect suspicious activities and behaviors?
<--- Score
5. Are malicious software scanning tools deployed
on all workstations and servers?
<--- Score
6. How do you ensure that systems and
applications are appropriately and sufficiently
isolated and protecting against malicious server to
server communication?
<--- Score
7. If you provide a technology service, do you
test products for malicious code or other security
flaws?
<--- Score
A d d u p t o t a l p o i n t s f o r t h i s s e c t i o n :
_ _ _ _ _ = To t a l p o i n t s f o r t h i s s e c t i o n
D i v i d e d b y : _ _ _ _ _ _ ( n u m b e r o f
s t a t e m e n t s a n s w e r e d ) = _ _ _ _ _ _
A v e r a g e s c o r e f o r t h i s s e c t i o n
Tr a n s f e r y o u r s c o r e t o t h e C I O I n d e x a t
t h e b e g i n n i n g o f t h e S e l f - A s s e s s m e n t .