How healthy is your company's IT strategy? Are some areas stronger than others? How do you know whether you're making progress or targeting the right area? As an IT manager, you probably spend a lot of time thinking about these questions. Believe it or not, that feared end-of-the-year report card you got in elementary school might hold the answers—with a few tweaks, of course. That's right—report cards for the network, although I call them scorecards. Scorecards are a convenient way to assess your IT services and staff and measure improvement over time.

The Policy-Driven IT Model
The IT scorecard that I discuss is based on a policy-driven IT model developed by members of Microsoft's Trustworthy Computing team. The model enables organizations to better tie their IT systems to business requirements and encourages institutional control of IT. The fundamental theory behind the model is that you create policies depending on your business requirements and build your IT services according to those policies.

As you can see in Figure 1, the policy-driven IT model starts with written policies. Policies are the fundamental rules by which an IT service must operate to meet business objectives. After you establish policies—for network password security or Web site availability, for example—you determine the processes and procedures that you'll use to administer and govern the IT services that facilitate the policy. For network password security policies, for example, these processes might include account provisioning and deprovisioning.

At this point, and not before, you choose the enabling technologies (hardware and software) for the IT service. For network password security, these technologies might include software for directory password synchronization or hardware for multiple-factor authentication. Determining policies, processes, and procedures before deciding on technologies ensures that you don't let technology drive your IT services at the expense of business activities. Too often, IT managers base the types of IT services they provide on the enabling technology that they've already selected rather than searching for the best available solution.

After you select the most appropriate technology for the service, you can then design, configure, and deploy the technology in the model's implementation phase. Near the end of the implementation phase, you begin to document the inner workings of the service and create the structure for its day-to-day operation, including training, problem resolution, and regular maintenance. Each IT area (e.g., procedures, implementation) of the model eventually traces back to the initial policy that your company created, giving IT managers and executives a complete view of their IT operations. For example, an IT manager could review the network password security model and see how strong the ties are between operations and policy.

The IT Scorecard
This policy-driven model also makes it convenient to assess the completeness and performance of services that the IT department provides. To do so, you'll create a scorecard that assesses each IT area of the model for each IT service policy that you have. You need to determine in advance the criteria by which you'll assess the IT service within each area to ensure a consistent standard by which all IT services are evaluated.

You might want to create separate scorecards for major IT commitments, such as availability or security, to narrow your assessment criteria. Also, timing assessments in advance of major business or employee review cycles lets management use the results to show improvements or deficiencies. Although you can use a more sophisticated method of assessment and reporting, I've found that a simple method of scoring generally is more effective when communicating the results of the assessment to both executive management and IT professionals. After you evaluate the completeness and compliance of each policy according to your predefined criteria, give each policy a score. I typically use the following key to assign a score (and associated color) for each policy:

  • 3—OK (green)
  • 2—Needs improvement (blue)
  • 1—Poor (yellow)
  • 0—Nonexistent (red)

Create a color-coded spreadsheet, like the one Figure 2 shows, to display your results. The colors let you easily concentrate on the blue, yellow, and red areas, which need improvement. Add the scores for each row to determine the policy score, and add the scores for each column to determine the IT area score. These scores let you rank which IT services are more effective than others and which areas of the IT model your organization is more effective at fulfilling.

The scorecard in Figure 2 shows that the most effective IT service in this example is the wireless network, which has a policy score of 17; the least effective area is the network access policy for guests, which has a policy score of 4. From the IT area score, you can see that the area that needs the most attention is documentation, which likely will come as no surprise considering how much IT professionals love to produce documentation. The color coding makes the scorecard quick and easy to read and understand, which is important when you communicate with executive management.

Creating the scorecard is only the beginning. To drive improvements to the IT services that you identify as needing attention, answer the following questions for each IT area that requires improvement:

  • Policy—What changes in the organization's IT services policies will be required, either directly (as a result of changes in business goals) or indirectly (as a result of changes in technology or other areas)?
  • Process—What processes and procedures will your organization need to create or modify to improve the IT services? How will these changes affect other areas of the IT model, such as operations?
  • Technology—What technology will you use for the solution? Does the technology that you require exist in Commercial Off-the-Shelf (COTS) software, or will you need to build a custom technology?
  • Implementation—How will you implement the recommended improvements, technical or nontechnical, and how can users or administrators comply with the recommendations? What architectural or configuration changes will you need to make?
  • Documentation—What must you add, modify, or remove from network diagrams or system documentation as a result of the changes?
  • Operations—How will the daily maintenance and management of IT systems change? Is training required? How will the changes affect staffing?

Ongoing Evaluations
The IT scorecard lets you create performance goals for your IT staff. For example, according to the sample scorecard, you might set a performance objective for the staff that manages passwords to improve its operations score from 1 to 3 by the end of the year. Then, you'll work with the staff to determine specific actions to take and the success criteria that you'll measure in future assessments.

As you repeat the assessment over time, you can compare the scorecard from previous evaluations to show how you, as an IT manager, have been successful at improving the IT services you provide to the organization. Going to executive management with clear illustrations about how you've improved the IT department's ability to meet business goals and how you've measured the improvements will not only help demonstrate your effectiveness as a manager, but also might thicken your wallet. If different groups or people are responsible for different IT services or areas, you can use this model and scorecard as the basis for determining the relative strengths and weaknesses of your IT staff.

Using this method of IT management and assessment, you can begin to drive continued, structured improvement to the IT services your department provides to the organization and have an easily digestible way of displaying that improvement over time. Unlike the yellow report cards that you received in grade school, you might actually look forward to this report card.