Business Process Management
(On this page...OASIS - ABPM - EXBRL - Business Intelligence and more)
Process is infinitely more complicated than chocolate cake.
- We hope you'll view online training for IT Controls Documentation and review Facilitated Compliance Management™, detailed in the Process and Services Section of this site.
- Process Development Tracking via Facilitated Compliance Management™
- Implementation and Engagement Profiles show samples of how process work gets done
- Process Management Services offers more about what we do and "how"
For a live demonstration of Facilitated Compliance Management™, please REGISTER with Phoenix Business & Systems Process. PB&SP will contact you.
Leading Organizations and authority in Business Process Standards
- OMG is a not-for-profit consortium that produces and maintains industry specifications for interoperable enterprise applications (like real-time and safety-critical applications or embedded systems)
- Creates software standards that improve the process of developing complex applications while increasing return on investment
- Flagship specification is Model Driven Architecture (MDA), which models complex systems and helps companies future-proof their technology investment.
- Middleware platform is CORBA (Common Object Request Broker Architecture) – CORBA applications are composed of objects, individual units of running software that combine functionality and data, and that frequently represent something in the real world, like a shopping cart.
- CORBA’s emphasis is essentially object oriented programming: you define an object that is instantiated by a client; each object’s interface is defined very strictly, but the implementation is hidden (encapsulated) from the rest of the system. Clients access objects only through their advertised interface.
- Any company can join OMG and participate in its standards-setting process; each company, no matter the size, gets one vote.
- Markets for specifications include healthcare, robotics, life sciences, finance, security, and so much more
Be on the lookout for:
Upcoming Monthly Webinars:
Defensible Strategies
When firms become the subject of regulatory enforcement action, good intentions are no defense. Planning ahead for the worst-case scenario includes developing a strategy, similar to IT architecture, that guides investment and decision for each regulation. Based on the attributes of the regulations, firm, and market, this webinar will weigh the ROI and risk considerations for each proposed course of action, and the decisions often involve great uncertainty.
Topics will include:
- How to partner with competitors — legally — to develop compliance best practices
- How to develop a partnership between IT, Finance, and Legal to facilitate compliance
- Evaluating initiatives for sustainable ROI vs. defensible compliance
- The realities of Build vs. Buy for Compliance
The ROI of Compliance
This webinar will explore 2 critical aspects of IT compliance management:
- How to measure the financial returns that should be attributed to compliance initiatives.
- How to improve the ROI on compliance initiatives.
While some view compliance costs as a necessary drag on IT, like a tax, others are taking the view that resources allocated to compliance initiatives should be managed – and measured – like other projects. This webinar will first explore the issues of accurately measuring the financial impact of compliance projects. We will then consider best practices for reducing compliance cost and risk while enabling growth-oriented projects based on a flexible, compliance-oriented infrastructure.
Compliance Automation: Opportunities and Limits
IT professionals are facing unprecedented demands for data and process governance and security. Managing access to systems and data is not new, but the rigorous requirements mandated by recent legislation will force the use of new processes and products. This webinar presents an overview of the types of requirements that may be automated, and the types of problems that will still require manual intervention. The presentation is designed to help participants strike an appropriate balance between automated and manual processes to effectively mitigate compliance risks while controlling costs.
Dear Members of Regulatory Compliance Community,
What: OMG and ORCA Present: Exclusive Preview of the Compliance Global Regulatory Information Database (C-GRID™)
When: Tuesday, June 27, 2006, 10:00 a.m. – 1:00 p.m.
Where: Hyatt Harborside Hotel in Boston, Mass.
URL: http://www.omg.org/orca-cd
As Vice President of the OMG Regulatory Compliance Alliance (ORCA), I would like to invite you to attend an exclusive preview of our “Compliance Global Regulatory Information Database” (C-GRID™). The C-GRID has been developed as an open database of rules, regulations, standards, and government guidance documents that require IT action, and provides a survey of the regulatory climate around the world. The goal of this project is to provide the de facto compliance reference guide for global IT managers. This will be the first public demonstration of the C-GRID. As an attendee, you will be given a password to experience the C-GRID prior to its public release in Q3 2006. Complimentary lunch will be provided.
Just a bit of background information: OMG is an open membership, international organization of information system vendors, software vendors, and IT end-user companies. Through its members, the OMG produces and maintains specifications for interoperable software for the enterprise and Internet, for real-time and safety-critical applications, for embedded systems, and other networked environments. ORCA is an open community formed to identify and disseminate IT regulatory compliance resources for its members.
Please let me know if you would like more information or if you have any questions. We welcome you to register for this special event. You can register by visiting http://www.omg.org/orca-cd.
I look forward to seeing you at the event.
Regards,
Jeffrey S. Lichtenstein
Vice President, OMG Regulatory Compliance Alliance (ORCA™)
+1-781-444 0404
jefflich@omg.org
http://www.omg.org/orca-cd
OASIS STANDARD and ISO15000
- ebXML CPPA V 2.0
- ebXML MSG V 2.0
- ebXML RIM V 2.0
- ebXML RS V 2.0
Specifications
- ebXML BPSS
- ebXML CCTS
ebXML standards: http://www.ebxml.org/

The Association of Business Process Management Professionals is a non-profit, vendor independent professional organization dedicated to the advancement of business process management concepts and its practices.
ABPMP is practitioner-oriented and practitioner-led.
ABPMP has local chapters in several US areas and has many more forming in the US and internationally. Individuals wishing to participate who are not located near an existing local chapter are urged to investigate the feasibility of starting a chapter where they are located. While they are not affiliated with a local operating chapter, members will be part of the Members-At-Large chapter which has its own elected officers and participates in ABPMP activities as any other chapter would.
ABPMP is governed by an elected Board of Directors. Each chapter president is an ex-officio and voting member of the International Board of Directors. ABPMP has a Board of Advisors made up of some of the most well-known authors, practitioners and thought-leaders in the field. They are also volunteers and periodically offer the Board of Directors and chapters advice on the industry and how ABPMP can best serve its members.
About Process Engineering

Numbered items reflect CobiT® Control processes
Please consider reviewing the Facilitated Compliance Management design and documentation methodology for compliance controls mapped and customized business processes.


Workflow and Transaction Processing - "Business Intelligence"
- Active Endpoints
- BizTalk and Knet
- Bindview
- Documentum (www.documentum.com).
We offer a high-level set of requirements and thoughts:
Understanding the Workflow Requirement
The selection of a working and functional enterprise workflow solution is not possible without clearly defined expectations. There is a fundamental need for prerequisite understanding of the following:
- work that is to be flowed
- the nature of users that will participate in workflow
- the culture of the organization
- a fundamental understanding of how workflow will consume resources external to itself in order to accomplish assigned tasks
This understanding is independent of the decision to build or buy.
The 10,000 Foot View: Building for Success
For planning purposes, the workflow engine can be defined in terms of its interfaces; in other words, how it will plug into the enterprise. We don’t need to worry ourselves with how it works internally. A workflow engine can succeed if we:
- can meet its input and output requirements with supporting infrastructure
- can operate it
- can maintain it
Mission Creep: What the Workflow Engine is Not
A workflow engine is the orchestral conductor of whatever pieces of the enterprise have been entrusted to it. As such, it should not be used to perform the roles of the things it is conducting. For example, the workflow engine should not execute a provisioning task, but rather it should ask something else to perform the task. It should only concern itself with documenting and managing the abstract workflow of which this task is a part. It is important that the separation of roles is clear and distinct. This separation paves the way for real scalability and maintainability as a component within the enterprise.
Workflow cannot exist without process
Process requires that we:
- Define and concur on objectives, key business drivers, requirements and constraints
- Define roles and handoffs in the process
- Define process flow (current and desired)
- Define metrics to demonstrate progress toward objectives and key business drivers
- Identify technology and implementation plan to support and enforce the above
- Determine phases and pilot groups
- Define implementation plan (proposed SOW)
- Identify and assign implementation resources


See also: Making Process Real and Procedure Guidelines and Controls Documentation
Configuration Management and CMDB
- What we do, who we are, and how we operate are all a part of the CMDB. Anything that should be repeated is a legitimate candidate for a designated CI.
Robin Basham (see 10 Rules, or all I've figured out up to now is)
Policy Management and Content Management
Must-see products: We are giving you straight product text. Please use the product icon to go to their current site for more up-to-date information. We just think you should know who they are and what they sell.
[Their text, not ours] © BindView provides the best, most practical, and cost-effective solutions to help organizations manage policies and demonstrate compliance with new and evolving regulations. BindView’s extensive experience and built-in knowledge makes it possible for companies to translate the generalities of regulations into specific IT security controls that can be documented and enforced.
Define Policies — BindView helps you create or customize policies quickly and accurately using customizable policy templates and cross-referenced policy matrices, based on years of experience and expertise. You can then publish IT security policies across your entire enterprise in an automated and auditable manner.
Manage Compliance — BindView helps you translate regulations like SOX, HIPAA, GLBA and frameworks/standards such as COBIT, ISO 17799 or NIST into IT security controls that help you assess and demonstrate compliance. Security and compliance professionals can then document policies and procedures and demonstrate pass/fail adherence to specific controls, and implement remediation as appropriate.
Demonstrate Due Care - Using BindView standards and reporting, you can measure and monitor compliance with approved standards, providing evidence of due care to all stakeholders. Precise reports and analyses demonstrate compliance levels across all major operating systems, databases, applications, and directories.
PRODUCTS FOR Policy & Compliance Management: Policy Manager®, Compliance Manager, Decision Support Center, bv-Control®, bv-Admin® [end quote]
Unsolicited plug: Industry reputation for financial audits that used their products is well established with tremendously high and consistent marks.
[Their text, not ours] © Active Endpoints provides solutions that enable organizations to rapidly integrate their information systems, delivering powerful new composite, high-value applications. Our products are based on BPEL (Business Process Execution Language), the SOA standard for process orchestration.
We are the market leader for BPEL products and services. Our products are used by more customers and partners than any other BPEL technology. Using our solutions, organizations create nimble, scalable applications that drive new market opportunities, reduce operating costs and streamline services delivery.
Building upon Active Endpoints' heritage of software craftsmanship, we deliver world-class BPEL design tools, enterprise-level servers and a broad range of professional services. By supporting all key SOA standards, our solutions assure organizations that their technology investments will be interoperable, durable and portable. At Active Endpoints, we strive to offer technology partnerships that stand the test of time. [end quote]
Unsolicited plug: We had an engineer using their product with great success in under one month. Company implemented an application that is really amazing and extremely secure. Sorry, we can't say more than this.
While we were researching Open Source Initiatives, this company and news of their 8 million in recent VC could only indicate that they appear to be doing all the right things with very talented resources. We are watching "Alfresco Enterprise Content Management" © Alfresco
"Alfresco is the first open source enterprise-scale content management system with a modern content repository, an out-of-the-box portal framework for managing and using content designed to work with standard portals, and a groundbreaking Common Internet File System (CIFS) interface that provides Microsoft Windows file system compatibility. Built by founder of Documentum using a modern architecture that is easier to use, more scalable and more adaptable. Alfresco is perfect for providing enterprise and departmental portals, compliance applications or replacing uncontrolled shared file drives. Its standards-base allows you to use only the functionality you want or add new functionality with standard tools as requirements grow.
Alfresco is designed to be the open source alternative for enterprise content management. The open source model allows Alfresco to use best-of-breed open source technologies and contributions from the open source community to get higher quality software produced more quickly at much lower cost.
Our goal is to not only provide an open source offering but to surpass commercial offerings in terms of features, functionality and benefits to the user community. Alfresco is built by a team with 15 years experience in Enterprise Content Management (ECM), including the co-founder of Documentum.
- Enterprise Content Management (ECM)
- Document Management
- Collaboration
- Records Management
- Knowledge Management
- Web Content Management
- Imaging
The Benefits of Using Alfresco
Ease-of-Use
- Intelligent Virtual File System – As simple to use as a shared drive through CIFS, WebDAV or FTP
- Google-Like Search and Yahoo-Like Folder Browsing
Developer Productivity
- Aspect Oriented Rules Development through Simple-to-Use Wizards
- Rules and Actions Managed in the Server once for all Interfaces
Best-Practice Collaboration
- Pre-Configured Smart-Space Templates – Project Structure, Content, Logic, Lifecycles
- Forums – Threaded Discussions on Folders or Documents
Administrator Productivity
- Simple Server Install and No Client Install
- Advanced Content Security Management
Advanced Search/Knowledge Management
- Sophisticated Content, Attribute, Location, Object Type and Multiple Taxonomy/Category Search
Distributed Architecture
- Highly Scalable and Fault Tolerant Service Oriented Architecture
Open Source
- Dramatically Lower Cost
The cost, complexity and lack of portal integration of traditional ECM systems prevent them being rolled out to the enterprise successfully. End users turn to the shared drive for simplicity. This causes content to go uncontrolled, unaudited and undiscovered.
Alfresco have integrated state-of-the-art open source and Java technology such as Spring, Hibernate, Lucene, MyFaces, JSR-168, JSR-170 and web services into a simple-to-use, extensible, Enterprise Content Management (ECM) system. The intelligent repository provides out-of-the-box portal integration and full content control with integrated document management, security, document status and workflow. This allows Alfresco to turn your file system into a simple to use, compliant, auditable repository. [end quote]
Content management can only be successful where humans have order to their process. See PAL, the process asset library and Roles and Responsibilities for Document Asset Management
The Newsletter (please sign up for their letter at the NIST site)
NIST's Information Technology Laboratory recently published NIST Special Publication (SP) 800-83, Guide to Malware Incident Handling and Prevention: Recommendations of the National Institute of Standards and Technology. The guide assists organizations and users in planning and implementing security programs to prevent potential malware incidents and to limit damage from unforeseen incidents that might occur.
Written by Peter Mell of NIST and Karen Kent and Joseph Nusbaum of Booz Allen Hamilton, NIST SP 800-83 discusses the different types of malware and recommends prevention and incident handling techniques. The appendices provide additional resources on malware prevention and handling methods, and include detailed techniques and scenarios. A glossary of the many specialized terms used in the guide, a list of acronyms, and an extensive reference list of print and online resources are also provided. The publication is available in electronic format from NIST's website:
"Applying patches to systems is the most common way of mitigating known vulnerabilities in operating systems and applications. Patch management involves several steps, including assessing the criticality of the patches and the impact of applying or not applying them, testing the patches thoroughly, applying the patches in a controlled manner, and documenting the patch assessment and decision process. It is becoming increasingly challenging to deploy patches quickly enough to prevent incidents; the time from the announcement of a major new vulnerability that is a good candidate for malware-based exploitation to the release of malware targeting that vulnerability has decreased from months to weeks or days. Because it often takes weeks to test new patches properly, it is also often not possible or prudent to deploy patches organization-wide immediately. In some cases, it is safer to use other vulnerability mitigation techniques or threat mitigation instead of patching. In addition, even when a patch has been tested thoroughly and found to be acceptable, it is often challenging to ensure that it is applied to every vulnerable machine in the organization, particularly remote systems (e.g., telecommuters). Nevertheless, applying patches is one of the most effective ways of reducing the risk of malware incidents, and many instances of malware have succeeded because systems were not patched in a timely manner."
The term malware is used to describe malicious code and malicious software that are covertly inserted into an information technology (IT) system to compromise the confidentiality, integrity, or availability of the data, applications, or operating system, or to annoy or disrupt the system's owner. Malware incidents are a significant external threat to the security of many IT systems, often causing widespread damage and disruption, and forcing users and organizations to carry out extensive, costly efforts to restore system security.
Malware includes five categories of inserted programs: viruses, worms, Trojan horses, malicious mobile code, and blended attacks. Viruses and worms are usually designed to carry out their functions without the user's knowledge. Blended attacks use a combination of techniques to insert malicious programs. Malware also includes other attacker tools such as backdoors, rootkits, and keystroke loggers, and tracking cookies which are used as spyware. Spyware, when inserted into a user's system, threatens personal privacy and enables the attacker to monitor personal activities and to carry out financial fraud.
[...] More Information from the NIST Computer Security Resource Center at http://csrc.nist.gov/publications.
Contact Information: Elizabeth B. Lennon, Writer/Editor, Information Technology Laboratory
National Institute of Standards and Technology 100 Bureau Drive, Stop 8900 Gaithersburg, MD 20899-8900 Telephone (301) 975-2832 Fax (301) 975-2378
Regarding Ethics & Philosophy Resources, consider:
FMEA (information center) www.fmeainfocentre.com and
Nine Attributes of Good Ethics Policy NineAttributes
Can you identify this voice from the past?
"Beaver, go up to your room and document your processes."
"June, don't you think you're being a little hard on the boy?"
"Ward, he'll thank me when his boss puts him in charge of Sarbanes-Oxley compliance."
"Well, I always say a mother knows best. Got any of that great apple pie left over?"
In case your mother never taught you how...
If you know the answer... you can use this email to request our very own world-famous refrigerator magnet, stress test and quasi child thermometer.
Send to: make process bearable












