TRANSCRIPT
Confidential
THIS DOCUMENT CONTAINS PROPRIETARY INFORMATION, WHICH IS PROTECTED BY COPYRIGHT. ALL RIGHTS RESERVED. NO PART OF THIS DOCUMENT MAY BE PHOTOCOPIED, REPRODUCED OR TRANSLATED TO ANOTHER LANGUAGE WITHOUT THE PRIOR CONSENT OF QUINT WELLINGTON REDWOOD ACADEMY, AMSTERDAM
© Copyright 2003 Quint Wellington Redwood Academy
IT Compliance With Sarbanes-Oxley
Through an IT Process Oriented Best Practices Framework (ITIL) and an Integrated Process Workflow Model (IPW)
Dr. Charles Newman, [email protected], 305-608-6340
Compliance Framework
A Compliance Framework is a set of internal controls for managing organizations.
The Compliance Framework is part of a compliance architecture, which also includes technology controls.
ITIL
ITIL (IT Infrastructure Library) is the most widely accepted approach to IT Service Management in the world.
• It provides a cohesive set of well defined best practices, drawn from the public and private sectors internationally.
• It is supported by a comprehensive qualification scheme, accredited training organizations, and implementation and assessment tools.
ITIL according to Gartner
• Base for driving performance and quality improvements in the service management domain.
• Can be an integral part of a wider quality initiative by combining it with other frameworks such as CMM, CobiT or Six Sigma.
• Companies need an objective assessment of their current and target ITIL process capability to understand what they are trying to achieve.
The Role of ITIL
When applied to Sarbanes-Oxley IT Control Compliance,
in a manner consistent with the overall COSO and COBIT
frameworks, ITIL gives companies a proven, practical,
highly focused solution for assessing, building and
continuously improving a tightly controlled IT
environment.
It specifically deals with the “how” as well as the “what”
for implementing IT Controls.
Mapping of ITIL processes to COBIT areas and COSO components. The COSO components are Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring; each ● in the last column marks one COSO component covered by that COBIT area, as in the original slide.

| ITIL Process | COBIT Area | COSO components marked |
| Plan and Organize (IT Environment) | | |
| | IT strategic planning | ● ● ● ● |
| | Information architecture | ● ● |
| | Determine technological direction | |
| | IT organization and relationships | ● ● |
| | Manage the IT investment | |
| | Communication of management aims and direction | ● ● ● |
| | Management of human resources | ● ● |
| | Compliance with external requirements | ● ● |
| Availability Management | Assessment of risks | ● |
| Change Management | Manage projects | |
| Service Level Management | Management of quality | ● ● ● ● |
| Acquire and Implement (Program Development and Program Change) | | |
| | Identify automated solutions | |
| Release Management | Acquire or develop application software | ● |
| Release Management | Acquire technology infrastructure | ● |
| Release Management | Develop and maintain policies and procedures | ● ● |
| Release Management | Install and test application software and technology infrastructure | ● |
| Change Management | Manage changes | ● ● |
| Deliver and Support (Computer Operations and Access to Programs and Data) | | |
| Service Level Management | Define and manage service levels | ● ● ● |
| | Manage third-party services | ● ● ● ● |
| Capacity Management | Manage performance and capacity | ● ● |
| Service Continuity Management | Ensure continuous service | |
| Availability Management | Ensure systems security | ● ● ● |
| Financial Management | Identify and allocate costs | |
| Release Management | Educate and train users | ● ● |
| Incident Management | Assist and advise customers | |
| Configuration Management | Manage the configuration | ● ● |
| Incident/Problem Management | Manage problems and incidents | ● ● ● |
| Availability Management | Manage data | ● ● |
| | Manage facilities | ● |
| | Manage operations | ● ● |
| Monitor and Evaluate (IT Environment) | | |
| Incident Management | Monitoring | ● ● |
| | Adequacy of internal controls | ● |
| | Independent assurance | ● ● |
| | Internal audit | ● |
Incorporating People, Process and Technology
[Diagram: people, process and technology surrounding the IT service]
“80% of unplanned downtime is due to people and processes.” (source: Gartner Group)
ITIL Service Management Best Practices
Why Use ITIL for Sarbanes-Oxley Control Compliance
A large portion of the IT Control requirements of SOX are covered by ITIL.
ITIL is an independent, globally accepted standard of best practices which has a history of over 12 years of development, use and continuous improvement by thousands of major companies and tens of thousands of IT professionals.
Through ITIL and Quint’s IPW (Integrated Process Workflow Method), a company can be specifically measured, trained, monitored and continuously improved along a well defined path of process maturity (which is consistent with other standards such as COBIT, CMM, etc.).
ITIL and Sarbanes-Oxley
ITIL and controls
• Change management
  - Improved risk assessment
  - Better assessment of the cost of proposed changes before they are incurred
• Availability management
  - Single point of accountability for availability is established within the IT organization
  - The required and agreed availability levels are measured and monitored
  - Ensures security aspects - Confidentiality, Integrity and Availability - of data and applications are defined and incorporated within the overall availability design
ITIL and Sarbanes-Oxley / SOX404
ITIL and controls
• Finance Management
  - Increased confidence in setting and managing budgets
  - Accurate cost information to support IT investment decisions
  - Accurate cost information for determining cost of ownership for ongoing services
• Security management
  - Segregation of duties
  - Separation of development and production
  - Accountability for Assets
  - Access control in all aspects of IT
ITIL and Sarbanes-Oxley
ITIL and controls
• Release management
  - Complete audit trail of changes to the live environment (both HW and SW)
  - Reduced likelihood of illegal copies of software in use at any location
  - Releases are subject to quality control and testing under release management, reducing errors
  - Safeguarding of hardware and software assets
• Service Level management
  - Availability of specific targets against which service quality can be measured
Quint Quest Assessment and SOX IT Control Compliance
Quint Wellington Redwood has conducted systematic assessment of the IT Service Management Processes of companies for over 12 years with a proven, highly focused methodology.
Quint Quests are largely driven by the best practice framework of ITIL, but are also taken to a more integrated process maturity model perspective through Quint’s unique IPW Model (Implementation of Process Oriented Workflow) and through the transformation and change management tool, AURRA.
Quint Quest and SOX continued
Now Quint has developed a set of Quint Quest
Assessments specifically designed to provide substantive
support to the IT Control Compliance efforts of companies
regarding Sarbanes-Oxley.
These Assessments are conducted by an experienced
team of senior consultants who are also available to
continue to work as part of a company’s internal
Sarbanes-Oxley Compliance Team and with any other
external entities that are part of the team.
QuintQuest/SOX Assessment Areas
• Change Management
• Service Level Management
• Configuration Management
• Security Management
• Incident Management
• Problem Management
• Contingency Planning
• Availability Management
• Release Management
• Capacity Management
• Financial Management
QuintQuest/SOX Assessment Dimensions
• Intention (Mission, Policies, Objectives, Definition, Function)
• Process (Submitting, Classification, Planning, Authorization, Build, Test, Implementation, Acceptance, Finalizing, Communications, Progress)
• Procedures (Tasks, Tools, Procedures, Urgent Changes)
• Control (Metrics, Reports, Process Analysis, Improvement)
• Relations (All processes, Senior Level Management, Development)
QuintQuest Assessment Example for the Process Dimension of Change Management
Submitting: How are changes (RfCs) requested? What is the point of entry for a change? Who is permitted to submit an RfC? Does one know where to submit an RfC? What are the possible reasons for submitting an RfC? What information is required in an RfC?
Classification: Via what method does classification take place (category, priority, impact, investments, SLAs)?
Planning: Who manages the change calendar? Which other persons are involved with organizing the changes? Who performs the actual allocation of time and resources for a change?
Example Assessment Continued
Authorization: Who manages the change calendar?
Which other persons are involved with the organizing of
changes? Who performs the actual allocation of time and
resources for a change?
Build: What phases are defined during building changes?
Who is involved in each phase? Is a standardized method
of change building used?
Test: How does a test take place? Is there a standard
script for testing? Does the test script contain both
functional and technical issues?
Example Assessment Continued
Implementation: When and in what way does the implementation of changes take place? Are there certain dedicated timeframes for the implementation of changes? Is a back-out and/or fallback always possible, and is it defined in a plan? What does that plan look like? Are specialists on standby during an implementation?
Acceptance: Who is involved in the actual acceptance
and in what way? Based on what criteria is the
acceptance performed and are criteria to determine this
formalized?
Example Assessment Continued
Finalizing: When is a change formally closed? Is there a
“decharge” of those involved?
Evaluation: Are changes evaluated? How and when are
changes evaluated (e.g., size, effort, planning, result,
quality)?
Communication: Who is informed before and after a
change?
Progress: How is the progress being monitored and who
is involved with this monitoring?
Quint’s IPW™ model
[Diagram: the IPW model, showing the processes of each domain and the alignment domains between them]
Domains: Business Domain; Business ICT Alignment Domain (BITA); ICT Domain; Supplier ICT Alignment Domain (SITA); Supplier Domain
Processes and functions named in the diagram: Business planning; Business Operations; Information Management; ICT valuing; Commercial Policy; HRM; Strategy; Architecture; Finance; Strategic Sourcing; Supplier Portfolio; Strategic Supplier processes; Relationship Management; Service Level Management; Service Development; Service Planning; Supplier planning; Functional Management; Demand Management; Service Build & Test; Service Design; Security Management; Financial Management; Continuity Management; Availability Management; Capacity Management; Supply Management; Contract Management; Purchase Management; Operation Support; Change Management; Problem Management; Configuration Management; Incident Management; Operations Management; Release Management; Services Operations; Business Support; Application Management; Supplier Operations; Service Desk
How SOX affects the processes in your organization: General IT Controls
How SOX affects the processes in your organization: Application and data-owner process
How SOX affects the processes in your organization: Outsourcing
• SAS 70
Quint’s IPW Maturity Model™
Stage 3 or higher needed for SOX
[Diagram: the five maturity stages shown as a staircase]
1. Initial
2. Operational monitoring
3. Operational control
4. Service control
5. Service improving
Annotations in the diagram: Ops & Measurement; Realise “internal fit”; Self steering incorporated; Realise “external fit”; Dependent processes; Environmental conditions / constraints; Generic; Extended; Exceeding; Excelling; For free...
IPW Maturity Model™ Assessment of ‘as is’ and ‘to be’
[Chart: the Service Support processes (cfm, rlm, chm, pm, im: configuration, release, change, problem and incident management) plotted against the maturity stages Initial, operational monitoring, operational control, service control and service improving; rating scale: not performed, not identified, monitored, controlled, proactive, improving]
IPWSM™ is a trademark of Quint Wellington Redwood
Quint’s IPW Maturity Model™: Improvement experience
• Logical sequence
• Aligned with customer maturity
• Limited parallel improvement
• Staged improvement
• Integration with development domain (CMMsm/SPICE)
• Compliant with ITIL
• Benchmarking (of outsourcers) possible
• De-mystify ITIL-consultancy
• Professional judgement remains necessary
For further information contact:
Dr. Charles Newman, Director, Quint Wellington Redwood
e-mail: [email protected]
305-608-6340