Services - Phoenix Business & Systems Process; Implementing a Compliance Framework

PB&SP will supply consulting and recommendation in support of IT resource assignment and organization structure as it pertains to support of the Control Objectives for Information and Related Technology.  PB&SP focuses corporations in implementing an overall framework for control and assessment.  Phoenix Business & Systems Process, Inc. guides clients to:

1. Insure preparation to demonstrate effective internal control structure and procedure
2. Demonstrate appropriate standards for gathering evidence and reporting against these findings
3. Establish a system of enterprise wide Risk Assessment
4. Identify financial exposures along with management steps to monitor and control such exposures
5. The scope of IT auditing includes:
   • Reviewing the reliability and integrity of information and the means used to identify measure, classify, and report such information.
   • Reviewing the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations, which could have a significant impact on operations and reports, and determining whether the organization is in compliance.
   • Reviewing the means of safeguarding information (backups), verifying the existence of such backup sets.
   • Appraising the efficiency with which resources are employed.
   • Reviewing operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.

All tools and procedures supported by Phoenix Business & System Process, Inc. (PB&SP) facilitate meeting SEC requirements on internal control over financial reporting.  PB&SP provides consulting and products that isolate internal control deficiency while supplying both internal assessment reporting and response in the form of written and implemented IT procedures and controls.  Three major elements work together to provide content, guidance and criteria toward a consensus driven strategy for a properly controlled business environment. We refer to this as our compliance framework:

• ITIL® is FORM, content and concept behind IT Control Programs
• Facilitated Compliance Management™ is the FUNCTION, a working data and process model of HOW we manage and capture IT control events
• COBIT®, COSO and other Security Program control programs are the MEASURE or criteria by which we agree to define an IT environment as appropriately controlled.

New and increasing business regulations bring added context to the need for highly mature IT programs.  The main purpose of Sarbanes-Oxley Act, for example, is to protect investors by improving accuracy and reliability of Corporate Disclosures.  This legislation has made it necessary for all publicly traded companies to insure corporate preparation to demonstrate “effective internal control structure and procedure.”   PB&SP facilitates definition of effective internal control, while supplying tools and project implementation to reach this goal.  In addition, non public companies are increasingly aware of SEC driven requirements around security, data management and the demonstrations of other IT controls as required by SAS70.

So, what is the Phoenix approach?

Projects broadly include these elements:

 

Phoenix Business & Systems Process works with many current and relevant organizations and standards including BS7799/ISO17799, PMBOK, NIST and ITL, ITIL® Service Support, Six Sigma Process Control, ISO 9000 and14000, FCAPS, CMM, TMN, to name only a few.  The goal of PB&SP is to assess the implementation of process across all areas of IT. 

For broad and comprehensive IT assessment PB&SP uses COBIT®.

"COBIT® provides management and business process owners with an Information Technology (IT) governance model that helps in understanding and managing the risks associated with IT. COBIT® helps bridge the gaps between business risks, control needs and technical issues. It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems."

COBIT® (Control Objectives for Information and Related Technology) doesn't suggest that it replace all standards, but that it is used to assess whether and to what extent standards are in place both across the IT infrastructure and in the corporate management IT.   

Risk Management and IT Control

• Sarbanes-Oxley Section 404 and COBIT®. Client Training, compliance review
  
• Establishing guidelines and policies representing good governance.
  
• Prescriptive tools approach to remediate low control maturity, matching tools with areas of defined exposure to risk
  
• Sale and Implementation of Methodware Audit and Risk Management software
  
• Security Assessment and risk mitigation plan

All tools and procedures supported by Phoenix Business & System Process (PB&SP) facilitate meeting SEC requirements on internal control over financial reporting. PB&SP provides consulting and products that isolate internal control deficiency while supplying both internal assessment reporting and response in the form of written and implemented IT procedures and controls.

The main purpose of Sarbanes-Oxley Act is to protect investors by improving accuracy and reliability of Corporate Disclosures. This legislation has made it necessary for all publicly traded companies to insure corporate preparation to demonstrate "effective internal control structure and procedure."

Phoenix Business & Systems Process works with all standards including ISO 9000 and14000, BS7799/ISO17799, PMBOK, NIST and ITL, ITIL® Service Support, Six Sigma Process Control, FCAPS, CMM, TMN, to name only a few. The goal of PB&SP is to assess the implementation of process across all areas of IT. For broad and comprehensive IT assessment there is one single best standard, and that is COBIT®.

"COBIT®.provides management and business process owners with an Information Technology (IT) governance model that helps in understanding and managing the risks associated with IT. COBIT®.helps bridge the gaps between business risks, control needs and technical issues. It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems."

COBIT®.(Control Objectives for Information and Related Technology) doesn't suggest that it replace all standards, but that it is used to assess whether and to what extent standards are in place both across the IT infrastructure and in the corporate management IT.

PB&SP will supply consulting and recommendation in support of IT resource assignment and organization structure as it pertains to support of the Control Objectives for Information and Related Technology. PB&SP focuses corporations in implementing an overall framework for control and assessment. Phoenix Business & Systems Process guides clients to:

• Insure preparation to demonstrate effective internal control structure and procedure
  
• Demonstrate appropriate standards for gathering evidence and reporting against these findings
  
• Establish a system of enterprise wide Risk Assessment
  
• Identify financial exposures along with management steps to monitor and control such exposures

Sarbanes-Oxley, Sections 302 and 404: Internal Controls
PB&SP helps clients to recognize appropriate industry models for their organization's needs, and promotes a structure of process development that is consistent with the maturity measurements as defined by COBIT®. PB&SP provides rapid process development services, basing process selection on both standards and business reality. Since the enactment of Sarbanes-Oxley companies need to understand new risk and control requirements. IT Management, Financial, and Audit departments all want to know how they are required to respond. Companies are required to achieve transparency, accountability, and integrity while respecting the needs of a balanced business scorecard.

While no effort to implement a standard is wasted, and all frameworks provide basis for process, the answer to our current need for immediate and comprehensive evidence of internal controls across all systems and information technology is COBIT®. PB&SP will utilize Methodware's COBIT®.Advisor 3rd Edition to provide a single comprehensive tool for internal COBIT®. based assessment.

COBIT®.Training and Implementation

Our Clients receive training and project management support to accomplish the following objectives:

• Knowledge of the COBIT®.Framework and Internal Audit Process
  
• Prioritized process development based in identified control deficiencies
  
• Completed Maturity Matrix with rankings to allow focus on risks
  
• Time phased follow-up audit plan with assigned owners to ensure success

Methodology in Achievement of these objectives is a three phases plan. Each phase will be involve

• Presentation
  
• Individual and group development
  
• Task assignment
  
• Feedback and Follow Up

In a typical implementation our clients purchase Methodware's COBIT®.Advisor 3rd Edition, Multi-User.
Additional tools may be considered throughout the lifecycle of the project, but the COBIT®.Advisor 3rd Edition Multi User is a minimal requirement for the success of this type of engagement. Clients are provided with IT security and control practice research and standards as well as numerous support applications, many of which are free of charge.

We offer on line individual training in support of recognized exam standards. WE DO NOT represent our training in lieu of COBIT or ITIL® foundation, CISA or CISSP certification training, or any recognized standards body effort for certification. We take these exams too. The scope of learning for any of these areas is large and complex. For some, it may be too much to achieve alone.

Our efforts extend learning and help to make concepts stick at a more personal and real level. PB&SP is proud to assist in the efforts of our profession.

As a general level refresher, try the domain challenge:

Aligning controls to the right domain is a great way to start understanding some of COBIT®'s points of alignment and general organization of the controls framework.

This image shows one of the many tools we use to insure our own and our client's success.

Common Language in Controls and Application Controls

The output of any policy or process includes a list of quality measures.  Quality is measured by a set of controls or tests, each designed to provide feedback or align our actions to those policies and procedures.
A “control” over process is characterized by ability to:

• Communicates Repeatable Intention
• Executes As Planned (Implementation Plan)
• Measure (Risk Measurement & Impact Analysis)
• Record (Management Reporting & KPI)
• Respond (Thresholds)
• Archive (Defined Data Retention)
• Controls require a visible and recognized:
• Name
• Owner
• Method –(Automation or Manual)
• Program
• Frequency
• Test
• Activity Definition
• Location
• Test Evidence
• Information Processing Objective
• Sequence ID and method of tracking

Service Catalogue

The OGC defines Service Catalogue as a “written statement of IT services, default levels and options.”  Service management is best organized according to a catalogue of services and is measured against service level baselines.  New products or service become a part of the release process and involve business stakeholders in relationship to a newly established SLA.  In reality, any service comprises a collection of configured items to include what ITIL® refers to as “People, Process, and Technologies”.  This is a common theme IT Service Management. 

Service Configuration and CMDB

The accurate collection and documentation of all service related configuration items or CI’s is facilitated through a single or set of configuration management databases, known as the (CMDB).  The CMDB store each of the configuration items, but more importantly, it formally documents their relationships.  Any information related to delivery of service will have some need of configuration management information systems data.  For example, the CMBD is used as a component of problem resolution, the design of an SLA, human resource planning, accounting and compensation.
 
Figure 14: Configuration Management, Definitive Software and Hardware and CMDB

Part of the CMDB is the recording of running process, a.k.a. the “game plan or play book” used to support a set of system operations as governed by policy and associated with maintaining functional service level.  Historically, data centers have used the process known as the Run Book, or “RunBook” to assure documentation of critical processes necessary to maintain and troubleshoot any system in the path of critical operations or service.  This practice is common in financial industries managing operational risks for compliance with Basel II, Sarbanes-Oxley Act, section 404, and with FISMA. 

 RunBook

A RunBook is a document containing detailed procedures that collectively keep a mission critical system running.   A RunBook is sometimes viewed as an element of the Business Continuity Plan (BCP) or  a step in the execution of Disaster Recovery (DR).  This is because RunBooks are written to assure that an equally skilled technician might step in and administer any system until such time that normal staffing and conditions apply.  RunBooks are a system current document with all the required information needed to understand how a service or system is kept running.  RunBooks are not project plans, and do not maintain information unless it is "in use" and a part of the working system.

A RunBook is used to verify and gather the location of all operational information. A production RunBook is evidence of documentation and control over a service or system.   It provides information on "how" to run procedures without necessarily providing background for the process.  RunBooks are detailed instructions that a user references when performing the process. 
On a per system instance, a RunBook can document a small set of operational procedures and reference various guidelines.  On a larger scale, a service oriented RunBook details the combination of systems and their dependencies in keeping a service available. This is a valid form of meeting both BCP and various other levels of compliance requirements.  Determining this requirement can be as follows:

Why Do RunBooks Focus On Service?

A RunBook is Service Oriented vs. single system oriented.  When documentation does not meet the requirements mentioned above, it is probable that listing the device in an inventory system is sufficient and further documentation is not required.
Where the availability of a critical or core business function depends upon the accurate working of interdependent systems, it is advisable to have a business owner who assures the current and complete Service RunBook.   As is true for any controlled system, the RunBook explains day to day system procedures, but additionally adds some or all of the following elements:

• Functional Overview
• Functional Overview Diagram
• List of Interfaces
• System Overview
• System Overview Diagram (s)
• Network Management Process
• Hardware
• Hardware Management Process

• Software Development and Release
• Third Party Vendor / Software Management
• Performance Monitoring Process
• Database Administration Process
• Quality Assurance
• Vendor Information
• Back Up Processes
• Disaster Recovery Process
• Security
• Problem Management
• Configuration Overview:
• Server/ HW/OS
• Application
• Database Configuration
• Daily cycle
• Fail-over
• Maintenance
• Troubleshooting and Error Messages
• Glossary
• List of files
• Financial Processes
• Test procedure

RunBooks bring visibility to an aggregation of documents and details that collectively support service availability or product delivery.

A RunBook is complete when its contents satisfy the mission of informing support engineer of necessary steps to maintain expected operating service.  RunBooks can be maintained as a word report that is output from a single database system or from a collection of systems.  The process for generating RunBook information can take many forms but the result must always be valid current procedures to operate and maintain service.  RunBooks are populated by both business owners and technology support personnel.

The RunBook processes assure many critical IT controls as defined by CobiT®  numbered  control process symbols.  Completing a RunBook satisfies the requirement known as Acquire and Implement, AI4 “Enable Operation and Use”.  To meet this control requirement is the most mutually rewarding aspect of information technology and audit.  The implementation of a well-tuned RunBook is to the benefit of both business and enterprise stakeholders across all areas of IT service.

“Knowledge about new systems needs to be made available. This process requires the production of documentation and manuals for users and IT, and provides training to ensure proper use and operations of applications and infrastructure.”

Sections following this point are summary by individual process areas and further detail the meaning of various operational functions.