Procedures and Controls Documentation Guidelines

ProcedureGuidelinesandControls Documentation
May23,2006
(rev3May16,2006)
AProposedTemplateforGovernance:ProcessDocumentationandProcessArchitecture AsalignedtoCobiTProcessManagementandDocumentationControls,ISO9001 ProcessDocumentationMethodologyandCOSOERMStandardsforEnterpriseRisk Management Author RobinBasham,M.IT,M.Ed,CISA President,PhoenixBusinessandSystemsProcess
TemplateCopyright[CompanyName]
Copyright2006,PhoenixBusinessandSystemsProcess,Inc.Needham,MA,USA, MorefromPhoenixBusinessandSystemsProcess,http://www.pbandsp.com
Page 1of 80
ProcedureGuidelinesandControlsDocumentation
RobinBasham,M.IT,M.Ed.,CISA
ProcessProfile
ProcessOwners: ProcessOwners Departments: ProcessOwnerAt Release: ReleaseApprovalList: DistributionList: DocumentAuthors: Confidential DataClassification: EffectiveDate: RevisionDate:
VersionControl
RevisionNotes Revision Code Revision Author Revision Release Date Release Approvedby
Page 1of 80
TableofContents
PurposeandScope............................................................................................................................................. 5 PolicyStatement.............................................................................................................................................. 5 Requirements .................................................................................................................................................. 5 DocumentLibraryManagementProgram .................................................................................................... 5 RolesandResponsibilities ............................................................................................................................... 6 ProcessLibrarian......................................................................................................................................... 6 SecurityorResourceAdministration ........................................................................................................... 7 BusinessUnitandDepartmentDataOwners................................................................................................ 7 AccessControl ................................................................................................................................................ 7 AudienceandAuditConsiderations ................................................................................................................. 8 WritingStandards............................................................................................................................................ 8 ChangeRequirements...................................................................................................................................... 8 KeyControls ................................................................................................................................................... 8 DataClassificationandDataOwners ............................................................................................................... 8 NamingConventions ....................................................................................................................................... 9 DocumentTypesandTheirUse ........................................................................................................................ 9 WhatTypeofDocumentDoINeedToWrite? ................................................................................................ 9 FormsandTemplates.................................................................................................................................. 9
GettingStarted: ......................................................................................................................................................1 NewObjectSupportRequest ..................................................................................................................................1
HowDoIValidateMyDocument?.............................................................................................................. 2
Figure1. ValidateaProcessObject ............................................................................................... 2
DocumentType ProcessProfile..................................................................................................................... 3 CharacteristicsofProcess ................................................................................................................................ 3 ShouldIWriteAProcessProfile?............................................................................................................... 4

Figure2. ShouldIwriteaprocessprofile?...................................................................................... 4
WhereDoIFindtheProcessProfileTemplate?........................................................................................... 1
Figure3. Whatarethestepsandcontrolsinwritingaprocessprofile? ........................................... 1
DocumentType PolicyProfile....................................................................................................................... 2 ShouldIWriteAPolicy Profile? ................................................................................................................. 3

Figure4. ShouldIwriteapolicyprofile? ......................................................................................... 3
WhereDoIFindtheTemplate?................................................................................................................... 3 DocumentType ProgramProfile ................................................................................................................... 3 ShouldIWriteAProgramProfile? .............................................................................................................. 4

Figure5. ShouldIwriteaprogramprofile? ..................................................................................... 4
WhereDoIFindTheTemplate?.................................................................................................................. 5 DocumentType WorkInstructionorSOP ..................................................................................................... 5 ShouldIWriteAWorkInstruction SOP? .................................................................................................. 6

Figure6. ShouldIwriteaWorkInstructionSOP........................................................................... 6
WhereDoIFindTheTemplate?.................................................................................................................. 6 DocumentType RunBook ............................................................................................................................. 6 WhyDoRunBooksFocusOnService?........................................................................................................ 7 ShouldIWriteARunBook?........................................................................................................................ 8

Figure7. ShouldIwriteaRunBook? .............................................................................................. 8
WhenIsARunBookComplete?................................................................................................................ 10 WhatAreTheFormatsForRunBook?....................................................................................................... 10
Figure8. RunBookProcess.......................................................................................................... 10 Figure9. ExampleInterfaceforgatheringRunBookelementsbyServiceTitle.............................. 11
WhereDoIFindTheTemplate?................................................................................................................ 12 DocumentElements ......................................................................................................................................... 12

Copyright2006,PhoenixBusinessandSystemsProcess,Inc.Needham,MA,USA, MorefromPhoenixBusinessandSystemsProcess,http://www.pbandsp.com Page 2of 80
HowDoIFindOrStoreMyDocument?....................................................................................................... 13 PAL\ ITProcessAssetLibrary .................................................................................................................. 13

Figure10. WhatisinthePAL?..................................................................................................... 13
PAL\ ITWorkProducts............................................................................................................................. 13 WhenDoINeedToCreateAWorkProduct?............................................................................................ 13 WhereDoWeKeepCurrentAndArchivedWorkProducts?...................................................................... 13

Figure11. Whataretheworkproductfolders? ............................................................................. 14
WhereDoIFindReference,BenchmarkandIndustryGuidelines .................................................................. 15
Figure12. StandardsandReferencefolders ................................................................................ 15
OtherWorkProductsandControlledDocumentation:...................................................................................... 2 ControlsEvidenceSpecifictoSoftwareDevelopmentandProductDevelopmentLifecycle: ............................ 2

Figure13. InformationCriteria........................................................................................................ 4
Whatelementsarecapturedduringtheflowdiagrammingprocess? ................................................................. 5
Figure14. ProcessInputsandOutputs,RACIChartforAI7asfoundinCobiT4.0,Copyrightof ISACA 6 Figure15. ProcessFlowDiagram:Howaresoftwaredevelopmentartifactscapturedinsystem eventlogsandsoftwaredesigntemplates? ......................................................................................... 2
ControlsandApplicationControls................................................................................................................... 2 WhendoIneedtodocumentspecificcontrolprocesses? ............................................................................. 2 Howdowemanagealltheserequirements? ................................................................................................. 2 MKSIntegrityManagerforprocessandworkflowmanagementofenterprisesoftwaredevelopment ............... 2 Howmaturedowereallyneedtobe? .............................................................................................................. 3

Figure16. MaturityToolbox,asrepresentedbyISACAandCMUasthecommonmaturitymodelor CMM 3 Figure17. Howaresoftwaredevelopmentartifactscapturedinsystemeventlogsandsoftware designtemplates?............................................................................................................................... 4
TestScripts,UtilitiesandEventTrackingSystems.......................................................................................... 5 WhatIsATestScriptOrTestTemplates? ................................................................................................... 5 WhereDoIFindQATestTemplates? ......................................................................................................... 5 Assets,InventoriesandConfigurationBaselines .............................................................................................. 5

Figure18. ShouldIdocumentacontrolledserverinoursysteminventorydatabase?..................... 6
WhereAreDevicesInventoriedAsAssets? ................................................................................................. 6 WhereDoIFindServerControlRecords? ................................................................................................... 6

Figure19. ControlledServerForm ................................................................................................. 7 Figure20. EachcontrolleditemhasassociatedsecurityexemptionsandstandardOSand Applicationbuild.................................................................................................................................. 8
WhichToolsStoreServerandApplicationInformation? ............................................................................. 8 WhereIsTheListOfToolsAndToolTypes?.............................................................................................. 9 ControlsandKeyControls.............................................................................................................................. 9 WhenDoINeedToDocumentAControlObject? ...................................................................................... 9 WhereAreControlsCatalogued?............................................................................................................... 10

Figure21. WhatProcessEngineering,AuditorsandQualityGatherRegardingCorporateKey Controls 10 Figure22. KeyControlsForm ...................................................................................................... 11
WhereDoIFindTheFormorTemplate? .................................................................................................. 11 Product,ApplicationDevelopmentandQualityTemplates............................................................................ 12 WhichToolStoresProcessandWorkInstructioninformation?.................................................................. 16

Figure23. FacilitatedComplianceManagementprovidessummaryreportsformanyobjecttypes 17 Figure24. FacilitatedComplianceManagementAllowsProcessLibrariantocaptureand catalogueallprocessobjects ............................................................................................................ 17
FlowDiagram ............................................................................................................................................... 17
WhenDoIUseAFlowDiagram? ............................................................................................................. 17
Figure25. SampleofABusinessProcess.................................................................................... 19
VisioShapesandCustomPropertiesforEvidenceofProcessControls ...................................................... 20
Figure26. ProcessObjectswithproperties .................................................................................. 23
AcronymGlossaryandDefinitions ................................................................................................................ 24 ComprehensiveGlossaryofallCorporateTerms ........................................................................................... 25 RelatedDocuments........................................................................................................................................ 25 ExtendedBibliography .................................................................................................................................... 25 RisksandAssociatedControls....................................................................................................................... 32

Figure27. WhatTypeofDocumentShouldIWrite? ..................................................................... 34
ExampleofPALContentsFileLocation,DescriptionofUse...................................................................... 35
Page 4of 80
PurposeandScope
ProcedureGuidelinesandControlsDocumentationoutlineshowtocreateandmodifyprocedures,work instructions,policies,andRunBooksastheycurrentlyexistintheircorrectlocationandformatandasalignedto therequirementsofdocumentsecurity. Changecontrol,informationassetlocation,anddocumentationformatstandardsarethecombinedresponsibility ofSecurityManagement,QualityAssurance,andProcessEngineering.Inthecontextofcreation,iteration, approval,andposting,theProcessLibrarianmanagesdocumentation. ProcessEngineeringmanagesqualityoverdocumentationasdemonstratedbydocumenttemplates. SecurityManagementdefinespolicyandaccessrulesfortherecording,adherenceto,andmonitoringof proceduresinvolvingdataintegrity,privacy,andsecurityacross anyenterpriselevelconfiguration.
PolicyStatement
Allchanges,additions,anddeletionstotheproductiondocumentationlibraryrequiremanagementapproval. ManagersshouldnotifyProcessEngineeringofchangestoproductionprocess.
Requirements
Theprimarysecurityelementsofanydocumentlibrarymanagementprocessare: Auditablechanges Evidenceofdocumentlibraryanddocumentlifecyclemanagementthatisreadilyavailableforthosewho needtomonitorthisactivity. Documentationstrategiesneedto: Reducecomplexity. Prioritizekeycontrolprocesses ReflectCOMPANYprocessarchitecture Representrealfunctionsandrealactivities
DocumentLibraryManagementProgram
AformaldocumentlibrarymanagementprogrammanagestheProcessAssetLibraryandmonitorscompliance withdocumentlifecycleobjectives(i.e.,annualdocumentreviews).Theprogrammustinclude,butisnotlimited to,thefollowingcontrols: Documentedproceduresforupdatingproductiondocumentation. Definedrolesandresponsibilitiesthatsupportdefinedproceduresfordocumentanddocumentlibrary maintenance. Accountabilityfordocumentcontentintegrity. Education,notification,andawarenessprocesstoinformallnecessarystakeholdersaffectedbydocument modifications. Separationofproductionandnonproductiondocumentation. Adefineddataretentiongoalforeachdocumentorclassofdocument.Documentsaremaintainedforthe lifecycleoftheprocess.Ifalignedtokeycontrolsandloadedin[Nameofcoreproductorservice],the documentisretainedaspartofSAS70evidence.
Documentlifecyclecontrolproceduresmustdetailtheprocessfor:(ProcessProfileCreationdocsections embeddedinthisdoc) Reviewingneworchangeddocuments. Approvingandrejectingdocuments. Postingdocumentation. Documentinginformationaboutdocumentation(metadata). Auditingthelifecycleofdocumentsinthelibrary.
RolesandResponsibilities
Documentanddocumentclassownersshall: Ensuretheintegrity,confidentiality,andavailabilityofproductiondocumentationandthelibrary environmentthroughtheimplementationofdocumentedprograms,proceduresandstandards. Approveallchangesaffectingtheirdomainofcontrolandresponsibility. Ensureallchangeshavebeenapprovedandproperlycommunicatedpriortoposting. Ensurethattheiremployeesunderstandandabidebythispolicyanditscontrolrequirements. ReportanyviolationofthispolicytotheCTOandCSOoritsdesignatedrepresentatives,withinatimely manner. The ProcessEngineeringTeam willendeavorto assistCOMPANYoperationswithmanytimeconsuming functionsnotcoretotheirroles.Processandtechnicaldocumentationiscentraltothecreationofuserguidesand trainingmaterialsandiscurrentlyalignedto theCOMPANY ProcessEngineeringgroup. AsCOMPANYmay addorextendthisfunction,theprocesslibrarianfunctionwillcontinuetoassistwiththedesignanddeployment oftrainingmaterialsanduserguides. Thesedutiesmayinclude: Assistwithwriting andmaintainingproceduresandcontrols.Thedataownerwillusuallywrite procedures. Providingmethodstomaintainandmeetrecordkeepingobligations. Assistingwiththedesignandmodelingofmanagementreportsandcontrolchecklists. Assistingwithworkflowandprocessdesign. Actingasaliaisonwithbusiness,compliance,anddevelopmenttoimplementand/orupdateprocedures, controls,andsystemenhancements.
ProcessLibrarian
TheProcessLibrariancontrolstheprocessinformationdirectorystructureandmakessuretheintegrityofthe foldersismaintained.Thelibrarianfunctioncataloguesandcategorizesdocumentationassetsandaligns documentationstandardstotheneedsofthebusinessandtechnologyfunctions. Wherechangesarerequiredtoexistingprocessdocumentation,theprocesslibrarianhandlestheregistrationand postingofnewprocedurestotheestablishedprocesslocation.
Page 6of 80
Anynewfoldersmustberequestedviaemailtotheprocesslibrarian,currently[NameofProcessLibrarian],at Process@COMPANY.com.Thelibrarianinsuresnameandcontentsintegritywithin FacilitatedCompliance Managementprocesstracking. \\...\PAL\FacilitatedComplianceManagement\FacilitatedCompliance Management2000FCM.mdb
SecurityorResourceAdministration
Peoplewhoadministeraccesstoprocessassetswilladheretosanctioneduseraccessprocess,providingresource accesstoemployeesasdeterminedbytheirroleandtheapprovaloftheirmanagement.TheResource AdministratorwillnotaddormodifyfoldersoutsidetheboundariesdefinedbytheProcessEngineeringTeam. Specifically,onceabusinessareaisprovidedspaceforinformationassets,modificationtorootlevelfile hierarchyisnotpermitted.Thisruleisestablishedtoassureinventoryoverinformationandinnowaylimitsthe productivityofanybusinessarea.Informationcanbecreatedinsubfolderswithinthedesignatedfileshare. Personswithwriteaccesscancreatesubfolderswithintherootoftheirinformationdomain. TheSecurityAdministratorwillcreatefilesharesandfoldersasrequestedbytheProcessLibrarian,andwill allowchangeswithinthefilesasdeterminedbythebusinessownerfortheshareinformation.
BusinessUnitandDepartmentDataOwners
Dataownersareaccountabletothereasonableuseoftheirdesignateddrivespace,assuringproperclassification andlocationoftheirdata.Businessownersdefineusersandestablishaccessrulesbasedonaneedtoknow principal.Whereabusinessareaneedsfoldersthatextendbeyondthecurrentprocessarchitecture,theBusiness Unitmustgainapprovalthroughprocessengineeringandsecurity,insuringproperrulesforclassificationandthe avoidingofduplicateinformation.(See CurrentPALContentsandFileLocation DescriptionofUse) Businessownersareaccountabletotheperiodicreviewofinformationontheirdrive.Thisreviewistoassure appropriateuseoffilenamingconventions,validityofprocess,completedprocedures,andtoarchiveoutofdate content. Businessownersareaccountabletounderstandingtheirdataprivacyandretentionrequirementsandto communicatetheserequirementstotheirpersonnel.
AccessControl
Accesstotheproductionlibrarycontentsmustbecontrolledinthesamemannerasthe productionenvironmentto ensurethatonlyauthorizeduserscanaccessthedocuments.Accesscontrolsmustbeestablishedtoensureonly authorizedindividualscanview,edit,andupdatedocumentsaccordingtoappropriateroles. Defaultaccesscontrolsinclude: ProcessLibrarianhasadministrativeprivilegestothePALandprovidesSecurityAdministrationwiththe FunctionalBusinessOwnerforeachdirectoryinthePAL. SystemAdministratorhasadministrativeprivilegestothePALandmaygrantuseraccessaccordingto ManagerApproval. FunctionalManagers,suchasSupport,ChangeManagementandProcessEngineering,have read/write/update/deleteprivilegestotheirfileshareonthePAL.Policydictatestheyshouldnotcreateor deletefolderswithoutnotice andapprovalfromtheProcessLibrarian. Employees(nonmanagers)havereadonlyprivilegesunlessgrantedwriteprivilegebytheFunctional Manager.Employeesdonothavedeleteprivilege.
Page 7of 80
AudienceandAuditConsiderations
Thisprocessprofileservesas reference forCOMPANY.Groupsmaybereferencedbyfunctionalemail notificationnamessuchasProcess@company.com.Groupfunctionalemailsareusedtosupportcommunication trailsandfacilitaterulesforreview,approval,andtimelybusinesscommunication. Proceduresaredetaileddocuments,generallyderivedfromparentpolicyandimplementedtothespirit(intent)of thepolicystatement.Therefore,allprocedureswrittenandimplementedbyCOMPANYaligntoSecurityPolicy, HRPolicy,ProgramChange Policy,andspecificrequirementsforDataClassification,DataRetention,andData Privacyasdefinedbyseniormanagement.
WritingStandards
Proceduresarewritteninaclear,concise,andeasilyunderstoodmanner.Proceduresdocumentbusinessprocesses (administrativeandoperational)andtheircontrols.Proceduresarecreatedbyupperandmiddlemanagementasa meanstotranslatepolicytopractice.
ChangeRequirements
Procedures,representedasprocesses,workinstructions,standardoperatingprocedures,workspecifictraining materials,andproductionsupportprocedures(i.e.,RunBooks),aredynamic,changingtofitcurrentbusiness operationalpractices.Theymustreflecttheregularchangesinbusinessfocusandenvironment.Reviewsand updatesofproceduresareessentialiftheyaretoberelevant.Therefore,COMPANYprovidesnoticetobusiness managementofallchangesandnewinstancesofprocess.Bothinternalandexternalauditorswillreview procedurestoidentify,evaluate,andthereaftertestcontrolsoverbusinessprocesses.Giventhisknowledge,itis theresponsibilityoftheprocessownertokeepcurrentanyprocessdocumentationandtonotifytheprocess librarianofanyprocesschangeviaProcess@company.com. Additionally,partofchangeapprovalincludesvalidationthatalltrainingandsupportproceduresarecurrent.
KeyControls
Thecontrolsembeddedinproceduresareevaluatedtoensurethattheyfulfillnecessarycontrolobjectiveswhile makingtheprocessasefficientandpracticalaspossible.Somecontrolsaredesignatedaskeyandrepresent reportedcontrolsevidenceinsupportofCOMPANY regulatoryattestation.Whereoperationalpracticesdonot matchdocumentedproceduresorwheredocumentedproceduresdonotexist,itisdifficult(formanagementand auditors)toidentifycontrolsandensurethattheyareincontinuousoperation.Whilenotallsituationsofthistype representcontrolfailure,eachsituationrequiresreviewandresponsebasedontherisktosafeandeffective processmanagement. DocumentationisakeycontrolinthatproperdocumentationdirectlysupportseveryaspectofCOMPANY controlframework.Theabsenceofdocumentedprocessisarisktooperationsand toCOMPANY .Failureto properlydocumentcontrolproceduresisanindicationofmanagementandcontroldeficiencies. NOTE:Missingorincompletecriticalprocessdocumentationisnottoleratedasacceptablebusiness practice. Keycontrolobjectivesaremappedtodocumentationandotherevidenceofcontrol.Currentlythetooltomanage thisis[Nameofcoreproductorservice].
DataClassificationandDataOwners
TheCobiTPlanningandOrganizationControlobjectiveDefinetheInformationArchitecture,2.3Data ClassificationSchemerequiresageneralclassificationframeworkestablishedwithregardtoplacementofdatain informationclasses(i.e.,securitycategories)aswellasallocationofownership.Theaccessrules,asinwhocan accesswhattypeofdataaswellastherestrictionsoverwherethatdatamayreside,onaperclassificationbasis,
shouldbeappropriatelydefined.ThisisacodependencyonSecurityandSecurityAdministration,whereProcess assistsintheimplementationofclassificationstandards,andaccessisfurthersupervisedandimplemented throughSecurityprograms. ProcessLibrarianandDataOwnersaredependentupontheaccurateclassificationofinformationassetsas definedbytheSecurityPolicy.Endusermanagersandthesecurityadministratorsrequireclassificationsto accuratelydeterminewhoshouldbeabletoaccesswhat.TheProcessLibrarianassistsinthedesignoffileshare information,whereastheDataOwnerisaccountablefortheclassificationandadministrationofitsuse.The ProcessLibrarian assiststhebusinesstomanagedataassetsbylocationandclassification.TheProcessLibrarian furthersupportsrequirementstohaveaninformationinventoryofinternalprocessandworkproducts.
NamingConventions
Namingconventionsareapartofthe COMPANYoverallsecuritydesignandareanintegralpartofinformation assetaccounting.Inaccordancewithanapprovedsetofaccessrulesstipulatingusers(orgroupsofusers) authorizedtoaccessaresource(suchasadatasetorfile)andatwhatlevel(suchasreadorupdate)theaccess controlmechanismappliestheseruleswheneverauserattemptstoaccessoruseaprotectedresource.Datais maintainedbylocationsuchthataccessisappropriatelyrestricted. Thesegeneralnamingconventionsandassociatedfilesarerequiredinacomputerenvironmenttoestablishand maintainpersonalaccountabilityandsegregationofdutiesintheaccessofdata.Theownersofthedataor application,withthehelpofthesecurityofficerandprocesslibrarian,establishthenameoffilesandsubfolders fortheirbusinessinformation.Itisimportanttoestablishnamingconventionsthatbothpromotethe implementationofefficientaccessrulesandsimplifysecurityadministration.Namingconventionsforsystem resourcesareanimportantprerequisiteforefficientadministrationofsecuritycontrols. ProcessEngineeringKeyControlsandRiskscanbereviewedin ProcessDocumentationComplianceControl CobiTFunction CobiTDetailObjective and RisksandAssociatedControls
DocumentTypesandTheirUse
WhatTypeofDocumentDoINeedToWrite?
Writingadocumentmaysoundeasy,butitisreallyverycomplex.Documentationstrategiesaredesignedto reducecomplexity,prioritizeKeyControlProcesses,reflectacommonProcessArchitecture(ITILandCobiT frameworks),andaboveallelse,representREALFunctionsandREALactivities. Factorsthatinfluencethetypeofdocumentthatwewriteare: Sustainability,howoftendetailwithintheprocesswillchangeand HighLevelnotVagueAchievingtheHighestLevelofinformationpossiblebeforedocumentdetails becomeformless,blurryorvague
FormsandTemplates
Processdocumentationisdesignedforaspecificlayerofabstraction.Processengineeringworkswiththe documentauthortoselectatemplatethatmeetsthewritersminimalrequirements. Guidedwritingisaprocessthatfacilitatescreatingconsistentstandardqualitydocumentation.Writingtakesmany forms,eachbestsuitedtoserveadifferentpurpose. Thefollowingsectionsexplainthedifferenttypesof templatesorwritingguides,includingapplicationinterface,wordtemplatesanddiagrams.
Page 9of 80
GettingStarted:
Priortocreatingaprocedure,personsareaskedtoreviewavailableformatsfordocumentation.Oncethetypeand topicfordocumentationisestablished,ProcessEngineeringisavailabletoreviewandvalidatetheintended process.ProcessEngineeringcataloguescorporationdocumentationandisabletopreventwastedorduplicated documentationefforts. How:Sendnoticeofintentiontocreatedocumentationto process@company.com.Thefollowingdetailsprovide noticetotheProcessLibrarianofanintendedprocessproduct.Thisrequestminimallyrequiresthefollowing information:
NewObjectSupportRequest
Foreachintendedprocessobject,pleasefillinthesectionbelow.Pleasecopythequestionsforeachtitle.
IsthisaProcess,WorkProcedures,aPolicy,aProgramDefinitionoraForm? ManagementorDepartmentFunction: Title: Owner: Purpose: AffirmationTeam: AssociatedKeyControl: TheProcessTeamwillselectatemplateordocumentformatandrefinethetitleandscopetobestaligntheoutput withexistingprocessarchitectureandrequirements.Templatesexistinthetemplatefolderforeachfunctional area.Amasterfileofbusinesstemplatescanbefoundin \\...\PAL\Templates.Acomprehensivelistofapproved templatesisin FacilitatedComplianceManagement,locatedintheFormsandTemplatesSection.
HowDoIValidateMyDocument?
Beforeembarkingonaprocedure,policy,processoranytypeofcontrolsdocumentation,contacttheprocess librariansotheintendedobjectcanbeverifiedandcataloguedintheprocessobjectsdatabase.
ProcessObjectValidation
Requestnew ProcessObject
New
Enterprocess details Processdetailsexist Departmentor UserApprovalto UpdateProcess ProcessChange

AlertITmanagementof newprocessin development
Returnpending Identifiedprocessobject managers approval Management Approval
Legitimateneedforprocess LaunchProcess Objectform Formopen NewProcess Validation
ITstakeholdersareable togetinvolvedinprocess PassOneprocess created Instanceofprocessin processprofiletable CreatedUpdate ProcessObject
Exists. Gainconsensusisanupdate.
Figure1. ValidateaProcessObject
Page 2of 80
DocumentTypeProcessProfile
Thepurposeofaprocessprofileistocaptureanddocumentessentialelementsassociatedwithabusinessprocess. Aprocessisaseriesofactions,changes,orfunctionsbringingaboutaresult. Elementsincludedinaprocessprofileareselectedbytheprocessteam.Generally,theelementsinclude,butare notlimitedto: VersionControlAndChangeHistory Purpose AndScope AssociatedControlObjectives CriticalSuccessFactors PerformanceIndicators BaselinePerformance Goals/Measures ServiceLevelConsiderations Related/SourceDocuments FormsAndTemplates QualityRecordsIncludingSQM ProcessDiagram ProcessDeviationsAndCurrentState TriggerAndExitCriteria Acronyms/Definitions SafetyIssues RiskManagementPlan ProcessDefinition(InputsAndOutputsToOtherProcesses) StatusCodesMetadata
CharacteristicsofProcess
Highestlevelofabstractionandlowestlevelofdetail Highlevelsetofstepsthatcollectivelyaccomplishabusinessfunction: Typicallyincludessuborcomponentlevelprocesses Oftenusedbymorethanoneprogramordepartment
Page 3of 80
ShouldIWriteAProcessProfile?
Considerwhetherthefollowingstatementsaretrue. Theprocessflowdiagramdemonstratesthestepsinvolvedincreatinganyprocessobject.Ifthisisviewedon line,theflowincludesallprocesspropertiesintheflowobjects.Formoreinformation,seeAppendixA.
Figure2. ShouldIwriteaprocessprofile?
Page 4of 80
WhereDoIFindtheProcessProfileTemplate?
\\...\PAL\Templates\ProcessProfileTemplate.dot
Figure3. Whatare thestepsandcontrolsinwritingaprocessprofile?
Page 1of 80
DocumentTypePolicyProfile
Policyistheunderlyingprincipleuponwhichprocessandprogramsarebuilt.Onemightconsiderthatapolicyis CommandersIntent,anditisuptothepersonsgoverned todeterminethebestpracticeorprocesstoattaintheir goalwithintheconfinesofthepolicy.Whilenoteveryprogramrequiresapolicy,informationtechnologypractice islargelydeterminedbytheSecurityPolicy,ChangePolicyandDataClassificationPolicy.Inaddition,most businesspracticeisinsomewaygovernedbytheHumanResourcePolicy.Policyisimplementedbyprogramsthat enactprocesses.Policyisgenerallyrequiredforlegalandregulatorycompliance.Policyisenforcedthrough system,applicationandorganizationalcontrols.Apolicyistypicallydesignedtobetrueacrossalldepartmentsand forallpersons.Whereapolicyishighlyspecifictoaprogramordepartment,itisgenerallyadepartmentpolicy, butnotaformallydistributedcorporatepolicy. Elements: PolicyArea EffectiveDate RevisionDate Contacts: Summary Goals Applicability PolicyStatement RolesandResponsibilities Compliance Exemptions Appeals Authority RelatedDocuments Definitions
Page 2of 80
ShouldIWriteAPolicyProfile?
Considerwhetherthefollowingstatementsaretrue.
Figure4. ShouldIwriteapolicyprofile?
WhereDoIFindtheTemplate?
\\...\PAL\TEMPLATES\Policy Profile.dot
DocumentTypeProgramProfile
ProgramProfilesaresometimesreferredtoasaprogramordepartmentcharterandareusedtodefinethescopeofa groupaswellastherequirementsofitsorganization.Thisdocumentoutlinestheoverallorganizationalor departmentfunctionandisalignedwithdepartmentsandindividualperformancereviews.Programprofilesmay includejobdescriptionsorjobprofilesandarerepresentedbyorganizationaldiagram.Thesearesupporting documents,oftenassociatedtotheprogramprofile. Attributesofaprograminclude: ManagesControlSystemsandEvents OwnsInitiativesandBusinessandITSystems ResponsibleForSupportingFunctions IsMeasured Programprofilessupporttheabilitytoperform: Personnel RecruitmentandPromotion BenchmarkPersonnelQualifications DesignateRolesandResponsibilities
PlanandDeliverPersonnelTraining ImplementCrossTrainingorStaffBackup VerifyPersonnelClearanceProcedures DesignandPerformEmployeeJobPerformanceEvaluation DetermineJobChangeandTerminationRequirements ProgramProfileElements: PurposeandScope: RolesandResponsibilities: ProgramElements: Tools: ProgramControlsandMeasures
ShouldIWriteAProgramProfile?
Programprofilesarenotrequired,butcanfacilitateagreatmanyotherfunctionsincludingAuditandTrainingor OrganizationRequirementsDefinition.Whereaprogramprofilesupportstheorganizationtoexplainadepartment charter,itisasimpleandusefultoolthatmaybenefitemployeesandauditorsequally. Considerwhetherthefollowingstatementsaretrue.
ProgramProfile
Supports implementationof processorpolicy
Definesacompany specificactivityIncludingpurpose, elements,toolsandstaff
Requiredtomaintaincontrols
Organizational controlactivity
Thereisa group charteredto performthis function
Servesasaudit guideforprogram implementation
Activityisexclusivetothisgroup
Measuredmetrics
Alignedtojob descriptionsand controlfunctions
CompleteProgram andProgramTest Definition
Figure5. ShouldIwriteaprogramprofile?
Page 4of 80
WhereDoIFindTheTemplate?
\\...\PAL\Templates\ProgramProfileTemplate.dot Templatesthatdescribepositionsorassistinthedesignofaprogramorganizationalchartarelocatedin: \\...\PAL\ITProcessAssetLibrary\HumanResources\Template\JobDescriptionTemplate.dot \\...\PAL\ITProcessAssetLibrary\HumanResources\Template\EmployeeWarningNotice.dot \\...\PAL\ITProcessAssetLibrary\HumanResources\Template\JobAnalysisQuestionnaire.dot
DocumentTypeWorkInstructionorSOP
WorkInstructions,alsoknownasStandardOperatingProcedures,(SOP)represent: Greatestleveloftechnicaldetail Aretooldependent Changewhentechnologychanges Areupdatedoften Storedinknowledgemanagementsystemsorhelpdeskdatabase Associatedwithspecifictoolsandtasks Usedtoguideandtrainworkatthetaskimplementationlevel Arepartofanalreadyapprovedprocess WorkinstructionsorSOPscanbelocatedwithinafunctionalareaandareoftenembeddedinhelpfileswithin systems.RunBooks(explainedinthenextsection)referenceworkinstructionstofacilitateansweringthequestion, WheredoIfinddirectionstoperformthistask?Whereasprocesschangesareapartofstandardchange management,aworkinstructionmaybeupdatedasacourseofanindividualspersonalneedtotrackhowdetailed stepsaredone.Aworkinstructionmay havegeneralorhighlyspecializeduse.Whereworkinstructionsarecritical tothecontrolofaprocess,itisthebusinessmanagersresponsibilitytoinsurethatroutineworkproceduresexist andarefollowedwithintheirfunctionalarea. Allservice affectingoperationalprocessesmustbedocumentedtopreventservicedisruptioncausedbytheabsence ofprimarystaff.Anyprocedurerequiredtomaintainoperations,thatisnotalreadydocumentedasapartofroutine systemfunctions,(i.e.,alreadylocatedingeneralproducthelpfiles),mustbedocumentedtoassurethatinthe absenceofprimarystaff,theprocesscanbesustainedbyothers.Ataminimum,allpersonnelareaccountableto documentationtotheextentthatasimilarlytrainedstaffcould standinforemergencycoverageandbeabletouse directionstomaintainrequiredoperations.Wherestafffailtokeeptheirworkinstructionsuptodate,thefailureis bothonthepartoftheindividualandtheareamanager. WorkinstructionsorSOPs areasimplelistofstepsthatexplaininclearterms,howtoachieveaspecificresult. DirectoriescontainingworkinstructionsandSOPsshouldbeclearlylabeledandinformationshouldbecurrent. Workinstructionscanexistinalleventtrackingsystemsandarenotcentrallylocated,butareaccessibleandknown toallpersonswithintheuserdepartment.
Page 5of 80
ShouldIWriteAWorkInstructionSOP?
Figure6. ShouldIwriteaWorkInstruction SOP
Thetemplatetowriteasimplesetofworkinstructionsislocatedin: \\...\PAL\Templates\WorkInstructionTemplate.dot
DocumentTypeRunBook
ARunBook,sometimesknownasplaybook,isadocumentcontaining detailedproceduresthatcollectivelykeepa missioncriticalsystemrunning.ARunBookissometimesviewedasanelementofBusinessContinuityPlanning (BCP)orDisasterRecover(DR).Thisisbecausetheyarewrittentoassurethatanequallyskilled administrator wouldbeabletousetheRunBooktostepinandadministerthesystemuntilsuchtimethatnormalstaffingand conditionsapply.RunBooksareasystemcurrentdocumentwithalltherequiredinformationneededtounderstand howaserviceorsystemiskeptrunning.RunBooksarenotprojectplans,anddonotmaintaininformationunlessit isinuseandapartoftheworkingsystem. ARunBookisusedtoverifyandgatherthelocationofalloperationalinformation.AproductionRunBookis evidenceofdocumentationandcontroloveraserviceorsystem.Itprovidesinformationonhowtorun procedureswithoutnecessarilyprovidingbackgroundfortheprocess.RunBooksaredetailedinstructionsthata userreferenceswhenperformingtheprocess. Onapersysteminstance,aRunBookcandocumentasmallsetofoperationalproceduresandreferencevarious guidelines.Onalargerscale,aserviceorientedRunBookdetailsthecombinationofsystemsandtheir
dependenciesinkeepingaserviceavailable.ThisisavalidformofmeetingbothBCPandvariousotherlevelsof compliancerequirements.Determiningthisrequirementcanbeasfollows:
WhyDoRunBooksFocusOnService?
ARunBookisServiceOrientedvs.singlesystemoriented.Whendocumentationdoesnotmeettherequirements mentionedabove,itisprobablethatlistingthedeviceinaninventorysystemissufficientandfurtherdocumentation isnotrequired. Wheretheavailabilityofacriticalorcorebusinessfunctiondependsupontheaccurateworkingofinterdependent systems,itisadvisabletohaveabusinessownerwhoassuresthecurrentandcompleteServiceRunBook.Asis trueforanycontrolledsystem,theRunBookexplainsdaytodaysystemprocedures,butadditionallyaddssomeor allofthefollowingelements: FunctionalOverview FunctionalOverviewDiagram ListofInterfaces SystemOverview SystemOverviewDiagram(s) NetworkManagementProcess Hardware HardwareManagementProcess SoftwareDevelopmentandRelease ThirdPartyVendor/SoftwareManagement PerformanceMonitoringProcess DatabaseAdministrationProcess QualityAssurance VendorInformation BackUpProcesses DisasterRecoveryProcess Security ProblemManagement ConfigurationOverview: Server/HW/OS Application DatabaseConfiguration Dailycycle Failover Maintenance TroubleshootingandErrorMessages Glossary Listoffiles FinancialProcesses Testprocedure
Page 7of 80
ShouldIWriteARunBook?
Figure7. Should IwriteaRunBook?
Page 8of 80
WhereDoIGetTheInformationThatGoesIntoTheRunBook?
Considerthefollowingsources.
RunBooksbringvisibilitytoanaggregationofdocumentsanddetailsthatcollectivelysupportserviceavailabilityor productdelivery.
Page 9of 80
WhenIsARunBookComplete?
WhatAreTheFormatsForRunBook?
RunBookscanbemaintainedasawordreportthatisoutputfromasingledatabasesystem orfromacollectionof systems.TheformusedtogatherRunBookelements(today)isin FacilitatedComplianceManagement.Thisisa locationthatissubjecttochange.ThetoolthatgathersRunBookdetailsisnotcriticaltotheprocess.Thetoolfor gatheringelementscanalsobeaworddocument,asidentifiedinthetemplatesection.Theprocessforgenerating RunBookinformationisnotimportant,solongasvisibilityofhowsystemsrunismaintainedforthebusinessowner andtechnologysupportpersonnel.
Figure8. RunBookProcess
Page 10 of 80
Figure9. ExampleInterfaceforgatheringRunBookelementsbyServiceTitle
Page 11 of 80
\\...\pal\FacilitatedComplianceManagement\ShortcuttoRunBookinFacilitatedCompliance Management2000FCM.MAF \\...\pal\Templates\RunBookTemplate.dot ThecurrentprocedureforRunBookistouseoursystemdatabaseandgenerateaRunBookreportasneeded.
DocumentElements
Thefollowingsectioniswrittentoaddressadditionquestionspertainingtodocumentelements,storingand managinginformationandhowstepsandcontrolsarespecificallycapturedtosupporttheinternalauditofIT programandapplicationlevelcontrols.Sectionsinclude:
WhereDoesMyDocumentBelong? \\...\PAL\ITProcessAssetLibrary\ StaticProcessversusProcessOutput(EvidenceofUsingProcess) \\...\PAL\ITWorkProductLibrary\ OtherWorkProductsandControlledDocumentation: ControlsEvidenceSpecificto SoftwareDevelopmentandProductDevelopmentLifecycle: TestScripts,Utilitiesand EventTrackingSystems Assets,InventoriesandConfiguration Baselines ControlsandKeyControls Product,ApplicationDevelopmentandQualityTemplates Flow Diagram
Page 12 of 80
HowDoIFindOrStoreMyDocument?
PAL\ITProcessAssetLibrary
ProcessdocumentsarestoredintheITProcessAssetLibrary(PAL).
Figure10.
WhatisinthePAL?
\\...\PAL\ITPROCESSASSETLIBRARY\
PAL\ITWorkProducts
WhenDoINeedToCreateAWorkProduct?
ThereareavarietyofWordandExcel filesusedduringtheworkday.Thesedocumentsmayincludespreadsheets usedforanalysis,clientcontactfiles,miscellaneousnotes,etc.Thesearenotconsideredformsorproceduresand remainwithintheirrespectivelocationsonthenetwork.Inconditionswheredocumentsorspreadsheetsrepresent evidenceofaprocessoutput,thematerialsareWorkProductsandshouldresideinthefunctionalworkproducts directory.Notalldataisworkproduct.Atestofwhetherinformationbelongsinthework productsareais answeringyestothefollowingquestion: Isthistheoutputofatemplate,process,form,andisthisevidenceofaprocess?
WhereDoWeKeepCurrentAndArchivedWorkProducts?
\\...\PAL\ITWORKPRODUCTLIBRARY\
Page 13 of 80
Figure11.
Whataretheworkproductfolders?
CurrentInventoryofFolderandContentsismaintainedbyProcessEngineering,in\\...\PAL\ITWorkProduct Library\ProcessEngineering\PALFolders.xls
Page 14 of 80
WhereDoIFindReference,BenchmarkandIndustryGuidelines
MethodologyandstandardsdocumentationismaintainedintheStandardsandExternalReferencefolder.Corporate PolicyandTemplatesalsoresideatthislevelofthePAL.Thesefolderlocationsallowforallpersonneltohave equalaccesstoinformationusedtosupportanddesignanyprocess.
Figure12.
StandardsandReferencefolders
Page 15 of 80
OtherWorkProductsandControlledDocumentation: ControlsEvidenceSpecifictoSoftwareDevelopmentandProduct DevelopmentLifecycle:

Teamspreparing theirannualauditworkpapers(controlsevidence)willoftenask,WhataboutSDLCrelated artifactslikeVSS/CVS, testeventsandsourcecodelibraries? SoftwareDevelopmentworkproductshave particularcontrolrequirementssatisfiedthroughtheappropriateuseoftoolssuchasworkflowandevent management,integrateddevelopmentenvironmentsorIDEsandstoragelibrariesforthepurposeofsourcecontrol. Unlikecontrolsdesignedtoenforceandmanagethepolicyofproductionenvironmentshowever,software developmentmustallowforbothcreativegeniusandwatertighttestsoverwhatcansometimesbebleedingedgeor non conformingcode.Therequirementsalignedtocreatingandmodifying todaysbusinesssolutionsmustoften supportmultiplelibrariesofcodeinvolvingissuesintegrationwithenvironmentsbestdescribedasmovingtargets, highlycomplexdatarequirementsandgreaterthirdpartydependenciesthancouldhaveeverbeenanticipated. ProductionEnvironmentsareasfixedasthenextpatchresponsetonewlyrevealedmaliciouscode,hardwareor softwareexploitorevenregulatoryrequirement.AmongthemyriadofmorphingpartsistheHolyGrailwecall productionandthemiraculousbeliefthatwecontrolit.Itisnowonderthatentirecareershavebeenmadeinthe pathofunravelingtheeventsperceivedasthenegativeeffectsofpurposefullyreleasedcode. SoftwaredevelopmentisanintegratedprocessspanningtheentireITorganization.Thetermlifecyclecanbetaken torepresentthecollectionofagreedstepstocontroldevelopment,modificationanddistributionofcode.While ChangeandConfigurationManagementdenoteseparateentitiesexertingpolicyoverstandardsfortheproduction environment,thedesignofthesestandardsandalleffortsbetweenthesepointscanbecharacterizedastheworldof softwaredevelopmentandcode. Clearly,notwocompanieshaveexactlythesameorganization,productorinfrastructure,buttheeffortsofCarnegie MellonUniversity,SoftwareEngineeringInstitute,theOfficeofGovernmentandCommerceandBritishStandards InstituteandtheInformationSystemsAuditandControlAssociationhaveproducedclearandalignedframeworks fortherepresentationofsoftwaredevelopmentbestpractice.Wellrun,ormaturedevelopmentshopsprovide similarprocessandcontrolpointsandreapqualityproductasthebenefitoftheirstatusamongmature organizations. TheControlObjectivesforInformationTechnology,EditionFour,CobiT4.0isourmostwidelyadoptedmatrix andmeasureforallintegratedITandEnterprisecontrols.AligningtheconceptsofCMM,ITIL,ISO/IEC17799 andCOSO,CobiT4.0advancesthepreviousprojectwithincreasedattentionintheareasofSDLC,Qualityand ProjectRiskManagement.Ofparticularnote,isthenewlynumberedcontrolprocessInstallandAccredit SolutionsandChanges,AI7. InstallandAccreditSolutionsandChangesisthehighlevelfunctionalareathatcapturesthegreatestnumberof featuresrepresentingtheactivitiesrelatedtoSDLCorReleaseManagement.AI7states: Newsystemsneedtobemadeoperationaloncedevelopmentiscomplete.Thisrequirespropertestingina dedicatedenvironmentwithrelevanttestdata,definitionofrolloutandmigrationinstructions,release planningandactualpromotiontoproduction,andapostimplementationreview.Thisassuresthat operationalsystemsareinlinewiththeagreedexpectationsandoutcomes. InstallandAccreditSolutionsandChangesincludeinputsandoutputstoconfiguration,project,change, maintenanceandacquisitionprograms.Withhandoffsbasedintriggers,performancegoals,measurementsand businessbasedcriteria,documentedconsensusandtestedresults,evidenceoftheirimplementationisbestsuitedto automatedsystems.
Page 2of 80
Ascompaniescomplywithregulatoryandindustryrequirements,systembasedrecordsshowingevidenceofthese controlsgainevengreaterimportance.Thefollowingarehighleveldefinitionsofthecontrolprocessesfound withinAcquisitionandImplementationprocess,InstallandAccreditSolutionsandChanges,orAI7.

Training(7.1) Trainthe staffoftheaffecteduserdepartmentsandtheoperationsgroupoftheITfunctioninaccordancewiththedefinedtrainingand implementationplanandassociatedmaterials,aspartofeveryinformationsystemsdevelopment,implementationormodification project. TestPlan(7.2) Establishatestplanandobtainapprovalfromrelevantparties.Thetestplanisbasedonorganizationwidestandardsanddefinesroles, responsibilitiesandsuccesscriteria.Theplanconsiderstestpreparation(includingsitepreparation),trainingrequirements,installationor updateofadefinedtestenvironment,planning/performing/documenting/retainingtestcases,errorhandlingandcorrection,andformal approval.Basedonassessmentoftheriskofsystemfailureandfaultsonimplementation,theplanshouldincluderequirementsfor performance,stress,usability,pilotandsecuritytesting. ImplementationPlan(7.3) Establishanimplementationplanandobtainapprovalfromrelevantparties.Theplandefinesreleasedesign,buildofreleasepackages, rolloutprocedures/installation,incidenthandling,distributioncontrols(includingtools),storageofsoftware,andreviewoftherelease anddocumentationofchanges.Theplanshouldalsoincludefallback/backoutarrangements. TestEnvironment(7.4) Establishaseparatetestenvironmentfortesting.Thisenvironmentshouldreflectthefutureoperationsenvironment(e.g.,similar security,internalcontrolsandworkloads)toenablesoundtesting.Proceduresshouldbeinplaceto ensurethatthedatausedinthetest environmentarerepresentativeofthedata(sanitizedwhereneeded)thatwilleventuallybeusedintheproductionenvironment.Provide adequatemeasurestopreventdisclosureofsensitivetestdata.Thedocumentedresultsoftestingshouldberetained. SystemandDataConversion(7.5) Ensurethattheorganization'sdevelopmentmethodsprovidesforalldevelopment,implementationormodificationprojects,thatall necessaryelementssuchashardware,software,transactiondata,masterfiles,backupsandarchives,interfaceswithothersystems, procedures,systemdocumentation,etc.,beconvertedfromtheoldsystemtothenewaccordingtoapreestablishedplan.Anaudittrail ofpre andpostconversionresultsshouldbedevelopedandmaintained.Adetailedverificationoftheinitialprocessingofthenew systemshouldbeperformedbythesystemownerstoconfirmasuccessfultransition. TestingofChanges(7.6) Ensurethatchangesaretestedinaccordancewiththedefinedacceptanceplanandbasedonanimpactandresourceassessmentthat includesperformancesizinginaseparatetestenvironmentbyanindependent(frombuilders)testgroupbeforeuseintheregular operationalenvironmentbegins.Parallelorpilottestingshouldbeconsideredaspartoftheplan.Thesecuritycontrolsshouldbetested andevaluatedpriortodeployment,sotheeffectivenessofsecuritycanbecertified.Fallback/backoutplansshouldalsobedevelopedand testedpriortopromotionofthe changetoproduction. FinalAcceptanceTest(7.7) Ensurethatproceduresprovidefor,aspartofthefinalacceptanceorqualityassurancetestingofnewormodifiedinformationsystems,a formalevaluationandapprovalofthetestresultsbymanagementoftheaffecteduserdepartment(s)andtheITfunction.Thetestsshould coverallcomponentsoftheinformationsystem(e.g.,applicationsoftware,facilities,technologyanduserprocedures)andensurethat theinformationsecurityrequirementsaremetby allcomponents.Thetestdatashouldbesavedforaudittrailpurposesandforfuture testing. PromotiontoProduction(7.8) Implementformalprocedurestocontrolthehandoverofthesystemfromdevelopmenttotestingtooperationsinlinewiththe implementationplan.Managementshouldrequirethatsystemownerauthorizationbeobtainedbeforeanewsystemismovedinto productionandthat,beforetheoldsystemisdiscontinued,thenewsystemhassuccessfullyoperatedthroughalldaily,monthly, quarterlyandyearendproductioncycles. SoftwareRelease(7.9) Ensurethatthereleaseofsoftwareisgovernedbyformalproceduresensuringsignoff,packaging,regressiontesting,distribution, handover,statustracking,backoutproceduresandusernotification. SystemDistribution(7.10)
Page 3of 80
Establishcontrolprocedurestoensuretimelyandcorrectdistributionandupdateofapprovedconfigurationitems.Thisinvolvesintegrity controlssegregationofdutiesamongthosewhobuild,testandoperateandadequate audittrailsofallactions. RecordingandTrackingofChanges(7.11) Automatethesystemusedtomonitorchangestoapplicationsystemstosupporttherecordingandtrackingofchangesmadeto applications,procedures,processes,systemandserviceparameters,andtheunderlyingplatforms. PostimplementationReview(7.12) Establishproceduresinlinewiththeenterprisedevelopmentandchangestandardsthatrequireapostimplementationreviewofthe operationalinformationsystemtoassessandreportonwhetherthechangemetcustomerrequirementsanddeliveredthebenefits envisionedinthemostcosteffectivemanner.
(AdditionalinformationregardingCobiTcanbeviewedathttp://www.isaca.org) WhileSDLCProcessdocumentationisheavilyimpactedbysupportingprograms,suchasSteeringCommitteeand overallProject/ProgramManagement,TrainingandQualityAssurance,cooperationbetweenthesegroupsis necessarytotheproductionacceptanceofanymajorreleaseandinsomeconditions,evensimpleenhancementto previouslyreleasedcode.Artifactsoftheseprocedurescanincludeprocessprofiles,detailedworkflowdiagrams, committeepresentationsandevenonlinehelpfiles,butthetruenatureofsoftwaredevelopmentcontrolsevidence canonlybedemonstratedthroughtheappropriateuseandcaptureofcontrolsoverthepoliciesandproceduresfor thedevelopmentandreleaseofallassociatedsoftwareandcode.Modernformsofevidencegenerallymust:

Demonstrateanexistingsystemcontextintheformoffunctional,transactionprocessandinfrastructure diagrams(e.g.,highlevelbusinessprocessflowschema). Quantifybyclass,ahierarchicaldataflow/controlflowdecomposition. Includecontroltransformations. Allowforminispecifications. Maintaindatadictionaries. Considerallexternaleventsinputsfromexternalenvironment. Trackbychangeanyandeverysingletransformationdataflowdiagramswithextremeemphasistowardsdata input,transformation,verification,validationandoutputcontrols.
ConsiderthesevenInformationCriteriaasrepresentedinreviewofITGovernanceControlsbyISACA
Figure13.
InformationCriteria
Regardlessofdomain,processoutputsarereviewedinthecontextoftheireffectiveness,efficiency,confidentiality, integrity,availability,complianceandreliability.Giventhescenarioofsoftwaredevelopmentprograms, informationcriteriamightbeappliedtoelementssuchasthefollowing:

CodeLibraries Restorebycoderevisionandsecureretrievalprocess MeetingMinutesasvisibleintrackingsystems RiskEvaluationDefinitionandRiskReview AnomalyMeasuresandReporting
EnhancementRequestTracking QualityandTestTracking TestPlans ProjectMilestoneTracking
DataDictionary Defect,EnhancementorErrorTracking ProductionAcceptanceguidelines PostImplementationReview CustomerSatisfactionRatings ServiceLevelandOperatingLevelRequirements
Versioncontrolsoftware,ortoolsthatcapture arollbackstate,aresometimesconfusedwithfullscalesoftware developmenttrackingapplications.OnlineProgrammingFacilities(integratedDevelopmentEnvironmentlDE), however,mustextendfarbeyondasnapshotandrestorationtopreviousversionofcode.Whilesoftwareprojects mayhaveoncebeencharacterizedasaroutineprocessofdeliveringcodetoasinglebusinessunit,involvinga homogenousdevelopmentteamsusingasingleplatformandfamiliartechnology,todaysprojectcanbe characterizedquitedifferently.Typicalprojectsintegrateeffortsbydozensofdevelopersinmultiplecountries, involvingthreeormorebusinessstreams,traversingvariedplatformsandapplications,acceptingsomedegreeof technologicaluncertaintyandunfamiliarity,andsatisfyingtherequirementsofdisparateorganizationsthatmaynot haveorganicopportunitiestoseekconsensusorevenshareawarenessofeachothersrequirements.Addtothisat leastonemajorvendor,marketprojectionsforcostandcompletionandincreasinglyregulatedandcomplex electronictransactionprocesses. Acodesnapshotdoesntsuffice. Programmingtoolsarenotenoughtofacilitateeffectiveuseofstructuredprogrammingmethodsinthepathof measuredservicedelivery.Highlyskilledprogramteamsrequiresystemstoenableproperuseofbestpractice, includingprotectionoftheirownuseormisuseasaprimaryITresource. Matureshopsleverageanonline programmingfacilityaspartofanintegrateddevelopmentenvironment.Thispracticealone,however,cannot assurematureproductdelivery. SoftwaredepartmentsrequireSDLCproducts,wherethesuiteofmodulesincludes inputsbeyondthoseoftheprogrammerandtoincludeallmembersinthepathofaServiceApplication. Whilean IDEprovidesprogrammersabilitytocodeandcompileprogramsinteractivelywitharemotecomputer,itcannot efficientlyandeffectively controlworkflow,tosaynothingofriskmanagement. Infact,theIDEalonecanfacilitateourmosttremendouscontrolweaknessinIT,beingcapacitytoenter,modify, anddeleteprogrammingcode,aswellascompileandstoreprograms(sourceandobject)onasingleworkstation withoutpriorplan,authorityorapproval. Whileaffordingrequiredreporting,theonlinefacilitiesalsocanbeused bynonISstafftoupdateandretrievedatadirectlyfromcomputerfiles.Whilethisisabusinessrequirement, withoutpropercontrols,itisalso aninherentcontrolrisk.
Whatelementsarecapturedduringtheflowdiagrammingprocess?
SteveCoveysoftenquotedBeginwiththeendinmindprincipleapplieswelltothequestionofwhatdoIneed tocaptureduringtheprocessflowdiagrammingprocess?Accurate,versusincompleterequirementsaresaidto representthesinglegreatestfactorinsoftwaredevelopmentsuccess.Considerthattheprocessofgathering requirementsprovidesmanyopportunitiestocommunicateattributesneededforsuccessfuldocumentationof softwareandbusinesscontrols.Regardlessoftheapplicationsusedtodocumentrequirements,usingcommon termsandcontrolsdefinitions,suchasthosefoundin CobiT4.0willdramaticallyshortentimespentonsoftware designandcontroldocumentation.Thefollowingimageisintendedassuggestedcontentcapturedbycontrol objectsinaprocessflowdiagram.Suchobjectsmightbefoundinvirtuallyallprocessmodelinganddevelopment trackingsystems.Theefforttoapplycontrolslanguagetothedocumentationofresponsibilityisaprocessdriven bypeople,andbestfacilitatedbycurrentandmaturesoftwaredevelopmenttools.
WhenselectingtoolsforthealignmentofSDLCwithregulatoryandauditreportingrequirements,considerthatthe productmust:
Easilyandclearlyrepresentmaincomponents,objectivesanduserrequirements,whileidentifyingareasthat requirecontrols Providemeansforcapture,evaluationandrankofthemajorrisksto,andexposuresof,thesystem Includehoweachcontrolismonitoredandwhatensurescontrolsareimplementedsuchthtcontrolowners determinetheireffectiveness,forexamplethatbusinessusersreviewbusinessrequirements,dataowners reviewdataaccess,endusersaffirmadequacyoftrainingmaterialsanddocumentation,andsoon Verifythatanysoftwaredevelopmentandchangetrackingsysteminclude: Workorderandrelatedtaskassignmenthistory,status,durationandoutcome Segregatedtrackingofsystemandrolebasedaccesssuchasconsoleloginsandlogoutsbyprogrammers, ticketupdatesbyendusers,programauthorizationbythebusiness. Ensureexistenceofareasonableexplanationforallprogramdeletions
Documentandassignownerstoeventsbasedinasystemmaintenanceprocess: businessauthorization, regressiontestingwherecodeorhardwareintegrationaffectenduserprocessing,and recordofpostmaintenancetestresultsoranyotherauditevidence.
Verifythroughtestandfrequentchecks,theadequacyofproductionlibrarysecurity Integrateprocesscontrolsbetweenconfigurationmanagement,problemmanagementandchange managementintheprocesstoensuretheintegrityoftheproductionresources
ThefollowingchartsandflowdiagramshowsITProgramsinrelationtotheSoftwaredevelopmentLifecycle.The triangleobjectsrepresentauditedCobiTcontrols,withfocustoAI7andincludingadditionalcontrolsfrom supportingprograms.
Figure14.
ProcessInputsandOutputs,RACIChartforAI7asfoundinCobiT4.0,CopyrightofISACA
Page 6of 80
GoalsandMetricsasdescribedinCobiT4.0,CopyrightofISACA
Page 7of 80
Page 1of 80
Figure15. ProcessFlowDiagram:Howaresoftwaredevelopmentartifactscapturedinsystemeventlogsandsoftware designtemplates?
ControlsandApplicationControls
WhendoIneedtodocumentspecificcontrolprocesses?
Theoutputofanypolicyorprocessincludesalistofqualitymeasures.Qualityismeasuredbyasetofcontrolsor tests,eachdesignedtoprovidefeedbackoralignouractionstothosepoliciesandprocedures. Acontroloverprocessischaracterizedbyabilityto: CommunicatesRepeatableIntention ExecutesAsPlanned(Implementation Plan) Measure(RiskMeasurement&ImpactAnalysis) Record(ManagementReporting&KPI) Respond(Thresholds) Archive(DefinedDataRetention) Controlsrequireavisibleandrecognized: Name Owner Method (AutomationorManual) Program Frequency Test ActivityDefinition Location TestEvidence InformationProcessingObjective SequenceIDandmethodoftracking
Howdowemanagealltheserequirements?
MKSIntegrityManagerforprocessandworkflowmanagementof enterprisesoftwaredevelopment
MKSIntegrity ManagerisanexcellentexampleofSoftwaretoolsproviding flexibleprocessandworkflow management,whilefacilitatingcommonbestpractice formanagingsoftwaredevelopment.Thistoolseamlessly marrieswithMKSSourceIntegrityEnterpriseforfullenterprisesoftwareconfigurationmanagement,isthe foundationforMKSRequirementsforrequirementsmanagementandintegratesotherdeveloperproductivity toolstoleveragesoftwareinvestmentsandenhancecoverageofthesoftware.
Page 2of 80
MKSIntegrityManagerImageiscopyrightofMKShttp://www.mks.com TheMKSIntegritysuiteenablesdevelopmentasitoccursinaservicedeliverymodel.InputsfromProject ManagementandHelpDeskarebuiltintotheworkflowwithcontrolsplacedinpointsofemphasistoaprogram designedspecificallyforproductdevelopmentandrelease.Anadditionalhighlightisthisproductsabilityto integratewithmostknownIDEsandtooperateinanywellestablishedtechnologyplatformasitexiststoday. EvenifpopularvotingforyourpersonalITmottoputsyoucantpleaseeveryoneinatiewithdidyouwantit goodordidyouwantitfast?MKSoffersadegreeofsupplantedprocessmaturityrepresentingabumptoatleast leveltwoacrossmostmaturitymeasuresofSDLC.(SeeMaturityModelintextbelow).MKSintegritymanager integratesITprocesses,platformsandtoolswhileguidingsoftwaredevelopmentteamsthroughthemostcommon inputandoutputs,ratholesandhandshakesfoundamongallITshopstoday.
Howmaturedowereallyneedtobe?
Figure16.
MaturityToolbox,asrepresentedbyISACAandCMUasthecommonmaturitymodelorCMM
InstallandAccreditSolutionsandChange,isasignificantlyimportantcontrolforanyITorganization.Without thesecontrolsexistingtosomelevel,itisunlikelythatanyformofbusinesscouldthrive.Consider,however,that mostcompaniescouldbedescribedashavingattributesresemblingthedescriptionsforinitialorrepeatable maturity.WouldthisbematureenoughtoachievethemilestonefoundintheEnterpriseStrategy?Thatisa decisionforeachcompanyanditsleaders.HerearesomeoftheCobiTmaturitydefinitionsfortheInstalland AccreditSolutionsandChangeprocessarea. CobiT4.0DefinesRepeatabletoOptimizedSDLCrelatedpracticeinthefollowingway: *(InstallandAccreditSolutionsandChanges)RepeatablebutIntuitive:Thereissomeconsistencyamongst thetestingandaccreditationapproaches,buttypicallytheyarenotbasedonanymethodology.Theindividual developmentteamsnormallydecidethetestingapproachandthereisusuallyanabsenceofintegrationtesting. Thereisaninformalapprovalprocess. DefinedProcess:Aformalmethodologyrelatingtoinstallation,migration,conversionandacceptanceisin place.ITinstallationandaccreditationprocessesareintegratedintothesystemlifecycleandautomatedtosome extent.Training,testingandtransitiontoproductionstatusandaccreditationarelikelytovaryfromthedefined
process,basedonindividualdecisions.Thequalityofsystemsenteringproductionisinconsistent,withnew systemsoftengeneratingasignificantlevelofpostimplementationproblems. ManagedandMeasurable:Theproceduresareformalizedanddevelopedtobewellorganizedandpractical withdefinedtestenvironmentsandaccreditationprocedures.Inpractice,allmajorchangestosystemsfollowthis formalizedapproach.Evaluationofmeetinguserrequirementsisstandardizedandmeasurable,producingmetrics thatcanbeeffectivelyreviewedandanalyzedbymanagement.Thequalityofsystemsenteringproductionis satisfactorytomanagementevenwithreasonablelevelsofpostimplementationproblems.Automationofthe processisadhocandprojectdependent.Managementmaybesatisfiedwiththecurrentlevelofefficiencydespite thelackofpostimplementationevaluation.Thetestsystemadequatelyreflectstheliveenvironment.Stress testingfornewsystemsandregressiontestingforexistingsystemsareappliedformajorprojects. Optimized:Theinstallationandaccreditationprocesseshavebeenrefinedtoalevelofgoodpractice,basedon theresultsofcontinuousimprovementandrefinement.ITinstallationandaccreditationprocessesarefully integratedintothesystemlifecycleandautomatedwhenappropriate,facilitatingthemostefficienttraining, testingandtransitiontoproductionstatusofnewsystems.Welldevelopedtestenvironments,problem registers andfaultresolutionprocessesensureefficientandeffectivetransitiontotheproductionenvironment. Accreditationtakesplaceusuallywithnorework,andpostimplementationproblemsarenormallylimitedto minorcorrections.Postimplementationreviewsarestandardized,withlessonslearntchanneledbackintothe processtoensurecontinuousqualityimprovement.Stresstestingfornewsystemsandregressiontestingfor modifiedsystemsareconsistentlyapplied. *(SpellingisalteredforUSEnglish)
NoteveryorganizationwillsetSDLCtargetsonoptimized,butonethingiscertain.Anyorganizationwith strategytowardslevelfiveSoftwareDevelopmentpracticeneedsevidenceofsystembasedcontrolsasseenin theMKSIntegrityManagerSuite.
Figure17.
Howaresoftwaredevelopmentartifactscapturedinsystemeventlogsandsoftwaredesigntemplates?
Page 4of 80
TestScripts,UtilitiesandEventTrackingSystems
WhatIsATestScriptOrTestTemplates?
Programs,systemsandreleaseshaveassociatedtestsand testresults.QAandSecuritymaintainsecuretestplans andtestresults.TestsrelatedtoSoftwareQualityarerunfrom,andsecuredin,the[NameofTestingorQuality AssuranceApplication]Application. Securityscriptsandnetworkingutilitiesare maintainedinsecurelocationwiththehighestdegreeinlimited access.Theseitemsarebydesign,neithervisibleoraccessibletothegeneraluser.
WhereDoIFindQATestTemplates?
TesttemplatesaremaintainedintheQAProcessdirectory \\...\PAL\ITProcessAssetLibrary\QualityAssurance\Template\ SecurityProgramTesttemplatesaremaintainedinSecurityManagementdirectory \\...\PAL\ITProcessAssetLibrary\SecurityManagement\ProgramTestPlans\
Assets,InventoriesandConfigurationBaselines
Networkingdevices,serversandapplicationservershavebothinventoryandconfigurationcontrolrequirements. Configurationbaselinereferstotheminimumsecureconfigurationappliedtoanydeviceatbuild.Changestothe configurationbeyondthispointareassociatedtobusinessrequirements,productreleaseandprojectmanagement. DataCenterOperationsandSupportmanageaninventoryofitemsandbaselineconfiguration.Theserecordsare tablesin FacilitatedComplianceManagementbutarescheduledtobemovedinto[Nameofcoreproductor service]. WhereconfigurationrecordsincludeIPaddressingandotherinformationthatcouldbeusedtocompromise networksecurity,theinformationisnotmade availablebeyondpersonswhosupportandnetworkingand[Name ofcoreproductorservice]platformavailability.
When DoINeedToCreateAControlledServerObject?
Page 5of 80
Figure18.
Should Idocumentacontrolledserverinoursysteminventorydatabase?
WhereAreDevicesInventoriedAsAssets?
ControlledServerRecordswillresidein[Nameofcoreproductorservice]butarecurrentlystagedin Facilitated ComplianceManagement
WhereDoIFindServerControlRecords?
\\...\pal\FacilitatedComplianceManagement\ShortcuttoControlledServersinFacilitated Compliance Management
Page 6of 80
Figure19.
ControlledServerForm
Page 7of 80
Figure20.
EachcontrolleditemhasassociatedsecurityexemptionsandstandardOSandApplicationbuild
WhichToolsStoreServerandApplicationInformation?
Thedatacentermaintainsalistofdevicesandtoolsorapplicationswiththeirrespectivecontrolsandresource owners.Thisinformation ismaintainedin FacilitatedComplianceManagement. Allsystems,applicationsor Toolsareinventoriedassets. SoftwareControlapplicationsmustaddressallpointsofhandoffinasoftware developmentandsupportlifecycle.
Page 8of 80
WhereIsTheListOfToolsAndToolTypes?
ToolsandTooltypesarelistedintheToolsandToolTypetableinthe FacilitatedCompliance Management2000FCMdatabase.ServersanddevicesarerecordedintheControlledServerForm,locatedinthe FacilitatedComplianceManagementdatabase.
ControlsandKeyControls
WhenDoINeedToDocumentAControlObject?
Controlspracticesprovidereasonableassurancethatbusinessrulesexistandareoptimizedsuchthatnegative impactofundesirableeventsarecaptured,respondedtoandmitigated.ITControlistherightmixtureofpolicies, procedures,practicesandorganizationalstructuresthatassurebusinessobjectivesaremet,whilepreventing, detectingorcorrectinganyorallundesiredevents. ControlDefinitionsexistwithineachprocessandareaninherentfeatureinpolicy. ControlOverProcessIsDemonstratedWhen: ItCommunicatesRepeatableIntention ExecutesAsPlanned(ImplementationPlan) Measures(RiskMeasurement&ImpactAnalysis) Records(ManagementReporting&KPI) Archives(DefinedDataRetention) ControlItemscapture ControlName Owner ControlMethod AutomationorManual Program Frequency TestInformation ActivityDefinition LocationofTestandTestEvidence InformationProcessingObjective SequenceIDandKeyTracking
Formoreinformation,reviewsectionDocumentElements: FlowDiagram ,VisioShapesandCustomProperties forEvidenceofProcessControls
WhereAreControlsCatalogued?
ControlsarecataloguedbyName,AssociatedProcessesandOwnerswithinTechnologys[Nameofcoreproduct orservice]system.TheinformationisusedforongoingControlSelfAssessmentandCompliance Documentation.Controlsarecataloguedin FacilitatedComplianceManagementandin[Nameofcoreproduct orservice].ControlsarealsoidentifiedwithineveryProcessFlowDiagramandProgramDefinition. Key ControlsaligntotheCobiTframeworkandarevisibleontheControlSelfAssessmentformwithinFacilitated Compliance Management.
Figure21.
WhatProcessEngineering,AuditorsandQualityGatherRegardingCorporateKeyControls
Page 10 of 80
ProcessDiagramscallinformationfromthe FacilitatedComplianceManagementdatabase.Keycontrolspullinformation fromtheKeyControlsTable.
ExampleofaKeyControls
Figure22.
KeyControlsForm
WhereDoIFindTheFormorTemplate?
http://www.COMPANY.com TechnologyControls(LoginRequired) \\...\PAL\Templates\InternalControlTestingTemplate.dot
Copyright2006,PhoenixBusinessandSystemsProcess,Inc.Needham,MA,USA, MorefromPhoenixBusinessandSystemsProcess,http://www.pbandsp.com Page 11 of 80
Product,ApplicationDevelopmentandQualityTemplates
ObjectName Function Owners Approve Date
ChangeCommittee ReviewBoard
TheChangeCommitteeReviewBoardTemplate guidesthecompletionofdocumentationforthe purposeofenterpriseorhighpriority/impactChange Management. Checklistidentifiesvalidationitemsbeforeachange controlcanbeapprovedorclosed Emergencycodechangerequireswrittenapprovalby Quality,Development,andCTO.TheEmergency deploymentformrepresentssignedapprovalbyall necessarypartiesandissubmittedtotheNetworkor DataCenterOperationspriortoemergency deploymentofcodetoproduction.Emergency changeissubjecttoChangeManagementpolicyand isreviewedpriortoandpostchangeimplementation. Templateisusedtodocumenthighlevelaspectsofa testplan
[NameofChief Technology Officer]
ChangeReviewBoard Checklist
Copyright2006,Phoenix Businessand SystemsProcess, Inc.Needham,MA,USA,
[NameofChief SecurityOfficer]
Emergency Deployment Authorization
HighLevelTestPlan
[NameofChief Technology Officer],[Nameof QualityAssurance Manager] [NameofChief SecurityOfficer], [NameofChief Technology Officer]
ICQPhysicalSecurity
Templateisusedtogenerateanewuniqueinstanceof ICQPhysicalSecurity.Templates,whenused, constituteaworkproduct,whichisprocessedand thenstoredascontrolevidenceinthe \\...\PAL\IT ProcessAssetLibrary\Processand Procedures\SecurityManagement\Template\ folder Templateisusedtogenerateanewuniqueinstanceof ICQSecurityPolicy.Templates,whenused, constituteaworkproduct,whichisprocessedand thenstoredascontrolevidenceinthe \\...\PAL\IT ProcessAssetLibrary\Processand Procedures\SecurityManagement\Template\ folder. Providesdocumentationformatforan implementation. Templateisusedtodocumentallaspectsoftestingan internalcontrol
ICQSecurityPolicy
[NameofChief SecurityOfficer], [NameofChief Technology Officer]
Implementation PlanningTemplate Internal Control TestingTemplate MeetingAgendaand Minutes.dot
[NameofProcess Librarian] [NameofProcess Librarian] [NameofProcess Librarian]

Page 12 of 80
ObjectName
Function
Owners
Approve Date
MeetingFormLetter
Thisletterislinkedinconsoleasatemplate.
[NameofProcess Librarian] [NameofProcess Librarian]
MeetingMinutes Template.dot NetworkChange IdentificationForm Templateisusedwhenchangesand/orsecurity violationsarefoundonthenetwork,tosystems,orto serversthatdidnotgothroughtheformalchange controlprocess.
[NameofChief SecurityOfficer]
PolicyProfile ProcessProfile Template ProgramProfile Template ProjectCharter Templateisusedtodocumentallareasofaprocess [NameofProcess Librarian] [NameofProcess Librarian] [NameofProcess Librarian]
Templateisusedtodocumentallareasofaprogram
Templateisusedtodocumentthescope,assurance andresourcesofaproject TemplateisusedtodocumentallareasofaProject Plan Templateisusedtoguidedocumentsandtasks neededpriortoQAPlanning
ProjectPlanDefinition
QAPlanningKickoff CheckList
RequestForExemption Templateisusedtodocumentallareasofrisk associatedwithrequestedexemption RequestForRemoval ofMedia Templateisusedtogenerateanewuniqueinstanceof RequestForRemovalofMediaTemplate.Templates, whenused,constituteaworkproduct,whichis processedandthenstoredascontrolevidenceinthe \\...\PAL\ITProcessAssetLibrary\Processand Procedures\SecurityManagement\Template\ folder. Templateisusedtoguidereviewofrequirementsto assurecompletenessacrossallareas.
[NameofChief SecurityOfficer] [NameofChief SecurityOfficer], [NameofChief Technology Officer]
June23, 2005
Requirements Completeness Checklist
,[Nameof ProductorProject Management Director]
RiskCriteria
Templateisusedtogenerateanewuniqueinstanceof RiskCriteriaTemplate.Templates,whenused, constituteaworkproduct,whichisprocessedand thenstoredascontrolevidenceinthe \\...\PAL\IT

Page 13 of 80
ObjectName
Function
Owners
Approve Date
ProcessAssetLibrary\Processand Procedures\SecurityManagement\Template\ folder. RunBookSecurity SectionWhatto Describe Templateisusedtogenerateanewuniqueinstanceof RunBookSecuritySectionWhattoDescribe Template:(Forfinancial/highriskservers). Templates,whenused,constituteaworkproduct, whichisprocessedandthenstoredascontrol evidenceinthe\\...\PAL\ITProcessAsset Library\ProcessandProcedures\Security Management\Template\ folder. Templateisusedtodocumentelectronicsecurity regardingemailandfiletransfer. The purposeoftheSecurityInfrastructurePlanisto establishstrategic,tacticalandannualinformation securityplansforCOMPANY. Templateisusedtogenerateanewuniqueinstanceof SecurityProgramandProgramTestProfileTemplate. Templates,whenused,constituteaworkproduct, whichisprocessedandthenstoredascontrol evidenceinthe\\...\PAL\ITProcessAsset Library\ProcessandProcedures\Security Management\Template\ folder. Templateisusedtousedtocaptureandfullydevelop andanalyzesecurityrisks. Templateisusedtodocumentallrequirementsfor software [NameofChief SecurityOfficer] ThomGray, [NameofProduct orProject Management Director] [NameofChief SecurityOfficer], [NameofChief Technology Officer]
SecureEmailandFile Transfer SecurityInfrastructure Plan
[NameofChief SecurityOfficer] [NameofChief SecurityOfficer]
SecurityProgramand ProgramTestProfile
SituationEvaluation Form SoftwareRequirement Specifications Template
RunBookTemplate
TheRunBookorSystemDocumentationbook containsinformationnecessarytorunandmaintaina corebusinesssystem.Intheeventofemergency staffingchange,thisdocumentservestoguideanew employeethroughthesupportofthissystem. Templateisusedtodocumentalloperational requirementsforasystem TemplateisusedtodocumentallareasofaTestPlan
SystemOperational Requirement TestPlanTemplate
Page 14 of 80
ObjectName
Function
Owners
Approve Date
UserAccessProgram Checklist
Templateisusedtogenerateanewuniqueinstanceof UserAccessControlsWorkProgramTemplate. Templates,whenused,constituteaworkproduct, whichisprocessedandthenstoredascontrol evidenceinthe\\...\PAL\ITProcessAsset Library\ProcessandProcedures\Security Management\Template\ folder. Templateisusedtowarnanemployeewhentheydo somethinginappropriateandhowto improve. JobAnalysisQuestionnairetemplateisusedto describeemployeesresponsibilitiesanddutiesamong otherthings. Templateisusedtoprovideabriefdescriptionofthe generalnatureoftheposition,anoverviewofwhythe jobexists,andwhatthejobistoaccomplish.
[NameofChief SecurityOfficer], [NameofChief Technology Officer]
EmployeeWarning Notice JobAnalysis Questionnaire
JobDescription Template
Page 15 of 80
WhichToolStoresProcessandWorkInstructioninformation?
ProcessEngineeringmanagesalistofallWorkInstructionsandProcessesinthe FacilitatedCompliance ManagementObjecttable.Thereareavarietyofreportsthatsummarizethefunctionforallprocessesaswellas provideanoverviewofallprocessflowdiagrams.
Page 16 of 80
Figure23.
FacilitatedComplianceManagementprovidessummaryreportsformanyobjecttypes
Figure24. FacilitatedComplianceManagementAllowsProcessLibrariantocaptureandcatalogueallprocess objects
FlowDiagram
WhenDoIUseAFlowDiagram?
FlowDiagramsaredevelopedtoprovideahighlevelsummaryofstepsinanyprocessorprocedure.Theyare HighLevel,notvague.ControlsarealsolistedinFlowDiagrams,furtherdemonstratingconstraintsthateither preventerrororreinforcecorrectmovement.Keycontroltemplateobjectsarecreatedbyprocessengineeringin responsetothecurrentcontrolsinscopeforaudit.Theseitemsdetailallaspectsthatcontrola
Page 17 of 80
process.
Page 18 of 80
Figure25.
SampleofABusinessProcess
Page 19 of 80
VisioShapesandCustomPropertiesforEvidenceofProcessControls
Name* Description* DocumentTitle,Scope, Revision,ReleaseDate,Editors, AffirmationTeam AlwaysSequence0.0
Referencetootherprocess documentsandtofullprocesses outsideofthescopeofthe currentdocument. Partofprocessessequence
Identifiesprocessactivity, notingcontrolissuesand potentialgaps,ownersand eventsequence. Partofprocessessequence
Decisionpointandcriteriafor movement Partofprocessessequence
Groupingallowsrepresentation ofsimultaneousevents Sequenceshouldparentchild thesubgroupofactivities Looplimitsusuallyreflectkey controls
Page 20 of 80
Name*
Description* DataManagement: Whatdataisused, howisitclassified, retained,transferred, accessed Listofexternaldocumentsused tocompleteprocess,statusof useincontrolsevidence, creationfrequency,description ofuse Sequenceisalways9.9sothat alldatasourcesareclusteredto thebottomoftheprocess report. Exitandentrancecriteriafor movementfromoneactivityto thenext.Wherecriteriafor movementismonitoredbya systemandiscriticaltocontrol activity,thisshouldbefilledin. Wherethisistrue,therewould beanexpectedcontrol. TriggerandExitcriteria Sequenceisalways0.1sothat alltriggersandexitcriteriaare clusteredto thetopofthe processreport.
Page 21 of 80
Name*
Description* ControlDocumentationObject: Dropdownmenuchoicesincludecommonlanguage fordefiningcontrolsasexpressedbyISACA,PCAOB, PwC,E&Y,KPMG,DeloitteandSANS.Information enteredtothisarea,itisavailabletocontrolsreporting forthisprocess.Thesequenceisusedtoalignthe controltotheassociatedactivitiesthatusethiscontrol. Whereacontrolisusedinmultipleinstances,itneed onlybedescribedonceandthenmentionedonthe activityobject. When acontrolisinadequate,theissueisidentifiedin theGAPcommentaryoftheactivityneedingmore stringentcontrol.Thisforcestherelativeriskofthe controlgaptobeevidenttotheviewerandwriter
DatabasenameandDBA/SA owners Sequenceisalways9.8sothatall datasourcesareclusteredtothe bottomoftheprocessreport.
Page 22 of 80
GroupingBox ParentProcess (indicatesanother processdiagram)
LoopLimit
Database
ProcessTitle Date: AffirmationTeam:
0.0 a
#.#Decision
Figure26.
ProcessObjectswithproperties
Page 23 of 80
AcronymGlossaryandDefinitions
Acronyms Approver Definition Anindividualwhoreviewsthechangetoensuretheintegrityandreliabilityof thedocumentandgrantsapprovalforthedocumenttobeposted.
DocumentOwner
Managerdesignatedashavingownershipofalldocumentsassociatedwiththe productionsystemand,thereby,havingtheauthoritytochangeit.
Dualcontrol
Twopeoplearerequiredforanimportantactivitytobeaccomplished.
Employee
Person,includingcontractorsandtemporarystaff,whohavebeengrantedaccess toARLresources.
Owner
Managerofadepartmentorbusinessunitresponsibleforproductionprocesses, systems,applications,platformsorusers.InaccordancewithInformation Securitypolicies,andstandards,ownersdeterminethelevelofsensitivityand confidentialityoftheirinformation.Assuch,theydeterminechanges,accessand disseminationoftheirinformation.
Activity CISA CobiT
Anelementofworkperformedduringthecourseofaproject.Anactivity normallyhasanexpectedduration CertifiedInformationSystemsAuditor TheCOBIT(ControlObjectivesforInformationandRelatedTechnology) frameworkwasreleasedin1996andupdatedin1998and2000bythe InformationSystemsAuditandControlAssociation (ISACA)inresponsetothe needforareferenceframeworkforsecurityandcontrolininformation technology.In2000,theITGovernanceInstituteandISACFdevelopedthe ManagementGuidelinesforCOBIT.Theseguidelinesrespondtoaneedby ManagementforcontrolandmeasurabilityofIT,forthepurposeofensuringthat ITactivitiesachievebusinessobjectives. Thepolicies,procedures,practicesandorganizationalstructuresdesignedto providereasonableassurancethatbusinessobjectiveswillbeachievedandthat undesiredeventswillbepreventedordetectedandcorrected
Control
DocumentorSource Asampledocumentthatadherestothecriterianecessaryforcompletionofa Document processandincludestheessentialcontentsdefinedinthetemplate. Function ITControlObjective Agroupofrelatedactionscontributingtoalargeraction.SecurityPolicy,Access Control,andPerimeterSecurityrepresentsecurityfunctions. Astatementofthedesiredresultorpurposetobeachievedbyimplementing

Page 24 of 80
Acronyms
Definition controlproceduresinaparticularITactivity
ITIL Process
InformationTechnologyInfrastructureLibrary Aseriesoftasksthattransforminputsintodesiredoutputs.Thetermprocedureis sometimesusedinterchangeablywithprocessinthismethodology.Administer Accounts,PerformRiskAssessment,AuditPerimeterSecurity,InstallHardware areexample
ProcessManagement AhighleveldescriptionofthesystemthatprovidesafullyintegratedKnowledge Architecture Base[ofprocessinformation].TheKnowledgeBaseinturnprovidescontrolof processchangeandaccesstoallprocessesandprocedures. Task Ataskisaspecificactionperformedaspartofaprocess.Disableaccounts, InterviewNetworkManager,andrunCrackontheUnixmachineareexamplesof securitytasks. Askeletondocument,spreadsheet,orgraphicpresentationthatrepresentsthe essentialrequirementsfordeliverablecontent.
Template
ComprehensiveGlossaryofallCorporateTerms
\\...\pal\FacilitatedComplianceManagement\ShortcuttoGlossaryinFacilitatedCompliance Management2000FCM.MAT
RelatedDocuments
The CobiT4.0(ControlObjectivesforInformationandRelatedTechnology)frameworkwasreleasedin1996 andupdatedin1998and2000 andmostrecentlyin2005,bytheInformationSystemsAuditandControl Association (ISACA)inresponsetotheneedforareferenceframeworkforsecurityandcontrolininformation technology.In2000,theITGovernanceInstituteandISACAdevelopedtheManagementGuidelinesforCOBIT. TheseguidelinesrespondtoaneedbyManagementforcontrolandmeasurabilityofIT,forensuringthatIT activitiesachievebusinessobjectives.http://www.isaca.org/cobithorizon.htm TheITInfrastructureLibrary,ITIL(),isaseriesofdocumentsthatareusedtoaidtheimplementationofa frameworkforITServiceManagement(ITSM).ThisframeworkdefineshowServiceManagementisapplied withinspecificorganizations.Beingaframework,itiscompletelycustomizableforapplicationwithinanytypeof businessororganizationthathasarelianceonITinfrastructure. http://www.itilitsmworld.com/ ProjectManagementSkillandKnowledgeRequirementsinanInformationTechnologyEnvironment(ISACA) http://www.phoenixprocessconsulting.com/security/ProcessProject/projectmanagement.pdf
ExtendedBibliography
AgencySecurityPractices.STIGs,SecurityTechnicalImplementationGuides.RetrievedDecember1,2005from http://csrc.nist.gov/pcig/cig.html. ACLU,(AmericanCivilLibertiesUnion).FreeSpeech.RetrievedNovember1,2005from http://www.aclu.org/freespeech/index.html. AICPA,AmericanInstituteofCertifiedPublicAccountants.RetrievedDecember1,2005 http://www.aicpa.org/index.htm.
ANSI.U.S.NationalConformityAssessmentPrinciples.RetrievedDecember1,2005from http://www.ansi.org/conformity_assessment/ncap.aspx?menuid=4. Berinato,Scott,DarwinMagazine,http://www.darwinmag.com/read/0502/apples.html. BSI,BritishStandardsInstitute,"BSISO/IEC17799:2005",inBritishStandardISO/IEC27001:2005,London, UnitedKingdom:TheStationaryOffice,2005. CESG(UK)&NIST(USA).CommonCriteria,AnIntroduction.RetrievedDecember1,2005from http://www.commoncriteriaportal.org/public/files/ccintroduction.pdf.Note:"TheCommonCriteriaworkisan internationalinitiativebythefollowingorganizations:CSE(Canada),SCSSI(France),BSI(Germany),NLNCSA (Netherlands),CESG(UK),NIST(USA)andNSA(USA)",p.2. CIS,CenterforInternetSecurity.CISBenchmarks/ScoringTools.RetrievedDecember1,2005from http://www.cisecurity.org/bench.html. CISWG(2004).CorporateInformationSecurityWorkingGroup,ReportoftheBestPracticesandMetricsTeams. RetrievedDecember1,2005from http://www.educause.edu/ir/library/pdf/CSD3661.pdf. Clark,JamesBryce(jamie.clark@oasisopen.org),Shearman&Sterling,NewYork,http://www.oasis open.org/who/tab.php#jclark. CMU/SEI,CarnegieMellonUniversity/SoftwareEngineeringInstitute.RetrievedDecember1,2005 http://www.sei.cmu.edu/. COBIT. IsaproductofISACA,aglobalnotforprofitprofessionalmembershiporganizationfocusedonIT Governance,assuranceandsecurity,withmorethan 60,000membersinmorethan140countries.ITGI undertakesresearchandpublishesCOBIT,anopenstandardandframeworkofcontrolsandbestpracticeforIT governance."ISACA,InformationSystemsAuditandControlAssociation.http://www.isaca.org/. http://www.isaca.org/Template.cfm?Section=CobiT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID =55&ContentID=7981. COSO,CommitteeofSponsoringOrganizationsoftheTreadwayCommission.RetrievedDecember1,2005 http://www.coso.org/. Deming,Edwards(1986),"14PointsforManagement",inOutofCrisis,1986,Cambridge:TheMITPress, http://www.deming.org/resources/books.html. EDUCAUSE&Internet2,ComputerandNetworkSecurityTaskForce,EDUCAUSE/Internet2Computerand NetworkSecurityTaskForce. GovernanceAssessmentToolforHigherEducation,http://www.educause.edu/ir/library/pdf/SEC0421.pdf. ECS,EducationCommissionoftheStates(2002).CitizenshipEducationInclusioninAssessmentand AccountabilitySystems.RetrievedDecember1,2005from http://mb2.ecs.org/reports/Report.aspx?id=107. FASP,FederalAgencySecurityPractices,"STIGs,SecurityTechnicalImplementationGuides", http://csrc.nist.gov/pcig/cig.html. FERF,FinancialExecutivesResearchFoundation,http://www.fei.org/rf/. FFIEC,FederalFinancialInstitutionsExaminationCouncil.RetrievedNovember1,2005 http://www.ffiec.gov/. FIPS,FederalInformationProcessingStandardsPublication,http://www.itl.nist.gov/fipspubs/. Frye,Emily,CybersecurityandCorporateGovernanceNow:DoesItTakeLiabilitytoGetAttention?,in AmericanBarAssociation,SectionOfScience&TechnologyLaw,Chicago2005, http://www.documation.com/aba/pdfs/004.pdf. GAAP,GenerallyAcceptedAccountingPrinciples,http://www.fasab.gov/accepted.html.
GAOAccountingandInformationDivision(1999).FISCAM,FederalInformationSystemControlsAudit ManualVolumeI:FinancialStatementAudits,Washington:GovernmentAccountabilityOffice.Retrieved December1,2005from http://www.gao.gov/special.pubs/ai12.19.6.pdf. GAOAccountingandInformationDivision.FISCAM,FederalInformationSystemControlsAuditManual VolumeI:FinancialStatementAudits,Washington:GovernmentAccountabilityOffice,1999.Retrieved December1,2005from http://www.gao.gov/special.pubs/ai12.19.6.pdf. GAP,GovernmentAccountabilityProject,http://www.whistleblower.org/template/index.cfm. Gibaldi,Joseph(2003),MLAHandbookforWritersofResearchPapers,6thEdition, http://www.mla.org/handbook. GPO,GovernmentPrintingOffice.RetrievedDecember1,2005http://www.gpoaccess.gov/index.html. Gruber,Tom,WhatisanOntology?,KSL,KnowledgeSystems,AILaboratory,StanfordUniversity.Retrieved December1,2005from http://wwwksl.stanford.edu/kst/whatisanontology.html.Note:Anontologyisan explicitspecificationofaconceptualization.[]Weusecommonontologiestodescribeontological commitmentsforasetofagentssothattheycancommunicateaboutadomainofdiscoursewithoutnecessarily operatingonagloballysharedtheory." IEC,InternationalElectrotechnicalCommission.RetrievedDecember1,2005 http://www.iec.ch/. ISSA,InformationSystemsSecurityAssociation.RetrievedDecember1,2005http://www.issa.org/. ISO16609:2004Banking Requirementsformessageauthenticationusingsymmetrictechniques ISO/TR17944:2002Banking SecurityandotherfinancialservicesFrameworkforsecurityinfinancial systems ISO/TR19038:2005BankingandrelatedfinancialservicesTripleDEA Modesofoperation Implementation guidelines. ISOTCPortal.StandardsDevelopmentProcesses.RetrievedDecember1,2005from http://isotc.iso.org/livelink/livelink/fetch/2000/2122/3146825/4229629/sds_base.htm. ISO&CASCO,ISO/IECGuide60:2004ConformityAssessmentCodeofGoodPractice,Geneva:ISOStore. RetrievedDecember1,2005from http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=37035&ICS1=3&ICS2=120&IC S3=20&showrevision=y. ISO.Generalinformationontechnicalcommittees.RetrievedDecember1,2005from http://www.iso.ch/iso/en/stdsdevelopment/tc/TC.html. ISO."AchievingOptimalOutput",inISOAnnualReport2004,2004,Chapter4.RetrievedDecember1,2005 from http://www.iso.ch/iso/en/aboutiso/annualreports/pdf/chapter4.pdf. ISO.TheAgreementontechnicalcooperationbetweenISOandCEN(ViennaAgreement).RetrievedDecember 1,2005from http://isotc.iso.org/livelink/livelink.exe/fetch/2000/2122/3146825/4229629/4230450/4230458/customview.html?f unc=ll&objId=4230458&objAction=browse&sort=subtype ITGI,ITGovernanceInstitute.RetrievedDecember1,2005http://www.itgi.org.Note:ITGIdescribesitselfas "TheITGovernanceInstitute(ITGI)existstoassistenterpriseleadersintheirresponsibilitytoensurethatITis alignedwiththebusinessanddeliversvalue,itsperformanceismeasured,itsresourcesproperlyallocatedandits risksmitigated."and"[ITGI]isanotforprofitresearchorganizationaffiliatedwiththeInformationSystems AuditandControlAssociation ITGI&OGC(2005).AligningCOBIT,ITILandISO17799forBusinessBenefit.RetrievedDecember1, 2005from http://www.isaca.org/.
ITGI&ISACA(2004).COBITMapping,OverviewofInternationalITGuidance.RetrievedDecember1,2005 from http://www.isaca.org/Content/ContentGroups/Research1/Deliverables/CobiT_Mapping_Paper_6jan04.pdf. ITGI&ISACA(2004).ItControlObjectivesforSarbanesOxley:TheImportanceofItintheDesign, ImplementationandSustainabilityofInternalControloverDisclosureandFinancialReporting.Retrieved December1,2005from http://www.isaca.org/Content/ContentGroups/Research1/Deliverables/IT_Control_Objectives_for_Sarbanes Oxley_7july04.pdf. ITTF,ISO/IECInformationTechnologyTaskForce.RetrievedDecember8,2005 http://isotc.iso.org/livelink/livelink/fetch/2000/2489/Ittf_Home/ITTF.htm.Note:ITTFmaintainsaccesstoall freelyavailableISOstandards,alistthatgrowsdaily,andonDecember8,2005included253freeISOstandards. ITIL,InformationTechnologyInfrastructureLibrary.RetrievedDecember1,2005 http://www.ogc.gov.uk/index.asp?id=2261. ITTF.FreelyAvailableStandards.InaccordancewithISO/IECJTC1andtheISOandIECCouncilsthese InternationalStandardsarepubliclyavailable.RetrievedDecember1,2005from http://isotc.iso.org/livelink/livelink/fetch/2000/2489/Ittf_Home/ITTF.htm.Note:Thestandardsareavailablefor downloadattheITTFwebsite.Thisdoesnotimply freeuseorpermissiontocopyanymaterialsfound.The filesareinzipformat.Ihadnodifficultywiththembutalwaysuseastagingaretorunadditionalanti virus/spywarebeforeopeninganyonesfiles: http://standards.iso.org/ittf/PubliclyAvailableStandards/c040612_ISO_IEC_154081_2005(E).zip, http://standards.iso.org/ittf/PubliclyAvailableStandards/c040613_ISO_IEC_154082_2005(E).zip,& http://standards.iso.org/ittf/PubliclyAvailableStandards/c040614_ISO_IEC_154083_2005(E).zip KNET.RetrievedDecember1,2005http://www.isaca.org/knet.Note:KNETisprovidedbyISACAasa professionalresourceanddescribesitas"aglobalknowledgenetworkforITGovernance,Controland Assurance"andKNETcontainsover5,200peerreviewedwebsiteresourcespertainingtoknowledgecovering ITGovernance,Assurance,SecurityandControl.FullaccesstoKNETisreservedforassociationmembers.In addition,apersonalizedtrackingfeature[].Referenceitemsareorganizedintologicalcategoriesofinterestand concern". LawrenceW.Smith,"TheFASBsEffortsTowardSimplification",inTheFASBReport,February28,2005. RetrievedDecember1,2005from http://www.fasb.org/articles&reports/fasb_efforts_toward_simplification_tfr_feb_2005.pdf.Note:Thisarticle summarizingBobHerz,FASBchairmanofFinancialAccountingStandardsBoardtoshowthecomplexityof GAAPasitrelatestoapplicationofconsistentstandardsandcodificationinthecurrent180ofUSGAAParticles withinU.S.Code. McNamara,RobertS.andMorris,Errol,TheFogofWar:ElevenLessonsfromtheLifeofRobertS.McNamara, December2003. NARA,NationalArchivesandRecordsAdministration.RetrievedDecember1,2005 http://www.archives.gov/. NationalCouncilforScienceandtheEnvironment.CongressionalResearchServiceReports.RetrievedDecember 1,2005from http://www.ncseonline.org/NLE/CRS/. NASD,NationalAssociationofCorporateDirectors.RetrievedDecember1,2005http://www.nacdonline.org/. NHGRI,NationalHumanGenomeResearchInstitute.RetrievedDecember1,2005 http://www.genome.gov/. UnitedStatesCongress,"Circular92","CopyrightLawoftheUnitedStatesofAmericaandRelatedLaws ContainedinTitle17oftheUnitedStatesCode",inUnitedStatesCode,Title17(1976),Washington,U.S. GovernmentPrintingOffice,Chapters18&1012.
Page 28 of 80
NIAC,NationalInfrastructureAdvisoryCouncil(February2003).TheNationalStrategytoSecureCyberspace, Washington:DepartmentofHomelandSecurity.RetrievedDecember1,2005from http://www.dhs.gov/interweb/assetlibrary/National_Cyberspace_Strategy.pdf. NISTInformationTechnologyLaboratory(2002),InternationalStandardISO/IEC17799:2000CodeofPractice forInformationSecurityManagement,FrequentlyAskedQuestions,RetrievedDecember1,2005from http://csrc.nist.gov/publications/secpubs/otherpubs/revisofaq.pdf. NIST,NationalInstituteofStandardsandTechnology.FIPS,FederalInformationProcessingStandards Publication.RetrievedDecember1,2005from http://www.itl.nist.gov/fipspubs/. NISTSP80053DatabaseApplicationisavailablefordownloadathttp://csrc.nist.gov/seccert/download800 53database.html NHGRI,NationalHumanGenomeResearchInstitute,http://www.genome.gov/. NSSN,NationalStandardsSystemsNetwork,"STAR,StandardsTrackingandAutomatedReporting,Services", http://www.nssn.org/star_intro.html. NISO,NationalInformationStandardsOrganization.RetrievedDecember1,2005 http://www.niso.org/index.html. NormanWalsh&LeonardMuellner,DocBook:TheDefinitiveGuide,O'Reilly&Associates,Inc.,Version1.0.2 (1999).RetrievedDecember1,2005from http://www.oreilly.com/catalog/docbook/chapter/book/docbook.html. Note:ThisistheofficialdocumentationforDocBook.&BobStayton,DocBookXSL:TheCompleteGuide, SagehillEnterprises,ThirdEdition(2005).RetrievedDecember1,2005from http://www.sagehill.net/docbookxsl/.Note:ThisisthedefinitiveguidetousingtheDocBookXSLstylesheets.It providesthenecessarydocumentationtorealizethefullpotentialofDocBook OASIS(2005).SecurityAssertionMarkupLanguage(SAML)v2.0.RetrievedDecember1,2005from http://www.oasisopen.org/specs/index.php#samlv2.0,&http://docs.oasisopen.org/security/saml/v2.0/saml2.0 os.zip. OfficeofManagementandBudget."CircularNo.A130Revised",inTransmittalMemorandumNo.4, MemorandumForHeadsOfExecutiveDepartmentsAndAgencies.RetrievedDecember1,2005from http://www.whitehouse.gov/omb/circulars/a130/a130trans4.html. OfficeofManagementandBudget."CircularNo.A119Revised,AccompanyingFederalRegisterMaterials",in FederalParticipationintheDevelopmentandUseofVoluntaryConsensusStandardsandinConformity AssessmentActivities.RetrievedDecember1,2005from http://www.whitehouse.gov/omb/circulars/a119/a119.html. OGC,OfficeofGovernmentCommerce.RetrievedDecember1,2005 http://www.ogc.gov.uk.Note:As explainedbytheOGCas"[]aUKgovernmentorganizationresponsibleforprocurementandefficiency improvementsintheUKpublicsector.OGChasproducedworldclassbestpracticeguidance,includingPRINCE (projectmanagement),MSP(ManagingSuccessfulPrograms)andITIL(ITservicemanagement).ITILis usedthroughouttheworldandisalignedwiththeISO/IEC20000internationalstandardinservicemanagement." OGC,OfficeofGovernmentCommerce,"ICTInfrastructureManagement",inITILSeries,London,United Kingdom:TheStationaryOffice,2002. OntoWebProject,OntoWebWorkingGrouponProcessStandards,http://www.aiai.ed.ac.uk/project/ontoweb/. AmyKnutilla,CraigSchlenoff,StevenRay,StephenT.Polyak,AustinTate,ShuChiunCheahandRichardC. Anderson:"ProcessSpecificationLanguage:AnAnalysisofExistingRepresentations,"NISTIR6160,National InstituteofStandardsandTechnology,Gaithersburg,MD,1998. O'Reilly,Tim,WhatIsWeb2.0,DesignPatternsandBusinessModelsfortheNextGenerationofSoftware, 09/30/2005RetrievedDecember30,2005from
http://www.oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/whatisweb20.html?page=1,WhatisWeb 2.0PricewaterhouseCoopersonbehalfofCOSO,COSO,EnterpriseRiskManagementIntegratedFramework, AICPA,Volume2, https://www.cpa2biz.com/CS2000/Products/CPA2BIZ/Publications/COSO+Enterprise+Risk+Management+ +Integrated+Framework.htm,&COSO(2005),InternalControl IntegratedFramework,GuidanceforSmaller PublicCompaniesReportingonInternalControloverFinancialReporting,AICPA,ExposureDraft, http://155.201.80.182/Coso/coserm.nsf/vwResources/PDF_IC/$FILE/COSO_FINAL_Draft_IC_Guidance.pdf. PricewaterhouseCoopers,IntegrityDrivenPerformance,WhitePaper(2004),Page34,Note: PricewaterhouseCoopers(www.pwc.com)providesindustryfocusedassurance,taxandadvisoryservicesfor publicandprivateclients.Morethan120,000peoplein139countriesconnecttheirthinking,experienceand solutionstobuildpublictrustandenhancevalueforclientsandtheirstakeholders. PricewaterhouseCoopersonbehalfofCOSO,COSO,EnterpriseRiskManagementIntegratedFramework, AICPA,Volume2.RetrievedDecember1,2005from https://www.cpa2biz.com/CS2000/Products/CPA2BIZ/Publications/COSO+Enterprise+Risk+Management+ +Integrated+Framework.htm.&COSO(2005),InternalControl IntegratedFramework.&Guidancefor SmallerPublicCompaniesReportingonInternalControloverFinancialReporting,AICPA,Exposure Draft. RetrievedDecember1,2005from http://155.201.80.182/Coso/coserm.nsf/vwResources/PDF_IC/$FILE/COSO_FINAL_Draft_IC_Guidance.pdf. Note:ThesearebothnotedbytheSECasappropriateframeworkintheimplementationofcontrolsassessment. Ross,Dr.RonandNIST,ProtectingFederalInformationSystemsandNetworks,AStandardsbasedSecurity CertificationProgramforOperationalEnvironments, http://cio.doe.gov/Conferences/Security/Presentations/RossRNIST.pps. (Dr.) RonRoss&NIST.ProtectingFederalInformationSystemsandNetworks,AStandardsbasedSecurity CertificationProgramforOperationalEnvironments.RetrievedDecember1,2005from http://cio.doe.gov/Conferences/Security/Presentations/RossRNIST.pps. Dr.RonRoss& TheOWASPFoundation.BuildingMoreSecureInformationSystems,AStrategyforEffectively ApplyingtheProvisionsofFISMA.RetrievedDecember1,2005from http://csrc.nist.gov/organizations/fissea/conference/2005/presentations/Ross/AbstractRoss.pdf. SANSInstitute,SysAdminAuditNetworkSecurityInstitute.December1,2005 http://www.sans.org/aboutsans.php. SkaddenBiography,MichaelS.Hines,http://www.skadden.com/index.cfm?contentID=45&bioID=2732. Smith,LawrenceW.,"TheFASBsEffortsTowardSimplification",inTheFASBReport,February28,2005, http://www.fasb.org/articles&reports/fasb_efforts_toward_simplification_tfr_feb_2005.pdf. SpaffordJr.,George,SpaffordGlobalConsulting,Inc.,SaintJoseph,MI,http://www.spaffordconsulting.com. Swanson,DanandSeccurisInc.,SecurityBenchmark,http://www.securitybenchmark.com. TheInstituteofInternalAuditors.GTAG,GlobalTechnologyAuditGuide.RetrievedDecember1,2005from http://www.theiia.org/index.cfm?doc_id=4706. TQM,TotalQualityManagement,http://www.managementhelp.org/quality/tqm/tqm.htm. U.S.DepartmentofLabor,BureauofLaborStatistics,OccupationalEmploymentandWages,November2004, http://www.bls.gov/oes/current/oes132011.htm. U.S.Navy,Benefits,"IncreasingContractorCommitment", http://www.ar.navy.mil/aosfiles/tools/turbo/topics/cj.cfm. UnitedStatesCongress&SubcommitteeonTechnology,InformationPolicy,IntergovernmentalRelationsand theCensus(2004).OversightHearingStatementbyAdamPutnam,Chairman,IdentityTheft:TheCauses,Costs,
Consequences,andPotentialSolutions. http://www.reform.house.gov/UploadedFiles/Final%20Press%20Opening%20Statement%202.pdf,p.5. UnitedStatesCongress,"DMCA","DigitalMillenniumCopyrightAct",inPublicLaw105304,H.R.2281,S. 2037,&CongressionalRecordVol.144(1998),Washington:U.S.GovernmentPrintingOffice,112Stat.2860& 2905. UnitedStatesCongress,SarbanesOxleyActof2002,15U.S.C.7201(2002),"SarbanesOxleyActof2002", "SOX",inPublicLaw107204,H.R.3763,S.2673,&CongressionalRecordVol.148(2002),Washington:U.S. GovernmentPrintingOffice,116STAT.745810. UnitedStatesCongress,"HIPA","HealthInsurancePortabilityandAccountabilityActof1996",inPublicLaw 104191,H.R.3103,S.1028,S.1698,&CongressionalRecordVol.142(1996),110STAT.19362103. UnitedStatesCongress,"GLBA","GrammLeachBlileyAct",inPublicLaw106102,H.R.10,S.900,& CongressionalRecordVol.145(1999), Washington:U.S.GovernmentPrintingOffice,113STAT.13401481. UnitedStatesCongress,"FISMA","FederalInformationSecurityManagementActof2002",inPublicLaw107 347,H.R.245848,TitleIII,Washington:U.S.GovernmentPrintingOffice,SEC301305. U.S.DepartmentofHomelandSecurity.FEMA,FederalEmergencyManagementAgency.RetrievedDecember 1,2005from http://www.fema.gov/. UnitedStatesCongress."DMCA","DigitalMillenniumCopyrightAct",inPublicLaw105304,H.R.2281,S. 2037,&CongressionalRecordVol.144(1998),Washington:U.S.GovernmentPrintingOffice,112Stat.2860& 2905.Note:ReviewoftheDMCArevealsincontributionthenameofMikeS.Hines,whoisfrequentlyin discussiononvariousISACAandCMUsanctionedlistservices.MikecontributestotheInformationSecurity Managementgroup,underISACAsponsor,mailto:infosecmanager@orbit.sparklist.com.Recommendation, sendemailwiththewordjoininsubjectandnoothertextto infosecmanager@share.isaca.org.Hereisa chancetospeakwithafewEagles. UnitedStatesCongress,"ComputerSecurityEnhancementActof1997",inPublicLaw 100418,H.R.1903, CalendarNo.718,&ReportNo.105412(1998),SEC.114.Note:"ToamendtheNationalInstituteofStandards andTechnologyActtoenhancetheabilityoftheNationalInstituteofStandardsandTechnologytoimprove computersecurity,andforotherpurposes." UnitedStatesCongress,"CyberSecurityResearchandDevelopmentAct",inPublicLaw107305,H.R.3394,S. 2182,&CongressionalRecordVol.148(2002),Washington:U.S.GovernmentPrintingOffice,116STAT.2367 2382.RetrievedDecember1,2005from http://thomas.loc.gov/cgi bin/bdquery/z?d107:H.R.3394:@@@L&summ2=m&.FASP,Federal UnitedStatesCongress."ComputerFraudandAbuseAct",in18U.S.C.1030,1986.RetrievedDecember1, 2005from http://cio.doe.gov/Documents/CFA.HTM. VISAInternationalServiceAssociation,SecurityPrograms,http://corporate.visa.com/st/programs.jsp. Walsh,NormanandMuellner,Leonard,DocBook:TheDefinitiveGuide,O'Reilly&Associates,Inc,Version 1.0.2(1999), http://www.oreilly.com/catalog/docbook/chapter/book/docbook.html.
Page 31 of 80
RisksandAssociatedControls
Significance RiskItems Control Likelihood *Impact 2*5 [RiskWatch Authorization: PALinfrastructureiscarefullymanagedbyprocessengineering, idhere] Inadditiontolimitofaccesstodocumentationfrom withadministrativecontrolsasprovidedwithinWindows2000 withinthecorporatenetwork,personsarefurtherrestricted serverandasenforcedbythedataowners. fromreadingandmodifyingdocumentsthroughtheuseof securitypropertiesonprocessassetfolders.Approvalto postormodifyaprocessisinaccordancewith management'sgeneralpoliciesandprocedures.Accessto assetsisfurtherrestrictedthroughtheuseofhyperlinksin placeofattachments,enforcinglimitsforviewing documentsbasedonthepersonsprofilewithinthe organization. Configuration/AccountMappingControls: SecurityismanagedbyNetworkorDataCenterOperationsand Systemconfigurationcontrolsrestrictnonauthorized isenforcedbyProcessEngineeringandtheDataOwner. usersfrom deletingandmodifyingfiles.Processapproval isrequiredinordertopostnewormodifiedprocess. [RiskWatch Interface/ConversionControls:DataIntegrity (dataisnot idhere] changedormanipulated)andsecurity(noonecanaccess it).Interfaces/conversionincludescontrolsintheseareas. Datamanagement(date/timestamps,filenames) Processing(nomissing,duplicate,orredundantdataand toensurecompletenessandaccuracy.) Validation/reconciliation(onlineedits,batchtotals)Over thedetectionandcorrectionofexceptionsanderrors. [RiskWatch KeyPerformanceIndicatorsKPI's:Periodicreviewby idhere] ProcessEngineeringenforcesthegoalofhavingprocesses documentedforallmanagementfunctional areas.Where informationindicatesaneedforprocessoptimization, processengineeringnotesthisrequirementandreviews Whendatacannotbealteredwithoutexplicitaudittrailand approval,itismanagedinVSS.Whencodeordocumentation appearschanged,VSSallowsforreviewofeditsandrollback. Dataintegrityincodeisassuredviapromotiontoproduction process,wherecodeistestedintheQualityenvironmentandthen approvedformovement. ThePALisbackedupnightlyandcontentchangeisevidentvia timestamp. ThePALXLSandinventorieswithin FacilitatedCompliance ManagementdatabaseallowtheProcessEngineeringteam visibilityonkeyperformanceofprocessitemsasrequiredfor SAS70auditandasagreeduponbydepartmentowners.
Page 32 of 80
Howimplementedandactualreviewschedule
1*5
2*5
3*5
Significance RiskItems Control Likelihood *Impact timelycompletionofrequiredprocesschange.Process engineeringalsocataloguesreviewsandguidesprocess developmentandcollection. ThereisRiskthatManagementmayfailtoassurethat proceduresarefinishedinatimelymannerorthatexisting processesarenotroutinelyreviewedtoinsuretheir validityorusability. 1*1 3*5 [RiskWatchidhere]
Howimplementedandactualreviewschedule
ReconciliationofexistingrightswithinthePALtorightsas designedandapprovedbydepartmentownersdemonstratesthat personswhoshouldnothaveaccesstodocumentationtypesare segregated.Rolesintheapprovalprocessdenypersonsauthority toreviewandapprovetheirownwork.

Documentationpractice Hyperlinkvs.Attachment managerenforcementofstoring datainproperfilelocation departmentrolebasedlimittouseraccess enforcingcontrolrelatedDataOwners documentpropertycaptureofkeycontroldata documentclassification, areallcontrolactivitiesthatmakelikelihoodofthisrisk negligible.Eachbusinessormanagementfunctionalownerhas accesstomodifycontentsinsidetheirownareabutcannot modifyfilesoutsidetheirProcessdomain.Remainingriskare filesharesthatstillrequirereviewformisplacedcontent.
2*5
[RiskWatch Riskofaccidentalorintentionaldistributionofclassified idhere] privateandorsensitiveinformation:
Page 33 of 80
Figure27.
WhatTypeofDocumentShouldIWrite?
Page 34 of 80
ExampleofPALContentsFileLocation,DescriptionofUse
Management FunctionFolder DocumentType Subfolders ContentDescription Subfolders allowed Classification
ITProcessAssetLibrary
BackupandRecovery Backupand Recovery Backupand Recovery Backupand Recovery Backupand Recovery BackupandRecoveryFlowchartsfoldercontainsprocessflow diagramsincludingthoseusedinprocessandprocedure documentation. BackupandRecoveryProcessandProcedurefoldercontains processprofiledocumentation. BackupsandRecoveryProgramDefinitionfoldercontains programprofiledocumentation. BackupandRecoveryTemplatefoldercontainsshortcutsto approvedtemplatesandformsasrequiredforthismanagement function.
Flowcharts ProcessandProcedure ProgramDefinition
No No No
Confidential Confidential Confidential
Template
No
Confidential
ChangeManagement Change Management Change Management Change Management Change Management ChangeManagementFlowchartsfoldercontainsprocessflow diagramsincludingthoseusedinprocessandprocedure documentation. ChangeManagementProcessandProcedurefoldercontains processprofiledocumentation. ChangeManagementProgramDefinitionfoldercontainsprogram profiledocumentation. ChangeManagementTemplatefoldercontainsshortcutsto approvedtemplatesandformsasrequiredforthismanagement function.
No No No
Template
No
Confidential
ConfigurationManagement
Page 35 of 80
Management FunctionFolder Configuration Management
DocumentType Subfolders
ContentDescription ConfigurationManagementFlowchartsfoldercontainsprocess flowdiagramsincludingthoseusedinprocessandprocedure documentation.
Subfolders allowed
Classification
Flowcharts
No
Confidential
Configuration Management
ProcessandProcedure
ConfigurationManagementProcessandProcedurefolder containsprocessprofiledocumentation.
No
Confidential
ProgramDefinition
ConfigurationManagementProgramDefinitionfoldercontains programprofiledocumentation.
No Temporary/ Untilalldatais movedto database
Confidential
RunBookCMDB
ConfigurationManagementRunBookCMDBfoldercontains RunBookprocessandguidelines.
Confidential
ModuleConfiguration
ConfigurationManagementSolutionsDevelopmentClient Configurationfoldercontainsprogramprofiledocumentation.This Subfolderas islimitedtotheareaofMasterTemplateconfigurationguidelines needed ConfigurationManagementTemplatefoldercontainsshortcutsto approvedtemplatesandformsasrequiredforthismanagement function.
Confidential
Configuration Management HumanResources
Template
No
Confidential
HumanResources HumanResources HumanResources
HumanResourcesFlowchartsfoldercontainsprocessflow diagramsincludingthoseusedinprocessandprocedure documentation. HumanResourcesProcessandProcedurefoldercontains processprofiledocumentation. HumanResourcesProgramDefinitionfoldercontainsprogram profiledocumentation.

Page 36 of 80
No No No
Management FunctionFolder
ContentDescription HumanResourcesTemplatefoldercontainsshortcutsto approvedtemplatesandformsasrequiredforthismanagement function.
Subfolders allowed
Classification
HumanResources
Template
No
Confidential
NetworkManagement Network Management Network Management Network Management Network Management Network Management Architectures ArchitectureasDiagrams,longtermstrategicITVision, infrastructureplanningandtechnicaldocumentation. NetworkManagementFlowchartsfoldercontainsprocessflow diagramsincludingthoseusedinprocessandprocedure documentation. NetworkManagementProcessandProcedurefoldercontains processprofiledocumentation. NetworkManagementProgramDefinitionfoldercontains programprofiledocumentation. NetworkManagementTemplatefoldercontainsshortcutsto approvedtemplatesandformsasrequiredforthismanagement function. Subfolderas needed Sensitive
No No No
Template
No
Confidential
PerformanceManagement Performance Management Performance Management Performance Management PerformanceManagementFlowchartsfoldercontainsprocess flowdiagramsincludingthoseusedinprocessandprocedure documentation. PerformanceManagementProcessandProcedurefolder containsprocessprofiledocumentation.Thisareaincludes databaseprocessoptimization. PerformanceManagementTemplatefoldercontainsshortcutsto approvedtemplatesandformsasrequiredforthismanagement function.
Flowcharts
No
Confidential
ProcessandProcedure
No
Confidential
Template
No
Confidential
ProcessEngineeringManagement
Page 37 of 80
Management FunctionFolder Process Engineering Management Process Engineering Management Process Engineering Management Process Engineering Management
ContentDescription ProcessEngineeringManagementFlowchartsfoldercontains processflowdiagramsincludingthoseusedinprocessand proceduredocumentation. ProcessEngineeringManagementProcessandProcedurefolder containsprocessprofiledocumentation. ProcessEngineeringManagementProcessProfilefolder containsprogramprofiledocumentation. ProcessEngineeringManagementTemplatefoldercontains shortcutstoapprovedtemplatesandformsasrequiredforthis managementfunction.
Subfolders allowed
Classification
Flowcharts
No
Confidential
ProcessandProcedure
No
Confidential
ProcessProfile
No
Confidential
Template
No
Confidential
ProductManagement Product Management Product Management Product Management Product Management QualityAssurance QualityAssuranceFlowchartsfoldercontainsprocessflow diagramsincludingthoseusedinprocessandprocedure documentation. QualityAssuranceProcessandProcedurefoldercontains processprofiledocumentation.
Page 38 of 80
ProductManagementFlowchartsfoldercontainsprocessflow diagramsincludingthoseusedinprocessandprocedure documentation. ProductManagementProcessandProcedurefoldercontains processprofiledocumentation. ProductManagementProgramDefinitionfoldercontainsprogram profiledocumentation. ProductManagementTemplatefoldercontainsshortcutsto approvedtemplatesandformsasrequiredforthismanagement function.
No No No
Template
No
Confidential
QualityAssurance QualityAssurance
Flowcharts ProcessandProcedure
No No
Confidential Confidential
Management FunctionFolder QualityAssurance
DocumentType Subfolders ProgramDefinition
ContentDescription QualityAssuranceProgramDefinitionfoldercontainsprogram profiledocumentation. QualityAssuranceTemplatefoldercontainsshortcutsto approvedtemplatesandformsasrequiredforthismanagement function.
Subfolders allowed No
Classification Confidential
QualityAssurance
Template
No
Confidential
SecurityManagement Security Management Security Management Security Management Security Management Security Management SecurityManagementFlowchartsfoldercontainsprocessflow diagramsincludingthoseusedinprocessandprocedure documentation. SecurityManagementProcessandProcedurefoldercontains processprofiledocumentation. SecurityManagementProgramProfilesfoldercontainsprogram profiledocumentation. SecurityManagementProgramTestPlansfoldercontains securityspecificprogramcontroltestplans. SecurityManagementTemplatefoldercontainsshortcutsto approvedtemplatesandformsasrequiredforthismanagement function.
Flowcharts ProcessandProcedure ProgramProfiles ProgramTestPlans
No No No No
Confidential Confidential Confidential Confidential
Template
No
Confidential
SoftwareDevelopment Software Development Software Development Software Development SoftwareDevelopmentFlowchartsfoldercontainsprocessflow diagramsincludingthoseusedinprocessandprocedure documentation. SoftwareDevelopmentProcessandProcedurefoldercontains processprofiledocumentation. SoftwareDevelopmentProgramProfilesfoldercontainsprogram profiledocumentation.
Flowcharts ProcessandProcedure ProgramProfiles
No No No
Page 39 of 80
Management FunctionFolder Software Development
ContentDescription SoftwareDevelopmentTemplatefoldercontainsshortcutsto approvedtemplatesandformsasrequiredforthismanagement function.
Subfolders allowed
Classification
Template
No
Confidential
StandardOperationProcedures StandardOperation Procedures StandardOperation Procedures Forms StandardOperationProceduresGeneralUseFlowchartsfolder containsprocessflowdiagramsincludingthoseusedinprocess GeneralUseFlowcharts andproceduredocumentation. OutputoftheRunBookDatabaseisapapercopyofthe RunBook.RunBooksliveinthedatabase,butasinglepaper copymaybepostedhereasSAS70summaryevidence.This foldercouldalsoberemoved. No Confidential
No
Confidential
StandardOperation Procedures
*RunBook
No Foldersshould besetbutifan areaisneeded/ add
Confidential
StandardOperation Procedures
SOPByDomain \Citrix \Desktop \LANAccess Distribution \OracleDB \OracleServer \SQLServer \Unix \VPN \WANBackbone \WINTEL
Standardoperatingproceduresareanysetofdirectionsusedto maintainoroperateanyproductionsystem. Eachfolderisaholdingplaceforshortinstructionsrelatedtothe maintenanceandcareofanytechnologytype.Ifaperson createsanyworkinstructions,beitinemailorasawordfile,this aplacetostorearecordoftheworksothattheSOPdoesn't havetobecreatedagain.SOPislessstrictthanprocessinthat theownerofthetechnologymaintainstheircurrentinstructions anddoesnotrequireapprovaltoaddtotheirfolder.Manageris responsibleforinsuringthatanyhighriskprocessisdocumented andthattheprocesscouldbefollowedbyapersonofequalskill intheeventthattheprimarysupportstaffwasnotavailable. StandardOperationProceduresTemplatefoldercontains shortcutstoapprovedtemplatesandformsasrequiredforthis managementfunction.
Page 40 of 80
Confidential
StandardOperation Procedures StandardOperation Procedures
Subfolderas neededfor specificservers andsystems.
Sensitive
Template
No
Confidential
ContentDescription
Subfolders allowed
Classification
SupportManagement Support Management Support Management Support Management Support Management SupportManagementFlowchartsfoldercontainsprocessflow diagramsincludingthoseusedinprocessandprocedure documentation. SupportManagementProcessandProcedurefoldercontains processprofiledocumentation. SupportManagementProgramDefinitionfoldercontainsprogram profiledocumentation. SupportManagementTemplatefoldercontainsshortcutsto approvedtemplatesandformsasrequiredforthismanagement function.
No No No
Template
No
Confidential
ITWorkProductLibrary ChangeManagement Change Management Change Management ProductionReleaseand ChangeReview Meetings \Agendas \MeetingMinutes ThisareawillberelocatedtoRiskConsoleoncetheChange Managementprogramisoperational Changerequestsandchangereviewmeetingrecords
No No
NetworkorDataCenterOperationsPlanningandInfrastructure NetworkorData CenterOperations Planningand Infrastructure NetworkorData CenterOperations Planningand Infrastructure Documentationpertainingtoinfrastructureplanningand developmentincludinganycurrentprojects.Thisareawill supportnumerousprojectspecificsubfolders.
InfrastructurePlanning
No Subfolderona perproject basis
Confidential
\133patch
Createafolderforinfrastructureitemandkeepallplanningfor thatchangeorprojectinthefolder
Confidential
Page 41 of 80
Management FunctionFolder NetworkorData CenterOperations Planningand Infrastructure
ContentDescription
Subfolders allowed Subfolderona permonitoring areaasneeded
Classification
Performance Management
Outputofmonitoringperformance,showsevidenceofmonitoring activity
Confidential
ProcessMeetingMinutes
ProcessMeeting Minutes
MeetingMinutesand ReviewPlanning
MeetingMinutesandapprovalsforProcessEngineeringteam andprogram
No
Confidential
ProductManagement Product Management Product Management Meetings ProjectPlanning Meetingspertainingtoanyreleasearecapturedandstoredhere Releasetasksbyreleaseandotherevidenceofprojectstructure No No Confidential Confidential
Product Management Product Management Product Management Product Management ProductTraining
Requirements
CurrentlistofrequirementsbelongsinVSS,butthislocationisan evidencepointershowingtherequirementsinplayandrecent past.Thisfoldershouldhaveashortcuttheactuallocationin VSSandsomeonewhocanwalktheauditorthroughthose folders. No
Confidential
[CompanyCoreProduct orService]Release Notes Pastandcurrentreleasenotes,evidencefolder ModuleConfiguration OutputofplanningforMasterTemplateservicerelatedtasks. Staffreportstomanagersregardingwork activity
No Subfolderas needed
StatusReports
Anystatusprovidedcanbestored here.Phillipcanusethistoshowhis oversightofstaffandprograms
Sensitive
Page 42 of 80
ContentDescription
Subfolders allowed
Classification
ProductTraining
[CompanyCoreProduct orService]UserGuide External Producttrainingoutput/evidencefolder [CompanyCoreProduct orService]User TechnicalGuide Internal Producttrainingoutput/evidencefolder
No
Confidential
ProductTraining QualityAssurance
No
Confidential
QualityAssurance
QuarterlyReports
Documentationpertainingtoinfrastructureplanningand developmentincludinganycurrentprojects.Thisareawill supportnumerousprojectspecificsubfolders.
Subfolders createdby quarteras needed Subfoldersare notlimited. Thisisaplace tostorein processwork. Subfolders limitedtothe InternalControl Testing program
Confidential
QualityAssurance
[CompanyCoreProduct Testplanningdocumentationandalinktothecurrenttestsin orService]QATesting TestinTestDirector.Thisisa"pointerfile"usedtoassistauditor ByRelease infindingtheevidence. UsedtogathertheInternalControlsTestingPlansandthemost currentsnapshotoftestingasusedforevidenceintheupcoming SAS70.Theactualtestinginformationmustresideinitssecure locationwithinTestDirector.Thisisanoutputforevidence purposesonly.
Confidential
QualityAssurance
TestOutput
Confidential
QualityAssurance
fs02mainQuality Assurance
theQAfolderonFS02Mainshouldberelocatedtotheprocess andworkproductareas.
Confidential
ReleaseSoftwareDevelopment
Page 43 of 80
Management FunctionFolder ReleaseSoftware Development
DocumentType Subfolders ReleasePlanEvidence Copyforcurrentreview cycle
ContentDescription DocumentationinVSSmustremaininVSS.Thisisapointerfile anddemonstrationofcurrentcontentoncurrentrelease.VSS linkshouldbehere. Emailouttakesandmeetingnoteswhereareleaserelated activityisrequested.ReleaserequestsliveinDevTrack,butcan startasemailsornotes.Thisiswherethedocumentrecordis stored.AlldetailswouldshowupasaDevTrackID.
Subfolders allowed
Classification
No
Confidential
ReleaseSoftware Development
ReleaseRequest
No
Confidential
ReleaseSoftware Development
DesignSpecificationsfromVSSarehereasprocessevidence andarereadonly.Thisisaplaceholderforauditdata.Auditor shouldnotbeinVSSclickingthroughdirectoriesasthiswould [CompanyCoreProduct raiseissuesarounditemsthatareoutofdate.Betterstrategyis orService] toputwhatwewanttoshowhere.
No
Confidential
SecurityManagement Businessrequestsforpolicyexceptionbasedinneedtomaintain operationswithgiventechnologyconstraints.Allexemptions shouldalsobeloggedinatablewhereCSOcanmaintain visibilityonsuchitems.RCisgoodcandidateforthis,especially astiedtoRiskarea. OutputofsituationreviewanddecisionsbasedonExceptionsto policy. Meetingnotesfromanysecuritymeetingorincidentresponse meeting RecommendaformatforfilenamethatshowsSecurity,dateand meetingtype.Agendacanbeaplaceholderformeetingplans andmeetingminutesarejustmeetingminutes. Emailouttakesandcopyofdocumentsindicatingapprovalto implementsecurityprograms.Ihaveaconcernaboutstoring electronicimageofsignaturesandrequestthatfilesstatethat signatureislockedinafile.
Page 44 of 80
Security Management Security Management Security Management Security Management
ExemptionRequests ...\SituationEvaluation Forms MeetingsNotesand IncidentReview Records
No No
Sensitive Sensitive
No
Sensitive
...\Agendas\Minutes
No
Sensitive
Security Management
ProgramPolicy Approval
Straight evidencefolder/ Sensitive NO
Management FunctionFolder Security Management Security Management Security Management Security Management
DocumentType Subfolders SecurityInfrastructure andProgramPlanning \Awareness TestOutput Trackingand ReconciliationReports \Tools .\...\LastLoginScripts \...\...\Risklabs Domain \...\...\Company Domain
ContentDescription Infrastructureplanningdocumentandinformationrelatedtothe planningofanysecurityprogram. Awarenessprogramdocuments,includingplannedpresentations anddocumentsforthedevelopmentoftheprogram DS5relatedinternalcontroltestplansandoutput Outputofsecurityscansandprocesses.
Subfolders allowed Createa subfolderfor anyprogram. Subfolderas needed Onefolderper programtested Subfolderas needed
Classification
Sensitive Sensitive Sensitive Sensitive
Security Management
Evidenceofsecuritymonitoringactivity
Subfolderas needed
Sensitive
Contacttheauthor:http://www.pbandsp.com/cgi/form.html
Page 45 of 80

Procedures and Controls Documentation Guidelines

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Procedures and Controls Documentation Guidelines

Uploaded by

Copyright:

Available Formats

ProcedureGuidelinesandControls Documentation

AProposedTemplateforGovernance:ProcessDocumentationandProcessArchitecture AsalignedtoCobiTProcessManagementandDocumentationControls,ISO9001 ProcessDocumentationMethodologyandCOSOERMStandardsforEnterpriseRisk Management Author RobinBasham,M.IT,M.Ed,CISA President,PhoenixBusinessandSystemsProcess

DocumentType PolicyProfile....................................................................................................................... 2 ShouldIWriteAPolicy Profile? ................................................................................................................. 3

WhereDoIFindTheTemplate?................................................................................................................ 12 DocumentElements ......................................................................................................................................... 12

HowDoIFindOrStoreMyDocument?....................................................................................................... 13 PAL\ ITProcessAssetLibrary .................................................................................................................. 13

OtherWorkProductsandControlledDocumentation:...................................................................................... 2 ControlsEvidenceSpecifictoSoftwareDevelopmentandProductDevelopmentLifecycle: ............................ 2

WhereAreDevicesInventoriedAsAssets? ................................................................................................. 6 WhereDoIFindServerControlRecords? ................................................................................................... 6

Documentlifecyclecontrolproceduresmustdetailtheprocessfor:(ProcessProfileCreationdocsections embeddedinthisdoc) Reviewingneworchangeddocuments. Approvingandrejectingdocuments. Postingdocumentation. Documentinginformationaboutdocumentation(metadata). Auditingthelifecycleofdocumentsinthelibrary.

Anynewfoldersmustberequestedviaemailtotheprocesslibrarian,currently[NameofProcessLibrarian],at Process@COMPANY.com.Thelibrarianinsuresnameandcontentsintegritywithin FacilitatedCompliance Managementprocesstracking. \\...\PAL\FacilitatedComplianceManagement\FacilitatedCompliance Management2000FCM.mdb

Enterprocess details Processdetailsexist Departmentor UserApprovalto UpdateProcess ProcessChange

Returnpending Identifiedprocessobject managers approval Management Approval

Legitimateneedforprocess LaunchProcess Objectform Formopen NewProcess Validation

ITstakeholdersareable togetinvolvedinprocess PassOneprocess created Instanceofprocessin processprofiletable CreatedUpdate ProcessObject

Figure3. Whatare thestepsandcontrolsinwritingaprocessprofile?

Supports implementationof processorpolicy

Definesacompany specificactivityIncludingpurpose, elements,toolsandstaff

Thereisa group charteredto performthis function

Servesasaudit guideforprogram implementation

Alignedtojob descriptionsand controlfunctions

CompleteProgram andProgramTest Definition

Figure6. ShouldIwriteaWorkInstruction SOP

Figure7. Should IwriteaRunBook?

OtherWorkProductsandControlledDocumentation: ControlsEvidenceSpecifictoSoftwareDevelopmentandProduct DevelopmentLifecycle:

Ascompaniescomplywithregulatoryandindustryrequirements,systembasedrecordsshowingevidenceofthese controlsgainevengreaterimportance.Thefollowingarehighleveldefinitionsofthecontrolprocessesfound withinAcquisitionandImplementationprocess,InstallandAccreditSolutionsandChanges,orAI7.

Regardlessofdomain,processoutputsarereviewedinthecontextoftheireffectiveness,efficiency,confidentiality, integrity,availability,complianceandreliability.Giventhescenarioofsoftwaredevelopmentprograms, informationcriteriamightbeappliedtoelementssuchasthefollowing:

EnhancementRequestTracking QualityandTestTracking TestPlans ProjectMilestoneTracking

DataDictionary Defect,EnhancementorErrorTracking ProductionAcceptanceguidelines PostImplementationReview CustomerSatisfactionRatings ServiceLevelandOperatingLevelRequirements

Documentandassignownerstoeventsbasedinasystemmaintenanceprocess: businessauthorization, regressiontestingwherecodeorhardwareintegrationaffectenduserprocessing,and recordofpostmaintenancetestresultsoranyotherauditevidence.

Verifythroughtestandfrequentchecks,theadequacyofproductionlibrarysecurity Integrateprocesscontrolsbetweenconfigurationmanagement,problemmanagementandchange managementintheprocesstoensuretheintegrityoftheproductionresources

ThefollowingchartsandflowdiagramshowsITProgramsinrelationtotheSoftwaredevelopmentLifecycle.The triangleobjectsrepresentauditedCobiTcontrols,withfocustoAI7andincludingadditionalcontrolsfrom supportingprograms.

Figure15. ProcessFlowDiagram:Howaresoftwaredevelopmentartifactscapturedinsystemeventlogsandsoftware designtemplates?

Formoreinformation,reviewsectionDocumentElements: FlowDiagram ,VisioShapesandCustomProperties forEvidenceofProcessControls

ProcessDiagramscallinformationfromthe FacilitatedComplianceManagementdatabase.Keycontrolspullinformation fromtheKeyControlsTable.

[NameofChief Technology Officer]

Emergency Deployment Authorization

[NameofChief SecurityOfficer], [NameofChief Technology Officer]

Implementation PlanningTemplate Internal Control TestingTemplate MeetingAgendaand Minutes.dot

[NameofProcess Librarian] [NameofProcess Librarian] [NameofProcess Librarian]

[NameofProcess Librarian] [NameofProcess Librarian]

MeetingMinutes Template.dot NetworkChange IdentificationForm Templateisusedwhenchangesand/orsecurity violationsarefoundonthenetwork,tosystems,orto serversthatdidnotgothroughtheformalchange controlprocess.

Templateisusedtodocumentthescope,assurance andresourcesofaproject TemplateisusedtodocumentallareasofaProject Plan Templateisusedtoguidedocumentsandtasks neededpriortoQAPlanning

[NameofChief SecurityOfficer] [NameofChief SecurityOfficer], [NameofChief Technology Officer]

Requirements Completeness Checklist

,[Nameof ProductorProject Management Director]

Templateisusedtogenerateanewuniqueinstanceof RiskCriteriaTemplate.Templates,whenused, constituteaworkproduct,whichisprocessedand thenstoredascontrolevidenceinthe \\...\PAL\IT

SecureEmailandFile Transfer SecurityInfrastructure Plan

[NameofChief SecurityOfficer] [NameofChief SecurityOfficer]

SituationEvaluation Form SoftwareRequirement Specifications Template

SystemOperational Requirement TestPlanTemplate

[NameofChief SecurityOfficer], [NameofChief Technology Officer]

EmployeeWarning Notice JobAnalysis Questionnaire

Figure24. FacilitatedComplianceManagementAllowsProcessLibrariantocaptureandcatalogueallprocess objects

Referencetootherprocess documentsandtofullprocesses outsideofthescopeofthe currentdocument. Partofprocessessequence

Identifiesprocessactivity, notingcontrolissuesand potentialgaps,ownersand eventsequence. Partofprocessessequence

Decisionpointandcriteriafor movement Partofprocessessequence

Groupingallowsrepresentation ofsimultaneousevents Sequenceshouldparentchild thesubgroupofactivities Looplimitsusuallyreflectkey controls

DatabasenameandDBA/SA owners Sequenceisalways9.8sothatall datasourcesareclusteredtothe bottomoftheprocessreport.

GroupingBox ParentProcess (indicatesanother processdiagram)

ProcessTitle Date: AffirmationTeam:

Activity CISA CobiT

InformationTechnologyInfrastructureLibrary Aseriesoftasksthattransforminputsintodesiredoutputs.Thetermprocedureis sometimesusedinterchangeablywithprocessinthismethodology.Administer Accounts,PerformRiskAssessment,AuditPerimeterSecurity,InstallHardware areexample

ReconciliationofexistingrightswithinthePALtorightsas designedandapprovedbydepartmentownersdemonstratesthat personswhoshouldnothaveaccesstodocumentationtypesare segregated.Rolesintheapprovalprocessdenypersonsauthority toreviewandapprovetheirownwork.

[RiskWatch Riskofaccidentalorintentionaldistributionofclassified idhere] privateandorsensitiveinformation:

Flowcharts ProcessandProcedure ProgramDefinition