May 23, 2006
(rev 3 May 16, 2006)
Template Copyright [Company Name]
Copyright 2006, Phoenix Business and Systems Process, Inc., Needham, MA, USA. More from Phoenix Business and Systems Process: http://www.pbandsp.com
Page 1 of 80
Procedure Guidelines and Controls Documentation
Robin Basham, M.IT, M.Ed., CISA
Process Profile

Process Owners:
Process Owners Departments:
Process Owner At Release:
Release Approval List:
Distribution List:
Document Authors:
Data Classification: Confidential
Effective Date:
Revision Date:
Version Control

Columns: Revision Notes, Revision Code, Revision Author, Revision Release Date, Release Approved by
Table of Contents

Purpose and Scope ... 5
Policy Statement ... 5
Requirements ... 5
Document Library Management Program ... 5
Roles and Responsibilities ... 6
Process Librarian ... 6
Security or Resource Administration ... 7
Business Unit and Department Data Owners ... 7
Access Control ... 7
Audience and Audit Considerations ... 8
Writing Standards ... 8
Change Requirements ... 8
Key Controls ... 8
Data Classification and Data Owners ... 8
Naming Conventions ... 9
Document Types and Their Use ... 9
What Type of Document Do I Need To Write? ... 9
Forms and Templates ... 9
Getting Started: ... 1
New Object Support Request ... 1
How Do I Validate My Document? ... 2
Figure 1. Validate a Process Object ... 2
Where Do I Find the Process Profile Template? ... 1
Figure 3. What are the steps and controls in writing a process profile? ... 1
When Is A Run Book Complete? ... 10
What Are The Formats For Run Book? ... 10
Figure 8. Run Book Process ... 10
Figure 9. Example Interface for gathering Run Book elements by Service Title ... 11
Where Do I Find Reference, Benchmark and Industry Guidelines ... 15
Figure 12. Standards and Reference folders ... 15
What elements are captured during the flow diagramming process? ... 5
Figure 14. Process Inputs and Outputs, RACI Chart for AI7 as found in CobiT 4.0, Copyright of ISACA ... 6
Figure 15. Process Flow Diagram: How are software development artifacts captured in system event logs and software design templates? ... 2
Flow Diagram ... 17
When Do I Use A Flow Diagram? ... 17
Figure 25. Sample of A Business Process ... 19
Visio Shapes and Custom Properties for Evidence of Process Controls ... 20
Figure 26. Process Objects with properties ... 23
Example of PAL Contents File Location, Description of Use ... 35
Purpose and Scope

Procedure Guidelines and Controls Documentation outlines how to create and modify procedures, work instructions, policies, and Run Books as they currently exist in their correct location and format and as aligned to the requirements of document security.

Change control, information asset location, and documentation format standards are the combined responsibility of Security Management, Quality Assurance, and Process Engineering. In the context of creation, iteration, approval, and posting, the Process Librarian manages documentation. Process Engineering manages quality over documentation as demonstrated by document templates. Security Management defines policy and access rules for the recording, adherence to, and monitoring of procedures involving data integrity, privacy, and security across any enterprise level configuration.

Policy Statement

All changes, additions, and deletions to the production documentation library require management approval. Managers should notify Process Engineering of changes to production process.

Requirements

The primary security elements of any document library management process are:
- Auditable changes
- Evidence of document library and document lifecycle management that is readily available for those who need to monitor this activity.

Documentation strategies need to:
- Reduce complexity.
- Prioritize key control processes.
- Reflect COMPANY process architecture.
- Represent real functions and real activities.

Document Library Management Program

A formal document library management program manages the Process Asset Library and monitors compliance with document lifecycle objectives (i.e., annual document reviews). The program must include, but is not limited to, the following controls:
- Documented procedures for updating production documentation.
- Defined roles and responsibilities that support defined procedures for document and document library maintenance.
- Accountability for document content integrity.
- Education, notification, and awareness process to inform all necessary stakeholders affected by document modifications.
- Separation of production and nonproduction documentation.
- A defined data retention goal for each document or class of document. Documents are maintained for the lifecycle of the process. If aligned to key controls and loaded in [Name of core product or service], the document is retained as part of SAS 70 evidence.
Roles and Responsibilities

Document and document class owners shall:
- Ensure the integrity, confidentiality, and availability of production documentation and the library environment through the implementation of documented programs, procedures and standards.
- Approve all changes affecting their domain of control and responsibility.
- Ensure all changes have been approved and properly communicated prior to posting.
- Ensure that their employees understand and abide by this policy and its control requirements.
- Report any violation of this policy to the CTO and CSO or their designated representatives in a timely manner.

The Process Engineering Team will endeavor to assist COMPANY operations with many time consuming functions not core to their roles. Process and technical documentation is central to the creation of user guides and training materials and is currently aligned to the COMPANY Process Engineering group. As COMPANY may add or extend this function, the process librarian function will continue to assist with the design and deployment of training materials and user guides. These duties may include:
- Assisting with writing and maintaining procedures and controls. The data owner will usually write procedures.
- Providing methods to maintain and meet record keeping obligations.
- Assisting with the design and modeling of management reports and control checklists.
- Assisting with workflow and process design.
- Acting as a liaison with business, compliance, and development to implement and/or update procedures, controls, and system enhancements.

Process Librarian

The Process Librarian controls the process information directory structure and makes sure the integrity of the folders is maintained. The librarian function catalogues and categorizes documentation assets and aligns documentation standards to the needs of the business and technology functions. Where changes are required to existing process documentation, the process librarian handles the registration and posting of new procedures to the established process location.
Security or Resource Administration

People who administer access to process assets will adhere to the sanctioned user access process, providing resource access to employees as determined by their role and the approval of their management. The Resource Administrator will not add or modify folders outside the boundaries defined by the Process Engineering Team. Specifically, once a business area is provided space for information assets, modification to the root level file hierarchy is not permitted. This rule is established to assure inventory over information and in no way limits the productivity of any business area. Information can be created in subfolders within the designated file share. Persons with write access can create subfolders within the root of their information domain.

The Security Administrator will create file shares and folders as requested by the Process Librarian, and will allow changes within the files as determined by the business owner for the share information.

Business Unit and Department Data Owners

Data owners are accountable for the reasonable use of their designated drive space, assuring proper classification and location of their data. Business owners define users and establish access rules based on a need to know principle. Where a business area needs folders that extend beyond the current process architecture, the Business Unit must gain approval through process engineering and security, ensuring proper rules for classification and the avoidance of duplicate information. (See Current PAL Contents and File Location Description of Use.)

Business owners are accountable for the periodic review of information on their drive. This review is to assure appropriate use of file naming conventions, validity of process, completed procedures, and to archive out of date content.

Business owners are accountable for understanding their data privacy and retention requirements and for communicating these requirements to their personnel.

Access Control

Access to the production library contents must be controlled in the same manner as the production environment to ensure that only authorized users can access the documents. Access controls must be established to ensure only authorized individuals can view, edit, and update documents according to appropriate roles. Default access controls include:
- Process Librarian has administrative privileges to the PAL and provides Security Administration with the Functional Business Owner for each directory in the PAL.
- System Administrator has administrative privileges to the PAL and may grant user access according to Manager Approval.
- Functional Managers, such as Support, Change Management and Process Engineering, have read/write/update/delete privileges to their file share on the PAL. Policy dictates they should not create or delete folders without notice and approval from the Process Librarian.
- Employees (non-managers) have read only privileges unless granted write privilege by the Functional Manager. Employees do not have delete privilege.
Audience and Audit Considerations

This process profile serves as reference for COMPANY. Groups may be referenced by functional email notification names such as Process@company.com. Group functional emails are used to support communication trails and facilitate rules for review, approval, and timely business communication.

Procedures are detailed documents, generally derived from parent policy and implemented to the spirit (intent) of the policy statement. Therefore, all procedures written and implemented by COMPANY align to Security Policy, HR Policy, Program Change Policy, and specific requirements for Data Classification, Data Retention, and Data Privacy as defined by senior management.

Writing Standards

Procedures are written in a clear, concise, and easily understood manner. Procedures document business processes (administrative and operational) and their controls. Procedures are created by upper and middle management as a means to translate policy to practice.

Change Requirements

Procedures, represented as processes, work instructions, standard operating procedures, work specific training materials, and production support procedures (i.e., Run Books), are dynamic, changing to fit current business operational practices. They must reflect the regular changes in business focus and environment. Reviews and updates of procedures are essential if they are to be relevant. Therefore, COMPANY provides notice to business management of all changes and new instances of process. Both internal and external auditors will review procedures to identify, evaluate, and thereafter test controls over business processes. Given this knowledge, it is the responsibility of the process owner to keep current any process documentation and to notify the process librarian of any process change via Process@company.com. Additionally, part of change approval includes validation that all training and support procedures are current.

Key Controls

The controls embedded in procedures are evaluated to ensure that they fulfill necessary control objectives while making the process as efficient and practical as possible. Some controls are designated as key and represent reported controls evidence in support of COMPANY regulatory attestation. Where operational practices do not match documented procedures or where documented procedures do not exist, it is difficult (for management and auditors) to identify controls and ensure that they are in continuous operation. While not all situations of this type represent control failure, each situation requires review and response based on the risk to safe and effective process management.

Documentation is a key control in that proper documentation directly supports every aspect of the COMPANY control framework. The absence of documented process is a risk to operations and to COMPANY. Failure to properly document control procedures is an indication of management and control deficiencies.

NOTE: Missing or incomplete critical process documentation is not tolerated as acceptable business practice.

Key control objectives are mapped to documentation and other evidence of control. Currently the tool to manage this is [Name of core product or service].

Data Classification and Data Owners
The CobiT Planning and Organization control objective Define the Information Architecture, 2.3 Data Classification Scheme, requires a general classification framework established with regard to placement of data in information classes (i.e., security categories) as well as allocation of ownership. The access rules, as in who can access what type of data as well as the restrictions over where that data may reside, on a per classification basis, should be appropriately defined. This is a codependency on Security and Security Administration, where Process assists in the implementation of classification standards, and access is further supervised and implemented through Security programs.

Process Librarian and Data Owners are dependent upon the accurate classification of information assets as defined by the Security Policy. End user managers and the security administrators require classifications to accurately determine who should be able to access what. The Process Librarian assists in the design of file share information, whereas the Data Owner is accountable for the classification and administration of its use. The Process Librarian assists the business to manage data assets by location and classification. The Process Librarian further supports requirements to have an information inventory of internal process and work products.
Naming Conventions

Naming conventions are a part of the COMPANY overall security design and are an integral part of information asset accounting. In accordance with an approved set of access rules stipulating users (or groups of users) authorized to access a resource (such as a dataset or file) and at what level (such as read or update), the access control mechanism applies these rules whenever a user attempts to access or use a protected resource. Data is maintained by location such that access is appropriately restricted.

These general naming conventions and associated files are required in a computer environment to establish and maintain personal accountability and segregation of duties in the access of data. The owners of the data or application, with the help of the security officer and process librarian, establish the name of files and subfolders for their business information. It is important to establish naming conventions that both promote the implementation of efficient access rules and simplify security administration. Naming conventions for system resources are an important prerequisite for efficient administration of security controls.

Process Engineering Key Controls and Risks can be reviewed in Process Documentation Compliance Control, CobiT Function, CobiT Detail Objective, and Risks and Associated Controls.

Document Types and Their Use

What Type of Document Do I Need To Write?

Writing a document may sound easy, but it is really very complex. Documentation strategies are designed to reduce complexity, prioritize Key Control Processes, reflect a common Process Architecture (ITIL and CobiT frameworks), and above all else, represent REAL functions and REAL activities. Factors that influence the type of document that we write are:
- Sustainability: how often detail within the process will change, and
- High Level, not Vague: achieving the highest level of information possible before document details become formless, blurry or vague.

Forms and Templates

Process documentation is designed for a specific layer of abstraction. Process engineering works with the document author to select a template that meets the writer's minimal requirements. Guided writing is a process that facilitates creating consistent standard quality documentation. Writing takes many forms, each best suited to serve a different purpose. The following sections explain the different types of templates or writing guides, including application interface, Word templates and diagrams.
Getting Started:

Prior to creating a procedure, persons are asked to review available formats for documentation. Once the type and topic for documentation is established, Process Engineering is available to review and validate the intended process. Process Engineering catalogues corporation documentation and is able to prevent wasted or duplicated documentation efforts.

How: Send notice of intention to create documentation to process@company.com. The following details provide notice to the Process Librarian of an intended process product. This request minimally requires the following information:

New Object Support Request

For each intended process object, please fill in the section below. Please copy the questions for each title.
Is this a Process, Work Procedures, a Policy, a Program Definition or a Form?
Management or Department Function:
Title:
Owner:
Purpose:
Affirmation Team:
Associated Key Control:

The Process Team will select a template or document format and refine the title and scope to best align the output with existing process architecture and requirements. Templates exist in the template folder for each functional area. A master file of business templates can be found in \\...\PAL\Templates. A comprehensive list of approved templates is in Facilitated Compliance Management, located in the Forms and Templates Section.

How Do I Validate My Document?

Before embarking on a procedure, policy, process or any type of controls documentation, contact the process librarian so the intended object can be verified and catalogued in the process objects database.

Figure 1. Validate a Process Object (flow: Process Object Validation; request new Process Object; outcome is either New, or Exists, in which case gain consensus that it is an update)
Document Type: Process Profile

The purpose of a process profile is to capture and document essential elements associated with a business process. A process is a series of actions, changes, or functions bringing about a result. Elements included in a process profile are selected by the process team. Generally, the elements include, but are not limited to:
- Version Control And Change History
- Purpose And Scope
- Associated Control Objectives
- Critical Success Factors
- Performance Indicators
- Baseline Performance
- Goals/Measures
- Service Level Considerations
- Related/Source Documents
- Forms And Templates
- Quality Records Including SQM
- Process Diagram
- Process Deviations And Current State
- Trigger And Exit Criteria
- Acronyms/Definitions
- Safety Issues
- Risk Management Plan
- Process Definition (Inputs And Outputs To Other Processes)
- Status Codes Metadata

Characteristics of Process
- Highest level of abstraction and lowest level of detail
- High level set of steps that collectively accomplish a business function
- Typically includes sub or component level processes
- Often used by more than one program or department
Should I Write A Process Profile?

Consider whether the following statements are true. The process flow diagram demonstrates the steps involved in creating any process object. If this is viewed on line, the flow includes all process properties in the flow objects. For more information, see Appendix A.

Figure 2. Should I write a process profile?
Where Do I Find the Process Profile Template?

\\...\PAL\Templates\ProcessProfileTemplate.dot
Document Type: Policy Profile

Policy is the underlying principle upon which process and programs are built. One might consider that a policy is Commander's Intent, and it is up to the persons governed to determine the best practice or process to attain their goal within the confines of the policy. While not every program requires a policy, information technology practice is largely determined by the Security Policy, Change Policy and Data Classification Policy. In addition, most business practice is in some way governed by the Human Resource Policy. Policy is implemented by programs that enact processes. Policy is generally required for legal and regulatory compliance. Policy is enforced through system, application and organizational controls. A policy is typically designed to be true across all departments and for all persons. Where a policy is highly specific to a program or department, it is generally a department policy, but not a formally distributed corporate policy.

Elements:
- Policy Area
- Effective Date
- Revision Date
- Contacts
- Summary
- Goals
- Applicability
- Policy Statement
- Roles and Responsibilities
- Compliance
- Exemptions
- Appeals
- Authority
- Related Documents
- Definitions
Should I Write A Policy Profile?

Consider whether the following statements are true.

Figure 4. Should I write a policy profile?

Where Do I Find the Template?

\\...\PAL\TEMPLATES\Policy Profile.dot
Document Type: Program Profile

Program Profiles are sometimes referred to as a program or department charter and are used to define the scope of a group as well as the requirements of its organization. This document outlines the overall organizational or department function and is aligned with departments and individual performance reviews. Program profiles may include job descriptions or job profiles and are represented by organizational diagram. These are supporting documents, often associated to the program profile.

Attributes of a program include:
- Manages Control Systems and Events
- Owns Initiatives and Business and IT Systems
- Responsible For Supporting Functions
- Is Measured

Program profiles support the ability to perform:
- Personnel Recruitment and Promotion
- Benchmark Personnel Qualifications
- Designate Roles and Responsibilities
- Plan and Deliver Personnel Training
- Implement Cross Training or Staff Backup
- Verify Personnel Clearance Procedures
- Design and Perform Employee Job Performance Evaluation
- Determine Job Change and Termination Requirements

Program Profile Elements:
- Purpose and Scope
- Roles and Responsibilities
- Program Elements
- Tools
- Program Controls and Measures
Should I Write A Program Profile?

Program profiles are not required, but can facilitate a great many other functions including Audit and Training or Organization Requirements Definition. Where a program profile supports the organization to explain a department charter, it is a simple and useful tool that may benefit employees and auditors equally. Consider whether the following statements are true.

Figure 5. Should I write a program profile? (decision items: Program Profile; Required to maintain controls; Organizational control activity; Activity is exclusive to this group; Measured metrics)
Where Do I Find The Template?

\\...\PAL\Templates\ProgramProfileTemplate.dot

Templates that describe positions or assist in the design of a program organizational chart are located in:
\\...\PAL\ITProcessAssetLibrary\HumanResources\Template\JobDescriptionTemplate.dot
\\...\PAL\ITProcessAssetLibrary\HumanResources\Template\EmployeeWarningNotice.dot
\\...\PAL\ITProcessAssetLibrary\HumanResources\Template\JobAnalysisQuestionnaire.dot

Document Type: Work Instruction or SOP

Work Instructions, also known as Standard Operating Procedures (SOP), represent:
- Greatest level of technical detail
- Are tool dependent
- Change when technology changes
- Are updated often
- Stored in knowledge management systems or help desk database
- Associated with specific tools and tasks
- Used to guide and train work at the task implementation level
- Are part of an already approved process

Work instructions or SOPs can be located within a functional area and are often embedded in help files within systems. Run Books (explained in the next section) reference work instructions to facilitate answering the question, "Where do I find directions to perform this task?" Whereas process changes are a part of standard change management, a work instruction may be updated as a course of an individual's personal need to track how detailed steps are done. A work instruction may have general or highly specialized use. Where work instructions are critical to the control of a process, it is the business manager's responsibility to ensure that routine work procedures exist and are followed within their functional area.

All service affecting operational processes must be documented to prevent service disruption caused by the absence of primary staff. Any procedure required to maintain operations that is not already documented as a part of routine system functions (i.e., already located in general product help files) must be documented to assure that, in the absence of primary staff, the process can be sustained by others. At a minimum, all personnel are accountable to documentation to the extent that a similarly trained staff could stand in for emergency coverage and be able to use directions to maintain required operations. Where staff fail to keep their work instructions up to date, the failure is both on the part of the individual and the area manager.

Work instructions or SOPs are a simple list of steps that explain in clear terms how to achieve a specific result. Directories containing work instructions and SOPs should be clearly labeled and information should be current. Work instructions can exist in all event tracking systems and are not centrally located, but are accessible and known to all persons within the user department.
Should I Write A Work Instruction SOP?

Consider whether the following statements are true.

Where Do I Find The Template?

The template to write a simple set of work instructions is located in: \\...\PAL\Templates\WorkInstructionTemplate.dot
Document Type: Run Book

A Run Book, sometimes known as a playbook, is a document containing detailed procedures that collectively keep a mission critical system running. A Run Book is sometimes viewed as an element of Business Continuity Planning (BCP) or Disaster Recovery (DR). This is because they are written to assure that an equally skilled administrator would be able to use the Run Book to step in and administer the system until such time that normal staffing and conditions apply. Run Books are a system current document with all the required information needed to understand how a service or system is kept running. Run Books are not project plans, and do not maintain information unless it is in use and a part of the working system.

A Run Book is used to verify and gather the location of all operational information. A production Run Book is evidence of documentation and control over a service or system. It provides information on how to run procedures without necessarily providing background for the process. Run Books are detailed instructions that a user references when performing the process.

On a per system instance, a Run Book can document a small set of operational procedures and reference various guidelines. On a larger scale, a service oriented Run Book details the combination of systems and their dependencies in keeping a service available. This is a valid form of meeting both BCP and various other levels of compliance requirements. Determining this requirement can be as follows:
Why Do Run Books Focus On Service?
A Run Book is service oriented vs. single-system oriented. When documentation does not meet the requirements mentioned above, it is probable that listing the device in an inventory system is sufficient and further documentation is not required.

Where the availability of a critical or core business function depends upon the accurate working of interdependent systems, it is advisable to have a business owner who assures the current and complete Service Run Book. As is true for any controlled system, the Run Book explains day-to-day system procedures, but additionally adds some or all of the following elements:
- Functional Overview
- Functional Overview Diagram
- List of Interfaces
- System Overview
- System Overview Diagram(s)
- Network Management Process
- Hardware
- Hardware Management Process
- Software Development and Release
- Third Party Vendor/Software Management
- Performance Monitoring Process
- Database Administration Process
- Quality Assurance
- Vendor Information
- Back Up Processes
- Disaster Recovery Process
- Security
- Problem Management
- Configuration Overview: Server/HW/OS, Application, Database Configuration
- Daily cycle
- Failover
- Maintenance
- Troubleshooting and Error Messages
- Glossary
- List of files
- Financial Processes
- Test procedure
Should I Write A Run Book?
Consider whether the following statements are true.
Where Do I Get The Information That Goes Into The Run Book?
Consider the following sources.
Run Books bring visibility to an aggregation of documents and details that collectively support service availability or product delivery.
When Is A Run Book Complete?
Consider whether the following statements are true.
What Are The Formats For Run Book?
Run Books can be maintained as a Word report that is output from a single database system or from a collection of systems. The form used to gather Run Book elements (today) is in Facilitated Compliance Management. This is a location that is subject to change. The tool that gathers Run Book details is not critical to the process. The tool for gathering elements can also be a Word document, as identified in the template section. The process for generating Run Book information is not important, so long as visibility of how systems run is maintained for the business owner and technology support personnel.
Figure 8. Run Book Process
Figure 9. Example Interface for gathering Run Book elements by Service Title
Where Do I Find The Template?
\\...\pal\FacilitatedComplianceManagement\ShortcuttoRunBookinFacilitatedCompliance Management2000FCM.MAF
\\...\pal\Templates\RunBookTemplate.dot
The current procedure for Run Book is to use our system database and generate a Run Book report as needed.
Document Elements
The following section is written to address additional questions pertaining to document elements, storing and managing information, and how steps and controls are specifically captured to support the internal audit of IT program and application-level controls. Sections include:
- Where Does My Document Belong? \\...\PAL\ITProcessAssetLibrary\
- Static Process versus Process Output (Evidence of Using Process) \\...\PAL\ITWorkProductLibrary\
- Other Work Products and Controlled Documentation: Controls Evidence Specific to Software Development and Product Development Lifecycle:
  - Test Scripts, Utilities and Event Tracking Systems
  - Assets, Inventories and Configuration Baselines
  - Controls and Key Controls
  - Product, Application Development and Quality Templates
  - Flow Diagram
How Do I Find Or Store My Document?
PAL\ITProcessAssetLibrary
Process documents are stored in the IT Process Asset Library (PAL).
Figure 10.
What is in the PAL?
\\...\PAL\ITPROCESSASSETLIBRARY\
PAL\ITWorkProducts
When Do I Need To Create A Work Product?
There are a variety of Word and Excel files used during the workday. These documents may include spreadsheets used for analysis, client contact files, miscellaneous notes, etc. These are not considered forms or procedures and remain within their respective locations on the network. In conditions where documents or spreadsheets represent evidence of a process output, the materials are Work Products and should reside in the functional work products directory. Not all data is work product. A test of whether information belongs in the work products area is answering yes to the following question: Is this the output of a template, process, or form, and is this evidence of a process?
Where Do We Keep Current And Archived Work Products?
\\...\PAL\ITWORKPRODUCTLIBRARY\
Figure 11.
What are the work product folders?
Current Inventory of Folders and Contents is maintained by Process Engineering, in \\...\PAL\ITWorkProductLibrary\ProcessEngineering\PALFolders.xls
Where Do I Find Reference, Benchmark and Industry Guidelines?
Methodology and standards documentation is maintained in the Standards and External Reference folder. Corporate Policy and Templates also reside at this level of the PAL. These folder locations allow for all personnel to have equal access to information used to support and design any process.
Figure 12.
Standards and Reference folders
Establish control procedures to ensure timely and correct distribution and update of approved configuration items. This involves integrity controls, segregation of duties among those who build, test and operate, and adequate audit trails of all actions.

Recording and Tracking of Changes (7.11)
Automate the system used to monitor changes to application systems to support the recording and tracking of changes made to applications, procedures, processes, system and service parameters, and the underlying platforms.

Post-implementation Review (7.12)
Establish procedures in line with the enterprise development and change standards that require a post-implementation review of the operational information system to assess and report on whether the change met customer requirements and delivered the benefits envisioned in the most cost-effective manner.
Consider the seven Information Criteria as represented in review of IT Governance Controls by ISACA
Figure 13.
Information Criteria
Version control software, or tools that capture a rollback state, are sometimes confused with full-scale software development tracking applications. Online Programming Facilities (integrated Development Environment, IDE), however, must extend far beyond a snapshot and restoration to a previous version of code. While software projects may have once been characterized as a routine process of delivering code to a single business unit, involving a homogenous development team using a single platform and familiar technology, today's project can be characterized quite differently. Typical projects integrate efforts by dozens of developers in multiple countries, involving three or more business streams, traversing varied platforms and applications, accepting some degree of technological uncertainty and unfamiliarity, and satisfying the requirements of disparate organizations that may not have organic opportunities to seek consensus or even share awareness of each other's requirements. Add to this at least one major vendor, market projections for cost and completion, and increasingly regulated and complex electronic transaction processes. A code snapshot doesn't suffice.

Programming tools are not enough to facilitate effective use of structured programming methods in the path of measured service delivery. Highly skilled program teams require systems to enable proper use of best practice, including protection of their own use or misuse as a primary IT resource. Mature shops leverage an online programming facility as part of an integrated development environment. This practice alone, however, cannot assure mature product delivery. Software departments require SDLC products, where the suite of modules includes inputs beyond those of the programmer and includes all members in the path of a Service Application. While an IDE provides programmers the ability to code and compile programs interactively with a remote computer, it cannot efficiently and effectively control workflow, to say nothing of risk management.

In fact, the IDE alone can facilitate our most tremendous control weakness in IT, being the capacity to enter, modify, and delete programming code, as well as compile and store programs (source and object) on a single workstation without prior plan, authority or approval.
While affording required reporting, the online facilities also can be used by non-IS staff to update and retrieve data directly from computer files. While this is a business requirement, without proper controls it is also an inherent control risk.
What elements are captured during the flow diagramming process?
Steve Covey's often-quoted "Begin with the end in mind" principle applies well to the question of what do I need to capture during the process flow diagramming process? Accurate, versus incomplete, requirements are said to represent the single greatest factor in software development success. Consider that the process of gathering requirements provides many opportunities to communicate attributes needed for successful documentation of software and business controls. Regardless of the applications used to document requirements, using common terms and controls definitions, such as those found in CobiT 4.0, will dramatically shorten time spent on software design and control documentation. The following image is intended as suggested content captured by control objects in a process flow diagram. Such objects might be found in virtually all process modeling and development tracking systems. The effort to apply controls language to the documentation of responsibility is a process driven by people, and best facilitated by current and mature software development tools.
When selecting tools for the alignment of SDLC with regulatory and audit reporting requirements, consider that the product must:
- Easily and clearly represent main components, objectives and user requirements, while identifying areas that require controls
- Provide means for capture, evaluation and ranking of the major risks to, and exposures of, the system
- Include how each control is monitored and what ensures controls are implemented such that control owners determine their effectiveness, for example that business users review business requirements, data owners review data access, end users affirm adequacy of training materials and documentation, and so on
- Verify that any software development and change tracking system includes:
  - Work order and related task assignment history, status, duration and outcome
  - Segregated tracking of system and role-based access such as console logins and logouts by programmers, ticket updates by end users, program authorization by the business
- Ensure existence of a reasonable explanation for all program deletions
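As an added example, not code from the original document or from any tool it names, the following Python script turns the last three requirements above into audit checks run over a constructed change-tracking export: it lists program deletions that carry no explanation, work orders where one person both built and authorized or deployed a change (the segregation of duties among those who build, test and operate called for in the CobiT text earlier), and events recorded under a role that should not produce them. The record layout, event names, roles and user ids are assumptions made for the example.

```python
"""Audit checks over a software change-tracking export.

Added example: not part of the original document and not code from
Phoenix Business and Systems Process or from MKS. The record layout
below is a hypothetical export format; all records are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ChangeEvent:
    work_order: str   # work order the event belongs to
    event: str        # checkin | authorize | deploy | delete | console_login
    actor: str        # user id recorded by the tracking system
    role: str         # programmer | business | end_user | operations
    explanation: str  # free-text justification; may be empty


# Constructed sample export (hypothetical ids, names and work orders).
SAMPLE_LOG: List[ChangeEvent] = [
    ChangeEvent("WO-101", "checkin", "alice", "programmer", "add validation to payment form"),
    ChangeEvent("WO-101", "authorize", "bob", "business", "approved per CRB 2006-05"),
    ChangeEvent("WO-101", "deploy", "ops1", "operations", "scheduled release"),
    ChangeEvent("WO-102", "checkin", "carol", "programmer", "refactor batch job"),
    ChangeEvent("WO-102", "authorize", "carol", "programmer", "self-approved, urgent"),
    ChangeEvent("WO-102", "deploy", "carol", "programmer", ""),
    ChangeEvent("WO-103", "delete", "dave", "programmer", ""),
    ChangeEvent("WO-104", "delete", "alice", "programmer", "retired module replaced by WO-101"),
    ChangeEvent("WO-105", "console_login", "carol", "end_user", ""),
]

# Which role is expected to generate each event type (segregated tracking).
EXPECTED_ROLE: Dict[str, Set[str]] = {
    "checkin": {"programmer"},
    "delete": {"programmer"},
    "authorize": {"business"},
    "deploy": {"operations"},
    "console_login": {"programmer", "operations"},
}


def unexplained_deletions(log: List[ChangeEvent]) -> List[str]:
    """Program deletions with no recorded explanation."""
    return sorted(e.work_order for e in log
                  if e.event == "delete" and not e.explanation.strip())


def sod_violations(log: List[ChangeEvent]) -> List[Tuple[str, str]]:
    """Work orders where an author also authorized or deployed their own change."""
    by_wo: Dict[str, Dict[str, Set[str]]] = {}
    for e in log:
        by_wo.setdefault(e.work_order, {}).setdefault(e.event, set()).add(e.actor)
    found = []
    for wo, events in sorted(by_wo.items()):
        builders = events.get("checkin", set())
        for gate in ("authorize", "deploy"):
            if builders & events.get(gate, set()):
                found.append((wo, gate))
    return found


def role_event_mismatches(log: List[ChangeEvent]) -> List[Tuple[str, str, str]]:
    """Events recorded under a role that should not produce that event type."""
    return [(e.work_order, e.event, e.role) for e in log
            if e.event in EXPECTED_ROLE and e.role not in EXPECTED_ROLE[e.event]]


def audit_report(log: List[ChangeEvent]) -> Dict[str, list]:
    """All three checks in one structure, ready to attach as test evidence."""
    return {
        "unexplained_deletions": unexplained_deletions(log),
        "sod_violations": sod_violations(log),
        "role_event_mismatches": role_event_mismatches(log),
    }


if __name__ == "__main__":
    for check, findings in audit_report(SAMPLE_LOG).items():
        print(f"{check}: {findings}")
```

Each finding names the work order, so an auditor can go back to the tracking system for the history, status and outcome the first requirement asks for; an empty result for all three checks is itself evidence worth retaining.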
Figure 14.
Process Inputs and Outputs, RACI Chart for AI7 as found in CobiT 4.0, Copyright of ISACA
Goals and Metrics as described in CobiT 4.0, Copyright of ISACA
Controls and Application Controls
When do I need to document specific control processes?
The output of any policy or process includes a list of quality measures. Quality is measured by a set of controls or tests, each designed to provide feedback or align our actions to those policies and procedures.

A control over process is characterized by ability to:
- Communicate Repeatable Intention
- Execute As Planned (Implementation Plan)
- Measure (Risk Measurement & Impact Analysis)
- Record (Management Reporting & KPI)
- Respond (Thresholds)
- Archive (Defined Data Retention)

Controls require a visible and recognized:
- Name
- Owner
- Method (Automation or Manual)
- Program
- Frequency
- Test
- Activity Definition
- Location
- Test Evidence
- Information Processing Objective
- Sequence ID and method of tracking
How do we manage all these requirements?
MKS Integrity Manager for process and workflow management of enterprise software development
MKS Integrity Manager is an excellent example of software tools providing flexible process and workflow management, while facilitating common best practice for managing software development. This tool seamlessly marries with MKS Source Integrity Enterprise for full enterprise software configuration management, is the foundation for MKS Requirements for requirements management, and integrates other developer productivity tools to leverage software investments and enhance coverage of the software.
MKS Integrity Manager image is copyright of MKS, http://www.mks.com

The MKS Integrity suite enables development as it occurs in a service delivery model. Inputs from Project Management and Help Desk are built into the workflow with controls placed in points of emphasis to a program designed specifically for product development and release. An additional highlight is this product's ability to integrate with most known IDEs and to operate in any well-established technology platform as it exists today. Even if popular voting for your personal IT motto puts "you can't please everyone" in a tie with "did you want it good or did you want it fast?", MKS offers a degree of supplanted process maturity representing a bump to at least level two across most maturity measures of SDLC. (See Maturity Model in text below.) MKS Integrity Manager integrates IT processes, platforms and tools while guiding software development teams through the most common inputs and outputs, ratholes and handshakes found among all IT shops today.
How mature do we really need to be?
Figure 16.
Maturity Toolbox, as represented by ISACA and CMU as the common maturity model or CMM
Install and Accredit Solutions and Change is a significantly important control for any IT organization. Without these controls existing to some level, it is unlikely that any form of business could thrive. Consider, however, that most companies could be described as having attributes resembling the descriptions for initial or repeatable maturity. Would this be mature enough to achieve the milestone found in the Enterprise Strategy? That is a decision for each company and its leaders. Here are some of the CobiT maturity definitions for the Install and Accredit Solutions and Change process area.

CobiT 4.0 defines Repeatable to Optimized SDLC-related practice in the following way:

*(Install and Accredit Solutions and Changes) Repeatable but Intuitive: There is some consistency amongst the testing and accreditation approaches, but typically they are not based on any methodology. The individual development teams normally decide the testing approach and there is usually an absence of integration testing. There is an informal approval process.

Defined Process: A formal methodology relating to installation, migration, conversion and acceptance is in place. IT installation and accreditation processes are integrated into the system life cycle and automated to some extent. Training, testing and transition to production status and accreditation are likely to vary from the defined process, based on individual decisions. The quality of systems entering production is inconsistent, with new systems often generating a significant level of post-implementation problems.

Managed and Measurable: The procedures are formalized and developed to be well organized and practical with defined test environments and accreditation procedures. In practice, all major changes to systems follow this formalized approach. Evaluation of meeting user requirements is standardized and measurable, producing metrics that can be effectively reviewed and analyzed by management. The quality of systems entering production is satisfactory to management even with reasonable levels of post-implementation problems. Automation of the process is ad hoc and project dependent. Management may be satisfied with the current level of efficiency despite the lack of post-implementation evaluation. The test system adequately reflects the live environment. Stress testing for new systems and regression testing for existing systems are applied for major projects.

Optimized: The installation and accreditation processes have been refined to a level of good practice, based on the results of continuous improvement and refinement. IT installation and accreditation processes are fully integrated into the system life cycle and automated when appropriate, facilitating the most efficient training, testing and transition to production status of new systems. Well-developed test environments, problem registers and fault resolution processes ensure efficient and effective transition to the production environment. Accreditation takes place usually with no rework, and post-implementation problems are normally limited to minor corrections. Post-implementation reviews are standardized, with lessons learnt channeled back into the process to ensure continuous quality improvement. Stress testing for new systems and regression testing for modified systems are consistently applied.

*(Spelling is altered for US English)
Not every organization will set SDLC targets on optimized, but one thing is certain. Any organization with strategy towards level five Software Development practice needs evidence of system-based controls as seen in the MKS Integrity Manager Suite.
Figure 17.
How are software development artifacts captured in system event logs and software design templates?
Test Scripts, Utilities and Event Tracking Systems
What Is A Test Script Or Test Template?
Programs, systems and releases have associated tests and test results. QA and Security maintain secure test plans and test results. Tests related to Software Quality are run from, and secured in, the [Name of Testing or Quality Assurance Application] Application.

Security scripts and networking utilities are maintained in a secure location with the highest degree of limited access. These items are, by design, neither visible nor accessible to the general user.
Where Do I Find QA Test Templates?
Test templates are maintained in the QA Process directory: \\...\PAL\ITProcessAssetLibrary\QualityAssurance\Template\
Security Program Test templates are maintained in the Security Management directory: \\...\PAL\ITProcessAssetLibrary\SecurityManagement\ProgramTestPlans\
Assets, Inventories and Configuration Baselines
Networking devices, servers and application servers have both inventory and configuration control requirements. Configuration baseline refers to the minimum secure configuration applied to any device at build. Changes to the configuration beyond this point are associated to business requirements, product release and project management. Data Center Operations and Support manage an inventory of items and baseline configuration. These records are tables in Facilitated Compliance Management but are scheduled to be moved into [Name of core product or service].

Where configuration records include IP addressing and other information that could be used to compromise network security, the information is not made available beyond persons who support networking and [Name of core product or service] platform availability.
When Do I Need To Create A Controlled Server Object?
Consider whether the following statements are true.
Figure 18.
Should I document a controlled server in our system inventory database?
Where Are Devices Inventoried As Assets?
Controlled Server Records will reside in [Name of core product or service] but are currently staged in Facilitated Compliance Management.
Where Do I Find Server Control Records?
\\...\pal\FacilitatedComplianceManagement\ShortcuttoControlledServersinFacilitated Compliance Management
Figure 19.
Controlled Server Form
Figure 20.
Each controlled item has associated security exemptions and standard OS and Application build
Which Tools Store Server and Application Information?
The data center maintains a list of devices and tools or applications with their respective controls and resource owners. This information is maintained in Facilitated Compliance Management. All systems, applications or tools are inventoried assets. Software Control applications must address all points of handoff in a software development and support lifecycle.
Where Is The List Of Tools And Tool Types?
Tools and Tool types are listed in the Tools and Tool Type table in the Facilitated Compliance Management 2000 FCM database. Servers and devices are recorded in the Controlled Server Form, located in the Facilitated Compliance Management database.
Controls and Key Controls
When Do I Need To Document A Control Object?
Controls practices provide reasonable assurance that business rules exist and are optimized such that negative impact of undesirable events are captured, responded to and mitigated. IT Control is the right mixture of policies, procedures, practices and organizational structures that assure business objectives are met, while preventing, detecting or correcting any or all undesired events.

Control Definitions exist within each process and are an inherent feature in policy.

Control Over Process Is Demonstrated When It:
- Communicates Repeatable Intention
- Executes As Planned (Implementation Plan)
- Measures (Risk Measurement & Impact Analysis)
- Records (Management Reporting & KPI)
- Archives (Defined Data Retention)

Control Items capture:
- Control Name
- Owner
- Control Method: Automation or Manual
- Program
- Frequency
- Test Information
- Activity Definition
- Location of Test and Test Evidence
- Information Processing Objective
- Sequence ID and Key Tracking
Where Are Controls Catalogued?
Controls are catalogued by Name, Associated Processes and Owners within Technology's [Name of core product or service] system. The information is used for ongoing Control Self Assessment and Compliance Documentation. Controls are catalogued in Facilitated Compliance Management and in [Name of core product or service]. Controls are also identified within every Process Flow Diagram and Program Definition. Key Controls align to the CobiT framework and are visible on the Control Self Assessment form within Facilitated Compliance Management.
Figure 21.
What Process Engineering, Auditors and Quality Gather Regarding Corporate Key Controls
Example of a Key Control
Figure 22.
Key Controls Form
Where Do I Find The Form or Template?
http://www.COMPANY.com Technology Controls (Login Required)
\\...\PAL\Templates\InternalControlTestingTemplate.dot
Product, Application Development and Quality Templates
Object Name | Function | Owners | Approve Date

Object Name: Change Committee Review Board
Function: The Change Committee Review Board Template guides the completion of documentation for the purpose of enterprise or high priority/impact Change Management.

Object Name: Change Review Board Checklist
Function: Checklist identifies validation items before a change control can be approved or closed.

Function (emergency deployment form): Emergency code change requires written approval by Quality, Development, and CTO. The Emergency deployment form represents signed approval by all necessary parties and is submitted to the Network or Data Center Operations prior to emergency deployment of code to production. Emergency change is subject to Change Management policy and is reviewed prior to and post change implementation.

Object Name: High Level Test Plan
Function: Template is used to document high level aspects of a test plan.

Owners listed for the rows above, in column order: [Name of Chief Security Officer]; [Name of Chief Technology Officer], [Name of Quality Assurance Manager]; [Name of Chief Security Officer], [Name of Chief Technology Officer]

Object Name: ICQ Physical Security
Function: Template is used to generate a new unique instance of ICQ Physical Security. Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\ITProcessAssetLibrary\ProcessandProcedures\SecurityManagement\Template\ folder.

Object Name: ICQ Security Policy
Function: Template is used to generate a new unique instance of ICQ Security Policy. Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\ITProcessAssetLibrary\ProcessandProcedures\SecurityManagement\Template\ folder.

Function: Provides documentation format for an implementation.
Function: Template is used to document all aspects of testing an internal control.
Object Name | Function | Owners | Approve Date

Object Name: Meeting Form Letter
Function: This letter is linked in console as a template.
Owners: [Name of Chief Security Officer]

Object Names: Policy Profile; Process Profile Template; Program Profile Template; Project Charter
Function: Template is used to document all areas of a process.
Owners: [Name of Process Librarian]; [Name of Process Librarian]; [Name of Process Librarian]
Function: Template is used to document all areas of a program.

Object Name: Project Plan Definition

Object Name: QA Planning Kickoff CheckList

Object Name: Request For Exemption
Function: Template is used to document all areas of risk associated with requested exemption.

Object Name: Request For Removal of Media
Function: Template is used to generate a new unique instance of Request For Removal of Media Template. Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\ITProcessAssetLibrary\ProcessandProcedures\SecurityManagement\Template\ folder.

Function: Template is used to guide review of requirements to assure completeness across all areas.
Approve Date: June 23, 2005

Object Name: Risk Criteria
Object Name | Function | Owners | Approve Date

(continued from the previous page) ...ProcessAssetLibrary\ProcessandProcedures\SecurityManagement\Template\ folder.

Object Name: RunBook Security Section What to Describe
Function: Template is used to generate a new unique instance of RunBook Security Section What to Describe Template (for financial/high risk servers). Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\ITProcessAssetLibrary\ProcessandProcedures\SecurityManagement\Template\ folder.

Function: Template is used to document electronic security regarding email and file transfer.

Function: The purpose of the Security Infrastructure Plan is to establish strategic, tactical and annual information security plans for COMPANY.

Object Name: Security Program and Program Test Profile
Function: Template is used to generate a new unique instance of Security Program and Program Test Profile Template. Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\ITProcessAssetLibrary\ProcessandProcedures\SecurityManagement\Template\ folder.

Function: Template is used to capture and fully develop and analyze security risks.
Function: Template is used to document all requirements for software.

Owners listed for the rows above, in column order: [Name of Chief Security Officer]; Thom Gray, [Name of Product or Project Management Director]; [Name of Chief Security Officer], [Name of Chief Technology Officer]

Object Name: RunBook Template
Object Name | Function | Owners | Approve Date

Object Name: User Access Program Checklist
Function: Template is used to generate a new unique instance of User Access Controls Work Program Template. Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\ITProcessAssetLibrary\ProcessandProcedures\SecurityManagement\Template\ folder.

Function: Template is used to warn an employee when they do something inappropriate and how to improve.

Function: Job Analysis Questionnaire template is used to describe employee's responsibilities and duties, among other things.

Object Name: Job Description Template
Function: Template is used to provide a brief description of the general nature of the position, an overview of why the job exists, and what the job is to accomplish.
Which Tool Stores Process and Work Instruction Information?
Process Engineering manages a list of all Work Instructions and Processes in the Facilitated Compliance Management Object table. There are a variety of reports that summarize the function for all processes as well as provide an overview of all process flow diagrams.
Figure 23.
Facilitated Compliance Management provides summary reports for many object types
Flow Diagram
When Do I Use A Flow Diagram?
Flow Diagrams are developed to provide a high-level summary of steps in any process or procedure. They are high-level, not vague. Controls are also listed in Flow Diagrams, further demonstrating constraints that either prevent error or reinforce correct movement. Key control template objects are created by process engineering in response to the current controls in scope for audit. These items detail all aspects that control a process.
Figure 25.
Sample of A Business Process
Visio Shapes and Custom Properties for Evidence of Process Controls

Every shape carries the custom properties Name* and Description* (required), plus a Sequence that fixes where the object appears in the generated process report.

Process profile object. Description*: Document Title, Scope, Revision, Release Date, Editors, Affirmation Team. Sequence is always 0.0.

Data Management object. Description*: what data is used; how it is classified, retained, transferred and accessed; the list of external documents used to complete the process, the status of their use in controls evidence, their creation frequency and a description of their use. Sequence is always 9.9 so that all data sources are clustered at the bottom of the process report.

Trigger and Exit Criteria object. Description*: exit and entrance criteria for movement from one activity to the next. Where the criteria for movement are monitored by a system and are critical to control activity, this should be filled in; where this is true, there would be an expected control. Sequence is always 0.1 so that all triggers and exit criteria are clustered at the top of the process report.

Control Documentation object. Description*: drop-down menu choices include common language for defining controls as expressed by ISACA, PCAOB, PwC, E&Y, KPMG, Deloitte and SANS. Information entered in this area is available to controls reporting for this process. The sequence is used to align the control to the associated activities that use it. Where a control is used in multiple instances, it need only be described once and then mentioned on the activity object. When a control is inadequate, the issue is identified in the GAP commentary of the activity needing more stringent control. This forces the relative risk of the control gap to be evident to both the viewer and the writer.
Figure 26. Process Objects with properties (shapes shown: Loop Limit, Database, 0.0 a, #.# Decision)
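The sequence and required-property conventions above are mechanical enough to check before a process report is generated: profile at 0.0, triggers at 0.1, data sources at 9.9, every object carrying Name* and Description*, every control mentioned on an activity described once as a Control object, and every GAP comment surfaced as a control gap. The following Python is an added example, not part of this document or of the Facilitated Compliance Management tooling. It assumes the Visio custom properties have been exported to flat records with the fields shown in the dataclass; the SAMPLE records are constructed for the example.

```python
"""Check process-object custom properties and order them into the
process/controls report described on the page.

Added example, not the document's own tooling. Assumes the Visio
custom properties have been exported to flat records with the fields
below; the SAMPLE records are constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Fixed sequence values stated on the page: profile at the top, triggers
# and exit criteria next, data sources clustered at the bottom.
FIXED_SEQUENCE = {"Profile": "0.0", "Trigger": "0.1", "DataSource": "9.9"}


@dataclass
class ProcessObject:
    type: str                    # Profile, Trigger, Activity, Decision, Control, DataSource
    name: str                    # Name* (required custom property)
    description: str             # Description* (required custom property)
    sequence: str                # "major.minor", e.g. "2.1"
    controls: List[str] = field(default_factory=list)  # controls an activity mentions
    gap: str = ""                # GAP commentary, filled in when a control is inadequate


def sequence_key(seq: str) -> Tuple[int, int]:
    """'2.10' -> (2, 10): numeric order, so 10.0 sorts after 9.9."""
    major, _, minor = seq.partition(".")
    return int(major), int(minor or 0)


def validate(objects: List[ProcessObject]) -> List[str]:
    """Return one finding per violated convention; an empty list means clean."""
    findings: List[str] = []
    defined = {o.name for o in objects if o.type == "Control"}
    for o in objects:
        label = f"{o.sequence} {o.type} '{o.name}'"
        if not o.name.strip() or not o.description.strip():
            findings.append(f"{label}: Name* and Description* are required")
        expected = FIXED_SEQUENCE.get(o.type)
        if expected and o.sequence != expected:
            findings.append(f"{label}: sequence must be {expected}")
        for c in o.controls:
            if c not in defined:   # mentioned on an activity but never described once
                findings.append(f"{label}: references undefined control '{c}'")
        if o.gap:                  # surfaced so the control gap is visible to reader and writer
            findings.append(f"{label}: CONTROL GAP - {o.gap}")
    return findings


def aligned_controls(objects: List[ProcessObject]) -> Dict[str, List[str]]:
    """Map each activity to the controls sharing its major sequence number."""
    by_major: Dict[int, List[str]] = {}
    for o in objects:
        if o.type == "Control":
            by_major.setdefault(sequence_key(o.sequence)[0], []).append(o.name)
    return {o.name: by_major.get(sequence_key(o.sequence)[0], [])
            for o in objects if o.type == "Activity"}


def report_lines(objects: List[ProcessObject]) -> List[str]:
    """Report order: sort by sequence; the stable sort keeps ties in export order."""
    return [f"{o.sequence} {o.type}: {o.name}"
            for o in sorted(objects, key=lambda o: sequence_key(o.sequence))]


# Constructed sample export for a quarterly user access review process.
SAMPLE = [
    ProcessObject("Profile", "User Access Review", "Quarterly review of user access rights", "0.0"),
    ProcessObject("Trigger", "Quarter end", "Entry: quarter closes. Exit: all attestations filed", "0.1"),
    ProcessObject("Activity", "Collect access lists", "Export account lists from each system", "1.0",
                  controls=["Access list completeness check"]),
    ProcessObject("Control", "Access list completeness check", "Export reconciled to HR roster", "1.0"),
    ProcessObject("Activity", "", "Object with the required Name* left blank", "1.1"),
    ProcessObject("Activity", "Manager attestation", "Managers confirm each report's access", "2.0",
                  controls=["Dual control sign-off"], gap="Single manager attests; no second reviewer"),
    ProcessObject("Decision", "All attestations returned?", "Loop until every manager responds", "2.1"),
    ProcessObject("DataSource", "HR roster", "Active employee list, Confidential", "3.0"),  # wrong sequence
    ProcessObject("DataSource", "Exported account lists", "Per-system exports, Confidential", "9.9"),
]

if __name__ == "__main__":
    for line in report_lines(SAMPLE) + validate(SAMPLE):
        print(line)
```

Run against SAMPLE, the report lists the data source filed at 3.0 in the middle of the activities rather than at the bottom, and the findings name the blank Name*, the mis-sequenced data source, the control mentioned on an activity but never described, and the GAP comment. The major-number alignment in aligned_controls is the page's convention that a control at 1.0 belongs to the 1.x activities; if your process uses a different alignment rule, change only that function.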
Acronym Glossary and Definitions

Activity: An element of work performed during the course of a project. An activity normally has an expected duration.
Approver: An individual who reviews the change to ensure the integrity and reliability of the document and grants approval for the document to be posted.
CISA: Certified Information Systems Auditor.
COBIT: The COBIT (Control Objectives for Information and Related Technology) framework was released in 1996 and updated in 1998 and 2000 by the Information Systems Audit and Control Association (ISACA) in response to the need for a reference framework for security and control in information technology. In 2000, the IT Governance Institute and ISACF developed the Management Guidelines for COBIT. These guidelines respond to a need by management for control and measurability of IT, for the purpose of ensuring that IT activities achieve business objectives.
Control: The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
... control procedures in a particular IT activity.
Document Owner: Manager designated as having ownership of all documents associated with the production system and, thereby, having the authority to change it.
Dual control: Two people are required for an important activity to be accomplished.
Employee: Person, including contractors and temporary staff, who has been granted access to ARL resources.
ITIL: IT Infrastructure Library (see Related Documents).
Owner
Process
Process Management Architecture: A high-level description of the system that provides a fully integrated Knowledge Base [of process information]. The Knowledge Base in turn provides control of process change and access to all processes and procedures.
Task: A task is a specific action performed as part of a process. "Disable accounts", "Interview Network Manager" and "run Crack on the Unix machine" are examples of security tasks.
Template: A skeleton document, spreadsheet, or graphic presentation that represents the essential requirements for deliverable content.

Comprehensive Glossary of all Corporate Terms: \\...\pal\Facilitated Compliance Management\Shortcut to Glossary in Facilitated Compliance Management 2000 FCM.MAT
Related Documents

The COBIT 4.0 (Control Objectives for Information and Related Technology) framework was released in 1996, updated in 1998 and 2000, and most recently in 2005, by the Information Systems Audit and Control Association (ISACA) in response to the need for a reference framework for security and control in information technology. In 2000, the IT Governance Institute and ISACA developed the Management Guidelines for COBIT. These guidelines respond to a need by management for control and measurability of IT, for ensuring that IT activities achieve business objectives. http://www.isaca.org/cobithorizon.htm

The IT Infrastructure Library (ITIL) is a series of documents that are used to aid the implementation of a framework for IT Service Management (ITSM). This framework defines how Service Management is applied within specific organizations. Being a framework, it is completely customizable for application within any type of business or organization that has a reliance on IT infrastructure. http://www.itil-itsm-world.com/

Project Management Skill and Knowledge Requirements in an Information Technology Environment (ISACA). http://www.phoenixprocessconsulting.com/security/ProcessProject/projectmanagement.pdf
Extended Bibliography

ACLU (American Civil Liberties Union). Free Speech. Retrieved November 1, 2005 from http://www.aclu.org/freespeech/index.html.
AICPA, American Institute of Certified Public Accountants. Retrieved December 1, 2005 from http://www.aicpa.org/index.htm.
ANSI. U.S. National Conformity Assessment Principles. Retrieved December 1, 2005 from http://www.ansi.org/conformity_assessment/ncap.aspx?menuid=4.
Berinato, Scott, Darwin Magazine, http://www.darwinmag.com/read/0502/apples.html.
BSI, British Standards Institute, "BS ISO/IEC 17799:2005", in British Standard ISO/IEC 27001:2005, London, United Kingdom: The Stationery Office, 2005.
CESG (UK) & NIST (USA). Common Criteria, An Introduction. Retrieved December 1, 2005 from http://www.commoncriteriaportal.org/public/files/ccintroduction.pdf. Note: "The Common Criteria work is an international initiative by the following organizations: CSE (Canada), SCSSI (France), BSI (Germany), NLNCSA (Netherlands), CESG (UK), NIST (USA) and NSA (USA)", p. 2.
CIS, Center for Internet Security. CIS Benchmarks/Scoring Tools. Retrieved December 1, 2005 from http://www.cisecurity.org/bench.html.
CISWG (2004). Corporate Information Security Working Group, Report of the Best Practices and Metrics Teams. Retrieved December 1, 2005 from http://www.educause.edu/ir/library/pdf/CSD3661.pdf.
Clark, James Bryce (jamie.clark@oasis-open.org), Shearman & Sterling, New York, http://www.oasis-open.org/who/tab.php#jclark.
CMU/SEI, Carnegie Mellon University / Software Engineering Institute. Retrieved December 1, 2005 from http://www.sei.cmu.edu/.
COBIT. "Is a product of ISACA, a global not-for-profit professional membership organization focused on IT governance, assurance and security, with more than 60,000 members in more than 140 countries. ITGI undertakes research and publishes COBIT, an open standard and framework of controls and best practice for IT governance." ISACA, Information Systems Audit and Control Association. http://www.isaca.org/. http://www.isaca.org/Template.cfm?Section=CobiT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981.
COSO, Committee of Sponsoring Organizations of the Treadway Commission. Retrieved December 1, 2005 from http://www.coso.org/.
Deming, W. Edwards (1986), "14 Points for Management", in Out of the Crisis, Cambridge: The MIT Press, http://www.deming.org/resources/books.html.
EDUCAUSE & Internet2, Computer and Network Security Task Force. Governance Assessment Tool for Higher Education, http://www.educause.edu/ir/library/pdf/SEC0421.pdf.
ECS, Education Commission of the States (2002). Citizenship Education Inclusion in Assessment and Accountability Systems. Retrieved December 1, 2005 from http://mb2.ecs.org/reports/Report.aspx?id=107.
FASP, Federal Agency Security Practices. STIGs, Security Technical Implementation Guides. Retrieved December 1, 2005 from http://csrc.nist.gov/pcig/cig.html.
FERF, Financial Executives Research Foundation, http://www.fei.org/rf/.
FFIEC, Federal Financial Institutions Examination Council. Retrieved November 1, 2005 from http://www.ffiec.gov/.
Frye, Emily, Cybersecurity and Corporate Governance Now: Does It Take Liability to Get Attention?, in American Bar Association, Section of Science & Technology Law, Chicago, 2005, http://www.documation.com/aba/pdfs/004.pdf.
GAAP, Generally Accepted Accounting Principles, http://www.fasab.gov/accepted.html.
GAO Accounting and Information Division (1999). FISCAM, Federal Information System Controls Audit Manual, Volume I: Financial Statement Audits, Washington: Government Accountability Office. Retrieved December 1, 2005 from http://www.gao.gov/special.pubs/ai12.19.6.pdf.
GAP, Government Accountability Project, http://www.whistleblower.org/template/index.cfm.
Gibaldi, Joseph (2003), MLA Handbook for Writers of Research Papers, 6th Edition, http://www.mla.org/handbook.
GPO, Government Printing Office. Retrieved December 1, 2005 from http://www.gpoaccess.gov/index.html.
Gruber, Tom, What is an Ontology?, KSL, Knowledge Systems AI Laboratory, Stanford University. Retrieved December 1, 2005 from http://www-ksl.stanford.edu/kst/what-is-an-ontology.html. Note: "An ontology is an explicit specification of a conceptualization. [...] We use common ontologies to describe ontological commitments for a set of agents so that they can communicate about a domain of discourse without necessarily operating on a globally shared theory."
IEC, International Electrotechnical Commission. Retrieved December 1, 2005 from http://www.iec.ch/.
ISSA, Information Systems Security Association. Retrieved December 1, 2005 from http://www.issa.org/.
ISO 16609:2004, Banking: Requirements for message authentication using symmetric techniques.
ISO/TR 17944:2002, Banking, Security and other financial services: Framework for security in financial systems.
ISO/TR 19038:2005, Banking and related financial services: Triple DEA, Modes of operation, Implementation guidelines.
ISO TC Portal. Standards Development Processes. Retrieved December 1, 2005 from http://isotc.iso.org/livelink/livelink/fetch/2000/2122/3146825/4229629/sds_base.htm.
ISO & CASCO, ISO/IEC Guide 60:2004, Conformity Assessment, Code of Good Practice, Geneva: ISO Store. Retrieved December 1, 2005 from http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=37035&ICS1=3&ICS2=120&ICS3=20&showrevision=y.
ISO. General information on technical committees. Retrieved December 1, 2005 from http://www.iso.ch/iso/en/stdsdevelopment/tc/TC.html.
ISO. "Achieving Optimal Output", in ISO Annual Report 2004, Chapter 4. Retrieved December 1, 2005 from http://www.iso.ch/iso/en/aboutiso/annualreports/pdf/chapter4.pdf.
ISO. The Agreement on technical cooperation between ISO and CEN (Vienna Agreement). Retrieved December 1, 2005 from http://isotc.iso.org/livelink/livelink.exe/fetch/2000/2122/3146825/4229629/4230450/4230458/customview.html?func=ll&objId=4230458&objAction=browse&sort=subtype
ITGI, IT Governance Institute. Retrieved December 1, 2005 from http://www.itgi.org. Note: ITGI describes itself as "The IT Governance Institute (ITGI) exists to assist enterprise leaders in their responsibility to ensure that IT is aligned with the business and delivers value, its performance is measured, its resources properly allocated and its risks mitigated." and "[ITGI] is a not-for-profit research organization affiliated with the Information Systems Audit and Control Association".
ITGI & OGC (2005). Aligning COBIT, ITIL and ISO 17799 for Business Benefit. Retrieved December 1, 2005 from http://www.isaca.org/.
ITGI & ISACA (2004). COBIT Mapping, Overview of International IT Guidance. Retrieved December 1, 2005 from http://www.isaca.org/Content/ContentGroups/Research1/Deliverables/CobiT_Mapping_Paper_6jan04.pdf.
ITGI & ISACA (2004). IT Control Objectives for Sarbanes-Oxley: The Importance of IT in the Design, Implementation and Sustainability of Internal Control over Disclosure and Financial Reporting. Retrieved December 1, 2005 from http://www.isaca.org/Content/ContentGroups/Research1/Deliverables/IT_Control_Objectives_for_Sarbanes-Oxley_7july04.pdf.
ITTF, ISO/IEC Information Technology Task Force. Retrieved December 8, 2005 from http://isotc.iso.org/livelink/livelink/fetch/2000/2489/Ittf_Home/ITTF.htm. Note: ITTF maintains access to all freely available ISO standards, a list that grows daily, and on December 8, 2005 included 253 free ISO standards.
ITIL, Information Technology Infrastructure Library. Retrieved December 1, 2005 from http://www.ogc.gov.uk/index.asp?id=2261.
ITTF. Freely Available Standards. In accordance with ISO/IEC JTC 1 and the ISO and IEC Councils, these International Standards are publicly available. Retrieved December 1, 2005 from http://isotc.iso.org/livelink/livelink/fetch/2000/2489/Ittf_Home/ITTF.htm. Note: The standards are available for download at the ITTF website. This does not imply free use or permission to copy any materials found. The files are in zip format. I had no difficulty with them but always use a staging area to run additional anti-virus/spyware checks before opening anyone's files: http://standards.iso.org/ittf/PubliclyAvailableStandards/c040612_ISO_IEC_15408-1_2005(E).zip, http://standards.iso.org/ittf/PubliclyAvailableStandards/c040613_ISO_IEC_15408-2_2005(E).zip, & http://standards.iso.org/ittf/PubliclyAvailableStandards/c040614_ISO_IEC_15408-3_2005(E).zip
KNET. Retrieved December 1, 2005 from http://www.isaca.org/knet. Note: KNET is provided by ISACA as a professional resource and is described as "a global knowledge network for IT Governance, Control and Assurance"; KNET contains over 5,200 peer-reviewed website resources pertaining to knowledge covering IT Governance, Assurance, Security and Control. Full access to KNET is reserved for association members. In addition, a personalized tracking feature [...]. "Reference items are organized into logical categories of interest and concern".
Knutilla, Amy; Schlenoff, Craig; Ray, Steven; Polyak, Stephen T.; Tate, Austin; Cheah, Shu Chiun and Anderson, Richard C., "Process Specification Language: An Analysis of Existing Representations," NISTIR 6160, National Institute of Standards and Technology, Gaithersburg, MD, 1998.
McNamara, Robert S. and Morris, Errol, The Fog of War: Eleven Lessons from the Life of Robert S. McNamara, December 2003.
NARA, National Archives and Records Administration. Retrieved December 1, 2005 from http://www.archives.gov/.
National Council for Science and the Environment. Congressional Research Service Reports. Retrieved December 1, 2005 from http://www.ncseonline.org/NLE/CRS/.
NACD, National Association of Corporate Directors. Retrieved December 1, 2005 from http://www.nacdonline.org/.
NHGRI, National Human Genome Research Institute. Retrieved December 1, 2005 from http://www.genome.gov/.
NIAC, National Infrastructure Advisory Council (February 2003). The National Strategy to Secure Cyberspace, Washington: Department of Homeland Security. Retrieved December 1, 2005 from http://www.dhs.gov/interweb/assetlibrary/National_Cyberspace_Strategy.pdf.
NIST Information Technology Laboratory (2002), International Standard ISO/IEC 17799:2000, Code of Practice for Information Security Management, Frequently Asked Questions. Retrieved December 1, 2005 from http://csrc.nist.gov/publications/secpubs/otherpubs/revisofaq.pdf.
NIST, National Institute of Standards and Technology. FIPS, Federal Information Processing Standards Publication. Retrieved December 1, 2005 from http://www.itl.nist.gov/fipspubs/.
NIST SP 800-53 Database Application, available for download at http://csrc.nist.gov/seccert/download-800-53database.html
NSSN, National Standards Systems Network, "STAR, Standards Tracking and Automated Reporting, Services", http://www.nssn.org/star_intro.html.
NISO, National Information Standards Organization. Retrieved December 1, 2005 from http://www.niso.org/index.html.
OASIS (2005). Security Assertion Markup Language (SAML) v2.0. Retrieved December 1, 2005 from http://www.oasis-open.org/specs/index.php#samlv2.0, & http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip.
Office of Management and Budget. "Circular No. A-130 Revised", in Transmittal Memorandum No. 4, Memorandum for Heads of Executive Departments and Agencies. Retrieved December 1, 2005 from http://www.whitehouse.gov/omb/circulars/a130/a130trans4.html.
Office of Management and Budget. "Circular No. A-119 Revised, Accompanying Federal Register Materials", in Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities. Retrieved December 1, 2005 from http://www.whitehouse.gov/omb/circulars/a119/a119.html.
OGC, Office of Government Commerce. Retrieved December 1, 2005 from http://www.ogc.gov.uk. Note: As explained by the OGC, "[...] a UK government organization responsible for procurement and efficiency improvements in the UK public sector. OGC has produced world-class best practice guidance, including PRINCE (project management), MSP (Managing Successful Programmes) and ITIL (IT service management). ITIL is used throughout the world and is aligned with the ISO/IEC 20000 international standard in service management."
OGC, Office of Government Commerce, "ICT Infrastructure Management", in ITIL Series, London, United Kingdom: The Stationery Office, 2002.
OntoWeb Project, OntoWeb Working Group on Process Standards, http://www.aiai.ed.ac.uk/project/ontoweb/.
O'Reilly, Tim, What Is Web 2.0: Design Patterns and Business Models for the Next Generation of Software, 09/30/2005. Retrieved December 30, 2005 from http://www.oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/what-is-web-20.html?page=1.
PricewaterhouseCoopers on behalf of COSO, Enterprise Risk Management, Integrated Framework, AICPA, Volume 2. Retrieved December 1, 2005 from https://www.cpa2biz.com/CS2000/Products/CPA2BIZ/Publications/COSO+Enterprise+Risk+Management+-+Integrated+Framework.htm. & COSO (2005), Internal Control, Integrated Framework: Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting, AICPA, Exposure Draft. Retrieved December 1, 2005 from http://155.201.80.182/Coso/coserm.nsf/vwResources/PDF_IC/$FILE/COSO_FINAL_Draft_IC_Guidance.pdf. Note: Both are noted by the SEC as appropriate frameworks for the implementation of controls assessment.
PricewaterhouseCoopers, Integrity-Driven Performance, White Paper (2004), Page 34. Note: PricewaterhouseCoopers (www.pwc.com) provides industry-focused assurance, tax and advisory services for public and private clients. More than 120,000 people in 139 countries connect their thinking, experience and solutions to build public trust and enhance value for clients and their stakeholders.
Ross, Dr. Ron & NIST. Protecting Federal Information Systems and Networks: A Standards-based Security Certification Program for Operational Environments. Retrieved December 1, 2005 from http://cio.doe.gov/Conferences/Security/Presentations/RossRNIST.pps.
Ross, Dr. Ron & The OWASP Foundation. Building More Secure Information Systems: A Strategy for Effectively Applying the Provisions of FISMA. Retrieved December 1, 2005 from http://csrc.nist.gov/organizations/fissea/conference/2005/presentations/Ross/AbstractRoss.pdf.
SANS Institute, SysAdmin, Audit, Network, Security Institute. Retrieved December 1, 2005 from http://www.sans.org/aboutsans.php.
Skadden Biography, Michael S. Hines, http://www.skadden.com/index.cfm?contentID=45&bioID=2732.
Smith, Lawrence W., "The FASB's Efforts Toward Simplification", in The FASB Report, February 28, 2005. Retrieved December 1, 2005 from http://www.fasb.org/articles&reports/fasb_efforts_toward_simplification_tfr_feb_2005.pdf. Note: This article summarizes Bob Herz, chairman of the Financial Accounting Standards Board, to show the complexity of GAAP as it relates to the application of consistent standards and codification in the current 180 US GAAP articles within U.S. Code.
Spafford Jr., George, Spafford Global Consulting, Inc., Saint Joseph, MI, http://www.spaffordconsulting.com.
Swanson, Dan and Seccuris Inc., Security Benchmark, http://www.securitybenchmark.com.
The Institute of Internal Auditors. GTAG, Global Technology Audit Guide. Retrieved December 1, 2005 from http://www.theiia.org/index.cfm?doc_id=4706.
TQM, Total Quality Management, http://www.managementhelp.org/quality/tqm/tqm.htm.
U.S. Department of Homeland Security. FEMA, Federal Emergency Management Agency. Retrieved December 1, 2005 from http://www.fema.gov/.
U.S. Department of Labor, Bureau of Labor Statistics, Occupational Employment and Wages, November 2004, http://www.bls.gov/oes/current/oes132011.htm.
U.S. Navy, Benefits, "Increasing Contractor Commitment", http://www.ar.navy.mil/aosfiles/tools/turbo/topics/cj.cfm.
United States Congress & Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census (2004). Oversight Hearing Statement by Adam Putnam, Chairman, Identity Theft: The Causes, Costs, Consequences, and Potential Solutions. http://www.reform.house.gov/UploadedFiles/Final%20Press%20Opening%20Statement%202.pdf, p. 5.
United States Congress, "Circular 92", "Copyright Law of the United States of America and Related Laws Contained in Title 17 of the United States Code", in United States Code, Title 17 (1976), Washington: U.S. Government Printing Office, Chapters 1-8 & 10-12.
United States Congress, "DMCA", "Digital Millennium Copyright Act", in Public Law 105-304, H.R. 2281, S. 2037, & Congressional Record Vol. 144 (1998), Washington: U.S. Government Printing Office, 112 Stat. 2860 & 2905. Note: Review of the DMCA reveals, among its contributors, the name of Mike S. Hines, who is frequently in discussion on various ISACA- and CMU-sanctioned list services. Mike contributes to the Information Security Management group, under ISACA sponsorship, mailto:infosecmanager@orbit.sparklist.com. Recommendation: send an email with the word "join" in the subject and no other text to infosecmanager@share.isaca.org. Here is a chance to speak with a few Eagles.
United States Congress, Sarbanes-Oxley Act of 2002, 15 U.S.C. 7201 (2002), "SOX", in Public Law 107-204, H.R. 3763, S. 2673, & Congressional Record Vol. 148 (2002), Washington: U.S. Government Printing Office, 116 Stat. 745-810.
United States Congress, "HIPAA", "Health Insurance Portability and Accountability Act of 1996", in Public Law 104-191, H.R. 3103, S. 1028, S. 1698, & Congressional Record Vol. 142 (1996), 110 Stat. 1936-2103.
United States Congress, "GLBA", "Gramm-Leach-Bliley Act", in Public Law 106-102, H.R. 10, S. 900, & Congressional Record Vol. 145 (1999), Washington: U.S. Government Printing Office, 113 Stat. 1340-1481.
United States Congress, "FISMA", "Federal Information Security Management Act of 2002", in Public Law 107-347, H.R. 2458, Title III, Washington: U.S. Government Printing Office, Sec. 301-305.
United States Congress, "Computer Security Enhancement Act of 1997", in Public Law 100-418, H.R. 1903, Calendar No. 718, & Report No. 105-412 (1998), Sec. 114. Note: "To amend the National Institute of Standards and Technology Act to enhance the ability of the National Institute of Standards and Technology to improve computer security, and for other purposes."
United States Congress, "Cyber Security Research and Development Act", in Public Law 107-305, H.R. 3394, S. 2182, & Congressional Record Vol. 148 (2002), Washington: U.S. Government Printing Office, 116 Stat. 2367-2382. Retrieved December 1, 2005 from http://thomas.loc.gov/cgi-bin/bdquery/z?d107:H.R.3394:@@@L&summ2=m&.
United States Congress. "Computer Fraud and Abuse Act", in 18 U.S.C. 1030, 1986. Retrieved December 1, 2005 from http://cio.doe.gov/Documents/CFA.HTM.
VISA International Service Association, Security Programs, http://corporate.visa.com/st/programs.jsp.
Walsh, Norman and Muellner, Leonard, DocBook: The Definitive Guide, O'Reilly & Associates, Inc., Version 1.0.2 (1999). Retrieved December 1, 2005 from http://www.oreilly.com/catalog/docbook/chapter/book/docbook.html. Note: This is the official documentation for DocBook. & Stayton, Bob, DocBook XSL: The Complete Guide, Sagehill Enterprises, Third Edition (2005). Retrieved December 1, 2005 from http://www.sagehill.net/docbookxsl/. Note: This is the definitive guide to using the DocBook XSL stylesheets. It provides the documentation necessary to realize the full potential of DocBook.
Risks and Associated Controls

Significance is recorded as Likelihood * Impact, and a RiskWatch id is to be entered for each item. The "How implemented and actual review schedule" column is left blank in the table for the process owner to complete.

1. Authorization (Significance 2*5; RiskWatch id here)
Risk item: In addition to limiting access to documentation to the corporate network, persons are further restricted from reading and modifying documents through the use of security properties on process asset folders. Approval to post or modify a process is in accordance with management's general policies and procedures. Access to assets is further restricted through the use of hyperlinks in place of attachments, enforcing limits on viewing documents based on the person's profile within the organization.
Control: PAL infrastructure is carefully managed by Process Engineering, with administrative controls as provided within Windows 2000 Server and as enforced by the data owners.

2. Configuration / Account Mapping Controls
Risk item: System configuration controls restrict non-authorized users from deleting and modifying files. Process approval is required in order to post a new or modified process.
Control: Security is managed by Network or Data Center Operations and is enforced by Process Engineering and the Data Owner.

3. Interface / Conversion Controls (RiskWatch id here)
Risk item: Data integrity (data is not changed or manipulated) and security (no unauthorized person can access it). Interface/conversion controls cover data management (date/time stamps, file names); processing (no missing, duplicate, or redundant data, to ensure completeness and accuracy); and validation/reconciliation (online edits, batch totals) over the detection and correction of exceptions and errors.
Control: When data cannot be altered without an explicit audit trail and approval, it is managed in VSS. When code or documentation appears changed, VSS allows for review of edits and rollback. Data integrity in code is assured via the promotion-to-production process, where code is tested in the Quality environment and then approved for movement. The PAL is backed up nightly and content change is evident via timestamp.

4. Key Performance Indicators (KPIs) (RiskWatch id here)
Risk item: Periodic review by Process Engineering enforces the goal of having processes documented for all management functional areas. Where information indicates a need for process optimization, Process Engineering notes this requirement and reviews timely completion of the required process change. Process Engineering also catalogues reviews and guides process development and collection. There is a risk that management may fail to assure that procedures are finished in a timely manner, or that existing processes are not routinely reviewed to ensure their validity or usability.
Control: The PAL XLS and the inventories within the Facilitated Compliance Management database give the Process Engineering team visibility into key performance of process items, as required for SAS 70 audit and as agreed upon by department owners.

Further Significance values entered in the table, in order: 1*5, 2*5, 3*5, 1*1, 3*5, 2*5.
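The Interface/Conversion row relies on VSS history and nightly backups, with "content change is evident via timestamp" as the detection signal. A modification timestamp is written by whoever last saved the file and can be set back by anyone with write access to it, so a reviewer of PAL evidence also wants a content-hash inventory that is compared between reviews. The following Python is an added example and not one of the document's own controls; it builds a SHA-256 inventory of a PAL folder tree, diffs two inventories, and shows that a file whose mtime has been restored is still reported as modified. The tree in demo() is constructed in a temporary directory and the file names in it are invented for the example.

```python
"""Content-hash inventory of a Process Asset Library (PAL) folder tree.

Added example, not the document's own control. It assumes nothing about
the real PAL beyond 'a folder tree of documents'; the tree used in
demo() is constructed in a temporary directory."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Inventory = Dict[str, Tuple[str, int]]  # relative path -> (sha256 hex, mtime in ns)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_inventory(root: Path) -> Inventory:
    """One entry per file, keyed by a POSIX-style path relative to root."""
    inv: Inventory = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            inv[p.relative_to(root).as_posix()] = (sha256_file(p), p.stat().st_mtime_ns)
    return inv


def diff_inventory(baseline: Inventory, current: Inventory) -> Dict[str, List[str]]:
    """Classify changes by content hash; the mtime is reported only as a hint."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(current) & set(baseline)
                      if current[p][0] != baseline[p][0])
    # Content changed but the timestamp did not: exactly the case a
    # timestamp-only review would miss.
    mtime_unchanged = [p for p in modified if current[p][1] == baseline[p][1]]
    return {"added": added, "removed": removed,
            "modified": modified, "mtime_unchanged": mtime_unchanged}


def demo() -> Dict[str, List[str]]:
    """Build a constructed PAL tree, take a baseline, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        proc = root / "Security Management" / "Process and Procedure"
        tmpl = root / "Security Management" / "Template"
        proc.mkdir(parents=True)
        tmpl.mkdir(parents=True)
        doc = proc / "User Access Review.txt"
        doc.write_text("Approved release 1.0\n")
        (tmpl / "Work Program Template.txt").write_text("Template\n")
        baseline = build_inventory(root)

        # Tamper: edit the approved document, then put its mtime back so a
        # timestamp review sees nothing; also delete one file and add one.
        st = doc.stat()
        doc.write_text("Approved release 1.0\nUnreviewed edit\n")
        os.utime(doc, ns=(st.st_atime_ns, st.st_mtime_ns))
        (tmpl / "Work Program Template.txt").unlink()
        (proc / "New Procedure.txt").write_text("Draft\n")

        return diff_inventory(baseline, build_inventory(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In use, the baseline inventory is produced at the approved release and kept where the PAL writers cannot alter it (a VSS check-in or the nightly backup set serves), and the diff is run at each review; anything in "modified" or "mtime_unchanged" that has no matching VSS edit and approval is a finding against the Interface/Conversion control.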
Figure 27. What Type of Document Should I Write?
ExampleofPALContentsFileLocation,DescriptionofUse
Management FunctionFolder DocumentType Subfolders ContentDescription Subfolders allowed Classification
ITProcessAssetLibrary
BackupandRecovery Backupand Recovery Backupand Recovery Backupand Recovery Backupand Recovery BackupandRecoveryFlowchartsfoldercontainsprocessflow diagramsincludingthoseusedinprocessandprocedure documentation. BackupandRecoveryProcessandProcedurefoldercontains processprofiledocumentation. BackupsandRecoveryProgramDefinitionfoldercontains programprofiledocumentation. BackupandRecoveryTemplatefoldercontainsshortcutsto approvedtemplatesandformsasrequiredforthismanagement function.
No No No
Template
No
Confidential
ChangeManagement Change Management Change Management Change Management Change Management ChangeManagementFlowchartsfoldercontainsprocessflow diagramsincludingthoseusedinprocessandprocedure documentation. ChangeManagementProcessandProcedurefoldercontains processprofiledocumentation. ChangeManagementProgramDefinitionfoldercontainsprogram profiledocumentation. ChangeManagementTemplatefoldercontainsshortcutsto approvedtemplatesandformsasrequiredforthismanagement function.
No No No
Template
No
Confidential
ConfigurationManagement
Copyright2006,PhoenixBusinessandSystemsProcess,Inc.Needham,MA,USA, MorefromPhoenixBusinessandSystemsProcess,http://www.pbandsp.com
Page 35 of 80
ProcedureGuidelinesandControlsDocumentation
RobinBasham,M.IT,M.Ed.,CISA
DocumentType Subfolders
Subfolders allowed
Classification
Flowcharts
No
Confidential
Configuration Management
ProcessandProcedure
ConfigurationManagementProcessandProcedurefolder containsprocessprofiledocumentation.
No
Confidential
Configuration Management
ProgramDefinition
ConfigurationManagementProgramDefinitionfoldercontains programprofiledocumentation.
Confidential
Configuration Management
RunBookCMDB
ConfigurationManagementRunBookCMDBfoldercontains RunBookprocessandguidelines.
Confidential
Configuration Management
ModuleConfiguration
Confidential
Template
No
Confidential
No No No
Copyright2006,PhoenixBusinessandSystemsProcess,Inc.Needham,MA,USA, MorefromPhoenixBusinessandSystemsProcess,http://www.pbandsp.com
ProcedureGuidelinesandControlsDocumentation
RobinBasham,M.IT,M.Ed.,CISA
Management Function Folder: Human Resources
Document Type Subfolders | Content Description | Subfolders allowed | Classification
Template | | No | Confidential
Management Function Folder: Network Management
Document Type Subfolders | Content Description | Subfolders allowed | Classification
Architectures | Architecture as Diagrams, long term strategic IT Vision, infrastructure planning and technical documentation. | Subfolder as needed | Sensitive
Flowcharts | Network Management Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. | No | Confidential
Process and Procedure | Network Management Process and Procedure folder contains process profile documentation. | No | Confidential
Program Definition | Network Management Program Definition folder contains program profile documentation. | No | Confidential
Template | Network Management Template folder contains shortcuts to approved templates and forms as required for this management function. | No | Confidential
Management Function Folder: Performance Management
Document Type Subfolders | Content Description | Subfolders allowed | Classification
Flowcharts | Performance Management Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. | No | Confidential
Process and Procedure | Performance Management Process and Procedure folder contains process profile documentation. This area includes database process optimization. | No | Confidential
Template | Performance Management Template folder contains shortcuts to approved templates and forms as required for this management function. | No | Confidential
Management Function Folder: Process Engineering Management
Document Type Subfolders | Content Description | Subfolders allowed | Classification
Flowcharts | Process Engineering Management Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. | No | Confidential
Process and Procedure | Process Engineering Management Process and Procedure folder contains process profile documentation. | No | Confidential
Process Profile | Process Engineering Management Process Profile folder contains program profile documentation. | No | Confidential
Template | Process Engineering Management Template folder contains shortcuts to approved templates and forms as required for this management function. | No | Confidential
Management Function Folder: Product Management
Document Type Subfolders | Content Description | Subfolders allowed | Classification
Flowcharts | Product Management Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. | No | Confidential
Process and Procedure | Product Management Process and Procedure folder contains process profile documentation. | No | Confidential
Program Definition | Product Management Program Definition folder contains program profile documentation. | No | Confidential
Template | Product Management Template folder contains shortcuts to approved templates and forms as required for this management function. | No | Confidential

Management Function Folder: Quality Assurance
Document Type Subfolders | Content Description | Subfolders allowed | Classification
Flowcharts | Quality Assurance Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. | No | Confidential
Process and Procedure | Quality Assurance Process and Procedure folder contains process profile documentation. | No | Confidential
Template | | No | Confidential
Management Function Folder: Security Management
Document Type Subfolders | Content Description | Subfolders allowed | Classification
Flowcharts | Security Management Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. | No | Confidential
Process and Procedure | Security Management Process and Procedure folder contains process profile documentation. | No | Confidential
Program Profiles | Security Management Program Profiles folder contains program profile documentation. | No | Confidential
Program Test Plans | Security Management Program Test Plans folder contains security specific program control test plans. | No | Confidential
Template | Security Management Template folder contains shortcuts to approved templates and forms as required for this management function. | No | Confidential
Management Function Folder: Software Development
Document Type Subfolders | Content Description | Subfolders allowed | Classification
Flowcharts | Software Development Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. | No | Confidential
Process and Procedure | Software Development Process and Procedure folder contains process profile documentation. | No | Confidential
Program Profiles | Software Development Program Profiles folder contains program profile documentation. | No | Confidential
Template | | No | Confidential
Management Function Folder: Standard Operation Procedures
Document Type Subfolders | Content Description | Subfolders allowed | Classification
Forms | | No | Confidential
General Use Flowcharts | Standard Operation Procedures General Use Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. | No | Confidential
*Run Book | Output of the Run Book Database is a paper copy of the Run Book. Run Books live in the database, but a single paper copy may be posted here as SAS 70 summary evidence. This folder could also be removed. | | Confidential
SOP By Domain (\Citrix, \Desktop, \LAN Access Distribution, \Oracle DB, \Oracle Server, \SQL Server, \Unix, \VPN, \WAN Backbone, \WINTEL) | Standard operating procedures are any set of directions used to maintain or operate any production system. Each folder is a holding place for short instructions related to the maintenance and care of any technology type. If a person creates any work instructions, be it in email or as a Word file, this is a place to store a record of the work so that the SOP doesn't have to be created again. SOP is less strict than process in that the owner of the technology maintains their current instructions and does not require approval to add to their folder. The manager is responsible for ensuring that any high risk process is documented and that the process could be followed by a person of equal skill in the event that the primary support staff was not available. | | Sensitive
Template | Standard Operation Procedures Template folder contains shortcuts to approved templates and forms as required for this management function. | No | Confidential
Management Function Folder: Support Management
Document Type Subfolders | Content Description | Subfolders allowed | Classification
Flowcharts | Support Management Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. | No | Confidential
Process and Procedure | Support Management Process and Procedure folder contains process profile documentation. | No | Confidential
Program Definition | Support Management Program Definition folder contains program profile documentation. | No | Confidential
Template | Support Management Template folder contains shortcuts to approved templates and forms as required for this management function. | No | Confidential
IT Work Product Library

Management Function Folder: Change Management
Document Type Subfolders | Content Description | Subfolders allowed | Classification
Production Release and Change Review | This area will be relocated to Risk Console once the Change Management program is operational. | No | Confidential
Meetings (\Agendas, \Meeting Minutes) | Change requests and change review meeting records. | No | Confidential
Management Function Folder: Network or Data Center Operations Planning and Infrastructure
Document Type Subfolders | Content Description | Subfolders allowed | Classification
Infrastructure Planning | Documentation pertaining to infrastructure planning and development including any current projects. This area will support numerous project specific subfolders. | | Confidential
\133patch | Create a folder for the infrastructure item and keep all planning for that change or project in the folder. | | Confidential
Management Function Folder: Performance Management
Document Type Subfolders | Content Description | Subfolders allowed | Classification
| Output of monitoring performance; shows evidence of monitoring activity. | | Confidential
Management Function Folder: Process Meeting Minutes
Document Type Subfolders | Content Description | Subfolders allowed | Classification
Meeting Minutes and Review Planning | Meeting Minutes and approvals for the Process Engineering team and program. | No | Confidential
Management Function Folder: Product Management
Document Type Subfolders | Content Description | Subfolders allowed | Classification
Meetings | Meetings pertaining to any release are captured and stored here. | No | Confidential
Project Planning | Release tasks by release and other evidence of project structure. | No | Confidential
Requirements | | No | Confidential
Status Reports | | Subfolder as needed | Sensitive
Management Function Folder: Product Training
Document Type Subfolders | Content Description | Subfolders allowed | Classification
| | No | Confidential
Management Function Folder: Quality Assurance
Document Type Subfolders | Content Description | Subfolders allowed | Classification
Quarterly Reports | | Subfolders created by quarter as needed | Confidential
[Company Core Product or Service] QA Testing By Release | Test planning documentation and a link to the current tests in Test Director. This is a "pointer file" used to assist the auditor in finding the evidence. | Subfolders are not limited. This is a place to store in-process work. | Confidential
Test Output | Used to gather the Internal Controls Testing Plans and the most current snapshot of testing as used for evidence in the upcoming SAS 70. The actual testing information must reside in its secure location within Test Director. This is an output for evidence purposes only. | Subfolders limited to the Internal Control Testing program | Confidential
fs02main Quality Assurance | The QA folder on FS02Main should be relocated to the process and work product areas. | | Confidential
Management Function Folder: Release Software Development
Document Type Subfolders | Content Description | Subfolders allowed | Classification
| | No | Confidential
Release Request | | No | Confidential
| | No | Confidential
Management Function Folder: Security Management
Document Type Subfolders | Content Description | Subfolders allowed | Classification
| Business requests for policy exception based on the need to maintain operations with given technology constraints. All exemptions should also be logged in a table where the CSO can maintain visibility on such items. RC is a good candidate for this, especially as tied to the Risk area. | No | Sensitive
| Output of situation review and decisions based on Exceptions to policy. | No | Sensitive
...\Agendas\Minutes | Meeting notes from any security meeting or incident response meeting. Recommend a format for the file name that shows Security, date and meeting type. Agenda can be a placeholder for meeting plans, and meeting minutes are just meeting minutes. | No | Sensitive
Program Policy Approval | Email outtakes and copies of documents indicating approval to implement security programs. I have a concern about storing electronic images of signatures and request that files state that the signature is locked in a file. | No | Sensitive
Management Function Folder: Security Management
Document Type Subfolders | Content Description | Subfolders allowed | Classification
Security Infrastructure and Program Planning (\Awareness) | | Create a subfolder for any program. | 
Test Output | | One folder per program tested | 
Tracking and Reconciliation Reports (\Tools, .\...\Last Login Scripts, \...\...\Risklabs Domain, \...\...\Company Domain) | Evidence of security monitoring activity. | Subfolder as needed | Sensitive
Contacttheauthor:http://www.pbandsp.com/cgi/form.html