March 3, 2009

COBIT – Deliver & Support (DS)

Posted in COBIT at 3:04 pm by Molly

There are some basic but informative drawings in the ‘ITSM Library – IT Governance based on COBIT 4.1’ on page 32 of this small handbook, which explain the process steps visually. This book has proved very useful in giving me an overview so far, and I would recommend it to anyone new to COBIT; it was also just £11.

The DS domain focuses on the delivery aspects of information technology. It covers areas such as the execution of the applications within the IT system and their results, as well as the support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues and training.

(3) Deliver & Support (DS)

PROCESSES

DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations

Let’s now approach it in more detail and include other processes and activities that are involved.

(1) Business Requirements, External Requirements, PO and AI domain are important inputs into the strategic cluster or ‘heart’ as I shall refer to it here.

(2) Within the ‘heart’ of this domain lie a few interesting clusters. The Service Level Cluster is made up of processes DS1 (which is the key process here) and DS2. Related to DS1 & DS2 (define & manage service levels AND manage 3rd party services) is DS6, ‘identify and allocate costs’, because we want to know about the financial implications.

(3) Feed down to the next important cluster – The Operations Cluster (DS11, DS12 & DS13 – managing data, managing the operational environment and managing operations respectively).

(4) As side ‘organs’ to the ‘heart’ we have the delivery cluster, or, as I will refer to it, the ‘brains’, which includes the following processes (DS3 through to DS7), or in plain English, managing or ensuring the performance and capacity, ITSCM (a reference to ITIL there), security, education and training.

(5) On the other side assisting the ‘heart’ we have the usual suspects for the general resources cluster, or ‘organs’, PO8, PO9, PO10 & ME1-4 (managing quality, IT risk and projects and all that monitoring and evaluation stuff that we shall cover shortly). You see, you always have to keep an eye on the IT risks as a matter of principle; it is probably best to have a Risk Register.

(6) Before we come to the outputs of this domain, let’s take a look at two further processes that have their roots in ITIL, namely DS8 (Managing Service Desk and Incidents), which feeds into DS10 (Managing Problems).

(7) So what are the outputs of DS? We have AI and PO as outputs from DS.

SUMMARY

Inputs = Requirements, PO and AI.

Outputs = AI and PO.

Activities of the ‘heart’ = SLM Cluster, a bit of financial management, Operational Cluster, Service Desk, Incident and Problem Management.

Activities of the ‘organs’ = Quality, IT risks, projects & lots of monitoring and evaluation.

Activities of the ‘brain’ = Performance and Capacity management, Continuity management, security management, education and training management.

COBIT – Acquire & Implement (AI)

Posted in COBIT at 2:53 pm by Molly

There are some basic but informative drawings in the ‘ITSM Library – IT Governance based on COBIT 4.1’ on page 30 of this small handbook, which explain the process steps visually. This book has proved very useful in giving me an overview so far, and I would recommend it to anyone new to COBIT; it was also just £11.

We’ve already discussed the PO domain, and now we shall turn the attention to the AI domain, its processes and activities.

The AI domain covers identifying IT requirements, acquiring the technology, and implementing it within the company’s current business processes. This domain also addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components.

(2) Acquire & Implement (AI)

PROCESSES

AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes

Let’s now approach it in more detail and include other processes and activities that are involved.

(1) Business Requirements, External Requirements, PO and DS domain are important inputs into the strategic cluster or ‘heart’ as I shall refer to it here.

(2) The ‘heart’ of this domain includes processes AI1, AI2, AI3, AI4, AI6 & AI7, identifying the automated solutions and managing changes, plus the additional DS9, managing the configuration. AI2 – AI4 are described as the development cluster and are all about maintaining the software, infrastructure and use.

(3) As an input to the ‘heart’ we have some additional ‘organs’ which keep our ‘heart’ pumping away regularly. They are PO8 to PO10 and ME1 to ME4, which we use again from the PO domain (managing quality, IT risks and projects, as well as regular monitoring and evaluation). The other ‘organ’ is AI5, which is the procure IT resources activity.

(5) Our last two outputs from our ‘heart’ are the DS domain and the PO domain, which leads us nicely to the COBIT DS (Deliver and Support) domain.

SUMMARY

Inputs = Requirements and PO activities;

Outputs = DS and PO;

Activities of the ‘heart’ = identifying the solution, maintaining software & infrastructure, change and configuration management, enabling its use, and implementing the result into the operational environment;

Activities of the ‘organs’ = managing quality, IT risks and projects and lots of monitoring & evaluation techniques, and finally procuring those IT resources.

COBIT – Plan & Organise (PO)

Posted in COBIT at 1:57 pm by Molly

There are some basic but informative drawings in the ‘ITSM Library – IT Governance based on COBIT 4.1’ on page 29 of this small handbook, which explain the process steps visually. This book has proved very useful in giving me an overview so far, and I would recommend it to anyone new to COBIT; it was also just £11.

The PO domain covers the use of information & technology and how best it can be used in a company to help achieve the company’s goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT.

(1) Plan & Organise (PO)

PROCESSES

PO1 Define a Strategic IT Plan and direction
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects

Let’s now approach it in more detail and include other processes and activities that are involved.

(1) Business Requirements, External Requirements, AI and DS domain are important inputs into the strategic cluster or ‘heart’ as I shall refer to it here.

(2) The ‘heart’ of this domain includes processes PO1 to PO4, because they are all about defining something. Why is it iterative? Defining a strategic IT plan, the information architecture, technological direction, the IT processes, organisation and relationships will involve some form of iterative exercise to tweak and finally come to some form of operational definition, if you like, but it is all about these processes working in harmony.

(3) The second part of this ‘heart’ cluster, which can be referred to as the ‘arteries’, comprises the manage and communication tasks, processes PO5 to PO7: managing the financial and people resources, as well as communication.

(4) As an input to the ‘heart’ we have some additional ‘organs’ which keep our ‘heart’ pumping away regularly. They are PO8 to PO10 and ME1 to ME4. In other words, managing the quality, the IT risks and the projects, as well as regular monitoring and evaluation techniques to make sure it is all aligning correctly.

(5) Our last two outputs from our ‘heart’ are the DS domain and the AI domain, which leads us nicely to the COBIT AI (Acquire and Implement) domain.

SUMMARY

Inputs = Requirements;

Outputs = DS and AI;

Activities of the ‘heart’ = iterative strategic definition stage;

Activities of the ‘arteries’ = managing the purse strings, people and communication;

Activities of the ‘organs’ = managing the quality, IT risks and projects and lots of monitoring & evaluation techniques.

March 1, 2009

SOX

Posted in Frameworks, SOX at 6:47 pm by Molly

SOX Compliance Roadmap

1) Plan and Scope IT Controls

Assign accountability and responsibility.
Statement on Auditing Standards (SAS) 70 reports are traditionally performed for service organisations.

2) Assess IT Risk

Assess the likelihood and impact of IT systems causing financial statement error or fraud.
Inherent risk rather than residual risk.
Access controls: without them, there is a risk of someone accessing the system and falsifying transactions.
Perform the following risk assessment:-
* nature of technology
* nature of people
* nature of processes
* past experience
* significance to the financial reports

3) Document Controls

Document application controls.
Document IT general controls.
Identify IT entity-level controls.
Identify application controls – automated controls & IT-dependent manual controls.
Identify IT general controls.
Identify which controls are relevant controls
Consider IT-based antifraud controls
Control documentation (document controls over financial reporting and perform an assessment of their design and operating effectiveness).

4) Evaluate Control Design & Operating Effectiveness

All key controls are documented.
Test controls to confirm their operating effectiveness.
Consider the nature of evidence required.
Forms of evidence:-
* inquiry – seeking information from knowledgeable persons;
* inspection of documentation – inspect reports;
* observation;
* reperformance – independently run exception reports;
Consider the timing of control testing.
Roll-forward testing.

5) Prioritise and Remediate Deficiencies

Impact assessment.
Consider whether compensating controls exist and can be relied upon.
Consider guidance from the SEC and PCAOB
* application-level deficiencies;
* control environment deficiencies;
* failing to remediate a deficiency for an unreasonable period of time;
Identify and assess IT general control deficiencies
* design deficiencies;
* operating effectiveness deficiencies;

6) Build Sustainability

Consider automated controls.
Rationalise to eliminate redundant and duplicate controls.