
Facilitated Compliance Management™

PB&SP's structured approach and application of our Facilitated Compliance Management™ methodology will provide a number of benefits to our clients' IT organizations. The benefits include:

PB&SP implements process management via a process development and tracking system (the PDTS application). Written in Microsoft Access and Visual Basic, the Facilitated Compliance Management™ (FCM™) data structure scales easily to an Oracle or SQL backend and can be customized and modified to run on a corporate intranet. Our own internal deployment includes complex security and intranet features. Each client implementation is scaled to the client's environment and culture.

The following list is a subset of the main forms. More than 20 management reports and a document management function make this tool a fitting response to Sarbanes-Oxley's mandate for demonstrated and documented process, and it adheres to the CobiT® control objective "Monitor the Process". More specifically, control over the IT process of monitoring the processes satisfies the business requirement to ensure the achievement of the performance objectives set for the IT processes. It is enabled by the definition of relevant performance indicators, the systematic and timely reporting of performance, and prompt action upon deviations, while taking into consideration

FCM™ process documentation is integrated with real-time Visio workflow diagrams:

We call this Visio On Steroids


Process information is captured in a SQL backend, allowing for real-time intranet content and instant visibility throughout the organization, as determined by your own security and information access strategy.


Conquer the Audit Universe!

Facilitated Compliance Management™ (FCM) is a prototyping tool used to develop customized, robust, IT-regulatory-compliant operations management processes. FCM software supports achieving at least level 3 maturity across most IT regulatory control domains, including those defined in CobiT 3.0/4.0:

  • AI6 - Manage Change
  • PO10 - Manage Projects
  • AI2 - Acquire and Maintain Application Software
  • PO5 - Manage the IT Investment
  • PO9 - Assess Risk
  • DS5 - Ensure System Security
  • M1 - Monitor the Processes
  • M2 - Assess Internal Control Adequacy
  • AI4 - Develop and Maintain Procedures
  • DS4 - Ensure Continuous Service
  • DS7 - Educate and Train Users
  • PO4 - Define the IT Organization and Relationships
  • DS13 - Manage Operations

are some of the aligned CobiT® framework controls that are evidenced through appropriate use of this form.

Assessment Portal

Regardless of audit framework, the portal holds the domains, processes, details and audit guidelines for your enterprise. Allowing for each corporation's customized "Audit Universe", the Control Self Assessment Portal includes industry-standard control objectives, such as those in CobiT®, COSO®, various NIST/FIPS publications, PCI/VISA (CISP v2.3), ISO/IEC 17799:2000 - BS7799:2 and FISCAM, with associated implementation, test and audit guidelines, performance and goal indicators, success factors, and more. Built for reporting ease and distributed ownership, all standards are categorized at high-, mid- and detail-level description. Extensive mapping allows rapid recognition of overlap and ease in aligning disparate groups that use hybrid control models.

Audit Universe customization is critical to a successful Governance Risk Compliance Architecture. We've known this for many years, so the mapping of audit and process frameworks is a natural evolution of our product.


CobiT®, COSO, ITIL, FISCAM, ISO/IEC 17799:2000, BS7799:2, PCI/VISA, NIST 53a Controls Management shows each control objective with its associated performance and goal indicators, recommendations for implementation and test, and, if available, diagrams and a domain-level description.
Reporting by search or keyword allows the user to create customized Word documentation pertaining to any area within each identified framework. The Assessment form allows companies to maintain a summary of current and goal maturity, gap details and specific capability. This information is also used to create a CobiT® Maturity Assessment.

  • IT Governance
  • M1 - Monitor the Processes
  • M2 - Assess Internal Control Adequacy
  • M3 - Obtain Independent Assurance
  • PO1 - Define the IT Organization and Relationships
  • PO7 - Manage Human Resources
  • PO9 - Assess Risks

are some of the aligned CobiT® framework controls that are evidenced through appropriate use of this form.


Audit Planning and Audit Plan Forms capture work plans, tasks assigned by business unit and per auditor, and general long-term/short-term goals and issues specific to the internal audit team. Allowing for general tracking of projects that introduce a broad range of process and change, audit planning assigns internal documents and behaviors to specific audit milestones and control assessment elements. The audit plan and planning forms gather current- and future-state Governance Risk Compliance architecture, training and testing documentation, and control testing plans. This form might be used to gather information on a project that is generating multiple audits across multiple geographic regions.

Process Management maps each process to Control Domains and Objectives, and implements all stages and versions of a process implementation. The parent and subcomponent procedures associated with that process are both housed in and developed from within this form. This component of the database is also used to create the Word document that is posted to an internal Process library. Processes can also spawn work instructions, the real-life steps for implementing specific procedures as required by the approved process.

  • M1 - Monitor the Processes
  • M2 - Assess Internal Control Adequacy
  • AI4 - Develop and Maintain Procedures
  • DS7 - Educate and Train Users
  • PO4 - Define the IT Organization and Relationships

Work Instruction Management houses all the stages and elements of work instructions, or high-level training steps, associated with performing a process. In response to the requirements of Sarbanes-Oxley, clients are advised to create detailed work instructions for the maintenance and implementation of any financial controls. The work instruction form generates step-by-step, Word-formatted training documentation.

  • M1 - Monitor the Processes
  • AI4 - Develop and Maintain Procedures
  • DS7 - Educate and Train Users

Process Object Management is the container for records that represent objects such as business processes, forms, work instructions, job descriptions, modules, and tables. Object management provides an overall process catalogue and allows the organization to assign metatags, inputs, and outputs to any activity. It is a way to identify and classify business and technology activity. Once an object exists, it is assigned to a profile record that is tracked. Processes are dynamic, so tracking, modifying and managing processes is the main objective of the PDTS.

  • M1 - Monitor the Processes
  • M2 - Assess Internal Control Adequacy
  • AI4 - Develop and Maintain Procedures

Risk Management Watch List contains high-level risk areas associated with process projects. This form tracks the owners and policy associated with Risk Management. It is a springboard and catalogue of risks that require attention by the Risk Managing Team. It adheres to the following steps:

  • Tracks management process
  • Establish the context
  • Identify the risks
  • Analyse the risks
  • Evaluate the risks
  • Treat the risks
  • Monitor and review
  • Communicate and consult

  • PO9 - Assess Risk
  • AI6 - Manage Change (Risk Elements)
  • PO10 - Manage Projects (Risk Elements)
  • PO5 - Manage the IT Investment (Risk Elements)
  • DS5 - Ensure System Security (Risk Elements)
  • M1 - Monitor the Processes (Risk Elements)
  • M2 - Assess Internal Control Adequacy (Risk Elements)
  • DS4 - Ensure Continuous Service (Risk Elements)


RunBooks record all the emergency maintenance and operational procedures, per system, for an entire enterprise. This form supports business continuity and disaster recovery requirements. Reporting on RunBooks provides feedback towards reaching compliance in the following areas.

  • AI4 - Develop and Maintain Procedures
  • M1 - Monitor the Processes
  • M2 - Assess Internal Control Adequacy
  • PO9 - Assess Risk
  • AI6 - Manage Change
  • PO5 - Manage the IT Investment
  • DS5 - Ensure System Security
  • DS4 - Ensure Continuous Service

Controlled Servers Form records server, router and critical device information as it pertains to the device's continuous support, security, backup and management. The controlled server record is the first step in introducing any element to the network and ensures a record that can be built into a full RunBook.

  • M1 - Monitor the Processes
  • M2 - Assess Internal Control Adequacy
  • PO5 - Manage the IT Investment
  • DS5 - Ensure System Security
  • DS4 - Ensure Continuous Service
  • DS13 - Manage Operations

Tools and Tool Type Form lists all applications, databases, element management systems, and their functions. The tools table is part of the process in which each executable is evaluated in terms of its functions and its relative importance to financial and security controls. Tools are also rated for their importance to business productivity. The tools table is used to populate numerous dropdown fields in the FCM database.

  • M1 - Monitor the Processes
  • M2 - Assess Internal Control Adequacy
  • PO5 - Manage the IT Investment
  • DS5 - Ensure System Security
  • DS4 - Ensure Continuous Service

Information Technology Service Management (ITSM) and Change Request Form allows any type of request to be tracked from entrance to delivery throughout all of IT, tracking from request to assignment as "service", "maintenance", "change", "feasibility and ROI", "project" or "network engineering release", including all handoffs in between.

  • DS13 - Manage Operations
  • DS5 - Ensure System Security
  • DS4 - Ensure Continuous Service
  • AI6 - Manage Change
  • PO10 - Manage Projects
  • AI2 - Acquire and Maintain Application Software
  • PO9 - Assess Risk
  • PO5 - Manage the IT Investment

Information Technology Service Management and Change Requests are not readily typed. Persons receiving a request for "change" will review the event type and, where appropriate, redirect the request to other processes or applications.

Maintenance: a customer-generated service request against an existing system, following an existing routine. Requires an administrative or code change to a tested and known element. NOT A NEW CODE PROCESS, but a standard process having history and a written procedure. Will not affect system function, but will have an impact on an individual customer's security access or process. Does not require change control.

Release: a release of network hardware/software (not including maintenance or standard security patches). Technologies: routers, switches, hubs, concentrators, gateways, optical, LAN/WAN, network access, power protection, cabling, network servers (including directory), management systems and intranet. Includes customer interoperability certifications. Requires change management for implementation.

IT Project: driven by a business outcome with ROI sponsorship; a project including multiple phases and approvals, with results including new systems, applications, business processes, or all of the above. Is defined by complexity and follows the Software Development Lifecycle. Requires change management for implementation.

Maintenance (time-based): an addition or change of a tested element that does not change a business process. Can be approved in bulk for multiple systems and applied on a scheduled basis. Has been approved as a maintenance process through Change Control.

Change Management: a planned and ready change that is a:

  • release of production business software applications, including enhancements.
  • change to production systems hardware, configuration and/or related network infrastructure.
  • change to the business desktop computing environment, file servers and related networks.
  • change to the business desktop standard image (or any generic change to desktops which impacts any sizable business group, unit or function).

More information can be found in the Toolbox under Facilitated Compliance Management.