5. Criteria of excellence
5.1 Excellence criteria without predecessors
With this we arrive at another excellence criterion: order. It is also an extension of one of my formerly defined excellence criteria, namely documentation; or rather, documentation is one of its necessary conditions [Szenes, 2010, GRC].
Just as in the case of functionality, order, as an excellence criterion, cannot be defined by itself either, but I can determine when I consider the order of something to be adequate.
Let us begin with the generalization of "documentation". My proposal for it in 2011 was:
"Every activity should be preliminarily planned, and documented at every phase of its lifecycle. The phases are those parts of the lifecycle, that are separated from each other by concrete deliveries, as milestones" [Szenes, 2011, Hack.].
This can also be considered to be the requirement of adequate documentation of operations. So let us accept it for this scope, too.
Six years of research by Melancon, described in the journal of ISACA, proved that some of the characteristics that I take to be components of the criterion "order", e.g. change management and configuration management, taken with a scope restricted to IT, contribute considerably to the market success of corporations [Melancon, 2007].
Thus it seemed worthwhile to extend documentation, which can greatly contribute to the effort of setting things right in an institution, towards a more general, composite "order" requirement, for which the above "operational" documentation is "only" a special case, or a component. I chose "order" to be this composite excellence criterion. Quite a lot of important criteria can be considered its components besides "documentation", e.g. business continuity management (BCM) and incident management. The latter is not at all independent of change management.
BCM is a composite criterion by itself, containing, e.g., regular or, preferably, continuous monitoring of the state of the assets, and the processing of the results by means of an incident management tool, which has to have other capabilities, and so on.
IT documentation also has special cases or, in other words, components, for example change management, release management, and configuration management. Melancon found that the benefit of the improvement activities also complies with the Pareto Principle: 20 percent of the activities provide 80 percent of the benefits, and among these activities IT configuration management and IT change management had outstanding positions.
The generalization of change management from IT to operations is trivial; the following are to be registered in both cases:
• the subject, the current version number of the change, if the latter can be interpreted for the case,
• the date of the submission of the change issue, and
• the date, from which it is effective,
• the requestor's name, role, place in the organizational hierarchy,
• the same information about the executor,
• the place of the change in the thing to be changed, if this can be interpreted for the case,
• the reason, and the contents of the change request,
• the permitter's name, role, place in the organizational hierarchy,
• the acknowledger's name, role, place in the organizational hierarchy.
Configuration management, if it is introduced at all in the procedures of an institution, is restricted to the IT infrastructure; at least I have not seen it used for any other kind of assets. Having the staff keep configuration management alive is already a very difficult task, as using the automation, if any such relief is available at all, is usually uncomfortable, so this requirement meets the resistance of the systems engineers, who have to feed the data into the inventory. Unfortunately, configuration cannot be managed at all without a precise, up-to-date inventory, no matter what kind of things belong to the actual configuration.
To generalize the so-called IT resources of COBIT 4.1, which are application, information, infrastructure, and people, would be a natural way for us to follow in generalizing the scope of configuration management from IT infrastructure towards operations. Following this line, I extend my scope from IT towards operations with the management of HR, material, and immaterial resources. In my interpretation, HR management also includes shaping organizational structures to business goals, and training.
The management of the assets satisfying my asset handling excellence criteria, to be introduced here, can be considered a special case of this generalization.
My goal was to align the definition of order with market success but, at the same time, I wanted my notion of "order" to comply with the everyday meaning of the word "order" [Szenes, 2012, MM].
The operations of an institution go in so-called "order" - or, in other words, the order of operations is called adequate - if top management takes up the responsibility for the well-being of the institution. This involves, on the one hand, the determination of the strategy, aligning it with market success, and its continuous maintenance, and, on the other hand, having the firm fulfill the strategic goals.
To achieve success on the market, at least the following are needed:
• the identification of both the business goals and those requirements of the social and natural environment, that have to be fulfilled,
• the periodic update of the strategy,
• the provision for those institutional conditions, that serve the fulfillment of these goals and requirements.
Any of these tasks can be delegated to subordinates, but the responsibility stays at the top.
Every idea described here is intended for use in any kind of institution. It can be either a private enterprise or any kind of organization of the governmental sector just as well. The market success of this sector depends on the satisfaction of the citizens, besides preserving the fulfillment of such excellence criteria as, e.g., those introduced here. Another excellence criterion, cost / effectivity, for example, is a frequent requirement in government administration.
Provisioning for the institutional conditions involves preparing guidelines, choosing best practice to be followed, having an organizational structure created, having procedural rulebooks written according to these, etc.
However, I do not want to pretend to have enumerated all of the tasks to be done in order to achieve market success, nor do I think this to be possible.
With order and its components, we have numerous examples of the dependence of the excellence criteria on each other. One of them can belong either to the scope or to the range of another.
The scope of documentation - which belongs to the criterion "order" - preferably intersects with that of every other criterion: it should be obligatory to document the level of their fulfillment.
Business continuity management, change management, and incident handling also have trivial connections, e.g. the first is impossible without the other two.
Another example can be the relation between strategy-driven goal and risk management excellence, and more or less every other excellence criterion. For years now, in the everyday life of information security departments, one of the most important goals of risk management has always been a special case of the proposals discussed here. This goal is to ensure (to a reasonable extent, of course) the fulfillment of just those criteria, but restricted to IT scope only, that I generalized to asset handling excellence criteria: availability, integrity, and confidentiality. These three requirements have always been in the focus of the different best practice methods, even if my suggested criteria seem to be just as important as they are, illustrating, hopefully, the significance of my extensions and generalizations.