Where Does My Document Belong?
- \\...\PAL\IT Process Asset Library\
- Static Process versus Process Output (Evidence of Using Process)
- \\...\PAL\IT Work Product Library\
- Other Work Products and Controlled Documentation:
- Version Control versus VSS (Microsoft Visual SourceSafe)
- Test Scripts, Utilities and Event Tracking Systems
- Assets, Inventories and Configuration Baselines
- Controls and Key Controls
- Product, Application Development and Quality Templates
- Flow Diagram
How Do I Find Or Store My Document?
PAL\ IT Process Asset Library
Process documents are stored in the IT Process Asset Library (PAL).

\\...\PAL\IT PROCESS ASSET LIBRARY\
PAL\ IT Work Products
When Do I Need To Create A Work Product?
There are a variety of Word and Excel files used during the workday: spreadsheets used for analysis, client contact files, miscellaneous notes, and so on. These are not forms or procedures and remain in their respective locations on the network. Where a document or spreadsheet represents evidence of a process output, it is a "Work Product" and belongs in the functional work products directory. Not all data is work product. The test for whether information belongs in the work products area is a yes to the following question:
Is this the output of a template, process or form, and is it evidence that the process was followed?
Where Do We Keep Current And Archived Work Products?
\\...\PAL\IT WORK PRODUCT LIBRARY\

Figure 10. What are the work product folders?
The current inventory of folders and their contents is maintained by Process Engineering in \\...\PAL\IT Work Product Library\Process Engineering\PAL Folders.xls
Where Do I Find Reference, Benchmark and Industry Guidelines?
Methodology and standards documentation is maintained in the Standards and External Reference folder. Corporate Policy and Templates also reside at this level of the PAL. These folder locations allow for all personnel to have equal access to information used to support and design any process.

Figure 11. Standards and Reference folders
Other Work Products and Controlled Documentation:
Figure 13. How [other] artifacts are captured in system event logs and software design templates?
Version Control versus VSS (Microsoft Visual SourceSafe)
When Do I Use VSS?
Software development work products have particular control requirements that are satisfied through VSS (Visual SourceSafe). Because procedures for component-level code movement are highly specialized, development documentation is kept in VSS, a more stringent and restricted environment than the PAL. VSS is used to ensure document or code approval, version control and the ability to roll back. Where documentation and code require peer review and product management approval, VSS records status and review notes. Where more than one person may need to use or modify the same document, the VSS check-out and check-in process serializes edits and records who checked in each revision, which is the evidence of valid authorization for release.
How are software development artifacts captured in system event logs and software design templates?
Test Scripts, Utilities and Event Tracking Systems
What Is A Test Script Or Test Templates?
Programs, systems and releases have associated tests and test results. QA and Security maintain secured test plans and test results. Tests related to software quality are run from, and secured in, the [Name of Testing or Quality Assurance Application] application.
Security scripts and networking utilities are maintained in a secured location with the most restrictive access. By design, these items are neither visible nor accessible to the general user.
Where Do I Find QA Test Templates?
Test templates are maintained in the QA Process directory:
\\...\PAL\IT Process Asset Library\Quality Assurance\Template\
Security Program Test templates are maintained in the Security Management directory:
\\...\PAL\IT Process Asset Library\Security Management\Program Test Plans\
Assets, Inventories and Configuration Baselines
Networking devices, servers and application servers have both inventory and configuration control requirements. A configuration baseline is the minimum secure configuration applied to any device at build. Changes to the configuration beyond this point are associated with business requirements, product release and project management.
Where configuration records include IP addressing and other information that could be used to compromise network security, the information is not made available beyond the persons who support networking and [Name of core product or service] platform availability.
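A worked example of the baseline check described above, added here as an illustration; it is not part of the PAL's own tooling. It compares each device's observed settings with the build baseline, then reconciles every deviation against approved change records, so that drift with no matching record (the case the Network Change Identification Form exists to capture) is reported separately from drift that change management authorized. The baseline setting names, host names, observed values and ticket numbers are constructed for the example.

```python
"""Configuration-baseline drift check with change-record reconciliation.

Added example, not the PAL's own tooling. Setting names, hosts and ticket
numbers are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Deviation:
    host: str
    setting: str
    expected: str
    actual: Optional[str]  # None: the baseline setting is absent from the device


@dataclass(frozen=True)
class ChangeRecord:
    """An approved change, as change management would record it."""
    host: str
    setting: str
    new_value: str
    ticket: str


# Constructed baseline: the minimum secure configuration applied at build.
BASELINE = {
    "remote_admin.protocol": "ssh",
    "remote_admin.root_login": "disabled",
    "telnet.service": "disabled",
    "ssh.max_auth_tries": "3",
    "audit.logging": "enabled",
}

# Constructed observations, as a collection script would return them.
OBSERVED = {
    "app01": {**BASELINE, "hostname": "app01"},  # compliant; extra keys are ignored
    "app02": {
        "remote_admin.protocol": "ssh",
        "remote_admin.root_login": "disabled",
        "telnet.service": "enabled",      # approved under CHG-1042
        "ssh.max_auth_tries": "6",        # CHG-1051 approved 4, not 6
        # audit.logging is missing entirely and has no change record at all
    },
}

# Constructed change records.
APPROVED_CHANGES = [
    ChangeRecord("app02", "telnet.service", "enabled", "CHG-1042"),
    ChangeRecord("app02", "ssh.max_auth_tries", "4", "CHG-1051"),
]


def find_drift(host, observed, baseline=BASELINE):
    """Every baseline setting whose observed value differs from, or is missing
    against, the build baseline. Settings outside the baseline are not drift."""
    return [
        Deviation(host, setting, expected, observed.get(setting))
        for setting, expected in baseline.items()
        if observed.get(setting) != expected
    ]


def reconcile(deviations, changes):
    """Split drift into deviations covered by an approved change and those not.

    A record covers a deviation only if host, setting AND resulting value all
    match; a ticket that approved a different value does not authorize what is
    actually on the device.
    """
    covering = {(c.host, c.setting, c.new_value): c.ticket for c in changes}
    authorized, unauthorized = {}, []
    for d in deviations:
        ticket = covering.get((d.host, d.setting, d.actual))
        if ticket:
            authorized[d.setting] = ticket
        else:
            unauthorized.append(d.setting)
    return authorized, sorted(unauthorized)


def audit(observed_by_host, changes, baseline=BASELINE):
    """Per-host report. The 'unauthorized' entries are the changes that did not
    go through change control and belong on a Network Change Identification Form."""
    report = {}
    for host, cfg in observed_by_host.items():
        authorized, unauthorized = reconcile(find_drift(host, cfg, baseline), changes)
        report[host] = {"authorized": authorized, "unauthorized": unauthorized}
    return report


if __name__ == "__main__":
    for host, result in audit(OBSERVED, APPROVED_CHANGES).items():
        print(host, result)
```

The reconciliation keys on the resulting value, not merely on the existence of a ticket: in the sample, app02's `ssh.max_auth_tries` has an approved change to 4 but is observed at 6, so it is reported as unauthorized alongside the missing audit setting, while the telnet change is attributed to its ticket.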
When Do I Need To Create A Controlled Server Object?
Consider whether the following statements are true.

Figure 15. Should I document a controlled server in our system inventory database?
Where Are Devices Inventoried As Assets?
Controlled Server Records will reside in [Name of core product or service] but are currently staged in Facilitated Compliance Management.
Where Do I Find Server Control Records?
\\...\pal\Facilitated Compliance Management\Shortcut to Controlled Servers in Facilitated Compliance Management2000FCM.MAT [links are for example and are not enabled over the internet]

Figure 16. Controlled Server Form

Figure 17. Each controlled item has associated security exemptions and a standard OS and application build
Which Tools Store Server and Application Information?
The data center maintains a list of devices and tools or applications with their respective controls and resource owners. This information is maintained in Facilitated Compliance Management.
All systems, applications and tools are inventoried assets.
Where Is The List Of Tools And Tool Types?
Tools and Tool types are listed in the Tools and Tool Type table in the Facilitated Compliance Management2000FCM database. Servers and devices are recorded in the Controlled Server Form, located in the Facilitated Compliance Management database.
Controls and Key Controls (see Control Self Assessment Portal)
When Do I Need To Document A Control Object?
Control practices provide reasonable assurance that business rules exist and are optimized such that the negative impact of undesirable events is captured, responded to and mitigated. IT control is the right mixture of policies, procedures, practices and organizational structures that assure business objectives are met, while preventing, detecting or correcting any or all undesired events.
Control Definitions exist within each process and are an inherent feature in policy.
Control Over Process Is Demonstrated When It:
- Communicates Repeatable Intention
- Executes As Planned (Implementation Plan)
- Measures (Risk Measurement & Impact Analysis)
- Records (Management Reporting & KPI)
- Archives (Defined Data Retention)
Control Items Capture:
- Control Name
- Owner
- Control Method
- Automation or Manual
- Program
- Frequency
- Test Information
- Activity Definition
- Location of Test and Test Evidence
- Information Processing Objective
- Sequence ID and Key Tracking
For more information, review the section Document Elements: Flow Diagram, "Visio Shapes and Custom Properties for Evidence of Process Controls".
Where Are Controls Catalogued?
Controls are catalogued by Name, Associated Processes and Owners in Facilitated Compliance Management and in Technology's [Name of core product or service] system; the information is used for ongoing Control Self Assessment and Compliance Documentation. Controls are also identified within every Process Flow Diagram and Program Definition. Key Controls align to the CobiT framework and are visible on the CobiT Assessment form within Facilitated Compliance Management.

Figure 18. What Process Engineering, Auditors and Quality gather regarding corporate Key Controls
Figure 19. Process Diagrams call information from the Facilitated Compliance Management database. Key controls pull information from the Key Controls table.
Figure 20. Example of a Key Control

Figure 21. Key Controls Form
Where Do I Find The Form or Template?
http://www.COMPANY.com Technology-Controls (Login Required)
\\...\PAL\Templates\Internal Control Testing Template.dot
Product, Application Development and Quality Templates
| Object Name | Function | Owners | Approve Date |
| Change Committee Review Board | The Change Committee Review Board Template guides the completion of documentation for the purpose of enterprise or high priority/impact Change Management. | [Name of Chief Technology Officer] | |
| Change Review Board Checklist | Checklist identifies validation items before a change control can be approved or closed. | | |
| Emergency Deployment Authorization | Emergency code change requires written approval by Quality, Development and the CTO. The Emergency Deployment form represents signed approval by all necessary parties and is submitted to Network or Data Center Operations prior to emergency deployment of code to production. Emergency change is subject to Change Management policy and is reviewed prior to and after change implementation. | [Name of Chief Security Officer] | |
| High Level Test Plan | Template is used to document high level aspects of a test plan. | [Name of Chief Technology Officer], [Name of Quality Assurance Manager] | |
| ICQ Physical Security | Template is used to generate a new unique instance of ICQ Physical Security. Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\IT Process Asset Library\Process and Procedures\Security Management\Template\ folder. | [Name of Chief Security Officer], [Name of Chief Technology Officer] | |
| ICQ Security Policy | Template is used to generate a new unique instance of ICQ Security Policy. Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\IT Process Asset Library\Process and Procedures\Security Management\Template\ folder. | [Name of Chief Security Officer], [Name of Chief Technology Officer] | |
| Implementation Planning Template | Provides the documentation format for an implementation. | [Name of Process Librarian] | |
| Internal Control Testing Template | Template is used to document all aspects of testing an internal control. | [Name of Process Librarian] | |
| Meeting Agenda and Minutes.dot | | [Name of Process Librarian] | |
| Meeting Form Letter | This letter is linked in console as a template. | [Name of Process Librarian] | |
| Meeting Minutes Template.dot | | [Name of Process Librarian] | |
| Network Change Identification Form | Template is used when changes and/or security violations are found on the network, to systems, or to servers that did not go through the formal change control process. | [Name of Chief Security Officer] | |
| Policy Profile | | | |
| Process Profile Template | Template is used to document all areas of a process. | [Name of Process Librarian] | |
| Program Profile Template | Template is used to document all areas of a program. | [Name of Process Librarian] | |
| Project Charter | Template is used to document the scope, assurance and resources of a project. | [Name of Process Librarian] | |
| Project Plan Definition | Template is used to document all areas of a Project Plan. | | |
| QA Planning Kickoff Check List | Template is used to guide the documents and tasks needed prior to QA Planning. | | |
| Request For Exemption | Template is used to document all areas of risk associated with a requested exemption. | [Name of Chief Security Officer] | June 23, 2005 |
| Request For Removal of Media | Template is used to generate a new unique instance of the Request For Removal of Media Template. Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\IT Process Asset Library\Process and Procedures\Security Management\Template\ folder. | [Name of Chief Security Officer], [Name of Chief Technology Officer] | |
| Requirements Completeness Checklist | Template is used to guide review of requirements to assure completeness across all areas. | [Name of Product or Project Management Director] | |
| Risk Criteria | Template is used to generate a new unique instance of the Risk Criteria Template. Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\IT Process Asset Library\Process and Procedures\Security Management\Template\ folder. | | |
| RunBook Security Section What to Describe | Template is used to generate a new unique instance of the RunBook Security Section What to Describe Template (for financial/high risk servers). Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\IT Process Asset Library\Process and Procedures\Security Management\Template\ folder. | [Name of Chief Security Officer], [Name of Chief Technology Officer] | |
| Secure Email and File Transfer | Template is used to document electronic security regarding email and file transfer. | [Name of Chief Security Officer] | |
| Security Infrastructure Plan | The purpose of the Security Infrastructure Plan is to establish strategic, tactical and annual information security plans for COMPANY. | [Name of Chief Security Officer] | |
| Security Program and Program Test Profile | Template is used to generate a new unique instance of the Security Program and Program Test Profile Template. Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\IT Process Asset Library\Process and Procedures\Security Management\Template\ folder. | | |
| Situation Evaluation Form | Template is used to capture and fully develop and analyze security risks. | [Name of Chief Security Officer] | |
| Software Requirement Specifications Template | Template is used to document all requirements for software. | Thom Gray, [Name of Product or Project Management Director] | |
| RunBook Template | The RunBook or System Documentation book contains the information necessary to run and maintain a core business system. In the event of an emergency staffing change, this document guides a new employee through the support of the system. | | |
| System Operational Requirement | Template is used to document all operational requirements for a system. | | |
| Test Plan Template | Template is used to document all areas of a Test Plan. | | |
| User Access Program Checklist | Template is used to generate a new unique instance of the User Access Controls Work Program Template. Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\IT Process Asset Library\Process and Procedures\Security Management\Template\ folder. | [Name of Chief Security Officer], [Name of Chief Technology Officer] | |
| Employee Warning Notice | Template is used to warn an employee when they do something inappropriate and to describe how to improve. | | |
| Job Analysis Questionnaire | The Job Analysis Questionnaire template is used to describe an employee's responsibilities and duties, among other things. | | |
| Job Description Template | Template is used to provide a brief description of the general nature of the position, an overview of why the job exists, and what the job is to accomplish. | | |
| [Name of core product or service] R# Internal Release Notes | The purpose of these release notes is to describe the feature enhancements and fixes that were included in [Name of core product or service] Release ###. | | |
Which Tool Stores Process and Work Instruction information?
Process Engineering manages a list of all Work Instructions and Processes in the Facilitated Compliance Management Object table. There are a variety of reports that summarize the function for all processes as well as provide an overview of all process flow diagrams.
Figure 22. Facilitated Compliance Management provides summary reports for many object types
When Do I Use A Flow Diagram?
Flow Diagrams are developed to provide a high-level summary of the steps in any process or procedure. They are "high level", not vague. Controls are also listed in Flow Diagrams, further demonstrating the constraints that either prevent error or reinforce correct movement. Key control template objects are created by Process Engineering in response to the controls currently in scope for audit; these items detail all aspects that control a process. Following are my favorite choices for simple Process Objects and some suggestions for using Visio to capture and automate their properties.

See or download "Sample of A Business Process" in Word 2003 (please virus scan all downloads)
Visio Shapes and Custom Properties for Evidence of Process Controls
[shape images not reproduced; the custom properties each shape carries are listed below]
- Document Title, Scope, Revision, Release Date, Editors, Affirmation Team
- Reference to other process documents and to full processes outside the scope of the current document.
- Identifies process activity, noting control issues and potential gaps, owners and event sequence.
- Decision point and criteria for movement.
- Grouping allows representation of simultaneous events.
- Loop limits usually reflect key controls.
- Data Management: what data is used, how it is classified, retained, transferred and accessed.
- List of external documents used to complete the process, status of use in controls evidence, creation frequency and description of use. Sequence is always 9.9 so that all data sources are clustered at the bottom of the process report.
- Exit and entrance criteria for movement from one activity to the next. Where the criteria for movement are monitored by a system and are critical to control activity, this should be filled in; where this is true, there would be an expected control.
- Trigger and exit criteria.
Acronym Glossary and Definitions
| Term or Acronym | Definition |
| Approver | An individual who reviews the change to ensure the integrity and reliability of the document and grants approval for the document to be posted. |
| Document Owner | Manager designated as having ownership of all documents associated with the production system and, thereby, having the authority to change it. |
| Dual control | Two people are required for an important activity to be accomplished. |
| Employee | Person, including contractors and temporary staff, who has been granted access to ARL resources. |
| Owner | Manager of a department or business unit responsible for production processes, systems, applications, platforms or users. In accordance with Information Security policies and standards, owners determine the level of sensitivity and confidentiality of their information. As such, they determine changes, access and dissemination of their information. |
| Activity | An element of work performed during the course of a project. An activity normally has an expected duration. |
| CISA | Certified Information Systems Auditor |
| CobiT | The COBIT (Control Objectives for Information and Related Technology) framework was released in 1996 and updated in 1998 and 2000 by the Information Systems Audit and Control Foundation (ISACF) in response to the need for a reference framework for security and control in information technology. In 2000, the IT Governance Institute and ISACF developed the Management Guidelines for COBIT. These guidelines respond to a need by Management for control and measurability of IT, for the purpose of ensuring that IT activities achieve business objectives. |
| Control | The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. |
| Document or Source Document | A sample document that adheres to the criteria necessary for completion of a process and includes the essential contents defined in the template. |
| Function | A group of related actions contributing to a larger action. Security Policy, Access Control and Perimeter Security represent security functions. |
| IT Control Objective | A statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity. |
| ITIL | Information Technology Infrastructure Library |
| Process | A series of tasks that transform inputs into desired outputs. The term procedure is sometimes used interchangeably with process in this methodology. Administer Accounts, Perform Risk Assessment, Audit Perimeter Security and Install Hardware are examples. |
| Process Management Architecture | A high level description of the system that provides a fully integrated Knowledge Base [of process information]. The Knowledge Base in turn provides control of process change and access to all processes and procedures. |
| Task | A task is a specific action performed as part of a process. Disable accounts, Interview Network Manager, and run Crack on the Unix machine are examples of security tasks. |
| Template | A skeleton document, spreadsheet, or graphic presentation that represents the essential requirements for deliverable content. |
Comprehensive Glossary of all Corporate Terms

PB&SP Actual Glossary has over 5000 terms.
Related Documents
The COBIT (Control Objectives for Information and Related Technology) framework was released in 1996 and updated in 1998 and 2000 by the Information Systems Audit and Control Foundation (ISACF) in response to the need for a reference framework for security and control in information technology. In 2000, the IT Governance Institute and ISACF developed the Management Guidelines for COBIT. These guidelines respond to a need by Management for control and measurability of IT, for ensuring that IT activities achieve business objectives. http://www.isaca.org/cobithorizon.htm
The IT Infrastructure Library, ITIL®, is a series of documents that are used to aid the implementation of a framework for IT Service Management (ITSM). This framework defines how Service Management is applied within specific organizations. Being a framework, it is completely customizable for application within any type of business or organization that has a reliance on IT infrastructure. http://www.itil-itsm-world.com/
Project Management Skill and Knowledge Requirements in an Information Technology Environment (ISACA). http://www.pbandspcom/security/ProcessProject/projectmanagement.pdf
A Guide to the Project Management Body of Knowledge (PMBOK® Guide), 2000 Edition, Project Management Institute, Inc.
Six Sigma Project Management: A Pocket Guide, Jeffrey N. Lowenthal, PhD (American Society for Quality; Spiral edition, August 1, 2001)
Risks and Associated Controls (SAMPLE)
| Significance (Likelihood * Impact) | Risk Item | Control | How implemented and actual review schedule |
| 2 * 5 | [RiskWatch id here] | Authorization | PAL infrastructure is carefully managed by Process Engineering, with administrative controls as provided within Windows 2000 Server and as enforced by the data owners. |
| 1 * 5 | [RiskWatch id here] | Configuration/Account Mapping Controls | Security is managed by Network or Data Center Operations and is enforced by Process Engineering and the Data Owner. |
| 2 * 5 | [RiskWatch id here] | Interface/Conversion Controls: data integrity (data is not changed or manipulated) and security (no one can access it). Interface/conversion controls cover data management (date/time stamps, file names), processing (no missing, duplicate or redundant data, to ensure completeness and accuracy), validation/reconciliation (on-line edits, batch totals), and the detection and correction of exceptions and errors. | When data cannot be altered without an explicit audit trail and approval, it is managed in VSS. When code or documentation appears changed, VSS allows for review of the edits and roll back. Data integrity in code is assured via the promotion-to-production process, where code is tested in the Quality environment and then approved for movement. |
| 3 * 5 | [RiskWatch id here] | Key Performance Indicators (KPIs): Periodic review by Process Engineering enforces the goal of having processes documented for all management functional areas. Where information indicates a need for process optimization, Process Engineering notes this requirement and reviews timely completion of the required process change. Process Engineering also catalogues, reviews and guides process development and collection. There is a risk that Management may fail to assure that procedures are finished in a timely manner or that existing processes are not routinely reviewed to ensure their validity or usability. | The PAL XLS and the inventories within the Facilitated Compliance Management database give the Process Engineering team visibility of key performance of process items as required for SAS 70 audit and as agreed upon by department owners. |
| 1 * 1 | [RiskWatch id here] | Segregation of Duties (SOD) | Reconciliation of existing rights within the PAL to rights as designed and approved by department owners demonstrates that persons who should not have access to documentation types are segregated. Roles in the approval process deny persons authority to review and approve their own work. |
| 2 * 5 | [RiskWatch id here] | Risk of accidental or intentional distribution of classified private and/or sensitive information | Documentation practice - are all control activities that make the likelihood of this risk negligible. Each business or management functional owner has access to modify contents inside their own area but cannot modify files outside their Process domain. Remaining risks are file shares that still require review for misplaced content. |
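A worked example of the two checks described in the Segregation of Duties and distribution-risk rows above, added here as an illustration; it is not the PAL's own tooling. It expands a rights policy (each functional owner group may modify only its own management-function folder, Process Engineering administers every folder, everyone else reads) into the approved access set, compares that with observed ACL entries to find excess and missing rights, and flags approvals where author and approver are the same account. The share root, group names, observed ACL entries and approval log are constructed for the example.

```python
"""Reconciliation of effective PAL share rights against the approved rights
matrix, plus an author/approver separation-of-duties check.

Added example, not the PAL's own tooling. The share root, group names, the
observed ACL entries and the approval log are constructed for illustration.
"""
from collections import defaultdict

ROOT = r"\\fileserver\PAL\IT Process Asset Library"   # constructed share root

# Constructed policy: each functional owner group may modify only its own
# management-function folder; Process Engineering administers every folder;
# all other staff get read access only.
OWNER_GROUPS = {
    "Backup and Recovery": "GRP-BackupOwners",
    "Change Management": "GRP-ChangeOwners",
    "Security Management": "GRP-SecurityOwners",
}
ADMIN_GROUP = "GRP-ProcessEngineering"
EVERYONE = "Domain Users"

RANK = {"Read": 1, "Modify": 2}          # Modify implies Read
NAME = {rank: right for right, rank in RANK.items()}


def approved_aces():
    """Expand the policy into the (folder, principal, right) entries that should exist."""
    aces = []
    for function, group in OWNER_GROUPS.items():
        folder = f"{ROOT}\\{function}"
        aces += [(folder, group, "Modify"), (folder, ADMIN_GROUP, "Modify"), (folder, EVERYONE, "Read")]
    return aces


def effective(aces):
    """Collapse ACEs to the strongest right each principal holds on each folder."""
    eff = defaultdict(int)
    for folder, principal, right in aces:
        key = (folder, principal)
        eff[key] = max(eff[key], RANK[right])
    return eff


def reconcile(observed_aces, approved=None):
    """Return (excess, gaps): principals holding more than approved on a folder,
    and approved rights that are missing. Excess on a Confidential folder is the
    finding that matters; a gap means an owner cannot maintain their own area."""
    want = effective(approved_aces() if approved is None else approved)
    have = effective(observed_aces)
    excess, gaps = [], []
    for key in sorted(set(want) | set(have)):
        h, w = have.get(key, 0), want.get(key, 0)
        if h > w:
            excess.append((key[0], key[1], NAME[h]))
        elif h < w:
            gaps.append((key[0], key[1], NAME[w]))
    return excess, gaps


# Constructed observed ACEs, as an ACL dump of the share would list them.
OBSERVED_ACES = [
    (f"{ROOT}\\Backup and Recovery", "GRP-BackupOwners", "Modify"),
    (f"{ROOT}\\Backup and Recovery", ADMIN_GROUP, "Modify"),
    (f"{ROOT}\\Backup and Recovery", EVERYONE, "Read"),
    (f"{ROOT}\\Change Management", "GRP-ChangeOwners", "Modify"),
    (f"{ROOT}\\Change Management", ADMIN_GROUP, "Modify"),
    (f"{ROOT}\\Change Management", EVERYONE, "Read"),
    (f"{ROOT}\\Change Management", "GRP-BackupOwners", "Modify"),  # write outside own domain
    (f"{ROOT}\\Security Management", "GRP-SecurityOwners", "Modify"),
    (f"{ROOT}\\Security Management", EVERYONE, "Modify"),          # everyone can write
    # Process Engineering's Modify on Security Management is absent: a gap
]

# Constructed approval log: (document, author, approver).
APPROVAL_LOG = [
    ("Change Management\\Process and Procedure\\Emergency Deployment.doc", "jsmith", "cto"),
    ("Security Management\\Program Test Plans\\User Access Test.doc", "ngarcia", "NGarcia"),
]


def self_approvals(log):
    """Documents where the approver is the author; the approval role must deny this."""
    return [doc for doc, author, approver in log if author.lower() == approver.lower()]


if __name__ == "__main__":
    excess, gaps = reconcile(OBSERVED_ACES)
    print("excess:", excess)
    print("gaps:", gaps)
    print("self-approved:", self_approvals(APPROVAL_LOG))
```

Rights are compared by strength rather than by literal ACE match, so "Domain Users: Modify" on a folder approved for Read is reported as excess rather than as a missing Read plus an unexplained Modify, and the account comparison is case-insensitive because Windows principals are. On a live share the observed list would come from an ACL dump of each management-function folder.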
Process "Piece of Cake!"
Now can you ask and answer the question: "What Type of Document Should I Write?"
Example of PAL Contents - File Location, Description of Use
| Management\Function Folder | Document Type Subfolders | Content Description | Subfolders allowed | Classification | |
| Backup and Recovery | |||||
| Backup and Recovery | Flowcharts | Backup and Recovery Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. | No | Confidential | |
| Backup and Recovery | Process and Procedure | Backup and Recovery Process and Procedure folder contains process profile documentation. | No | Confidential | |
| Backup and Recovery | Program Definition | Backups and Recovery Program Definition folder contains program profile documentation. | No | Confidential | |
| Backup and Recovery | Template | Backup and Recovery Template folder contains shortcuts to approved templates and forms as required for this management function. | No | Confidential | |
Change Management |
|||||
| Change Management | Flowcharts | Change Management Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. | No | Confidential | |
| Change Management | Process and Procedure | Change Management Process and Procedure folder contains process profile documentation. | No | Confidential | |
| Change Management | Program Definition | Change Management Program Definition folder contains program profile documentation. | No | Confidential | |
| Change Management | Template | Change Management Template folder contains shortcuts to approved templates and forms as required for this management function. | No | Confidential | |
Configuration Management |
|||||
| Configuration Management | Flowcharts | Configuration Management Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. | No | Confidential | |
| Configuration Management | Process and Procedure | Configuration Management Process and Procedure folder contains process profile documentation. | No | Confidential | |
| Configuration Management | Program Definition | Configuration Management Program Definition folder contains program profile documentation. | No | Confidential | |
| Configuration Management | RunBook CMDB | Configuration Management RunBook CMDB folder contains RunBook process and guidelines. | Temporary/ Until all data is moved to database | Confidential | |
| Configuration Management | Module Configuration | Configuration Management Solutions Development-Client Configuration folder contains program profile documentation. This is limited to the area of Master Template configuration guidelines | Subfolder as needed | Confidential | |
| Configuration Management | Template | Configuration Management Template folder contains shortcuts to approved templates and forms as required for this management function. | No | Confidential | |
Human Resources |
|||||
| Human Resources | Flowcharts | Human Resources Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. | No | Confidential | |
| Human Resources | Process and Procedure | Human Resources Process and Procedure folder contains process profile documentation. | No | Confidential | |
| Human Resources | Program Definition | Human Resources Program Definition folder contains program profile documentation. | No | Confidential | |
| Human Resources | Template | Human Resources Template folder contains shortcuts to approved templates and forms as required for this management function. | No | Confidential | |
Network Management |
|||||
| Network Management | Architectures | Architecture as Diagrams, long term strategic IT Vision, infrastructure planning and technical documentation. | Subfolder as needed | Sensitive |
|
| Network Management | Flowcharts | Network Management Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. | No | Confidential | |
| Network Management | Process and Procedure | Network Management Process and Procedure folder contains process profile documentation. | No | Confidential | |
| Network Management | Program Definition | Network Management Program Definition folder contains program profile documentation. | No | Confidential | |
| Network Management | Template | Network Management Template folder contains shortcuts to approved templates and forms as required for this management function. | No | Confidential | |
Performance Management |
|||||
| Performance Management | Flowcharts | Performance Management Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. | No | Confidential | |
| Performance Management | Process and Procedure | Performance Management Process and Procedure folder contains process profile documentation. This area includes database process optimization. | No | Confidential | |
| Performance Management | Template | Performance Management Template folder contains shortcuts to approved templates and forms as required for this management function. | No | Confidential | |
Process Engineering Management |
|||||
| Process Engineering Management | Flowcharts | Process Engineering Management Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. | No | Confidential | |
| Process Engineering Management | Process and Procedure | Process Engineering Management Process and Procedure folder contains process profile documentation. | No | Confidential | |
| Process Engineering Management | Process Profile | Process Engineering Management Process Profile folder contains program profile documentation. | No | Confidential | |
| Process Engineering Management | Template | Process Engineering Management Template folder contains shortcuts to approved templates and forms as required for this management function. | No | Confidential | |
| Product Management | |||||
| Product Management | Flowcharts | Product Management Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. | No | Confidential | |
| Product Management | Process and Procedure | Product Management Process and Procedure folder contains process profile documentation. | No | Confidential | |
| Product Management | Program Definition | Product Management Program Definition folder contains program profile documentation. | No | Confidential | |
| Product Management | Template | Product Management Template folder contains shortcuts to approved templates and forms as required for this management function. | No | Confidential | |
| Quality Assurance | | | | | |
| Quality Assurance | Flowcharts | Quality Assurance Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. | No | Confidential | |
| Quality Assurance | Process and Procedure | Quality Assurance Process and Procedure folder contains process profile documentation. | No | Confidential | |
| Quality Assurance | Program Definition | Quality Assurance Program Definition folder contains program profile documentation. | No | Confidential | |
| Quality Assurance | Template | Quality Assurance Template folder contains shortcuts to approved templates and forms as required for this management function. | No | Confidential | |
| Security Management | | | | | |
| Security Management | Flowcharts | Security Management Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. | No | Confidential | |
| Security Management | Process and Procedure | Security Management Process and Procedure folder contains process profile documentation. | No | Confidential | |
| Security Management | Program Profiles | Security Management Program Profiles folder contains program profile documentation. | No | Confidential | |
| Security Management | Program Test Plans | Security Management Program Test Plans folder contains security specific program control test plans. | No | Confidential | |
| Security Management | Template | Security Management Template folder contains shortcuts to approved templates and forms as required for this management function. | No | Confidential | |
| Software Development | | | | | |
| Software Development | Flowcharts | Software Development Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. | No | Confidential | |
| Software Development | Process and Procedure | Software Development Process and Procedure folder contains process profile documentation. | No | Confidential | |
| Software Development | Program Profiles | Software Development Program Profiles folder contains program profile documentation. | No | Confidential | |
| Software Development | Template | Software Development Template folder contains shortcuts to approved templates and forms as required for this management function. | No | Confidential | |
| Standard Operation Procedures | | | | | |
| Standard Operation Procedures | Forms | | No | Confidential | |
| Standard Operation Procedures | General Use Flowcharts | Standard Operation Procedures General Use Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. | No | Confidential | |
| Standard Operation Procedures | RunBook | Output of the RunBook Database is a paper copy of the RunBook. RunBooks live in the database, but a single paper copy may be posted here as SAS70 summary evidence. This folder could also be removed. | No | Confidential | |
| Standard Operation Procedures | SOP By Domain | Standard operating procedures are any set of directions used to maintain or operate any production system. | Folders are preset; add one if an area is needed | Confidential | |
| Standard Operation Procedures | …\Citrix …\Desktop …\LAN Access Distribution …\Oracle DB …\Oracle Server …\SQL Server …\Unix …\VPN …\WAN Backbone …\WINTEL | Each folder is a holding place for short instructions related to the maintenance and care of a technology type. If a person creates any work instructions, whether in email or as a Word file, this is the place to store a record of the work so that the SOP does not have to be created again. An SOP is less strict than a process in that the owner of the technology maintains their current instructions and does not require approval to add to their folder. The manager is responsible for ensuring that any high-risk process is documented and that the process could be followed by a person of equal skill if the primary support staff were not available. | Subfolders as needed for specific servers and systems. | Sensitive | |
| Standard Operation Procedures | Template | Standard Operation Procedures Template folder contains shortcuts to approved templates and forms as required for this management function. | No | Confidential | |
| Support Management | | | | | |
| Support Management | Flowcharts | Support Management Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. | No | Confidential | |
| Support Management | Process and Procedure | Support Management Process and Procedure folder contains process profile documentation. | No | Confidential | |
| Support Management | Program Definition | Support Management Program Definition folder contains program profile documentation. | No | Confidential | |
| Support Management | Template | Support Management Template folder contains shortcuts to approved templates and forms as required for this management function. | No | Confidential | |
| IT Work Product Library | | | | | |
| Change Management | | | | | |
| Change Management | Production Release and Change Review Meetings | This area will be relocated to RiskConsole once the Change Management program is operational. | No | Confidential | |
| Change Management | …\Agendas …\Meeting Minutes | Change requests and change review meeting records | No | Confidential | |
| Network or Data Center Operations Planning and Infrastructure | | | | | |
| Network or Data Center Operations Planning and Infrastructure | Infrastructure Planning | Documentation pertaining to infrastructure planning and development including any current projects. This area will support numerous project specific subfolders. | No | Confidential | |
| Network or Data Center Operations Planning and Infrastructure | …\patch | Create a folder for each infrastructure item and keep all planning for that change or project in the folder. | Subfolder on a per-project basis | Confidential | |
| Network or Data Center Operations Planning and Infrastructure | Performance Management | Output of monitoring performance, shows evidence of monitoring activity | Sub folder on a per monitoring area as needed | Confidential | |
| Process Meeting Minutes | | | | | |
| Process Meeting Minutes | Meeting Minutes and Review Planning | Meeting Minutes and approvals for Process Engineering team and program | No | Confidential | |
| Product Management | | | | | |
| Product Management | Meetings | Meetings pertaining to any release are captured and stored here | No | Confidential | |
| Product Management | Project Planning | Release tasks by release and other evidence of project structure | No | Confidential | |
| Product Management | Requirements | The current list of requirements belongs in VSS, but this location is an evidence pointer showing the requirements in play and in the recent past. This folder should hold a shortcut to the actual location in VSS, and someone should be available to walk the auditor through those folders. | No | Confidential | |
| Product Management | [Company Core Product or Service] Release Notes | Past and current release notes, evidence folder | No | Confidential | |
| Product Management | Module Configuration | Output of planning for Master Template service related tasks. | Subfolder as needed | Confidential | |
| Product Management | Status Reports | Staff reports to managers regarding work activity | | Sensitive | |
| Product Training | | | | | |
| Product Training | [Company Core Product or Service] User Guide-External | Product training output/ evidence folder | No | Confidential | |
| Product Training | [Company Core Product or Service] User Technical Guide-Internal | Product training output/ evidence folder | No | Confidential | |
| Quality Assurance | | | | | |
| Quality Assurance | Quarterly Reports | Documentation pertaining to infrastructure planning and development including any current projects. This area will support numerous project specific subfolders. | Subfolders created by quarter as needed | Confidential | |
| Quality Assurance | [Company Core Product or Service] QA Testing By Release | Test planning documentation and a link to the current tests in TestDirector. This is a "pointer file" used to assist the auditor in finding the evidence. | Subfolders are not limited. This is a place to store in-process work. | Confidential | |
| Quality Assurance | Test Output | Used to gather the Internal Controls Testing Plans and the most current snapshot of testing as used for evidence in the upcoming SAS 70. The actual testing information must reside in its secure location within TestDirector. This is an output for evidence purposes only. | Subfolders limited to the Internal Control Testing program | Confidential | |
| Quality Assurance | fs02 main Quality Assurance | The QA folder on FS02 Main should be relocated to the process and work product areas. | | Confidential | |
| Release-Software Development | | | | | |
| Release-Software Development | Release Plan-Evidence Copy for current review cycle | Documentation in VSS must remain in VSS. This is a pointer file and demonstration of current content on current release. VSS link should be here. | No | Confidential | |
| Release-Software Development | Release Request | Email outtakes and meeting notes where a release related activity is requested. Release requests live in DevTrack, but can start as emails or notes. This is where the document record is stored. All details would show up as a DevTrack ID. | No | Confidential | |
| Release-Software Development | [Company Core Product or Service] | Design Specifications from VSS are here as process evidence and are read only. This is a placeholder for audit data. Auditor should not be in VSS clicking through directories as this would raise issues around items that are out of date. Better strategy is to put what we want to show here. | No | Confidential | |
| Security Management | | | | | |
| Security Management | Exemption Requests | Business requests for policy exceptions based on the need to maintain operations within given technology constraints. All exemptions should also be logged in a table where the CSO can maintain visibility on such items. RC is a good candidate for this, especially as tied to the Risk area. | No | Sensitive | |
| Security Management | ...\Situation Evaluation Forms | Output of situation review and decisions based on exceptions to policy. | No | Sensitive | |
| Security Management | Meeting Notes and Incident Review Records | Meeting notes from any security meeting or incident response meeting | No | Sensitive | |
| Security Management | ...\ Agendas …\Minutes | A file-name format that shows Security, the date and the meeting type is recommended. Agendas can be a placeholder for meeting plans; meeting minutes are just meeting minutes. | No | Sensitive | |
| Security Management | Program Policy Approval | Email outtakes and copies of documents indicating approval to implement security programs. I have a concern about storing electronic images of signatures and request that files state that the signature is locked in a file. | Straight evidence folder / No | Sensitive | |
| Security Management | Security Infrastructure and Program Planning | Infrastructure planning documents and information related to the planning of any security program. | Create a subfolder for any program. | Sensitive | |
| Security Management | …\Awareness | Awareness program documents, including planned presentations and documents for the development of the program | Subfolder as needed | Sensitive | |
| Security Management | Test Output | DS5-related internal control test plans and output | One folder per program tested | Sensitive | |
| Security Management | Tracking and Reconciliation Reports | Output of security scans and processes. | Subfolder as needed | Sensitive | |
| Security Management | …\Tools ….\...\Last Login Scripts …\...\...\pbandsp Domain …\...\...\Company Domain | Evidence of security monitoring activity | Subfolder as needed | Sensitive | |