Process Mapping and Process Documentation

(as written in 2003)

All tools and procedures supported by Phoenix Business & Systems Process (PB&SP) facilitate meeting SEC requirements on internal control over financial reporting. PB&SP provides consulting and products that isolate internal control deficiencies while supplying both internal assessment reporting and a response in the form of written and implemented IT procedures and controls.

The main purpose of the Sarbanes-Oxley Act is to protect investors by improving the accuracy and reliability of corporate disclosures. This legislation requires all publicly traded companies to be prepared to demonstrate an "effective internal control structure and procedures" for financial reporting. This has everyone asking: what is process? Which standard is the best for my needs? Is there a map to compare the standards? They all seem the same. Can't we just map one standard to the next, translating any process across any standard? ... No.

Phoenix Business & Systems Process doesn't encourage the practice of "mapping" one standard to another, swapping from CMM to COBIT® or from ISO/IEC 17799:2000 to Six Sigma, for example. Though it is very true that standards have common domains and processes, each is written to serve a unique organizational purpose. What matters in selecting a model or standard is audience and intent.

PB&SP works with all standards including ISO 9000 and 14000, BS 7799/ISO 17799, PMBOK, NIST and ITL, ITIL® Service Support, Six Sigma Process Control, FCAPS, CMM, and TMN, to name only a few. The goal of PB&SP is to assess the implementation of process across all areas of IT. For broad and comprehensive IT assessment there is one single best standard, and that is COBIT®.

"COBIT® provides management and business process owners with an Information Technology (IT) governance model that helps in understanding and managing the risks associated with IT. COBIT® helps bridge the gaps between business risks, control needs and technical issues. It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems."

COBIT® (Control Objectives for Information and Related Technology) does not propose to replace all other standards; rather, it is used to assess whether, and to what extent, standards are in place both across the IT infrastructure and within corporate IT management.

Consider the following example. A Configuration Management team might apply the principles of ITIL® Service Support, but ITIL® is not specifically concerned with identifying financial exposures, nor with the management steps needed to monitor and control such exposures. Even though ITIL® does an outstanding job of placing configuration management in an entire IT context, it is not written to support transparent reporting in which the entire business model is both supported and enabled by Configuration Management.

A configuration team might also use the Software Program Managers Network's Little Book of Configuration Management. This Airlie Software Council publication is an outstanding resource of best practice for any manager hoping to improve his or her configuration management program. Still, neither The Little Book of Configuration Management nor ITIL® Service Support's Annex 7B satisfies the requirements for internal control assessment. ITIL®'s list of specific Configuration Management team responsibilities does adequately guide the organization in proposing sound Configuration Management controls. It does not, however, have as its core purpose the assessment of implemented standards and a rating of overall maturity. It is true that ITIL® Service Support's list of Configuration Manager responsibilities has many points in common with COBIT®'s DS9 (Delivery and Support: Manage the Configuration). The intent behind each differs, however: one is written to guide design, and the other is a framework for control and assessment.

PB&SP focuses corporations on implementing an overall framework for control and assessment. Phoenix Business & Systems Process guides clients to:

Sarbanes-Oxley, Sections 302 and 404: Internal Controls

PB&SP helps clients to recognize the industry models appropriate to their organization's needs, and promotes a structure of process development that is consistent with the maturity measurements defined by COBIT®. PB&SP provides rapid process development services, basing process selection on both standards and business reality. Since the enactment of Sarbanes-Oxley, companies need to understand new risk and control requirements. IT management, financial, and audit departments all want to know how they are required to respond. Companies are required to achieve transparency, accountability, and integrity while respecting the needs of a balanced business scorecard.

While no effort to implement a standard is wasted, and all frameworks provide a basis for process, the answer to the current need for immediate and comprehensive evidence of internal controls across all systems and information technology is COBIT®. We don't stop there. We also use ITIL®, NIST, FIPS, ISO, PCI/Visa CISP v2.3, COSO, and virtually all known standards in our projects supporting both process and regulatory compliance.



Reference

A Guide to the Project Management Body of Knowledge (PMBOK® Guide), 2000 Edition, Project Management Institute, Inc., Newtown Square, PA, USA, 2000.

Six Sigma Project Management: A Pocket Guide, by Jeffrey N. Lowenthal, PhD (American Society for Quality; Spiral edition, August 1, 2001).

The COBIT® (Control Objectives for Information and Related Technology) framework was released in 1996 and updated in 1998 and 2000 by the Information Systems Audit and Control Foundation (ISACF) in response to the need for a reference framework for security and control in information technology. In 2000, the IT Governance Institute and ISACF developed the Management Guidelines for COBIT®. These guidelines respond to a need by management for control and measurability of IT, for the purpose of ensuring that IT activities achieve business objectives.

Little Book of Configuration Management, Airlie Software Council, Arlington, VA, November 1998. Software Program Managers Network, http://www.spmn.com. Copyright © 1998 by Computers & Concepts Associates, a division of Integrated Computer Engineering, Inc., in the performance of Federal Systems Integration and Management Center (FEDSIM).

The ITIL® website www.itil.co.uk is a useful repository of information about ITIL®. There you will find information about how ITIL® publications are developed, including latest news about books in development, and details of most of the books in the set. In addition, there is a Frequently Asked Questions page, and links to most of the important partners in the ITIL® family (ITSMF, TSO, BSI, ISEB, EXIN), separate secure sites for ITIL® book development teams and links to on-line ordering.

The Information Technology Security Office (ITSO) is the focal point for addressing NIST-wide information technology (IT) security issues. Functions of the ITSO include establishing, implementing, and testing information security policies, procedures, and technologies for NIST's administrative and scientific environments. The ITSO also investigates computer security breaches by a NIST user or through a NIST system. To report a security incident or to discuss an IT concern related to NIST, contact the IT Security Officer at nist-itso@nist.gov or 301-975-2901. The role of the ITSO should not be confused with that of the Information Technology Laboratory's Computer Security Division. Under the Computer Security Act of 1987, the Computer Security Division develops security standards and guidelines for sensitive (unclassified) Federal IT systems and works with industry to help improve the security of commercial IT products. The Division has key focused activities in the areas of cryptographic standards and applications, security of emerging technologies, security management, and security testing. The ITSO benefits from having access to subject matter experts, and the division benefits from having the environment to apply the research conducted and to contribute operational experience to its activities. For more information on the ITL Computer Security Division, see http://csrc.nist.gov.

United States Congress, Sarbanes-Oxley Act of 2002, 15 U.S.C. §7201 (2002), "Sarbanes-Oxley Act of 2002", "SOX", in Public Law 107-204, H.R. 3763, S. 2673, & Congressional Record Vol. 148 (2002), Washington: U.S. Government Printing Office, 116 STAT. 745-810.

COBIT®. Retrieved December 1, 2005 from http://www.isaca.org/Template.cfm?Section=COBIT&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981.

COSO, Committee of Sponsoring Organizations of the Treadway Commission. Retrieved December 1, 2005 http://www.coso.org/.

ITIL®, Information Technology Infrastructure Library. Retrieved December 1, 2005 http://www.ogc.gov.uk/index.asp?id=2261.

BSI, British Standards Institute, "BS ISO/IEC 17799:2005", in British Standard ISO/IEC 27001:2005, London, United Kingdom: The Stationery Office, 2005.

ISACA, Information Systems Audit and Control Association. Retrieved December 1, 2005 http://www.isaca.org/.

OGC, Office of Government Commerce, "ICT Infrastructure Management", in ITIL® Series, London, United Kingdom: The Stationery Office, 2002.

NIST, National Institute of Standards and Technology. FIPS, Federal Information Processing Standards Publication. Retrieved December 1, 2005 from http://www.itl.nist.gov/fipspubs/.

United States Congress, "FISMA", "Federal Information Security Management Act of 2002", in Public Law 107-347, H. R. 2458-48, Title III, Washington: U.S. Government Printing Office, SEC 301-305.

U.S. Department of Homeland Security. FEMA, Federal Emergency Management Agency. Retrieved December 1, 2005 from http://www.fema.gov/.

GAO Accounting and Information Division. FISCAM, Federal Information System Controls Audit Manual Volume I: Financial Statement Audits, Washington: Government Accountability Office, 1999. Retrieved December 1, 2005 from http://www.gao.gov/special.pubs/ai12.19.6.pdf.


"Making Process Real", first published in 2002, was used to create a large portion of this content. Recent publications have added to these concepts.

PB&SP consulting engagements include Siemens, Raytheon, Journal Communications, MA/COM, CTC Communications, Fleet Bank, State Street Bank, Fidelity Investments, Sun Life Financial, Cincinnati Bell (Core), AON, IDC, OFFSITE Inc., Lucent Technologies, SanDisk, OCC, Financial Times Interactive Data and more.

In addition to on-site engineering and project management, PB&SP provides daily and hourly web-based COBIT®, ITIL®, and ISO 9001 & 17799 series compliance and process training. Trainers hold current ISACA COBIT® certification and ISEB ITIL® Foundation certification.

Many clients use our services for CISSP, CISA and ITIL® certification readiness.

PB&SP is able to work within any client schedule, to include national web conferencing, evening and weekend service delivery.

Samples:
COBIT® 3.0 quick domain review and sample preparation summary.
Training delivered to itSMF New England, an ITIL® user organization.
COBIT® 4.0.

(COBIT® content is registered and fully owned by ISACA. We are proud to assist in support of their mission.)