
Procedure Guidelines and Controls Documentation

May 23, 2006
(rev 3, May 16, 2006)

A Proposed Template for Governance: Process Documentation and Process Architecture, as aligned to CobiT Process Management and Documentation Controls, ISO 9001 Process Documentation Methodology and COSO ERM Standards for Enterprise Risk Management.

Author: Robin Basham, M.IT, M.Ed, CISA, President, Phoenix Business and Systems Process

Template Copyright [Company Name]

Copyright 2006, Phoenix Business and Systems Process, Inc., Needham, MA, USA. More from Phoenix Business and Systems Process: http://www.pbandsp.com


Procedure Guidelines and Controls Documentation

Robin Basham, M.IT, M.Ed., CISA

Process Profile
Process Owners:
Process Owners Departments:
Process Owner At Release:
Release Approval List:
Distribution List:
Document Authors:
Data Classification: Confidential
Effective Date:
Revision Date:

Version Control
Columns: Revision Notes | Revision Code | Revision Author | Revision Release Date | Release Approved by


Table of Contents
Purpose and Scope ..... 5
Policy Statement ..... 5
Requirements ..... 5
Document Library Management Program ..... 5
Roles and Responsibilities ..... 6
Process Librarian ..... 6
Security or Resource Administration ..... 7
Business Unit and Department Data Owners ..... 7
Access Control ..... 7
Audience and Audit Considerations ..... 8
Writing Standards ..... 8
Change Requirements ..... 8
Key Controls ..... 8
Data Classification and Data Owners ..... 8
Naming Conventions ..... 9
Document Types and Their Use ..... 9
What Type of Document Do I Need To Write? ..... 9
Forms and Templates ..... 9
Getting Started: ..... 1
New Object Support Request ..... 1
How Do I Validate My Document? ..... 2
Figure 1. Validate a Process Object ..... 2
Document Type Process Profile ..... 3
Characteristics of Process ..... 3
Should I Write A Process Profile? ..... 4
Figure 2. Should I write a process profile? ..... 4
Where Do I Find the Process Profile Template? ..... 1
Figure 3. What are the steps and controls in writing a process profile? ..... 1
Document Type Policy Profile ..... 2
Should I Write A Policy Profile? ..... 3
Figure 4. Should I write a policy profile? ..... 3
Where Do I Find the Template? ..... 3
Document Type Program Profile ..... 3
Should I Write A Program Profile? ..... 4
Figure 5. Should I write a program profile? ..... 4
Where Do I Find The Template? ..... 5
Document Type Work Instruction or SOP ..... 5
Should I Write A Work Instruction SOP? ..... 6
Figure 6. Should I write a Work Instruction SOP ..... 6
Where Do I Find The Template? ..... 6
Document Type Run Book ..... 6
Why Do Run Books Focus On Service? ..... 7
Should I Write A Run Book? ..... 8
Figure 7. Should I write a Run Book? ..... 8
When Is A Run Book Complete? ..... 10
What Are The Formats For Run Book? ..... 10
Figure 8. Run Book Process ..... 10
Figure 9. Example Interface for gathering Run Book elements by Service Title ..... 11
Where Do I Find The Template? ..... 12
Document Elements ..... 12
How Do I Find Or Store My Document? ..... 13
PAL\ IT Process Asset Library ..... 13
Figure 10. What is in the PAL? ..... 13
PAL\ IT Work Products ..... 13
When Do I Need To Create A Work Product? ..... 13
Where Do We Keep Current And Archived Work Products? ..... 13
Figure 11. What are the work product folders? ..... 14
Where Do I Find Reference, Benchmark and Industry Guidelines ..... 15
Figure 12. Standards and Reference folders ..... 15
Other Work Products and Controlled Documentation: ..... 2
Controls Evidence Specific to Software Development and Product Development Lifecycle: ..... 2
Figure 13. Information Criteria ..... 4
What elements are captured during the flow diagramming process? ..... 5
Figure 14. Process Inputs and Outputs, RACI Chart for AI7 as found in CobiT 4.0, Copyright of ISACA ..... 6
Figure 15. Process Flow Diagram: How are software development artifacts captured in system event logs and software design templates? ..... 2
Controls and Application Controls ..... 2
When do I need to document specific control processes? ..... 2
How do we manage all these requirements? ..... 2
MKS Integrity Manager for process and workflow management of enterprise software development ..... 2
How mature do we really need to be? ..... 3
Figure 16. Maturity Toolbox, as represented by ISACA and CMU as the common maturity model or CMM ..... 3
Figure 17. How are software development artifacts captured in system event logs and software design templates? ..... 4
Test Scripts, Utilities and Event Tracking Systems ..... 5
What Is A Test Script Or Test Templates? ..... 5
Where Do I Find QA Test Templates? ..... 5
Assets, Inventories and Configuration Baselines ..... 5
Figure 18. Should I document a controlled server in our system inventory database? ..... 6
Where Are Devices Inventoried As Assets? ..... 6
Where Do I Find Server Control Records? ..... 6
Figure 19. Controlled Server Form ..... 7
Figure 20. Each controlled item has associated security exemptions and standard OS and Application build ..... 8
Which Tools Store Server and Application Information? ..... 8
Where Is The List Of Tools And Tool Types? ..... 9
Controls and Key Controls ..... 9
When Do I Need To Document A Control Object? ..... 9
Where Are Controls Catalogued? ..... 10
Figure 21. What Process Engineering, Auditors and Quality Gather Regarding Corporate Key Controls ..... 10
Figure 22. Key Controls Form ..... 11
Where Do I Find The Form or Template? ..... 11
Product, Application Development and Quality Templates ..... 12
Which Tool Stores Process and Work Instruction information? ..... 16
Figure 23. Facilitated Compliance Management provides summary reports for many object types ..... 17
Figure 24. Facilitated Compliance Management Allows Process Librarian to capture and catalogue all process objects ..... 17
Flow Diagram ..... 17
When Do I Use A Flow Diagram? ..... 17
Figure 25. Sample of A Business Process ..... 19
Visio Shapes and Custom Properties for Evidence of Process Controls ..... 20
Figure 26. Process Objects with properties ..... 23
Acronym Glossary and Definitions ..... 24
Comprehensive Glossary of all Corporate Terms ..... 25
Related Documents ..... 25
Extended Bibliography ..... 25
Risks and Associated Controls ..... 32
Figure 27. What Type of Document Should I Write? ..... 34
Example of PAL Contents File Location, Description of Use ..... 35

Purpose and Scope
Procedure Guidelines and Controls Documentation outlines how to create and modify procedures, work instructions, policies, and Run Books as they currently exist in their correct location and format and as aligned to the requirements of document security.

Change control, information asset location, and documentation format standards are the combined responsibility of Security Management, Quality Assurance, and Process Engineering. In the context of creation, iteration, approval, and posting, the Process Librarian manages documentation. Process Engineering manages quality over documentation as demonstrated by document templates. Security Management defines policy and access rules for the recording, adherence to, and monitoring of procedures involving data integrity, privacy, and security across any enterprise level configuration.

Policy Statement
All changes, additions, and deletions to the production documentation library require management approval. Managers should notify Process Engineering of changes to production process.

Requirements
The primary security elements of any document library management process are:
- Auditable changes.
- Evidence of document library and document lifecycle management that is readily available for those who need to monitor this activity.

Documentation strategies need to:
- Reduce complexity.
- Prioritize key control processes.
- Reflect COMPANY process architecture.
- Represent real functions and real activities.

Document Library Management Program
A formal document library management program manages the Process Asset Library and monitors compliance with document lifecycle objectives (i.e., annual document reviews). The program must include, but is not limited to, the following controls:
- Documented procedures for updating production documentation.
- Defined roles and responsibilities that support defined procedures for document and document library maintenance.
- Accountability for document content integrity.
- Education, notification, and awareness process to inform all necessary stakeholders affected by document modifications.
- Separation of production and nonproduction documentation.
- A defined data retention goal for each document or class of document. Documents are maintained for the lifecycle of the process. If aligned to key controls and loaded in [Name of core product or service], the document is retained as part of SAS 70 evidence.
Document lifecycle control procedures must detail the process for (Process Profile Creation doc sections embedded in this doc):
- Reviewing new or changed documents.
- Approving and rejecting documents.
- Posting documentation.
- Documenting information about documentation (metadata).
- Auditing the lifecycle of documents in the library.

Roles and Responsibilities
Document and document class owners shall:
- Ensure the integrity, confidentiality, and availability of production documentation and the library environment through the implementation of documented programs, procedures and standards.
- Approve all changes affecting their domain of control and responsibility.
- Ensure all changes have been approved and properly communicated prior to posting.
- Ensure that their employees understand and abide by this policy and its control requirements.
- Report any violation of this policy to the CTO and CSO or their designated representatives in a timely manner.

The Process Engineering Team will endeavor to assist COMPANY operations with many time consuming functions not core to their roles. Process and technical documentation is central to the creation of user guides and training materials and is currently aligned to the COMPANY Process Engineering group. As COMPANY may add or extend this function, the process librarian function will continue to assist with the design and deployment of training materials and user guides. These duties may include:
- Assisting with writing and maintaining procedures and controls. The data owner will usually write procedures.
- Providing methods to maintain and meet record keeping obligations.
- Assisting with the design and modeling of management reports and control checklists.
- Assisting with workflow and process design.
- Acting as a liaison with business, compliance, and development to implement and/or update procedures, controls, and system enhancements.

Process Librarian
The Process Librarian controls the process information directory structure and makes sure the integrity of the folders is maintained. The librarian function catalogues and categorizes documentation assets and aligns documentation standards to the needs of the business and technology functions. Where changes are required to existing process documentation, the process librarian handles the registration and posting of new procedures to the established process location.

Any new folders must be requested via email to the process librarian, currently [Name of Process Librarian], at Process@COMPANY.com. The librarian ensures name and contents integrity within Facilitated Compliance Management process tracking: \\...\PAL\FacilitatedComplianceManagement\FacilitatedCompliance Management2000FCM.mdb

Security or Resource Administration
People who administer access to process assets will adhere to the sanctioned user access process, providing resource access to employees as determined by their role and the approval of their management. The Resource Administrator will not add or modify folders outside the boundaries defined by the Process Engineering Team. Specifically, once a business area is provided space for information assets, modification to the root level file hierarchy is not permitted. This rule is established to assure inventory over information and in no way limits the productivity of any business area. Information can be created in subfolders within the designated file share. Persons with write access can create subfolders within the root of their information domain.

The Security Administrator will create file shares and folders as requested by the Process Librarian, and will allow changes within the files as determined by the business owner for the share information.

Business Unit and Department Data Owners
Data owners are accountable for the reasonable use of their designated drive space, assuring proper classification and location of their data. Business owners define users and establish access rules based on a need to know principle. Where a business area needs folders that extend beyond the current process architecture, the Business Unit must gain approval through process engineering and security, ensuring proper rules for classification and the avoidance of duplicate information. (See Current PAL Contents and File Location Description of Use.)

Business owners are accountable for the periodic review of information on their drive. This review is to assure appropriate use of file naming conventions, validity of process, completed procedures, and to archive out of date content.

Business owners are accountable for understanding their data privacy and retention requirements and for communicating these requirements to their personnel.

Access Control
Access to the production library contents must be controlled in the same manner as the production environment to ensure that only authorized users can access the documents. Access controls must be established to ensure only authorized individuals can view, edit, and update documents according to appropriate roles. Default access controls include:
- Process Librarian has administrative privileges to the PAL and provides Security Administration with the Functional Business Owner for each directory in the PAL.
- System Administrator has administrative privileges to the PAL and may grant user access according to Manager Approval.
- Functional Managers, such as Support, Change Management and Process Engineering, have read/write/update/delete privileges to their file share on the PAL. Policy dictates they should not create or delete folders without notice and approval from the Process Librarian.
- Employees (non managers) have read only privileges unless granted write privilege by the Functional Manager. Employees do not have delete privilege.

Audience and Audit Considerations
This process profile serves as reference for COMPANY. Groups may be referenced by functional email notification names such as Process@company.com. Group functional emails are used to support communication trails and facilitate rules for review, approval, and timely business communication.

Procedures are detailed documents, generally derived from parent policy and implemented to the spirit (intent) of the policy statement. Therefore, all procedures written and implemented by COMPANY align to Security Policy, HR Policy, Program Change Policy, and specific requirements for Data Classification, Data Retention, and Data Privacy as defined by senior management.

Writing Standards
Procedures are written in a clear, concise, and easily understood manner. Procedures document business processes (administrative and operational) and their controls. Procedures are created by upper and middle management as a means to translate policy to practice.

Change Requirements
Procedures, represented as processes, work instructions, standard operating procedures, work specific training materials, and production support procedures (i.e., Run Books), are dynamic, changing to fit current business operational practices. They must reflect the regular changes in business focus and environment. Reviews and updates of procedures are essential if they are to be relevant. Therefore, COMPANY provides notice to business management of all changes and new instances of process. Both internal and external auditors will review procedures to identify, evaluate, and thereafter test controls over business processes. Given this knowledge, it is the responsibility of the process owner to keep current any process documentation and to notify the process librarian of any process change via Process@company.com.

Additionally, part of change approval includes validation that all training and support procedures are current.

Key Controls
The controls embedded in procedures are evaluated to ensure that they fulfill necessary control objectives while making the process as efficient and practical as possible. Some controls are designated as key and represent reported controls evidence in support of COMPANY regulatory attestation. Where operational practices do not match documented procedures or where documented procedures do not exist, it is difficult (for management and auditors) to identify controls and ensure that they are in continuous operation. While not all situations of this type represent control failure, each situation requires review and response based on the risk to safe and effective process management.

Documentation is a key control in that proper documentation directly supports every aspect of the COMPANY control framework. The absence of documented process is a risk to operations and to COMPANY. Failure to properly document control procedures is an indication of management and control deficiencies.

NOTE: Missing or incomplete critical process documentation is not tolerated as acceptable business practice.

Key control objectives are mapped to documentation and other evidence of control. Currently the tool to manage this is [Name of core product or service].

Data Classification and Data Owners
The CobiT Planning and Organization control objective Define the Information Architecture, 2.3 Data Classification Scheme, requires a general classification framework established with regard to placement of data in information classes (i.e., security categories) as well as allocation of ownership. The access rules, as in who can access what type of data as well as the restrictions over where that data may reside, on a per classification basis, should be appropriately defined. This is a codependency on Security and Security Administration, where Process assists in the implementation of classification standards, and access is further supervised and implemented through Security programs.

The Process Librarian and Data Owners are dependent upon the accurate classification of information assets as defined by the Security Policy. End user managers and the security administrators require classifications to accurately determine who should be able to access what. The Process Librarian assists in the design of file share information, whereas the Data Owner is accountable for the classification and administration of its use. The Process Librarian assists the business to manage data assets by location and classification. The Process Librarian further supports requirements to have an information inventory of internal process and work products.

Naming Conventions
Naming conventions are a part of the COMPANY overall security design and are an integral part of information asset accounting. In accordance with an approved set of access rules stipulating users (or groups of users) authorized to access a resource (such as a dataset or file) and at what level (such as read or update), the access control mechanism applies these rules whenever a user attempts to access or use a protected resource. Data is maintained by location such that access is appropriately restricted.

These general naming conventions and associated files are required in a computer environment to establish and maintain personal accountability and segregation of duties in the access of data. The owners of the data or application, with the help of the security officer and process librarian, establish the names of files and subfolders for their business information. It is important to establish naming conventions that both promote the implementation of efficient access rules and simplify security administration. Naming conventions for system resources are an important prerequisite for efficient administration of security controls.

Process Engineering Key Controls and Risks can be reviewed in Process Documentation Compliance Control, CobiT Function, CobiT Detail Objective and Risks and Associated Controls.

Document Types and Their Use
What Type of Document Do I Need To Write?
Writing a document may sound easy, but it is really very complex. Documentation strategies are designed to reduce complexity, prioritize Key Control Processes, reflect a common Process Architecture (ITIL and CobiT frameworks), and above all else, represent REAL functions and REAL activities. Factors that influence the type of document that we write are:
- Sustainability: how often detail within the process will change, and
- High Level, not Vague: achieving the highest level of information possible before document details become formless, blurry or vague.

Forms and Templates
Process documentation is designed for a specific layer of abstraction. Process engineering works with the document author to select a template that meets the writer's minimal requirements.

Guided writing is a process that facilitates creating consistent, standard quality documentation. Writing takes many forms, each best suited to serve a different purpose. The following sections explain the different types of templates or writing guides, including application interface, Word templates and diagrams.

Getting Started:
Prior to creating a procedure, persons are asked to review available formats for documentation. Once the type and topic for documentation is established, Process Engineering is available to review and validate the intended process. Process Engineering catalogues corporation documentation and is able to prevent wasted or duplicated documentation efforts.

How: Send notice of intention to create documentation to process@company.com. The following details provide notice to the Process Librarian of an intended process product. This request minimally requires the following information:

New Object Support Request
For each intended process object, please fill in the section below. Please copy the questions for each title.
Is this a Process, Work Procedures, a Policy, a Program Definition or a Form?
Management or Department Function:
Title:
Owner:
Purpose:
Affirmation Team:
Associated Key Control:

The Process Team will select a template or document format and refine the title and scope to best align the output with existing process architecture and requirements. Templates exist in the template folder for each functional area. A master file of business templates can be found in \\...\PAL\Templates. A comprehensive list of approved templates is in Facilitated Compliance Management, located in the Forms and Templates section.

How Do I Validate My Document?
Before embarking on a procedure, policy, process or any type of controls documentation, contact the process librarian so the intended object can be verified and catalogued in the process objects database.

Figure 1. Validate a Process Object (flow diagram; only the labels could be recovered from the figure): Process Object Validation; Request new Process Object; New; Enter process details; Process details exist; Department or User Approval to Update Process; Process Change; Alert IT management of new process in development; Return pending identified process object manager's approval; Management Approval; Legitimate need for process; Launch Process Object form; Form open; New Process Validation; IT stakeholders are able to get involved in process; Pass One process created; Instance of process in process profile table; Created/Update Process Object; Exists: gain consensus it is an update.


Document Type: Process Profile
The purpose of a process profile is to capture and document essential elements associated with a business process. A process is a series of actions, changes, or functions bringing about a result. Elements included in a process profile are selected by the process team. Generally, the elements include, but are not limited to:
Version Control and Change History
Purpose and Scope
Associated Control Objectives
Critical Success Factors
Performance Indicators
Baseline Performance
Goals/Measures
Service Level Considerations
Related/Source Documents
Forms and Templates
Quality Records Including SQM
Process Diagram
Process Deviations and Current State
Trigger and Exit Criteria
Acronyms/Definitions
Safety Issues
Risk Management Plan
Process Definition (Inputs and Outputs to Other Processes)
Status Codes Metadata

Characteristics of Process
Highest level of abstraction and lowest level of detail
High level set of steps that collectively accomplish a business function:
Typically includes sub or component level processes
Often used by more than one program or department


Should I Write A Process Profile?
Consider whether the following statements are true. The process flow diagram demonstrates the steps involved in creating any process object. If this is viewed online, the flow includes all process properties in the flow objects. For more information, see Appendix A.

Figure 2. Should I write a process profile?


Where Do I Find the Process Profile Template?
\\...\PAL\Templates\ProcessProfileTemplate.dot

Figure 3. What are the steps and controls in writing a process profile?


Document Type: Policy Profile
Policy is the underlying principle upon which process and programs are built. One might consider that a policy is "Commander's Intent", and it is up to the persons governed to determine the best practice or process to attain their goal within the confines of the policy. While not every program requires a policy, information technology practice is largely determined by the Security Policy, Change Policy and Data Classification Policy. In addition, most business practice is in some way governed by the Human Resource Policy. Policy is implemented by programs that enact processes. Policy is generally required for legal and regulatory compliance. Policy is enforced through system, application and organizational controls. A policy is typically designed to be true across all departments and for all persons. Where a policy is highly specific to a program or department, it is generally a department policy, but not a formally distributed corporate policy.
Elements:
Policy Area
Effective Date
Revision Date
Contacts
Summary
Goals
Applicability
Policy Statement
Roles and Responsibilities
Compliance
Exemptions
Appeals
Authority
Related Documents
Definitions


Should I Write A Policy Profile?
Consider whether the following statements are true.

Figure 4. Should I write a policy profile?

Where Do I Find the Template?
\\...\PAL\TEMPLATES\Policy Profile.dot

Document Type: Program Profile
Program Profiles are sometimes referred to as a program or department charter and are used to define the scope of a group as well as the requirements of its organization. This document outlines the overall organizational or department function and is aligned with departments and individual performance reviews. Program profiles may include job descriptions or job profiles and are represented by an organizational diagram. These are supporting documents, often associated to the program profile.
Attributes of a program include:
Manages Control Systems and Events
Owns Initiatives and Business and IT Systems
Responsible For Supporting Functions
Is Measured
Program profiles support the ability to perform:
Personnel Recruitment and Promotion
Benchmark Personnel Qualifications
Designate Roles and Responsibilities
Plan and Deliver Personnel Training
Implement Cross Training or Staff Backup
Verify Personnel Clearance Procedures
Design and Perform Employee Job Performance Evaluation
Determine Job Change and Termination Requirements
Program Profile Elements:
Purpose and Scope
Roles and Responsibilities
Program Elements
Tools
Program Controls and Measures

Should I Write A Program Profile?
Program profiles are not required, but can facilitate a great many other functions including Audit and Training or Organization Requirements Definition. Where a program profile supports the organization to explain a department charter, it is a simple and useful tool that may benefit employees and auditors equally. Consider whether the following statements are true.

Figure 5. Should I write a program profile? (decision diagram; only the statements could be recovered from the figure): Program Profile; Supports implementation of process or policy; Defines a company specific activity including purpose, elements, tools and staff; Required to maintain controls; Organizational control activity; There is a group chartered to perform this function; Serves as audit guide for program implementation; Activity is exclusive to this group; Measured metrics; Aligned to job descriptions and control functions; Complete Program and Program Test Definition.


Where Do I Find The Template?
\\...\PAL\Templates\ProgramProfileTemplate.dot
Templates that describe positions or assist in the design of a program organizational chart are located in:
\\...\PAL\ITProcessAssetLibrary\HumanResources\Template\JobDescriptionTemplate.dot
\\...\PAL\ITProcessAssetLibrary\HumanResources\Template\EmployeeWarningNotice.dot
\\...\PAL\ITProcessAssetLibrary\HumanResources\Template\JobAnalysisQuestionnaire.dot

Document Type: Work Instruction or SOP
Work Instructions, also known as Standard Operating Procedures (SOP), represent:
Greatest level of technical detail
Are tool dependent
Change when technology changes
Are updated often
Stored in knowledge management systems or help desk database
Associated with specific tools and tasks
Used to guide and train work at the task implementation level
Are part of an already approved process
Work instructions or SOPs can be located within a functional area and are often embedded in help files within systems. Run Books (explained in the next section) reference work instructions to facilitate answering the question, "Where do I find directions to perform this task?" Whereas process changes are a part of standard change management, a work instruction may be updated in the course of an individual's personal need to track how detailed steps are done. A work instruction may have general or highly specialized use. Where work instructions are critical to the control of a process, it is the business manager's responsibility to ensure that routine work procedures exist and are followed within their functional area.
All service affecting operational processes must be documented to prevent service disruption caused by the absence of primary staff. Any procedure required to maintain operations that is not already documented as a part of routine system functions (i.e., already located in general product help files) must be documented to assure that in the absence of primary staff, the process can be sustained by others. At a minimum, all personnel are accountable to documentation to the extent that a similarly trained staff could stand in for emergency coverage and be able to use directions to maintain required operations. Where staff fail to keep their work instructions up to date, the failure is both on the part of the individual and the area manager.
Work instructions or SOPs are a simple list of steps that explain in clear terms how to achieve a specific result. Directories containing work instructions and SOPs should be clearly labeled and information should be current. Work instructions can exist in all event tracking systems and are not centrally located, but are accessible and known to all persons within the user department.


Should I Write A Work Instruction SOP?
Consider whether the following statements are true.

Figure 6. Should I write a Work Instruction SOP?

Where Do I Find The Template?
The template to write a simple set of work instructions is located in: \\...\PAL\Templates\WorkInstructionTemplate.dot

Document Type: Run Book
A Run Book, sometimes known as a playbook, is a document containing detailed procedures that collectively keep a mission critical system running. A Run Book is sometimes viewed as an element of Business Continuity Planning (BCP) or Disaster Recovery (DR). This is because they are written to assure that an equally skilled administrator would be able to use the Run Book to step in and administer the system until such time that normal staffing and conditions apply. Run Books are a system current document with all the required information needed to understand how a service or system is kept running. Run Books are not project plans, and do not maintain information unless it is in use and a part of the working system.
A Run Book is used to verify and gather the location of all operational information. A production Run Book is evidence of documentation and control over a service or system. It provides information on how to run procedures without necessarily providing background for the process. Run Books are detailed instructions that a user references when performing the process.
On a per system instance, a Run Book can document a small set of operational procedures and reference various guidelines. On a larger scale, a service oriented Run Book details the combination of systems and their dependencies in keeping a service available. This is a valid form of meeting both BCP and various other levels of compliance requirements. Determining this requirement can be as follows:

Why Do Run Books Focus On Service?
A Run Book is service oriented vs. single system oriented. When documentation does not meet the requirements mentioned above, it is probable that listing the device in an inventory system is sufficient and further documentation is not required.
Where the availability of a critical or core business function depends upon the accurate working of interdependent systems, it is advisable to have a business owner who assures the current and complete Service Run Book. As is true for any controlled system, the Run Book explains day to day system procedures, but additionally adds some or all of the following elements:
Functional Overview
Functional Overview Diagram
List of Interfaces
System Overview
System Overview Diagram(s)
Network Management Process
Hardware
Hardware Management Process
Software Development and Release
Third Party Vendor/Software Management
Performance Monitoring Process
Database Administration Process
Quality Assurance
Vendor Information
Back Up Processes
Disaster Recovery Process
Security
Problem Management
Configuration Overview: Server/HW/OS, Application, Database Configuration
Daily cycle
Failover
Maintenance
Troubleshooting and Error Messages
Glossary
List of files
Financial Processes
Test procedure


Should I Write A Run Book?
Consider whether the following statements are true.

Figure 7. Should I write a Run Book?


Where Do I Get The Information That Goes Into The Run Book?
Consider the following sources.

Run Books bring visibility to an aggregation of documents and details that collectively support service availability or product delivery.


When Is A Run Book Complete?
Consider whether the following statements are true.

What Are The Formats For Run Book?
Run Books can be maintained as a Word report that is output from a single database system or from a collection of systems. The form used to gather Run Book elements (today) is in Facilitated Compliance Management. This is a location that is subject to change. The tool that gathers Run Book details is not critical to the process. The tool for gathering elements can also be a Word document, as identified in the template section. The process for generating Run Book information is not important, so long as visibility of how systems run is maintained for the business owner and technology support personnel.

Figure 8. Run Book Process


Figure 9. Example interface for gathering Run Book elements by Service Title


Where Do I Find The Template?
\\...\pal\FacilitatedComplianceManagement\ShortcuttoRunBookinFacilitatedCompliance Management2000FCM.MAF
\\...\pal\Templates\RunBookTemplate.dot
The current procedure for Run Book is to use our system database and generate a Run Book report as needed.

Document Elements
The following section is written to address additional questions pertaining to document elements, storing and managing information and how steps and controls are specifically captured to support the internal audit of IT program and application level controls. Sections include:

Where Does My Document Belong? \\...\PAL\ITProcessAssetLibrary\
Static Process versus Process Output (Evidence of Using Process) \\...\PAL\ITWorkProductLibrary\
Other Work Products and Controlled Documentation: Controls Evidence Specific to Software Development and Product Development Lifecycle
Test Scripts, Utilities and Event Tracking Systems
Assets, Inventories and Configuration Baselines
Controls and Key Controls
Product, Application Development and Quality Templates
Flow Diagram


How Do I Find Or Store My Document?
PAL\ITProcessAssetLibrary
Process documents are stored in the IT Process Asset Library (PAL).

Figure 10. What is in the PAL?

\\...\PAL\ITPROCESSASSETLIBRARY\

PAL\ITWorkProducts

When Do I Need To Create A Work Product?
There are a variety of Word and Excel files used during the workday. These documents may include spreadsheets used for analysis, client contact files, miscellaneous notes, etc. These are not considered forms or procedures and remain within their respective locations on the network. In conditions where documents or spreadsheets represent evidence of a process output, the materials are Work Products and should reside in the functional work products directory. Not all data is work product. A test of whether information belongs in the work products area is answering yes to the following question: Is this the output of a template, process or form, and is this evidence of a process?

Where Do We Keep Current And Archived Work Products?
\\...\PAL\ITWORKPRODUCTLIBRARY\


Figure 11. What are the work product folders?

Current Inventory of Folder and Contents is maintained by Process Engineering, in \\...\PAL\ITWorkProduct Library\ProcessEngineering\PALFolders.xls


Where Do I Find Reference, Benchmark and Industry Guidelines?
Methodology and standards documentation is maintained in the Standards and External Reference folder. Corporate Policy and Templates also reside at this level of the PAL. These folder locations allow for all personnel to have equal access to information used to support and design any process.

Figure 12. Standards and Reference folders


Other Work Products and Controlled Documentation: Controls Evidence Specific to Software Development and Product Development Lifecycle

Teams preparing their annual audit work papers (controls evidence) will often ask, "What about SDLC related artifacts like VSS/CVS, test events and source code libraries?" Software Development work products have particular control requirements satisfied through the appropriate use of tools such as workflow and event management, integrated development environments or IDEs, and storage libraries for the purpose of source control. Unlike controls designed to enforce and manage the policy of production environments, however, software development must allow for both creative genius and watertight tests over what can sometimes be bleeding edge or non-conforming code. The requirements aligned to creating and modifying today's business solutions must often support multiple libraries of code involving issues of integration with environments best described as moving targets, highly complex data requirements and greater third party dependencies than could have ever been anticipated. Production Environments are as fixed as the next patch response to newly revealed malicious code, hardware or software exploit, or even regulatory requirement. Among the myriad of morphing parts is the Holy Grail we call production and the miraculous belief that we control it. It is no wonder that entire careers have been made in the path of unraveling the events perceived as the negative effects of purposefully released code.
Software development is an integrated process spanning the entire IT organization. The term lifecycle can be taken to represent the collection of agreed steps to control development, modification and distribution of code. While Change and Configuration Management denote separate entities exerting policy over standards for the production environment, the design of these standards and all efforts between these points can be characterized as the world of software development and code.
Clearly, no two companies have exactly the same organization, product or infrastructure, but the efforts of Carnegie Mellon University's Software Engineering Institute, the Office of Government Commerce and British Standards Institute, and the Information Systems Audit and Control Association have produced clear and aligned frameworks for the representation of software development best practice. Well run, or mature, development shops provide similar process and control points and reap quality product as the benefit of their status among mature organizations.
The Control Objectives for Information Technology, Edition Four, CobiT 4.0, is our most widely adopted matrix and measure for all integrated IT and Enterprise controls. Aligning the concepts of CMM, ITIL, ISO/IEC 17799 and COSO, CobiT 4.0 advances the previous project with increased attention in the areas of SDLC, Quality and Project Risk Management. Of particular note is the newly numbered control process Install and Accredit Solutions and Changes, AI7. Install and Accredit Solutions and Changes is the high level functional area that captures the greatest number of features representing the activities related to SDLC or Release Management. AI7 states:
"New systems need to be made operational once development is complete. This requires proper testing in a dedicated environment with relevant test data, definition of rollout and migration instructions, release planning and actual promotion to production, and a post-implementation review. This assures that operational systems are in line with the agreed expectations and outcomes."
Install and Accredit Solutions and Changes includes inputs and outputs to configuration, project, change, maintenance and acquisition programs. With handoffs based in triggers, performance goals, measurements and business based criteria, documented consensus and tested results, evidence of their implementation is best suited to automated systems.


As companies comply with regulatory and industry requirements, system based records showing evidence of these controls gain even greater importance. The following are high level definitions of the control processes found within the Acquisition and Implementation process, Install and Accredit Solutions and Changes, or AI7.

Training (7.1)
Train the staff of the affected user departments and the operations group of the IT function in accordance with the defined training and implementation plan and associated materials, as part of every information systems development, implementation or modification project.

Test Plan (7.2)
Establish a test plan and obtain approval from relevant parties. The test plan is based on organization-wide standards and defines roles, responsibilities and success criteria. The plan considers test preparation (including site preparation), training requirements, installation or update of a defined test environment, planning/performing/documenting/retaining test cases, error handling and correction, and formal approval. Based on assessment of the risk of system failure and faults on implementation, the plan should include requirements for performance, stress, usability, pilot and security testing.

Implementation Plan (7.3)
Establish an implementation plan and obtain approval from relevant parties. The plan defines release design, build of release packages, rollout procedures/installation, incident handling, distribution controls (including tools), storage of software, and review of the release and documentation of changes. The plan should also include fallback/backout arrangements.

Test Environment (7.4)
Establish a separate test environment for testing. This environment should reflect the future operations environment (e.g., similar security, internal controls and workloads) to enable sound testing. Procedures should be in place to ensure that the data used in the test environment are representative of the data (sanitized where needed) that will eventually be used in the production environment. Provide adequate measures to prevent disclosure of sensitive test data. The documented results of testing should be retained.

System and Data Conversion (7.5)
Ensure that the organization's development methods provide, for all development, implementation or modification projects, that all necessary elements such as hardware, software, transaction data, master files, backups and archives, interfaces with other systems, procedures, system documentation, etc., be converted from the old system to the new according to a pre-established plan. An audit trail of pre- and post-conversion results should be developed and maintained. A detailed verification of the initial processing of the new system should be performed by the system owners to confirm a successful transition.

Testing of Changes (7.6)
Ensure that changes are tested in accordance with the defined acceptance plan and based on an impact and resource assessment that includes performance sizing in a separate test environment by an independent (from builders) test group before use in the regular operational environment begins. Parallel or pilot testing should be considered as part of the plan. The security controls should be tested and evaluated prior to deployment, so the effectiveness of security can be certified. Fallback/backout plans should also be developed and tested prior to promotion of the change to production.

Final Acceptance Test (7.7)
Ensure that procedures provide for, as part of the final acceptance or quality assurance testing of new or modified information systems, a formal evaluation and approval of the test results by management of the affected user department(s) and the IT function. The tests should cover all components of the information system (e.g., application software, facilities, technology and user procedures) and ensure that the information security requirements are met by all components. The test data should be saved for audit trail purposes and for future testing.

Promotion to Production (7.8)
Implement formal procedures to control the handover of the system from development to testing to operations in line with the implementation plan. Management should require that system owner authorization be obtained before a new system is moved into production and that, before the old system is discontinued, the new system has successfully operated through all daily, monthly, quarterly and year-end production cycles.

Software Release (7.9)
Ensure that the release of software is governed by formal procedures ensuring sign-off, packaging, regression testing, distribution, handover, status tracking, backout procedures and user notification.

System Distribution (7.10)
Establish control procedures to ensure timely and correct distribution and update of approved configuration items. This involves integrity controls, segregation of duties among those who build, test and operate, and adequate audit trails of all actions.

Recording and Tracking of Changes (7.11)
Automate the system used to monitor changes to application systems to support the recording and tracking of changes made to applications, procedures, processes, system and service parameters, and the underlying platforms.

Post-implementation Review (7.12)
Establish procedures in line with the enterprise development and change standards that require a post-implementation review of the operational information system to assess and report on whether the change met customer requirements and delivered the benefits envisioned in the most cost-effective manner.

(Additional information regarding CobiT can be viewed at http://www.isaca.org)
While SDLC Process documentation is heavily impacted by supporting programs, such as Steering Committee and overall Project/Program Management, Training and Quality Assurance, cooperation between these groups is necessary to the production acceptance of any major release and, in some conditions, even simple enhancement to previously released code. Artifacts of these procedures can include process profiles, detailed workflow diagrams, committee presentations and even online help files, but the true nature of software development controls evidence can only be demonstrated through the appropriate use and capture of controls over the policies and procedures for the development and release of all associated software and code. Modern forms of evidence generally must:

Demonstrate an existing system context in the form of functional, transaction process and infrastructure diagrams (e.g., high level business process flow schema).
Quantify by class a hierarchical data flow/control flow decomposition.
Include control transformations.
Allow for mini specifications.
Maintain data dictionaries.
Consider all external events and inputs from the external environment.
Track by change any and every single transformation in data flow diagrams, with extreme emphasis towards data input, transformation, verification, validation and output controls.

ConsiderthesevenInformationCriteriaasrepresentedinreviewofITGovernanceControlsbyISACA

Figure13.

InformationCriteria

Regardlessofdomain,processoutputsarereviewedinthecontextoftheireffectiveness,efficiency,confidentiality, integrity,availability,complianceandreliability.Giventhescenarioofsoftwaredevelopmentprograms, informationcriteriamightbeappliedtoelementssuchasthefollowing:


Code Libraries
Restore by code revision and secure retrieval process
Meeting Minutes as visible in tracking systems
Risk Evaluation Definition and Risk Review
Anomaly Measures and Reporting
Enhancement Request Tracking
Quality and Test Tracking
Test Plans
Project Milestone Tracking
Data Dictionary
Defect, Enhancement or Error Tracking
Production Acceptance guidelines
Post Implementation Review
Customer Satisfaction Ratings
Service Level and Operating Level Requirements

Version control software, or tools that capture a rollback state, are sometimes confused with full scale software development tracking applications. Online Programming Facilities (integrated Development Environment, IDE), however, must extend far beyond a snapshot and restoration to a previous version of code. While software projects may have once been characterized as a routine process of delivering code to a single business unit, involving a homogenous development team using a single platform and familiar technology, today's project can be characterized quite differently. Typical projects integrate efforts by dozens of developers in multiple countries, involving three or more business streams, traversing varied platforms and applications, accepting some degree of technological uncertainty and unfamiliarity, and satisfying the requirements of disparate organizations that may not have organic opportunities to seek consensus or even share awareness of each other's requirements. Add to this at least one major vendor, market projections for cost and completion, and increasingly regulated and complex electronic transaction processes. A code snapshot doesn't suffice.
Programming tools are not enough to facilitate effective use of structured programming methods in the path of measured service delivery. Highly skilled program teams require systems to enable proper use of best practice, including protection of their own use or misuse as a primary IT resource. Mature shops leverage an online programming facility as part of an integrated development environment. This practice alone, however, cannot assure mature product delivery. Software departments require SDLC products, where the suite of modules includes inputs beyond those of the programmer and includes all members in the path of a Service Application. While an IDE provides programmers the ability to code and compile programs interactively with a remote computer, it cannot efficiently and effectively control workflow, to say nothing of risk management.
In fact, the IDE alone can facilitate our most tremendous control weakness in IT, being the capacity to enter, modify, and delete programming code, as well as compile and store programs (source and object) on a single workstation without prior plan, authority or approval. While affording required reporting, the online facilities also can be used by non-IS staff to update and retrieve data directly from computer files. While this is a business requirement, without proper controls it is also an inherent control risk.

What elements are captured during the flow diagramming process?
Stephen Covey's often quoted "Begin with the end in mind" principle applies well to the question of what do I need to capture during the process flow diagramming process? Accurate, versus incomplete, requirements are said to represent the single greatest factor in software development success. Consider that the process of gathering requirements provides many opportunities to communicate attributes needed for successful documentation of software and business controls. Regardless of the applications used to document requirements, using common terms and controls definitions, such as those found in CobiT 4.0, will dramatically shorten time spent on software design and control documentation. The following image is intended as suggested content captured by control objects in a process flow diagram. Such objects might be found in virtually all process modeling and development tracking systems. The effort to apply controls language to the documentation of responsibility is a process driven by people, and best facilitated by current and mature software development tools.

When selecting tools for the alignment of SDLC with regulatory and audit reporting requirements, consider that the product must:
- Easily and clearly represent main components, objectives and user requirements, while identifying areas that require controls
- Provide means for capture, evaluation and ranking of the major risks to, and exposures of, the system
- Include how each control is monitored and what ensures controls are implemented such that control owners determine their effectiveness, for example that business users review business requirements, data owners review data access, end users affirm adequacy of training materials and documentation, and so on
- Verify that any software development and change tracking system includes:
  - Work order and related task assignment history, status, duration and outcome
  - Segregated tracking of system and role-based access such as console logins and logouts by programmers, ticket updates by end users, program authorization by the business
  - A reasonable explanation for all program deletions
- Document and assign owners to events based in a system maintenance process: business authorization, regression testing where code or hardware integration affects end user processing, and a record of post-maintenance test results or any other audit evidence
- Verify through test and frequent checks the adequacy of production library security
- Integrate process controls between configuration management, problem management and change management in the process to ensure the integrity of the production resources
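The checklist above asks that a change tracking system record segregated role-based access, business authorization, test results and an explanation for every program deletion. The script below is an added example, not part of this document or of any product it names, that audits a constructed export of such records against those points; its field names, roles, event types and sample data are assumptions, and it treats every production deployment as one that affects end user processing.

```python
"""Audit a change-tracking export for the evidence the checklist requires.

Constructed example: field names, roles, event kinds and the sample records
are assumptions, not the format of any real change tracking product.
"""
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "time work_order kind actor role detail")

# Roles allowed to grant business authorization for a program change.
BUSINESS_ROLES = {"business"}

# Constructed sample export (ISO-8601 timestamps sort correctly as strings).
SAMPLE_EVENTS = [
    # WO-101: authorized by the business, tested, deployed by operations.
    Event("2006-05-01T09:00", "WO-101", "task_assigned", "pm1", "project_mgmt", "fix invoice rounding"),
    Event("2006-05-01T09:30", "WO-101", "console_login", "dev1", "programmer", ""),
    Event("2006-05-01T10:00", "WO-101", "code_change", "dev1", "programmer", "invoice.c"),
    Event("2006-05-01T11:00", "WO-101", "regression_test", "qa1", "quality", "pass"),
    Event("2006-05-01T12:00", "WO-101", "business_authorization", "biz1", "business", "approved"),
    Event("2006-05-01T13:00", "WO-101", "deploy", "ops1", "operations", "production"),
    # WO-102: a programmer authorizes and deploys their own untested change.
    Event("2006-05-02T09:00", "WO-102", "code_change", "dev2", "programmer", "report.c"),
    Event("2006-05-02T09:10", "WO-102", "business_authorization", "dev2", "programmer", "self-approved"),
    Event("2006-05-02T09:30", "WO-102", "deploy", "dev2", "programmer", "production"),
    # Program deletions: one without any explanation, one with.
    Event("2006-05-03T15:00", "WO-103", "program_delete", "dev1", "programmer", ""),
    Event("2006-05-03T15:05", "WO-104", "program_delete", "dev1", "programmer", "retired; replaced under WO-101"),
]


def by_work_order(events):
    """Group events by work order, each group sorted into time order."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev.work_order].append(ev)
    return {wo: sorted(evs, key=lambda e: e.time) for wo, evs in groups.items()}


def unexplained_deletions(events):
    """Work orders whose program deletion carries no recorded explanation."""
    return [ev.work_order for ev in events
            if ev.kind == "program_delete" and not ev.detail.strip()]


def deployment_findings(events):
    """(work_order, message) pairs for deployments lacking required evidence."""
    findings = []
    for wo, evs in by_work_order(events).items():
        deploys = [e for e in evs if e.kind == "deploy"]
        if not deploys:
            continue
        deploy = deploys[0]
        before = [e for e in evs if e.time < deploy.time]
        programmers = {e.actor for e in before if e.kind == "code_change"}
        auths = [e for e in before if e.kind == "business_authorization"]
        if not auths:
            findings.append((wo, "deployed without prior business authorization"))
        for a in auths:
            # Authorization must come from the business, never from the author.
            if a.role not in BUSINESS_ROLES or a.actor in programmers:
                findings.append((wo, f"authorization by {a.actor} ({a.role}) is not segregated from development"))
        if not any(e.kind == "regression_test" for e in before):
            findings.append((wo, "deployed without a recorded regression test result"))
        if deploy.actor in programmers:
            findings.append((wo, f"programmer {deploy.actor} deployed their own change"))
    return findings


if __name__ == "__main__":
    for wo in unexplained_deletions(SAMPLE_EVENTS):
        print(f"{wo}: program deletion without explanation")
    for wo, msg in deployment_findings(SAMPLE_EVENTS):
        print(f"{wo}: {msg}")
```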

The following charts and flow diagram show IT Programs in relation to the Software Development Lifecycle. The triangle objects represent audited CobiT controls, with focus on AI7 and including additional controls from supporting programs.

Figure 14. Process Inputs and Outputs, RACI Chart for AI7 as found in CobiT 4.0, Copyright of ISACA

Goals and Metrics as described in CobiT 4.0, Copyright of ISACA

Figure 15. Process Flow Diagram: How are software development artifacts captured in system event logs and software design templates?

Controls and Application Controls
When do I need to document specific control processes?
The output of any policy or process includes a list of quality measures. Quality is measured by a set of controls or tests, each designed to provide feedback or align our actions to those policies and procedures.

A control over process is characterized by the ability to:
- Communicate repeatable intention
- Execute as planned (Implementation Plan)
- Measure (Risk Measurement & Impact Analysis)
- Record (Management Reporting & KPI)
- Respond (Thresholds)
- Archive (Defined Data Retention)

Controls require a visible and recognized:
- Name
- Owner
- Method (Automation or Manual)
- Program
- Frequency
- Test
- Activity Definition
- Location
- Test Evidence
- Information Processing Objective
- Sequence ID and method of tracking

How do we manage all these requirements?

MKS Integrity Manager for process and workflow management of enterprise software development
MKS Integrity Manager is an excellent example of software tools providing flexible process and workflow management, while facilitating common best practice for managing software development. This tool seamlessly marries with MKS Source Integrity Enterprise for full enterprise software configuration management, is the foundation for MKS Requirements for requirements management, and integrates other developer productivity tools to leverage software investments and enhance coverage of the software.

MKS Integrity Manager image is copyright of MKS, http://www.mks.com

The MKS Integrity suite enables development as it occurs in a service delivery model. Inputs from Project Management and Help Desk are built into the workflow, with controls placed in points of emphasis to a program designed specifically for product development and release. An additional highlight is this product's ability to integrate with most known IDEs and to operate in any well established technology platform as it exists today. Even if popular voting for your personal IT motto puts "you can't please everyone" in a tie with "did you want it good or did you want it fast?", MKS offers a degree of supplanted process maturity representing a bump to at least level two across most maturity measures of SDLC (see Maturity Model in text below). MKS Integrity Manager integrates IT processes, platforms and tools while guiding software development teams through the most common inputs and outputs, rat holes and handshakes found among all IT shops today.

How mature do we really need to be?

Figure 16. Maturity Toolbox, as represented by ISACA and CMU as the common maturity model or CMM

Install and Accredit Solutions and Change is a significantly important control for any IT organization. Without these controls existing to some level, it is unlikely that any form of business could thrive. Consider, however, that most companies could be described as having attributes resembling the descriptions for initial or repeatable maturity. Would this be mature enough to achieve the milestone found in the Enterprise Strategy? That is a decision for each company and its leaders. Here are some of the CobiT maturity definitions for the Install and Accredit Solutions and Change process area.

CobiT 4.0 defines Repeatable to Optimized SDLC-related practice in the following way:

* (Install and Accredit Solutions and Changes) Repeatable but Intuitive: There is some consistency amongst the testing and accreditation approaches, but typically they are not based on any methodology. The individual development teams normally decide the testing approach and there is usually an absence of integration testing. There is an informal approval process.

Defined Process: A formal methodology relating to installation, migration, conversion and acceptance is in place. IT installation and accreditation processes are integrated into the system life cycle and automated to some extent. Training, testing and transition to production status and accreditation are likely to vary from the defined process, based on individual decisions. The quality of systems entering production is inconsistent, with new systems often generating a significant level of post-implementation problems.

Managed and Measurable: The procedures are formalized and developed to be well organized and practical with defined test environments and accreditation procedures. In practice, all major changes to systems follow this formalized approach. Evaluation of meeting user requirements is standardized and measurable, producing metrics that can be effectively reviewed and analyzed by management. The quality of systems entering production is satisfactory to management even with reasonable levels of post-implementation problems. Automation of the process is ad hoc and project dependent. Management may be satisfied with the current level of efficiency despite the lack of post-implementation evaluation. The test system adequately reflects the live environment. Stress testing for new systems and regression testing for existing systems are applied for major projects.

Optimized: The installation and accreditation processes have been refined to a level of good practice, based on the results of continuous improvement and refinement. IT installation and accreditation processes are fully integrated into the system life cycle and automated when appropriate, facilitating the most efficient training, testing and transition to production status of new systems. Well developed test environments, problem registers and fault resolution processes ensure efficient and effective transition to the production environment. Accreditation takes place usually with no rework, and post-implementation problems are normally limited to minor corrections. Post-implementation reviews are standardized, with lessons learnt channeled back into the process to ensure continuous quality improvement. Stress testing for new systems and regression testing for modified systems are consistently applied.

* (Spelling is altered for US English)

Not every organization will set SDLC targets on optimized, but one thing is certain. Any organization with strategy towards level five Software Development practice needs evidence of system-based controls as seen in the MKS Integrity Manager Suite.

Figure 17. How are software development artifacts captured in system event logs and software design templates?
Test Scripts, Utilities and Event Tracking Systems
What Is A Test Script Or Test Template?
Programs, systems and releases have associated tests and test results. QA and Security maintain secure test plans and test results. Tests related to Software Quality are run from, and secured in, the [Name of Testing or Quality Assurance Application] Application.

Security scripts and networking utilities are maintained in a secure location with the highest degree of limited access. These items are, by design, neither visible nor accessible to the general user.

Where Do I Find QA Test Templates?
Test templates are maintained in the QA Process directory:
\\...\PAL\ITProcessAssetLibrary\QualityAssurance\Template\
Security Program Test templates are maintained in the Security Management directory:
\\...\PAL\ITProcessAssetLibrary\SecurityManagement\ProgramTestPlans\

Assets, Inventories and Configuration Baselines
Networking devices, servers and application servers have both inventory and configuration control requirements. Configuration baseline refers to the minimum secure configuration applied to any device at build. Changes to the configuration beyond this point are associated to business requirements, product release and project management. Data Center Operations and Support manage an inventory of items and baseline configuration. These records are tables in Facilitated Compliance Management but are scheduled to be moved into [Name of core product or service].

Where configuration records include IP addressing and other information that could be used to compromise network security, the information is not made available beyond persons who support networking and [Name of core product or service] platform availability.

When Do I Need To Create A Controlled Server Object?

Consider whether the following statements are true.

Figure 18. Should I document a controlled server in our system inventory database?

Where Are Devices Inventoried As Assets?
Controlled Server Records will reside in [Name of core product or service] but are currently staged in Facilitated Compliance Management.

Where Do I Find Server Control Records?
\\...\pal\FacilitatedComplianceManagement\ShortcuttoControlledServersinFacilitated Compliance Management

Figure 19. Controlled Server Form

Figure 20. Each controlled item has associated security exemptions and standard OS and Application build

Which Tools Store Server and Application Information?
The data center maintains a list of devices and tools or applications with their respective controls and resource owners. This information is maintained in Facilitated Compliance Management. All systems, applications or Tools are inventoried assets. Software Control applications must address all points of handoff in a software development and support lifecycle.

Where Is The List Of Tools And Tool Types?
Tools and Tool types are listed in the Tools and Tool Type table in the Facilitated Compliance Management 2000 FCM database. Servers and devices are recorded in the Controlled Server Form, located in the Facilitated Compliance Management database.

Controls and Key Controls
When Do I Need To Document A Control Object?
Control practices provide reasonable assurance that business rules exist and are optimized such that the negative impact of undesirable events is captured, responded to and mitigated. IT Control is the right mixture of policies, procedures, practices and organizational structures that assure business objectives are met, while preventing, detecting or correcting any or all undesired events.

Control Definitions exist within each process and are an inherent feature in policy.

Control Over Process Is Demonstrated When It:
- Communicates repeatable intention
- Executes as planned (Implementation Plan)
- Measures (Risk Measurement & Impact Analysis)
- Records (Management Reporting & KPI)
- Archives (Defined Data Retention)

Control Items capture:
- Control Name
- Owner
- Control Method (Automation or Manual)
- Program
- Frequency
- Test Information
- Activity Definition
- Location of Test and Test Evidence
- Information Processing Objective
- Sequence ID and Key Tracking
For more information, review section Document Elements: Flow Diagram, Visio Shapes and Custom Properties for Evidence of Process Controls.

Where Are Controls Catalogued?
Controls are catalogued by Name, Associated Processes and Owners within Technology's [Name of core product or service] system. The information is used for ongoing Control Self Assessment and Compliance Documentation. Controls are catalogued in Facilitated Compliance Management and in [Name of core product or service]. Controls are also identified within every Process Flow Diagram and Program Definition. Key Controls align to the CobiT framework and are visible on the Control Self Assessment form within Facilitated Compliance Management.

Figure 21. What Process Engineering, Auditors and Quality Gather Regarding Corporate Key Controls

Process Diagrams call information from the Facilitated Compliance Management database. Key controls pull information from the Key Controls Table.

Example of a Key Control

Figure 22. Key Controls Form

Where Do I Find The Form or Template?
http://www.COMPANY.com Technology Controls (Login Required)
\\...\PAL\Templates\InternalControlTestingTemplate.dot
Product, Application Development and Quality Templates

| Object Name | Function | Owners | Approve Date |
| --- | --- | --- | --- |
| Change Committee Review Board | The Change Committee Review Board Template guides the completion of documentation for the purpose of enterprise or high priority/impact Change Management. | [Name of Chief Technology Officer] | |
| Change Review Board Checklist | Checklist identifies validation items before a change control can be approved or closed. | [Name of Chief Security Officer] | |
| Emergency Deployment Authorization | Emergency code change requires written approval by Quality, Development, and CTO. The Emergency deployment form represents signed approval by all necessary parties and is submitted to the Network or Data Center Operations prior to emergency deployment of code to production. Emergency change is subject to Change Management policy and is reviewed prior to and post change implementation. | [Name of Chief Technology Officer], [Name of Quality Assurance Manager] | |
| High Level Test Plan | Template is used to document high level aspects of a test plan. | [Name of Chief Security Officer], [Name of Chief Technology Officer] | |
| ICQ Physical Security | Template is used to generate a new unique instance of ICQ Physical Security. Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\IT ProcessAssetLibrary\Processand Procedures\SecurityManagement\Template\ folder. | [Name of Chief Security Officer], [Name of Chief Technology Officer] | |
| ICQ Security Policy | Template is used to generate a new unique instance of ICQ Security Policy. Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\IT ProcessAssetLibrary\Processand Procedures\SecurityManagement\Template\ folder. | | |
| Implementation Planning Template | Provides documentation format for an implementation. | [Name of Process Librarian] | |
| Internal Control Testing Template | Template is used to document all aspects of testing an internal control. | [Name of Process Librarian] | |
| Meeting Agenda and Minutes.dot | | [Name of Process Librarian] | |
| Meeting Form Letter | This letter is linked in console as a template. | [Name of Process Librarian] | |
| Meeting Minutes Template.dot | | [Name of Process Librarian] | |
| Network Change Identification Form | Template is used when changes and/or security violations are found on the network, to systems, or to servers that did not go through the formal change control process. | [Name of Chief Security Officer] | |
| Policy Profile | | [Name of Process Librarian] | |
| Process Profile Template | Template is used to document all areas of a process. | [Name of Process Librarian] | |
| Program Profile Template | Template is used to document all areas of a program. | [Name of Process Librarian] | |
| Project Charter | Template is used to document the scope, assurance and resources of a project. | | |
| Project Plan Definition | Template is used to document all areas of a Project Plan. | | |
| QA Planning Kickoff CheckList | Template is used to guide documents and tasks needed prior to QA Planning. | | |
| Request For Exemption | Template is used to document all areas of risk associated with requested exemption. | [Name of Chief Security Officer] | |
| Request For Removal of Media | Template is used to generate a new unique instance of Request For Removal of Media Template. Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\ITProcessAssetLibrary\Processand Procedures\SecurityManagement\Template\ folder. | [Name of Chief Security Officer], [Name of Chief Technology Officer] | June 23, 2005 |
| Requirements Completeness Checklist | Template is used to guide review of requirements to assure completeness across all areas. | [Name of Product or Project Management Director] | |
| Risk Criteria | Template is used to generate a new unique instance of Risk Criteria Template. Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\IT ProcessAssetLibrary\Processand Procedures\SecurityManagement\Template\ folder. | | |
| Run Book Security Section What to Describe | Template is used to generate a new unique instance of Run Book Security Section What to Describe Template (for financial/high risk servers). Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\ITProcessAsset Library\ProcessandProcedures\Security Management\Template\ folder. | | |
| Secure Email and File Transfer | Template is used to document electronic security regarding email and file transfer. | [Name of Chief Security Officer] | |
| Security Infrastructure Plan | The purpose of the Security Infrastructure Plan is to establish strategic, tactical and annual information security plans for COMPANY. | [Name of Chief Security Officer] | |
| Security Program and Program Test Profile | Template is used to generate a new unique instance of Security Program and Program Test Profile Template. Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\ITProcessAsset Library\ProcessandProcedures\Security Management\Template\ folder. | [Name of Chief Security Officer] | |
| Situation Evaluation Form | Template is used to capture and fully develop and analyze security risks. | Thom Gray, [Name of Product or Project Management Director] | |
| Software Requirement Specifications Template | Template is used to document all requirements for software. | [Name of Chief Security Officer], [Name of Chief Technology Officer] | |
| Run Book Template | The Run Book or System Documentation book contains information necessary to run and maintain a core business system. In the event of emergency staffing change, this document serves to guide a new employee through the support of this system. | | |
| System Operational Requirement | Template is used to document all operational requirements for a system. | | |
| Test Plan Template | Template is used to document all areas of a Test Plan. | | |
| User Access Program Checklist | Template is used to generate a new unique instance of User Access Controls Work Program Template. Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\ITProcessAsset Library\ProcessandProcedures\Security Management\Template\ folder. | [Name of Chief Security Officer], [Name of Chief Technology Officer] | |
| Employee Warning Notice | Template is used to warn an employee when they do something inappropriate and how to improve. | | |
| Job Analysis Questionnaire | Job Analysis Questionnaire template is used to describe employees' responsibilities and duties among other things. | | |
| Job Description Template | Template is used to provide a brief description of the general nature of the position, an overview of why the job exists, and what the job is to accomplish. | | |


Which Tool Stores Process and Work Instruction Information?
Process Engineering manages a list of all Work Instructions and Processes in the Facilitated Compliance Management Object table. There are a variety of reports that summarize the function for all processes as well as provide an overview of all process flow diagrams.

Figure 23. Facilitated Compliance Management provides summary reports for many object types

Figure 24. Facilitated Compliance Management allows the Process Librarian to capture and catalogue all process objects

Flow Diagram
When Do I Use A Flow Diagram?
Flow Diagrams are developed to provide a high level summary of steps in any process or procedure. They are High Level, not vague. Controls are also listed in Flow Diagrams, further demonstrating constraints that either prevent error or reinforce correct movement. Key control template objects are created by process engineering in response to the current controls in scope for audit. These items detail all aspects that control a process.

Figure 25. Sample of A Business Process

Visio Shapes and Custom Properties for Evidence of Process Controls

| Name* | Description* |
| --- | --- |
| Process Title (Date, Affirmation Team) | Document Title, Scope, Revision, Release Date, Editors, Affirmation Team. Always Sequence 0.0 |
| Parent Process (indicates another process diagram) | Reference to other process documents and to full processes outside of the scope of the current document. Part of process sequence |
| Activity | Identifies process activity, noting control issues and potential gaps, owners and event sequence. Part of process sequence |
| #.# Decision | Decision point and criteria for movement. Part of process sequence |
| Grouping Box | Grouping allows representation of simultaneous events. Sequence should parent-child the subgroup of activities |
| Loop Limit | Loop limits usually reflect key controls |
| Data Management | What data is used, how is it classified, retained, transferred, accessed. List of external documents used to complete the process, status of use in controls evidence, creation frequency, description of use. Sequence is always 9.9 so that all data sources are clustered to the bottom of the process report. |
| Trigger and Exit Criteria | Exit and entrance criteria for movement from one activity to the next. Where criteria for movement are monitored by a system and are critical to control activity, this should be filled in. Where this is true, there would be an expected control. Sequence is always 0.1 so that all triggers and exit criteria are clustered to the top of the process report. |
| Control Documentation Object | Drop-down menu choices include common language for defining controls as expressed by ISACA, PCAOB, PwC, E&Y, KPMG, Deloitte and SANS. Information entered to this area is available to controls reporting for this process. The sequence is used to align the control to the associated activities that use this control. Where a control is used in multiple instances, it need only be described once and then mentioned on the activity object. When a control is inadequate, the issue is identified in the GAP commentary of the activity needing more stringent control. This forces the relative risk of the control gap to be evident to the viewer and writer. |
| Database | Database name and DBA/SA owners. Sequence is always 9.8 so that all data sources are clustered to the bottom of the process report. |

Figure 26. Process Objects with properties

Acronym Glossary and Definitions

| Acronyms | Definition |
| --- | --- |
| Approver | An individual who reviews the change to ensure the integrity and reliability of the document and grants approval for the document to be posted. |
| Document Owner | Manager designated as having ownership of all documents associated with the production system and, thereby, having the authority to change it. |
| Dual control | Two people are required for an important activity to be accomplished. |
| Employee | Person, including contractors and temporary staff, who have been granted access to ARL resources. |
| Owner | Manager of a department or business unit responsible for production processes, systems, applications, platforms or users. In accordance with Information Security policies and standards, owners determine the level of sensitivity and confidentiality of their information. As such, they determine changes, access and dissemination of their information. |
| Activity | An element of work performed during the course of a project. An activity normally has an expected duration. |
| CISA | Certified Information Systems Auditor |
| CobiT | The COBIT (Control Objectives for Information and Related Technology) framework was released in 1996 and updated in 1998 and 2000 by the Information Systems Audit and Control Association (ISACA) in response to the need for a reference framework for security and control in information technology. In 2000, the IT Governance Institute and ISACF developed the Management Guidelines for COBIT. These guidelines respond to a need by Management for control and measurability of IT, for the purpose of ensuring that IT activities achieve business objectives. |
| Control | The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. |
| Document or Source Document | A sample document that adheres to the criteria necessary for completion of a process and includes the essential contents defined in the template. |
| Function | A group of related actions contributing to a larger action. Security Policy, Access Control, and Perimeter Security represent security functions. |
| IT Control Objective | A statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity. |
| ITIL | Information Technology Infrastructure Library |
| Process | A series of tasks that transform inputs into desired outputs. The term procedure is sometimes used interchangeably with process in this methodology. Administer Accounts, Perform Risk Assessment, Audit Perimeter Security, Install Hardware are examples. |
| Process Management Architecture | A high level description of the system that provides a fully integrated Knowledge Base [of process information]. The Knowledge Base in turn provides control of process change and access to all processes and procedures. |
| Task | A task is a specific action performed as part of a process. Disable accounts, Interview Network Manager, and run Crack on the Unix machine are examples of security tasks. |
| Template | A skeleton document, spreadsheet, or graphic presentation that represents the essential requirements for deliverable content. |

Comprehensive Glossary of all Corporate Terms
\\...\pal\FacilitatedComplianceManagement\ShortcuttoGlossaryinFacilitatedCompliance Management2000FCM.MAT

Related Documents
The CobiT 4.0 (Control Objectives for Information and Related Technology) framework was released in 1996 and updated in 1998 and 2000, and most recently in 2005, by the Information Systems Audit and Control Association (ISACA) in response to the need for a reference framework for security and control in information technology. In 2000, the IT Governance Institute and ISACA developed the Management Guidelines for COBIT. These guidelines respond to a need by Management for control and measurability of IT, for ensuring that IT activities achieve business objectives. http://www.isaca.org/cobithorizon.htm

The IT Infrastructure Library, ITIL, is a series of documents that are used to aid the implementation of a framework for IT Service Management (ITSM). This framework defines how Service Management is applied within specific organizations. Being a framework, it is completely customizable for application within any type of business or organization that has a reliance on IT infrastructure. http://www.itil-itsm-world.com/

Project Management Skill and Knowledge Requirements in an Information Technology Environment (ISACA), http://www.phoenixprocessconsulting.com/security/ProcessProject/projectmanagement.pdf

Extended Bibliography
- Agency Security Practices. STIGs, Security Technical Implementation Guides. Retrieved December 1, 2005 from http://csrc.nist.gov/pcig/cig.html.
- ACLU (American Civil Liberties Union). Free Speech. Retrieved November 1, 2005 from http://www.aclu.org/freespeech/index.html.
- AICPA, American Institute of Certified Public Accountants. Retrieved December 1, 2005 from http://www.aicpa.org/index.htm.
- ANSI. U.S. National Conformity Assessment Principles. Retrieved December 1, 2005 from http://www.ansi.org/conformity_assessment/ncap.aspx?menuid=4.
- Berinato, Scott, Darwin Magazine, http://www.darwinmag.com/read/0502/apples.html.
- BSI, British Standards Institute, "BS ISO/IEC 17799:2005", in British Standard ISO/IEC 27001:2005, London, United Kingdom: The Stationery Office, 2005.
- CESG (UK) & NIST (USA). Common Criteria, An Introduction. Retrieved December 1, 2005 from http://www.commoncriteriaportal.org/public/files/ccintroduction.pdf. Note: "The Common Criteria work is an international initiative by the following organizations: CSE (Canada), SCSSI (France), BSI (Germany), NLNCSA (Netherlands), CESG (UK), NIST (USA) and NSA (USA)", p. 2.
- CIS, Center for Internet Security. CIS Benchmarks/Scoring Tools. Retrieved December 1, 2005 from http://www.cisecurity.org/bench.html.
- CISWG (2004). Corporate Information Security Working Group, Report of the Best Practices and Metrics Teams. Retrieved December 1, 2005 from http://www.educause.edu/ir/library/pdf/CSD3661.pdf.
- Clark, James Bryce (jamie.clark@oasis-open.org), Shearman & Sterling, New York, http://www.oasis-open.org/who/tab.php#jclark.
- CMU/SEI, Carnegie Mellon University/Software Engineering Institute. Retrieved December 1, 2005 from http://www.sei.cmu.edu/.
- COBIT. "Is a product of ISACA, a global not-for-profit professional membership organization focused on IT Governance, assurance and security, with more than 60,000 members in more than 140 countries. ITGI undertakes research and publishes COBIT, an open standard and framework of controls and best practice for IT governance." ISACA, Information Systems Audit and Control Association. http://www.isaca.org/. http://www.isaca.org/Template.cfm?Section=CobiT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981.
- COSO, Committee of Sponsoring Organizations of the Treadway Commission. Retrieved December 1, 2005 from http://www.coso.org/.
- Deming, Edwards (1986), "14 Points for Management", in Out of Crisis, 1986, Cambridge: The MIT Press, http://www.deming.org/resources/books.html.
- EDUCAUSE & Internet2, Computer and Network Security Task Force, EDUCAUSE/Internet2 Computer and Network Security Task Force. Governance Assessment Tool for Higher Education, http://www.educause.edu/ir/library/pdf/SEC0421.pdf.
- ECS, Education Commission of the States (2002). Citizenship Education Inclusion in Assessment and Accountability Systems. Retrieved December 1, 2005 from http://mb2.ecs.org/reports/Report.aspx?id=107.
- FASP, Federal Agency Security Practices, "STIGs, Security Technical Implementation Guides", http://csrc.nist.gov/pcig/cig.html.
- FERF, Financial Executives Research Foundation, http://www.fei.org/rf/.
- FFIEC, Federal Financial Institutions Examination Council. Retrieved November 1, 2005 from http://www.ffiec.gov/.
- FIPS, Federal Information Processing Standards Publication, http://www.itl.nist.gov/fipspubs/.
- Frye, Emily, Cybersecurity and Corporate Governance Now: Does It Take Liability to Get Attention?, in American Bar Association, Section Of Science & Technology Law, Chicago 2005, http://www.documation.com/aba/pdfs/004.pdf.
- GAAP, Generally Accepted Accounting Principles, http://www.fasab.gov/accepted.html.
- GAO Accounting and Information Division (1999). FISCAM, Federal Information System Controls Audit Manual Volume I: Financial Statement Audits, Washington: Government Accountability Office. Retrieved December 1, 2005 from http://www.gao.gov/special.pubs/ai12.19.6.pdf.
- GAP, Government Accountability Project, http://www.whistleblower.org/template/index.cfm.
- Gibaldi, Joseph (2003), MLA Handbook for Writers of Research Papers, 6th Edition, http://www.mla.org/handbook.
- GPO, Government Printing Office. Retrieved December 1, 2005 from http://www.gpoaccess.gov/index.html.
- Gruber, Tom, What is an Ontology?, KSL, Knowledge Systems, AI Laboratory, Stanford University. Retrieved December 1, 2005 from http://www-ksl.stanford.edu/kst/what-is-an-ontology.html. Note: "An ontology is an explicit specification of a conceptualization. [...] We use common ontologies to describe ontological commitments for a set of agents so that they can communicate about a domain of discourse without necessarily operating on a globally shared theory."
- IEC, International Electrotechnical Commission. Retrieved December 1, 2005 from http://www.iec.ch/.
- ISSA, Information Systems Security Association. Retrieved December 1, 2005 from http://www.issa.org/.
- ISO 16609:2004 Banking. Requirements for message authentication using symmetric techniques.
- ISO/TR 17944:2002 Banking. Security and other financial services. Framework for security in financial systems.
- ISO/TR 19038:2005 Banking and related financial services. Triple DEA Modes of operation. Implementation guidelines.
- ISO TC Portal. Standards Development Processes. Retrieved December 1, 2005 from http://isotc.iso.org/livelink/livelink/fetch/2000/2122/3146825/4229629/sds_base.htm.
- ISO & CASCO, ISO/IEC Guide 60:2004 Conformity Assessment Code of Good Practice, Geneva: ISO Store.
RetrievedDecember1,2005from http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=37035&ICS1=3&ICS2=120&IC S3=20&showrevision=y. ISO.Generalinformationontechnicalcommittees.RetrievedDecember1,2005from http://www.iso.ch/iso/en/stdsdevelopment/tc/TC.html. ISO."AchievingOptimalOutput",inISOAnnualReport2004,2004,Chapter4.RetrievedDecember1,2005 from http://www.iso.ch/iso/en/aboutiso/annualreports/pdf/chapter4.pdf. ISO.TheAgreementontechnicalcooperationbetweenISOandCEN(ViennaAgreement).RetrievedDecember 1,2005from http://isotc.iso.org/livelink/livelink.exe/fetch/2000/2122/3146825/4229629/4230450/4230458/customview.html?f unc=ll&objId=4230458&objAction=browse&sort=subtype ITGI,ITGovernanceInstitute.RetrievedDecember1,2005http://www.itgi.org.Note:ITGIdescribesitselfas "TheITGovernanceInstitute(ITGI)existstoassistenterpriseleadersintheirresponsibilitytoensurethatITis alignedwiththebusinessanddeliversvalue,itsperformanceismeasured,itsresourcesproperlyallocatedandits risksmitigated."and"[ITGI]isanotforprofitresearchorganizationaffiliatedwiththeInformationSystems AuditandControlAssociation ITGI&OGC(2005).AligningCOBIT,ITILandISO17799forBusinessBenefit.RetrievedDecember1, 2005from http://www.isaca.org/.
Copyright2006,PhoenixBusinessandSystemsProcess,Inc.Needham,MA,USA, MorefromPhoenixBusinessandSystemsProcess,http://www.pbandsp.com Page 27 of 80

ProcedureGuidelinesandControlsDocumentation

RobinBasham,M.IT,M.Ed.,CISA

ITGI&ISACA(2004).COBITMapping,OverviewofInternationalITGuidance.RetrievedDecember1,2005 from http://www.isaca.org/Content/ContentGroups/Research1/Deliverables/CobiT_Mapping_Paper_6jan04.pdf. ITGI&ISACA(2004).ItControlObjectivesforSarbanesOxley:TheImportanceofItintheDesign, ImplementationandSustainabilityofInternalControloverDisclosureandFinancialReporting.Retrieved December1,2005from http://www.isaca.org/Content/ContentGroups/Research1/Deliverables/IT_Control_Objectives_for_Sarbanes Oxley_7july04.pdf. ITTF,ISO/IECInformationTechnologyTaskForce.RetrievedDecember8,2005 http://isotc.iso.org/livelink/livelink/fetch/2000/2489/Ittf_Home/ITTF.htm.Note:ITTFmaintainsaccesstoall freelyavailableISOstandards,alistthatgrowsdaily,andonDecember8,2005included253freeISOstandards. ITIL,InformationTechnologyInfrastructureLibrary.RetrievedDecember1,2005 http://www.ogc.gov.uk/index.asp?id=2261. ITTF.FreelyAvailableStandards.InaccordancewithISO/IECJTC1andtheISOandIECCouncilsthese InternationalStandardsarepubliclyavailable.RetrievedDecember1,2005from http://isotc.iso.org/livelink/livelink/fetch/2000/2489/Ittf_Home/ITTF.htm.Note:Thestandardsareavailablefor downloadattheITTFwebsite.Thisdoesnotimply freeuseorpermissiontocopyanymaterialsfound.The filesareinzipformat.Ihadnodifficultywiththembutalwaysuseastagingaretorunadditionalanti virus/spywarebeforeopeninganyonesfiles: http://standards.iso.org/ittf/PubliclyAvailableStandards/c040612_ISO_IEC_154081_2005(E).zip, http://standards.iso.org/ittf/PubliclyAvailableStandards/c040613_ISO_IEC_154082_2005(E).zip,& http://standards.iso.org/ittf/PubliclyAvailableStandards/c040614_ISO_IEC_154083_2005(E).zip KNET.RetrievedDecember1,2005http://www.isaca.org/knet.Note:KNETisprovidedbyISACAasa professionalresourceanddescribesitas"aglobalknowledgenetworkforITGovernance,Controland Assurance"andKNETcontainsover5,200peerreviewedwebsiteresourcespertainingtoknowledgecovering 
ITGovernance,Assurance,SecurityandControl.FullaccesstoKNETisreservedforassociationmembers.In addition,apersonalizedtrackingfeature[].Referenceitemsareorganizedintologicalcategoriesofinterestand concern". LawrenceW.Smith,"TheFASBsEffortsTowardSimplification",inTheFASBReport,February28,2005. RetrievedDecember1,2005from http://www.fasb.org/articles&reports/fasb_efforts_toward_simplification_tfr_feb_2005.pdf.Note:Thisarticle summarizingBobHerz,FASBchairmanofFinancialAccountingStandardsBoardtoshowthecomplexityof GAAPasitrelatestoapplicationofconsistentstandardsandcodificationinthecurrent180ofUSGAAParticles withinU.S.Code. McNamara,RobertS.andMorris,Errol,TheFogofWar:ElevenLessonsfromtheLifeofRobertS.McNamara, December2003. NARA,NationalArchivesandRecordsAdministration.RetrievedDecember1,2005 http://www.archives.gov/. NationalCouncilforScienceandtheEnvironment.CongressionalResearchServiceReports.RetrievedDecember 1,2005from http://www.ncseonline.org/NLE/CRS/. NASD,NationalAssociationofCorporateDirectors.RetrievedDecember1,2005http://www.nacdonline.org/. NHGRI,NationalHumanGenomeResearchInstitute.RetrievedDecember1,2005 http://www.genome.gov/. UnitedStatesCongress,"Circular92","CopyrightLawoftheUnitedStatesofAmericaandRelatedLaws ContainedinTitle17oftheUnitedStatesCode",inUnitedStatesCode,Title17(1976),Washington,U.S. GovernmentPrintingOffice,Chapters18&1012.

Copyright2006,PhoenixBusinessandSystemsProcess,Inc.Needham,MA,USA, MorefromPhoenixBusinessandSystemsProcess,http://www.pbandsp.com

Page 28 of 80

ProcedureGuidelinesandControlsDocumentation

RobinBasham,M.IT,M.Ed.,CISA

NIAC,NationalInfrastructureAdvisoryCouncil(February2003).TheNationalStrategytoSecureCyberspace, Washington:DepartmentofHomelandSecurity.RetrievedDecember1,2005from http://www.dhs.gov/interweb/assetlibrary/National_Cyberspace_Strategy.pdf. NISTInformationTechnologyLaboratory(2002),InternationalStandardISO/IEC17799:2000CodeofPractice forInformationSecurityManagement,FrequentlyAskedQuestions,RetrievedDecember1,2005from http://csrc.nist.gov/publications/secpubs/otherpubs/revisofaq.pdf. NIST,NationalInstituteofStandardsandTechnology.FIPS,FederalInformationProcessingStandards Publication.RetrievedDecember1,2005from http://www.itl.nist.gov/fipspubs/. NISTSP80053DatabaseApplicationisavailablefordownloadathttp://csrc.nist.gov/seccert/download800 53database.html NHGRI,NationalHumanGenomeResearchInstitute,http://www.genome.gov/. NSSN,NationalStandardsSystemsNetwork,"STAR,StandardsTrackingandAutomatedReporting,Services", http://www.nssn.org/star_intro.html. NISO,NationalInformationStandardsOrganization.RetrievedDecember1,2005 http://www.niso.org/index.html. NormanWalsh&LeonardMuellner,DocBook:TheDefinitiveGuide,O'Reilly&Associates,Inc.,Version1.0.2 (1999).RetrievedDecember1,2005from http://www.oreilly.com/catalog/docbook/chapter/book/docbook.html. Note:ThisistheofficialdocumentationforDocBook.&BobStayton,DocBookXSL:TheCompleteGuide, SagehillEnterprises,ThirdEdition(2005).RetrievedDecember1,2005from http://www.sagehill.net/docbookxsl/.Note:ThisisthedefinitiveguidetousingtheDocBookXSLstylesheets.It providesthenecessarydocumentationtorealizethefullpotentialofDocBook OASIS(2005).SecurityAssertionMarkupLanguage(SAML)v2.0.RetrievedDecember1,2005from http://www.oasisopen.org/specs/index.php#samlv2.0,&http://docs.oasisopen.org/security/saml/v2.0/saml2.0 os.zip. OfficeofManagementandBudget."CircularNo.A130Revised",inTransmittalMemorandumNo.4, MemorandumForHeadsOfExecutiveDepartmentsAndAgencies.RetrievedDecember1,2005from http://www.whitehouse.gov/omb/circulars/a130/a130trans4.html. 
OfficeofManagementandBudget."CircularNo.A119Revised,AccompanyingFederalRegisterMaterials",in FederalParticipationintheDevelopmentandUseofVoluntaryConsensusStandardsandinConformity AssessmentActivities.RetrievedDecember1,2005from http://www.whitehouse.gov/omb/circulars/a119/a119.html. OGC,OfficeofGovernmentCommerce.RetrievedDecember1,2005 http://www.ogc.gov.uk.Note:As explainedbytheOGCas"[]aUKgovernmentorganizationresponsibleforprocurementandefficiency improvementsintheUKpublicsector.OGChasproducedworldclassbestpracticeguidance,includingPRINCE (projectmanagement),MSP(ManagingSuccessfulPrograms)andITIL(ITservicemanagement).ITILis usedthroughouttheworldandisalignedwiththeISO/IEC20000internationalstandardinservicemanagement." OGC,OfficeofGovernmentCommerce,"ICTInfrastructureManagement",inITILSeries,London,United Kingdom:TheStationaryOffice,2002. OntoWebProject,OntoWebWorkingGrouponProcessStandards,http://www.aiai.ed.ac.uk/project/ontoweb/. AmyKnutilla,CraigSchlenoff,StevenRay,StephenT.Polyak,AustinTate,ShuChiunCheahandRichardC. Anderson:"ProcessSpecificationLanguage:AnAnalysisofExistingRepresentations,"NISTIR6160,National InstituteofStandardsandTechnology,Gaithersburg,MD,1998. O'Reilly,Tim,WhatIsWeb2.0,DesignPatternsandBusinessModelsfortheNextGenerationofSoftware, 09/30/2005RetrievedDecember30,2005from
Copyright2006,PhoenixBusinessandSystemsProcess,Inc.Needham,MA,USA, MorefromPhoenixBusinessandSystemsProcess,http://www.pbandsp.com Page 29 of 80

ProcedureGuidelinesandControlsDocumentation

RobinBasham,M.IT,M.Ed.,CISA

http://www.oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/whatisweb20.html?page=1,WhatisWeb 2.0PricewaterhouseCoopersonbehalfofCOSO,COSO,EnterpriseRiskManagementIntegratedFramework, AICPA,Volume2, https://www.cpa2biz.com/CS2000/Products/CPA2BIZ/Publications/COSO+Enterprise+Risk+Management+ +Integrated+Framework.htm,&COSO(2005),InternalControl IntegratedFramework,GuidanceforSmaller PublicCompaniesReportingonInternalControloverFinancialReporting,AICPA,ExposureDraft, http://155.201.80.182/Coso/coserm.nsf/vwResources/PDF_IC/$FILE/COSO_FINAL_Draft_IC_Guidance.pdf. PricewaterhouseCoopers,IntegrityDrivenPerformance,WhitePaper(2004),Page34,Note: PricewaterhouseCoopers(www.pwc.com)providesindustryfocusedassurance,taxandadvisoryservicesfor publicandprivateclients.Morethan120,000peoplein139countriesconnecttheirthinking,experienceand solutionstobuildpublictrustandenhancevalueforclientsandtheirstakeholders. PricewaterhouseCoopersonbehalfofCOSO,COSO,EnterpriseRiskManagementIntegratedFramework, AICPA,Volume2.RetrievedDecember1,2005from https://www.cpa2biz.com/CS2000/Products/CPA2BIZ/Publications/COSO+Enterprise+Risk+Management+ +Integrated+Framework.htm.&COSO(2005),InternalControl IntegratedFramework.&Guidancefor SmallerPublicCompaniesReportingonInternalControloverFinancialReporting,AICPA,Exposure Draft. RetrievedDecember1,2005from http://155.201.80.182/Coso/coserm.nsf/vwResources/PDF_IC/$FILE/COSO_FINAL_Draft_IC_Guidance.pdf. Note:ThesearebothnotedbytheSECasappropriateframeworkintheimplementationofcontrolsassessment. Ross,Dr.RonandNIST,ProtectingFederalInformationSystemsandNetworks,AStandardsbasedSecurity CertificationProgramforOperationalEnvironments, http://cio.doe.gov/Conferences/Security/Presentations/RossRNIST.pps. (Dr.) RonRoss&NIST.ProtectingFederalInformationSystemsandNetworks,AStandardsbasedSecurity CertificationProgramforOperationalEnvironments.RetrievedDecember1,2005from http://cio.doe.gov/Conferences/Security/Presentations/RossRNIST.pps. 
Dr.RonRoss& TheOWASPFoundation.BuildingMoreSecureInformationSystems,AStrategyforEffectively ApplyingtheProvisionsofFISMA.RetrievedDecember1,2005from http://csrc.nist.gov/organizations/fissea/conference/2005/presentations/Ross/AbstractRoss.pdf. SANSInstitute,SysAdminAuditNetworkSecurityInstitute.December1,2005 http://www.sans.org/aboutsans.php. SkaddenBiography,MichaelS.Hines,http://www.skadden.com/index.cfm?contentID=45&bioID=2732. Smith,LawrenceW.,"TheFASBsEffortsTowardSimplification",inTheFASBReport,February28,2005, http://www.fasb.org/articles&reports/fasb_efforts_toward_simplification_tfr_feb_2005.pdf. SpaffordJr.,George,SpaffordGlobalConsulting,Inc.,SaintJoseph,MI,http://www.spaffordconsulting.com. Swanson,DanandSeccurisInc.,SecurityBenchmark,http://www.securitybenchmark.com. TheInstituteofInternalAuditors.GTAG,GlobalTechnologyAuditGuide.RetrievedDecember1,2005from http://www.theiia.org/index.cfm?doc_id=4706. TQM,TotalQualityManagement,http://www.managementhelp.org/quality/tqm/tqm.htm. U.S.DepartmentofLabor,BureauofLaborStatistics,OccupationalEmploymentandWages,November2004, http://www.bls.gov/oes/current/oes132011.htm. U.S.Navy,Benefits,"IncreasingContractorCommitment", http://www.ar.navy.mil/aosfiles/tools/turbo/topics/cj.cfm. UnitedStatesCongress&SubcommitteeonTechnology,InformationPolicy,IntergovernmentalRelationsand theCensus(2004).OversightHearingStatementbyAdamPutnam,Chairman,IdentityTheft:TheCauses,Costs,
Copyright2006,PhoenixBusinessandSystemsProcess,Inc.Needham,MA,USA, MorefromPhoenixBusinessandSystemsProcess,http://www.pbandsp.com Page 30 of 80

ProcedureGuidelinesandControlsDocumentation

RobinBasham,M.IT,M.Ed.,CISA

Consequences,andPotentialSolutions. http://www.reform.house.gov/UploadedFiles/Final%20Press%20Opening%20Statement%202.pdf,p.5. UnitedStatesCongress,"DMCA","DigitalMillenniumCopyrightAct",inPublicLaw105304,H.R.2281,S. 2037,&CongressionalRecordVol.144(1998),Washington:U.S.GovernmentPrintingOffice,112Stat.2860& 2905. UnitedStatesCongress,SarbanesOxleyActof2002,15U.S.C.7201(2002),"SarbanesOxleyActof2002", "SOX",inPublicLaw107204,H.R.3763,S.2673,&CongressionalRecordVol.148(2002),Washington:U.S. GovernmentPrintingOffice,116STAT.745810. UnitedStatesCongress,"HIPA","HealthInsurancePortabilityandAccountabilityActof1996",inPublicLaw 104191,H.R.3103,S.1028,S.1698,&CongressionalRecordVol.142(1996),110STAT.19362103. UnitedStatesCongress,"GLBA","GrammLeachBlileyAct",inPublicLaw106102,H.R.10,S.900,& CongressionalRecordVol.145(1999), Washington:U.S.GovernmentPrintingOffice,113STAT.13401481. UnitedStatesCongress,"FISMA","FederalInformationSecurityManagementActof2002",inPublicLaw107 347,H.R.245848,TitleIII,Washington:U.S.GovernmentPrintingOffice,SEC301305. U.S.DepartmentofHomelandSecurity.FEMA,FederalEmergencyManagementAgency.RetrievedDecember 1,2005from http://www.fema.gov/. UnitedStatesCongress."DMCA","DigitalMillenniumCopyrightAct",inPublicLaw105304,H.R.2281,S. 2037,&CongressionalRecordVol.144(1998),Washington:U.S.GovernmentPrintingOffice,112Stat.2860& 2905.Note:ReviewoftheDMCArevealsincontributionthenameofMikeS.Hines,whoisfrequentlyin discussiononvariousISACAandCMUsanctionedlistservices.MikecontributestotheInformationSecurity Managementgroup,underISACAsponsor,mailto:infosecmanager@orbit.sparklist.com.Recommendation, sendemailwiththewordjoininsubjectandnoothertextto infosecmanager@share.isaca.org.Hereisa chancetospeakwithafewEagles. 
UnitedStatesCongress,"ComputerSecurityEnhancementActof1997",inPublicLaw 100418,H.R.1903, CalendarNo.718,&ReportNo.105412(1998),SEC.114.Note:"ToamendtheNationalInstituteofStandards andTechnologyActtoenhancetheabilityoftheNationalInstituteofStandardsandTechnologytoimprove computersecurity,andforotherpurposes." UnitedStatesCongress,"CyberSecurityResearchandDevelopmentAct",inPublicLaw107305,H.R.3394,S. 2182,&CongressionalRecordVol.148(2002),Washington:U.S.GovernmentPrintingOffice,116STAT.2367 2382.RetrievedDecember1,2005from http://thomas.loc.gov/cgi bin/bdquery/z?d107:H.R.3394:@@@L&summ2=m&.FASP,Federal UnitedStatesCongress."ComputerFraudandAbuseAct",in18U.S.C.1030,1986.RetrievedDecember1, 2005from http://cio.doe.gov/Documents/CFA.HTM. VISAInternationalServiceAssociation,SecurityPrograms,http://corporate.visa.com/st/programs.jsp. Walsh,NormanandMuellner,Leonard,DocBook:TheDefinitiveGuide,O'Reilly&Associates,Inc,Version 1.0.2(1999), http://www.oreilly.com/catalog/docbook/chapter/book/docbook.html.

Copyright2006,PhoenixBusinessandSystemsProcess,Inc.Needham,MA,USA, MorefromPhoenixBusinessandSystemsProcess,http://www.pbandsp.com

Page 31 of 80

ProcedureGuidelinesandControlsDocumentation

RobinBasham,M.IT,M.Ed.,CISA

Risks and Associated Controls

Columns: Significance | Risk Items | Control | Likelihood * Impact | How implemented and actual review schedule

Significance: [RiskWatch id here]
Risk Item: Authorization. In addition to limiting access to documentation to within the corporate network, persons are further restricted from reading and modifying documents through the use of security properties on process asset folders. Approval to post or modify a process is in accordance with management's general policies and procedures. Access to assets is further restricted through the use of hyperlinks in place of attachments, enforcing limits for viewing documents based on the person's profile within the organization.
Control: PAL infrastructure is carefully managed by process engineering, with administrative controls as provided within Windows 2000 server and as enforced by the data owners.
Likelihood * Impact: 2*5

Risk Item: Configuration/Account Mapping Controls. System configuration controls restrict non-authorized users from deleting and modifying files. Process approval is required in order to post a new or modified process.
Control: Security is managed by Network or Data Center Operations and is enforced by Process Engineering and the Data Owner.
Likelihood * Impact: 1*5

Significance: [RiskWatch id here]
Risk Item: Interface/Conversion Controls. Data integrity (data is not changed or manipulated) and security (no one can access it). Interfaces/conversion includes controls in these areas: data management (date/time stamps, file names); processing (no missing, duplicate, or redundant data, to ensure completeness and accuracy); validation/reconciliation (online edits, batch totals) over the detection and correction of exceptions and errors.
Control: When data cannot be altered without explicit audit trail and approval, it is managed in VSS. When code or documentation appears changed, VSS allows for review of edits and rollback. Data integrity in code is assured via the promotion to production process, where code is tested in the Quality environment and then approved for movement. The PAL is backed up nightly and content change is evident via timestamp.
Likelihood * Impact: 2*5

Significance: [RiskWatch id here]
Risk Item: Key Performance Indicators (KPIs). Periodic review by Process Engineering enforces the goal of having processes documented for all management functional areas. Where information indicates a need for process optimization, process engineering notes this requirement and reviews timely completion of the required process change. Process engineering also catalogues reviews and guides process development and collection. There is risk that Management may fail to assure that procedures are finished in a timely manner or that existing processes are not routinely reviewed to insure their validity or usability.
How implemented and actual review schedule: The PAL XLS and inventories within the Facilitated Compliance Management database allow the Process Engineering team visibility on key performance of process items as required for SAS 70 audit and as agreed upon by department owners.
Likelihood * Impact: 3*5 (the continuation of this row on the following page shows 1*1 and 3*5)

Significance: [RiskWatch id here]
Risk Item: Risk of accidental or intentional distribution of classified, private and/or sensitive information.
How implemented and actual review schedule: Reconciliation of existing rights within the PAL to rights as designed and approved by department owners demonstrates that persons who should not have access to documentation types are segregated. Roles in the approval process deny persons authority to review and approve their own work. Documentation practice (hyperlink vs. attachment), manager enforcement of storing data in the proper file location, department role-based limits on user access, enforcing control-related Data Owners, document property capture of key control data and document classification are all control activities that make the likelihood of this risk negligible. Each business or management functional owner has access to modify contents inside their own area but cannot modify files outside their Process domain. The remaining risk is file shares that still require review for misplaced content.
Likelihood * Impact: 2*5
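The reconciliation described in the last two rows (actual PAL rights against the approved design, no subfolders where the inventory forbids them, and no one approving their own process change) can be run as a periodic check. The following is an added Python example, not code from this document or its author; the group names, folder export and approval records are constructed, and the folder names follow the PAL layout used in this document.

```python
"""Added example: reconcile PAL (Process Asset Library) folder rights, folder
structure and process approvals against the approved design.

All inputs are constructed for illustration: the management function and
document type folders follow the PAL layout in this document, while the
principals, exported grants and approval records are invented."""

# Approved design: management function folder -> department owner groups that
# may modify content inside it. (Constructed sample, not a real PAL design.)
APPROVED_MODIFY = {
    "Backup and Recovery": {"GRP_Operations"},
    "Change Management": {"GRP_ChangeBoard"},
    "Security Management": {"GRP_Security"},
}

# Document type subfolders per management function and whether further
# subfolders are allowed, as in the PAL contents table (False = "No").
INVENTORY = {
    "Backup and Recovery": {"Flowcharts": False, "Process and Procedure": False,
                            "Program Definition": False, "Template": False},
    "Change Management": {"Flowcharts": False, "Process and Procedure": False,
                          "Program Definition": False, "Template": False},
    "Security Management": {"Flowcharts": False, "Process and Procedure": False,
                            "Program Profiles": False, "Program Test Plans": False,
                            "Template": False},
}


def split_path(path):
    """'Change Management/Flowcharts/x' -> ('Change Management', ['Flowcharts', 'x'])."""
    parts = path.strip("/").split("/")
    return parts[0], parts[1:]


def rights_exceptions(grants, approved=APPROVED_MODIFY):
    """Flag modify rights held outside a principal's own process domain.
    grants: iterable of (folder_path, principal, right) exported from the share."""
    exceptions = []
    for path, principal, right in grants:
        function, _ = split_path(path)
        if function not in approved:
            exceptions.append(f"{path}: folder not in approved design")
        elif right == "modify" and principal not in approved[function]:
            exceptions.append(f"{path}: {principal} may modify but is not an owner")
    return exceptions


def structure_exceptions(folders, inventory=INVENTORY):
    """Flag subfolders where the inventory allows none, and document type
    folders that are not in the inventory. folders: iterable of folder paths."""
    exceptions = []
    for path in folders:
        function, rest = split_path(path)
        if not rest:
            continue  # the management function folder itself
        doc_type, below = rest[0], rest[1:]
        allowed = inventory.get(function, {})
        if doc_type not in allowed:
            exceptions.append(f"{path}: document type not in inventory")
        elif below and not allowed[doc_type]:
            exceptions.append(f"{path}: subfolders not allowed under {doc_type}")
    return exceptions


def sod_exceptions(approvals):
    """Flag process changes where the author approved their own work.
    approvals: iterable of (process_document, author, approver)."""
    return [f"{doc}: {author} approved own change"
            for doc, author, approver in approvals if author == approver]


def reconcile(grants, folders, approvals):
    """Run all three checks and group the findings by check name."""
    return {
        "rights": rights_exceptions(grants),
        "structure": structure_exceptions(folders),
        "separation_of_duties": sod_exceptions(approvals),
    }


# Constructed sample export from the PAL file share and approval log.
SAMPLE_GRANTS = [
    ("Backup and Recovery/Process and Procedure", "GRP_Operations", "modify"),
    ("Backup and Recovery/Process and Procedure", "GRP_AllStaff", "read"),
    ("Change Management/Flowcharts", "GRP_Operations", "modify"),  # outside own domain
    ("Vendor Docs/Contracts", "GRP_Legal", "modify"),              # not in the design
]
SAMPLE_FOLDERS = [
    "Backup and Recovery",
    "Backup and Recovery/Flowcharts",
    "Security Management/Program Test Plans/2005-Q4",  # subfolder where none allowed
    "Change Management/Scratch",                        # document type not in inventory
]
SAMPLE_APPROVALS = [
    ("Change Management/Process and Procedure/CM-Process.doc", "jdoe", "rsmith"),
    ("Backup and Recovery/Process and Procedure/BR-Process.doc", "alee", "alee"),
]

if __name__ == "__main__":
    for check, findings in reconcile(SAMPLE_GRANTS, SAMPLE_FOLDERS, SAMPLE_APPROVALS).items():
        print(check, findings or "clean")
```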
Figure 27. What Type of Document Should I Write?
ExampleofPALContentsFileLocation,DescriptionofUse
Management FunctionFolder DocumentType Subfolders ContentDescription Subfolders allowed Classification

ITProcessAssetLibrary
BackupandRecovery Backupand Recovery Backupand Recovery Backupand Recovery Backupand Recovery BackupandRecoveryFlowchartsfoldercontainsprocessflow diagramsincludingthoseusedinprocessandprocedure documentation. BackupandRecoveryProcessandProcedurefoldercontains processprofiledocumentation. BackupsandRecoveryProgramDefinitionfoldercontains programprofiledocumentation. BackupandRecoveryTemplatefoldercontainsshortcutsto approvedtemplatesandformsasrequiredforthismanagement function.

Flowcharts ProcessandProcedure ProgramDefinition

No No No

Confidential Confidential Confidential

Template

No

Confidential

ChangeManagement Change Management Change Management Change Management Change Management ChangeManagementFlowchartsfoldercontainsprocessflow diagramsincludingthoseusedinprocessandprocedure documentation. ChangeManagementProcessandProcedurefoldercontains processprofiledocumentation. ChangeManagementProgramDefinitionfoldercontainsprogram profiledocumentation. ChangeManagementTemplatefoldercontainsshortcutsto approvedtemplatesandformsasrequiredforthismanagement function.

Flowcharts ProcessandProcedure ProgramDefinition

No No No

Confidential Confidential Confidential

Template

No

Confidential

ConfigurationManagement

Copyright2006,PhoenixBusinessandSystemsProcess,Inc.Needham,MA,USA, MorefromPhoenixBusinessandSystemsProcess,http://www.pbandsp.com

Page 35 of 80

ProcedureGuidelinesandControlsDocumentation

RobinBasham,M.IT,M.Ed.,CISA

Management FunctionFolder Configuration Management

DocumentType Subfolders

ContentDescription ConfigurationManagementFlowchartsfoldercontainsprocess flowdiagramsincludingthoseusedinprocessandprocedure documentation.

Subfolders allowed

Classification

Flowcharts

No

Confidential

Configuration Management

ProcessandProcedure

ConfigurationManagementProcessandProcedurefolder containsprocessprofiledocumentation.

No

Confidential

Configuration Management

ProgramDefinition

ConfigurationManagementProgramDefinitionfoldercontains programprofiledocumentation.

No Temporary/ Untilalldatais movedto database

Confidential

Configuration Management

RunBookCMDB

ConfigurationManagementRunBookCMDBfoldercontains RunBookprocessandguidelines.

Confidential

Configuration Management

ModuleConfiguration

ConfigurationManagementSolutionsDevelopmentClient Configurationfoldercontainsprogramprofiledocumentation.This Subfolderas islimitedtotheareaofMasterTemplateconfigurationguidelines needed ConfigurationManagementTemplatefoldercontainsshortcutsto approvedtemplatesandformsasrequiredforthismanagement function.

Confidential

Configuration Management HumanResources

Template

No

Confidential

HumanResources HumanResources HumanResources

Flowcharts ProcessandProcedure ProgramDefinition

HumanResourcesFlowchartsfoldercontainsprocessflow diagramsincludingthoseusedinprocessandprocedure documentation. HumanResourcesProcessandProcedurefoldercontains processprofiledocumentation. HumanResourcesProgramDefinitionfoldercontainsprogram profiledocumentation.


Page 36 of 80

No No No

Confidential Confidential Confidential

Copyright2006,PhoenixBusinessandSystemsProcess,Inc.Needham,MA,USA, MorefromPhoenixBusinessandSystemsProcess,http://www.pbandsp.com

ProcedureGuidelinesandControlsDocumentation

RobinBasham,M.IT,M.Ed.,CISA

Management FunctionFolder

DocumentType Subfolders

ContentDescription HumanResourcesTemplatefoldercontainsshortcutsto approvedtemplatesandformsasrequiredforthismanagement function.

Subfolders allowed

Classification

HumanResources

Template

No

Confidential

NetworkManagement Network Management Network Management Network Management Network Management Network Management Architectures ArchitectureasDiagrams,longtermstrategicITVision, infrastructureplanningandtechnicaldocumentation. NetworkManagementFlowchartsfoldercontainsprocessflow diagramsincludingthoseusedinprocessandprocedure documentation. NetworkManagementProcessandProcedurefoldercontains processprofiledocumentation. NetworkManagementProgramDefinitionfoldercontains programprofiledocumentation. NetworkManagementTemplatefoldercontainsshortcutsto approvedtemplatesandformsasrequiredforthismanagement function. Subfolderas needed Sensitive

Flowcharts ProcessandProcedure ProgramDefinition

No No No

Confidential Confidential Confidential

Template

No

Confidential

PerformanceManagement Performance Management Performance Management Performance Management PerformanceManagementFlowchartsfoldercontainsprocess flowdiagramsincludingthoseusedinprocessandprocedure documentation. PerformanceManagementProcessandProcedurefolder containsprocessprofiledocumentation.Thisareaincludes databaseprocessoptimization. PerformanceManagementTemplatefoldercontainsshortcutsto approvedtemplatesandformsasrequiredforthismanagement function.

Flowcharts

No

Confidential

ProcessandProcedure

No

Confidential

Template

No

Confidential

ProcessEngineeringManagement

Copyright2006,PhoenixBusinessandSystemsProcess,Inc.Needham,MA,USA, MorefromPhoenixBusinessandSystemsProcess,http://www.pbandsp.com

Page 37 of 80

ProcedureGuidelinesandControlsDocumentation

RobinBasham,M.IT,M.Ed.,CISA

Management FunctionFolder Process Engineering Management Process Engineering Management Process Engineering Management Process Engineering Management

DocumentType Subfolders

ContentDescription ProcessEngineeringManagementFlowchartsfoldercontains processflowdiagramsincludingthoseusedinprocessand proceduredocumentation. ProcessEngineeringManagementProcessandProcedurefolder containsprocessprofiledocumentation. ProcessEngineeringManagementProcessProfilefolder containsprogramprofiledocumentation. ProcessEngineeringManagementTemplatefoldercontains shortcutstoapprovedtemplatesandformsasrequiredforthis managementfunction.

Subfolders allowed

Classification

Flowcharts

No

Confidential

ProcessandProcedure

No

Confidential

ProcessProfile

No

Confidential

Template

No

Confidential

ProductManagement Product Management Product Management Product Management Product Management QualityAssurance QualityAssuranceFlowchartsfoldercontainsprocessflow diagramsincludingthoseusedinprocessandprocedure documentation. QualityAssuranceProcessandProcedurefoldercontains processprofiledocumentation.
Page 38 of 80

Flowcharts ProcessandProcedure ProgramDefinition

ProductManagementFlowchartsfoldercontainsprocessflow diagramsincludingthoseusedinprocessandprocedure documentation. ProductManagementProcessandProcedurefoldercontains processprofiledocumentation. ProductManagementProgramDefinitionfoldercontainsprogram profiledocumentation. ProductManagementTemplatefoldercontainsshortcutsto approvedtemplatesandformsasrequiredforthismanagement function.

No No No

Confidential Confidential Confidential

Template

No

Confidential

QualityAssurance QualityAssurance

Flowcharts ProcessandProcedure

No No

Confidential Confidential

Copyright2006,PhoenixBusinessandSystemsProcess,Inc.Needham,MA,USA, MorefromPhoenixBusinessandSystemsProcess,http://www.pbandsp.com

ProcedureGuidelinesandControlsDocumentation

RobinBasham,M.IT,M.Ed.,CISA

Management FunctionFolder QualityAssurance

DocumentType Subfolders ProgramDefinition

ContentDescription QualityAssuranceProgramDefinitionfoldercontainsprogram profiledocumentation. QualityAssuranceTemplatefoldercontainsshortcutsto approvedtemplatesandformsasrequiredforthismanagement function.

Subfolders allowed No

Classification Confidential

QualityAssurance

Template

No

Confidential

SecurityManagement Security Management Security Management Security Management Security Management Security Management SecurityManagementFlowchartsfoldercontainsprocessflow diagramsincludingthoseusedinprocessandprocedure documentation. SecurityManagementProcessandProcedurefoldercontains processprofiledocumentation. SecurityManagementProgramProfilesfoldercontainsprogram profiledocumentation. SecurityManagementProgramTestPlansfoldercontains securityspecificprogramcontroltestplans. SecurityManagementTemplatefoldercontainsshortcutsto approvedtemplatesandformsasrequiredforthismanagement function.

Flowcharts ProcessandProcedure ProgramProfiles ProgramTestPlans

No No No No

Confidential Confidential Confidential Confidential

Template

No

Confidential

SoftwareDevelopment Software Development Software Development Software Development SoftwareDevelopmentFlowchartsfoldercontainsprocessflow diagramsincludingthoseusedinprocessandprocedure documentation. SoftwareDevelopmentProcessandProcedurefoldercontains processprofiledocumentation. SoftwareDevelopmentProgramProfilesfoldercontainsprogram profiledocumentation.

Flowcharts ProcessandProcedure ProgramProfiles

No No No

Confidential Confidential Confidential

Copyright2006,PhoenixBusinessandSystemsProcess,Inc.Needham,MA,USA, MorefromPhoenixBusinessandSystemsProcess,http://www.pbandsp.com

Page 39 of 80

ProcedureGuidelinesandControlsDocumentation

RobinBasham,M.IT,M.Ed.,CISA

| Management Function Folder | Document Type / Subfolders | Content Description | Subfolders allowed | Classification |
|---|---|---|---|---|
| Software Development | Template | Software Development Template folder contains shortcuts to approved templates and forms as required for this management function. | No | Confidential |
| Standard Operation Procedures | General Use Flowcharts | Standard Operation Procedures General Use Flowcharts folder contains process flow diagrams, including those used in process and procedure documentation. | No | Confidential |
| Standard Operation Procedures | Forms | | No | Confidential |
| Standard Operation Procedures | *RunBook | Output of the RunBook Database is a paper copy of the RunBook. RunBooks live in the database, but a single paper copy may be posted here as SAS 70 summary evidence. This folder could also be removed. | No. Folders should be set, but if an area is needed, add. | Confidential |
| Standard Operation Procedures | SOP By Domain | Standard operating procedures are any set of directions used to maintain or operate any production system. Each folder is a holding place for short instructions related to the maintenance and care of any technology type. If a person creates any work instructions, be it in email or as a Word file, this is a place to store a record of the work so that the SOP doesn't have to be created again. SOP is less strict than process in that the owner of the technology maintains their current instructions and does not require approval to add to their folder. The manager is responsible for ensuring that any high-risk process is documented and that the process could be followed by a person of equal skill in the event that the primary support staff was not available. | | Confidential |
| Standard Operation Procedures | \Citrix, \Desktop, \LAN Access Distribution, \Oracle DB, \Oracle Server, \SQL Server, \Unix, \VPN, \WAN Backbone, \WINTEL | | Subfolder as needed for specific servers and systems. | Sensitive |
| Standard Operation Procedures | Template | Standard Operation Procedures Template folder contains shortcuts to approved templates and forms as required for this management function. | No | Confidential |


| Management Function Folder | Document Type / Subfolders | Content Description | Subfolders allowed | Classification |
|---|---|---|---|---|
| Support Management | Flowcharts | Support Management Flowcharts folder contains process flow diagrams, including those used in process and procedure documentation. | No | Confidential |
| Support Management | Process and Procedure | Support Management Process and Procedure folder contains process profile documentation. | No | Confidential |
| Support Management | Program Definition | Support Management Program Definition folder contains program profile documentation. | No | Confidential |
| Support Management | Template | Support Management Template folder contains shortcuts to approved templates and forms as required for this management function. | No | Confidential |

IT Work Product Library

| Management Function Folder | Document Type / Subfolders | Content Description | Subfolders allowed | Classification |
|---|---|---|---|---|
| Change Management | Production Release and Change Review Meetings | This area will be relocated to Risk Console once the Change Management program is operational. | No | Confidential |
| Change Management | \Agendas, \Meeting Minutes | Change requests and change review meeting records | No | Confidential |
| Network or Data Center Operations Planning and Infrastructure | Infrastructure Planning | Documentation pertaining to infrastructure planning and development, including any current projects. This area will support numerous project-specific subfolders. | No | Confidential |
| Network or Data Center Operations Planning and Infrastructure | \133patch | Create a folder for the infrastructure item and keep all planning for that change or project in the folder. | Subfolder on a per-project basis | Confidential |


| Management Function Folder | Document Type / Subfolders | Content Description | Subfolders allowed | Classification |
|---|---|---|---|---|
| Network or Data Center Operations Planning and Infrastructure | Performance Management | Output of monitoring performance; shows evidence of monitoring activity. | Subfolder per monitoring area as needed | Confidential |
| Process Meeting Minutes | Meeting Minutes and Review Planning | Meeting minutes and approvals for the Process Engineering team and program | No | Confidential |
| Product Management | Meetings | Meetings pertaining to any release are captured and stored here. | No | Confidential |
| Product Management | Project Planning | Release tasks by release and other evidence of project structure | No | Confidential |
| Product Management | Requirements | Current list of requirements belongs in VSS, but this location is an evidence pointer showing the requirements in play and recent past. This folder should have a shortcut to the actual location in VSS and someone who can walk the auditor through those folders. | No | Confidential |
| Product Management | [Company Core Product or Service] Release Notes | Past and current release notes; evidence folder | No | Confidential |
| Product Management | Module Configuration | Output of planning for Master Template service-related tasks. | Subfolder as needed | Confidential |
| Product Management | Status Reports | Staff reports to managers regarding work activity. Any status provided can be stored here. Phillip can use this to show his oversight of staff and programs. | | Sensitive |


| Management Function Folder | Document Type / Subfolders | Content Description | Subfolders allowed | Classification |
|---|---|---|---|---|
| Product Training | [Company Core Product or Service] User Guide (External) | Product training output/evidence folder | No | Confidential |
| Product Training | [Company Core Product or Service] User Technical Guide (Internal) | Product training output/evidence folder | No | Confidential |
| Quality Assurance | Quarterly Reports | Documentation pertaining to infrastructure planning and development, including any current projects. This area will support numerous project-specific subfolders. | Subfolders created by quarter as needed | Confidential |
| Quality Assurance | [Company Core Product or Service] QA Testing By Release | Test planning documentation and a link to the current tests in Test Director. This is a "pointer file" used to assist the auditor in finding the evidence. | Subfolders are not limited. This is a place to store in-process work. | Confidential |
| Quality Assurance | Test Output | Used to gather the Internal Controls Testing Plans and the most current snapshot of testing as used for evidence in the upcoming SAS 70. The actual testing information must reside in its secure location within Test Director. This is an output for evidence purposes only. | Subfolders limited to the Internal Control Testing program | Confidential |
| Quality Assurance | fs02main Quality Assurance | The QA folder on FS02Main should be relocated to the process and work product areas. | | Confidential |

| Management Function Folder | Document Type / Subfolders | Content Description | Subfolders allowed | Classification |
|---|---|---|---|---|
| Release Software Development | Release Plan Evidence Copy for current review cycle | Documentation in VSS must remain in VSS. This is a pointer file and demonstration of current content on the current release. The VSS link should be here. | No | Confidential |
| Release Software Development | Release Request | Email outtakes and meeting notes where a release-related activity is requested. Release requests live in DevTrack, but can start as emails or notes. This is where the document record is stored. All details would show up as a DevTrack ID. | No | Confidential |
| Release Software Development | [Company Core Product or Service] | Design Specifications from VSS are here as process evidence and are read only. This is a placeholder for audit data. The auditor should not be in VSS clicking through directories, as this would raise issues around items that are out of date. The better strategy is to put what we want to show here. | No | Confidential |
| Security Management | Exemption Requests | Business requests for policy exception based on the need to maintain operations within given technology constraints. All exemptions should also be logged in a table where the CSO can maintain visibility on such items. RC is a good candidate for this, especially as tied to the Risk area. | No | Sensitive |
| Security Management | ...\Situation Evaluation Forms | Output of situation review and decisions based on exceptions to policy. | No | Sensitive |
| Security Management | Meetings Notes and Incident Review Records | Meeting notes from any security meeting or incident response meeting | No | Sensitive |
| Security Management | ...\Agendas\Minutes | Recommend a format for the file name that shows Security, date and meeting type. Agenda can be a placeholder for meeting plans, and meeting minutes are just meeting minutes. | No | Sensitive |
| Security Management | Program Policy Approval | Email outtakes and copies of documents indicating approval to implement security programs. I have a concern about storing electronic images of signatures and request that files state that the signature is locked in a file. | Straight evidence folder / No | Sensitive |


| Management Function Folder | Document Type / Subfolders | Content Description | Subfolders allowed | Classification |
|---|---|---|---|---|
| Security Management | Security Infrastructure and Program Planning | Infrastructure planning document and information related to the planning of any security program. | Create a subfolder for any program. | Sensitive |
| Security Management | \Awareness | Awareness program documents, including planned presentations and documents for the development of the program | Subfolder as needed | Sensitive |
| Security Management | Test Output | DS5-related internal control test plans and output | One folder per program tested | Sensitive |
| Security Management | Tracking and Reconciliation Reports | Output of security scans and processes. | Subfolder as needed | Sensitive |
| Security Management | \Tools, .\...\Last Login Scripts, \...\...\Risklabs Domain, \...\...\Company Domain | Evidence of security monitoring activity | Subfolder as needed | Sensitive |

Contact the author: http://www.pbandsp.com/cgi/form.html
