Technology Decision Makers


A group for those in nonprofit IT decision-making roles to connect with peers and share best practices. This Technology Decision Makers group is for nonprofit IT or MIS Directors/Managers as well as CIOs and CTOs to connect with their peers and share best practices. Topics for discussion include, but are not limited to: hardware and software management, product reviews, emerging technology, best practices, collaborating effectively with other departments, and management conundrums. Membership is restricted to IT staff at nonprofit organizations.

Defining Scope of Oversight for an IS Department

  • 1.  Defining Scope of Oversight for an IS Department

    Posted Jan 09, 2019 15:12
    Edited by Karintha Marshall Mar 29, 2019 18:59

    I work for  a synagogue,  and they've been around long enough - and amassed enough resources -  that they've developed a microcosm community.  So the synagogue community has helped to found their own nursery school, elementary school, religious school,  summer camp (meaning they own the campground and buildings and manage the actual camps held on the grounds),  and recently founded a social services center.  Some departments cover the functions for multiples of these subunits,  other departments or positions are exclusive to their particular unit.

    I work in the Information Systems department - which serves all subunits. There's also a shared/universal HR department, Accounting Department, Security department and Marketing/Communications department.

    Here's the situation that prompted me to post here.

    Our Security department wants to be able to access the emergency contact information for org staff easily whenever they need it.  For a variety of reasons,  the Marketing/Communications director has become the informal administrator for our schools' health information management system, which Security uses regularly for info on the students and parents.  I just accidentally found out today that several months ago,  Security, Communications, and HR got together and decided that the emergency contact information for staff should be stored in the schools' health information management system,  because Security is comfortable navigating that system.

    This raised red flags for me for several reasons, but the most prominent issues that enabled this situation to me are that
    A)  The Communications director here has administrative rights to the health management system which I don't think is right, and
    B)  The Comm director didn't seem to think that my department (Information Systems)  needed to be looped into the development and implementation of this procedure.

    My understanding/perspective is that my department should be overseeing all information systems in the org as well as any procedures concerning those systems. My department only consists of myself and two other people - and we do much more than basic systems administration (like many nonprofits, our roles cover many more functions than our titles imply). So I understand that the kind of oversight I'm speaking of may seem like too much for my department as is. But the situation described above makes me very anxious. It's not the first time this has happened, and I hate to think that our department is deemed ineffective because there's not a clear understanding of the scope of responsibility for this department.

    If you've made it down here, thanks for reading.  My questions I guess are:
    a. Is my perspective on the purpose/responsibility of my department appropriate,  or am I misguided here?
    b. Assuming that my direct supervisor - who is an exec staff person - agrees with my position,  should I be providing him with arguments to make the case to other exec staff who need to support this scope of responsibility?  If so,  what arguments have you employed for situations like this that worked?
    c. Does a conversation like this typically happen only at the exec staff level or extend to the Board?  If it extends should I be preparing a different set of points to make the case to that audience?

    Any other points that you think should be considered for a situation like this are most welcome. Thanks again and in advance for any suggestions/advice.
    Tech Accelerate

  • 2.  RE: Defining Scope of Oversight for an IS Department

    Posted Jan 09, 2019 15:27
    Hi, Karintha!

    I am a nonprofit CIO currently doing two part-time CIO jobs with a long resume behind them, and the case that I always make to leadership early on in any engagement is that technology projects fail under two conditions:

    1. IT isn't involved
    2. It's delegated completely to IT.

    My argument is that IT owns the platform and should have veto authority over software and hardware standards, and information system structure and integration.  Users own the functionality, and should have veto power over selection of applications that don't support their business processes properly (to the extent that there are systems that do so).

    Leadership should grasp the concept that, if technology is something that each manager manages independently for their own department, then they are fostering a platform of redundant, complex data sources and systems, wasting money, and losing out on the ability to really work with organizational data, as it will all be siloed. The role of IT has moved away from installing software and maintaining servers; what we do is manage platforms and interoperability, with an eye on global organizational needs.

    Peter Campbell
    Technology Solutions Provider
    Washington DC


  • 3.  RE: Defining Scope of Oversight for an IS Department

    Posted Jan 09, 2019 15:38
    Thank you for your concise insight, Peter. That makes a lot of sense.

    What I'm taking away from your statement on veto authority is that, correspondingly, they (users) should also be deciding the processes they build around and within an implemented system. And if the system as configured/designed isn't working, they should be reaching out to a department like mine vs branching out and doing their own discovery. I think in my case this would remove us completely from responsibility for data integrity.

    Am I making conclusions here that align with what you've explained,  or putting proverbial words in your mouth (which, if I've done,  please pardon!)?

  • 4.  RE: Defining Scope of Oversight for an IS Department

    Posted Jan 09, 2019 16:05
    I am a document management software vendor. Occasionally I see that some business units (HR/Legal/Contracts/etc.) think that a "cloud" solution is outside the scope of what their IT department should be involved with in determining if it is best fit... which typically ends in disaster when audited. I agree with your concern of permissions and access of secure data/documents. IT does not necessarily need to "own" the project, but they should be involved and sign off on any tech-related decision.

    K. Howard Enterprise Solutions LLC
    Kyle O'Donnell


  • 5.  RE: Defining Scope of Oversight for an IS Department

    Posted Jan 10, 2019 08:32

    Like Peter, I have a long line of nonprofit IT Director/CIO jobs on my resume.

    Currently, I'm the IT Director for a Community Action Agency.    We've got about 20 programs ranging from Head Start to Home Weatherization and First-Time Homebuyer's classes.  

    Like you, all of these programs share a common finance, HR, and IT infrastructure.

    I agree with Peter's assessment wholeheartedly (as I normally do).

    I just wanted to share some of my experience on how to get there. In a perfect world, the system Peter describes would be a dictate from the CEO that everyone would follow. In my experience, you're going to have to help build a culture that makes IT the centerpiece of these discussions. A lot of it will depend on you building relationships with the heads of these departments such that whenever the topic of technology comes up, their first thought is "let me get Karintha in on this discussion".

    When it comes to my veto of software and hardware standards, I try to never say "No".  I say, "let me put together the best way to get you what you want."

    When it comes to users' veto of functionality, I try to get into the process as early as possible. When I run into other directors or managers in the hall, I'll actually ask them if they have any projects coming up that I need to know about "so I can make sure I schedule the appropriate resources to your project". As soon as I am inside I lay out what IT's needs are and from there I tell them "you're the ones that will be working with this all day. I have these needs that I can't compromise on and outside of that I'm just here to help."

    As for the C-level staff it's an easy argument to make.  Following these guidelines costs less, gets you better customer service, and no one wants to be "that agency" in the newspaper.

    Good luck. We're all rooting for you.

    Colin Boyle
    Step Up Suncoast
    Sarasota, FL


  • 6.  RE: Defining Scope of Oversight for an IS Department

    Posted Jan 10, 2019 13:19
    I have some thoughts, but my very first question is "Are any of your health records subject to HIPAA, ed records to FERPA, and social service records to county/state/federal privacy laws"?

    If "Yes" to any of the above - what do your org's existing policies & procedures state about access to records? This info would guide my further responses, thanks.

    Winston Berger
    Data Systems Manager
    A Better Way, Inc.
    Berkeley, CA


  • 7.  RE: Defining Scope of Oversight for an IS Department

    Posted Jan 10, 2019 15:44
    Edited by Karintha Marshall Jan 10, 2019 15:46
    Hi Winston,

    The social services data is subject to HIPAA. I haven't inquired about other data regulations. The schools aren't subject to FERPA.



  • 8.  RE: Defining Scope of Oversight for an IS Department

    Posted Jan 10, 2019 15:45
    Edited by Karintha Marshall Jan 10, 2019 15:46
    Thanks for the insight and well wishes.



  • 9.  RE: Defining Scope of Oversight for an IS Department

    Posted Jan 11, 2019 01:19
    Karintha, the issue you raise is one I'd approach through a data governance lens. Data governance is about setting parameters for how data is used, where it's stored, how it's processed, and how the quality of the data is assured so that it can inform the organization's decision-making and support its activities.

    I think we'd all agree that IS should have a role and a say in the decision of where to store sensitive data and how to control access to it. The challenge you're facing is that there isn't a framework in your organization for systematically addressing not just this issue, but these types of questions more generally - how you manage integrations, security, privacy, and more. You don't want to have a turf war between departments over who owns which systems, who is responsible to service them, and who is the client and who is the provider. What you want is a governing body - a steering committee, a working group - that is cross-departmental, that determines and coordinates these kinds of issues. You as IS shouldn't have to perform this oversight alone, nor should other departments not have a seat at the table when these kinds of issues arise.

    This may be an opportunity to consider implementing a data governance team at your synagogue, and recognizing that data management is a strategy-level concern that touches on fundraising, risk management, and organizational effectiveness.

    Isaac Shalev
    Stamford CT


  • 10.  RE: Defining Scope of Oversight for an IS Department

    Posted Jan 14, 2019 09:36
    In addition to managing IT, I also oversee all of our HIPAA work. This defines many of the security decisions we make, with access to identifiable data being about the largest risk. Once HIPAA is an issue, you are basically 100% under those regulations. In our case, this means many things across the organization had to change, even though only a small portion of our staff deal with the system we use. For example, even though I am the HIPAA Compliance and Security Officer, I have no access to the system where the data is stored.

    I agree with the other comments about organization and data governance.

    Happy to be a resource if you have more HIPAA related questions. Best of luck, and hope to see you at 19NTC!

    Richard Wollenberger
    Director, Information Technology & HIPAA Compliance and Security Officer
    Parents as Teachers
    St. Louis MO
