Procedure Guidelines and Controls Documentation December 11, 2005 © Robin Basham, M.Ed., M.IT, CISA, ITSM, CGEIT, CRISC, ACC

 

Now Available in PDF at AuditNet.org

EnterpriseGRC Solutions, Inc. is proud to be listed with and to support Jim Kaplan's AuditNet.org

http://www.isaca.org/Template.cfm?Section=Archives&template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=7&UserDefinedDate1=11/01/2006

Portions of this page are published in the ISACA Control Journal.  Copyright © 2006 ISACA. All rights reserved.

 For a live view of the article as published, please visit ISACA Control Journal

TEMPLATE [Company Name]

Sample Document for use as model for corporate process guidelines and procedures Content is protected by Copyright, ALL RIGHTS RESERVED

Process Profile
Process Owners:
Owners Department(s):
Process Owner At Release:
Release Approval List:
Distribution List:
Document Authors:
Data Classification: Confidential
Effective Date:
Revision Date:

Version Control

Revision Notes

Revision Code

Rev-Author

RevRel Date

Release App by

         

[This is a prototype for the benefit of persons seeking a model for an overall compliance program.]

Purpose and Scope

Procedure Guidelines and Controls Documentation outlines how to create and modify procedures, work instructions, policies, and RunBooks as they currently exist in their correct location and format and as aligned to the requirements of document security.

Change control, information asset location, and documentation format standards are the combined responsibility of Security Management, Quality Assurance, and Process Engineering.  In the context of creation, iteration, approval, and posting, the Process Librarian manages documentation.

Process Engineering manages quality over documentation as demonstrated by document templates.

Security Management defines policy and access rules for the recording, adherence to, and monitoring of procedures involving data integrity, privacy, and security across any enterprise-level configuration.

Policy Statement

All changes, additions, and deletions to the production documentation library require management approval.  Managers should notify Process Engineering of changes to production process.

Requirements

The primary security elements of any document library management process are:

  • Auditable changes
  • Evidence of document library and document lifecycle management that is readily available for those who need to monitor this activity.

Documentation strategies need to:

  • Reduce complexity.
  • Prioritize key control processes
  • Reflect  COMPANY process architecture
  • Represent real functions and real activities

Document Library Management Program

A formal document library management program manages the Process Asset Library and monitors compliance with document lifecycle objectives (i.e., annual document reviews). The program must include, but is not limited to, the following controls:

  • Documented procedures for updating production documentation.
  • Defined roles and responsibilities that support defined procedures for document and document library maintenance.
  • Accountability for document content integrity.
  • Education, notification, and awareness process to inform all necessary stakeholders affected by document modifications.
  • Separation of production and non-production documentation.
  • A defined data retention goal for each document or class of document. Documents are maintained for the lifecycle of the process. If aligned to key controls and loaded in [Name of core product or service], the document is retained as part of SAS 70 evidence.

Document lifecycle control procedures must detail the process for: (Process Profile Creation doc - sections embedded in this doc)

  • Reviewing new or changed documents.
  • Approving and rejecting documents.
  • Posting documentation.
  • Documenting information about documentation (metadata).
  • Auditing the lifecycle of documents in the library.

Roles and Responsibilities

Document and document class owners shall:

  • Ensure the integrity, confidentiality, and availability of production documentation and the library environment through the implementation of documented programs, procedures and standards.
  • Approve all changes affecting their domain of control and responsibility.
  • Ensure all changes have been approved and properly communicated prior to posting.
  • Ensure that their employees understand and abide by this policy and its control requirements.
  • Report any violation of this policy to the CTO and CSO or its designated representatives, within a timely manner.

The Process Engineering Team will endeavor to assist  COMPANY operations with many time-consuming functions not core to their roles.  Process and technical documentation is central to the creation of user guides and training materials and is currently aligned to the  COMPANY Process Engineering group.  As  COMPANY may add or extend this function, the process librarian function will continue to assist with the design and deployment of training materials and user guides.

These duties may include:

  • Assist with writing and maintaining procedures and controls. The data owner will usually write procedures.
  • Providing methods to maintain and meet record keeping obligations.
  • Assisting with the design and modeling of management reports and control checklists.
  • Assisting with workflow and process design.
  • Acting as a liaison with business, compliance, and development to implement and/or update procedures, controls, and system enhancements.

Process Librarian

The Process Librarian controls the process information directory structure and makes sure the integrity of the folders is maintained.  The librarian function catalogues and categorizes documentation assets and aligns documentation standards to the needs of the business and technology functions.

Where changes are required to existing process documentation, the process librarian handles the registration and posting of new procedures to the established process location.

Any new folders must be requested via email to the process librarian, currently [Name of Process Librarian], at This email address is being protected from spambots. You need JavaScript enabled to view it..  The librarian insures name and contents integrity within Facilitated Compliance Management process tracking.  \\...\PAL\Facilitated Compliance Management\Facilitated Compliance Management2000FCM.mdb

People who administer access to process assets will adhere to sanctioned user access process, providing resource access to employees as determined by their role and the approval of their management.  The Resource Administrator will not add or modify folders outside the boundaries defined by the Process Engineering Team.  Specifically, once a business area is provided space for information assets, modification to root level file hierarchy is not permitted.  This rule is established to assure inventory over information and in no way limits the productivity of any business area.  Information can be created in subfolders within the designated file share.  Persons with write access can create subfolders within the root of their information domain.

The Security Administrator will create file shares and folders as requested by the Process Librarian, and will allow changes within the files as determined by the business owner for the share information.

Business Unit and Department Data Owners

Data owners are accountable to the reasonable use of their designated drive space, assuring proper classification and location of their data. Business owners define users and establish access rules based on a need to know principal. Where a business area needs folders that extend beyond the current process architecture, the Business Unit must gain approval through process engineering and security, insuring proper rules for classification and the avoiding of duplicate information.  (See Current PAL Contents and File Location Description of Use)

Business owners are accountable to the periodic review of information on their drive.  This review is to assure appropriate use of file naming conventions, validity of process, completed procedures, and to archive out of date content.  Business owners are accountable to understanding their data privacy and retention requirements and to communicate these requirements to their personnel.

Access Control

Access to the production library contents must be controlled in the same manner as the production environment to ensure that only authorized users can access the documents. Access controls must be established to ensure only authorized individuals can view, edit, and update documents according to appropriate roles.

Default access controls include:

  • Process Librarian has administrative privileges to the PAL and provides Security Administration with the Functional Business Owner for each directory in the PAL.
  • System Administrator has administrative privileges to the PAL and may grant user access according to Manager Approval.
  • Functional Managers, such as Support, Change Management and Process Engineering, have read/write/update/delete privileges to their file share on the PAL. Policy dictates they should not create or delete folders without notice and approval from the Process Librarian.
  • Employees (non managers) have read only privileges unless granted write privilege by the Functional Manager.  Employees do not have delete privilege.

Audienceand Audit Considerations

This process profile serves as reference for  COMPANY.  Groups may be referenced by functional email notification names such as This email address is being protected from spambots. You need JavaScript enabled to view it..  Group functional emails are used to support communication trails and facilitate rules for review, approval, and timely business communication.

Procedures are detailed documents, generally derived from parent policy and implemented to the spirit (intent) of the policy statement.  Therefore, all procedures written and implemented by  COMPANY align to Security Policy, HR Policy, Program Change Policy, and specific requirements for Data Classification, Data Retention, and Data Privacy as defined by senior management.

Writing Standards

Procedures are written in a clear, concise, and easily understood manner. Procedures document business processes (administrative and operational) and their controls. Procedures are created by upper and middle management as a means to translate policy to practice.

Change Requirements

Procedures, represented as processes, work instructions, standard operating procedures, work-specific training materials, and production support procedures (i.e., RunBooks), are dynamic, changing to fit current business operational practices. They must reflect the regular changes in business focus and environment. Reviews and updates of procedures are essential if they are to be relevant. Therefore,  COMPANY provides notice to business management of all changes and new instances of process.   Both internal and external auditors will review procedures to identify, evaluate, and thereafter test controls over business processes. Given this knowledge, it is the responsibility of the process owner to keep current any process documentation and to notify the process librarian of any process change via This email address is being protected from spambots. You need JavaScript enabled to view it..

Additionally, part of change approval includes validation that all training and support procedures are current.)

Key Controls

The controls embedded in procedures are evaluated to ensure that they fulfill necessary control objectives while making the process as efficient and practical as possible. Some controls are designated as "key" and represent reported controls evidence in support of  COMPANY regulatory attestation.  Where operational practices do not match documented procedures or where documented procedures do not exist, it is difficult (for management and auditors) to identify controls and ensure that they are in continuous operation.  While not all situations of this type represent control failure, each situation requires review and response based on the risk to safe and effective process management.

Documentation is a key control in that proper documentation directly supports every aspect of  COMPANY control framework.  The absence of documented process is a risk to operations and to  COMPANY.  Failure to properly document control procedures is an indication of management and control deficiencies.

NOTE: Missing or incomplete critical process documentation is not tolerated as acceptable business practice.

Key control objectives are mapped to documentation and other evidence of control. Currently the tool to manage this is [Name of core product or service].

Data Classification and Data Owners

The CobiT Planning and Organization Control objective "Define the Information Architecture, 2.3 Data Classification Scheme" requires a general classification framework established with regard to placement of data in information classes (i.e., security categories) as well as allocation of ownership. The "access rules", as in who can access what type of data as well as the restrictions over where that data may reside, on a per classification basis, should be appropriately defined.  This is a co-dependency on Security and Security Administration, where Process assists in the implementation of classification standards, and access is further supervised and implemented through Security programs.

Process Librarian and Data Owners are dependent upon the accurate "classification of information assets" as defined by the Security Policy.  End-user managers and the security administrators require classifications to accurately determine who should be able to access what. The Process Librarian assists in the design of file share information, whereas the Data Owner is accountable for the classification and administration of its use.  The Process Librarian assists the business to manage data assets by location and classification.  The Process Librarian further supports requirements to have an information inventory of internal process and work products.

Naming Conventions

Naming conventions are a part of the  COMPANY overall security design and are an integral part of information asset accounting. In accordance with an approved set of access rules stipulating users (or groups of users) authorized to access a resource (such as a dataset or file) and at what level (such as read or update) the access control mechanism applies these rules whenever a user attempts to access or use a protected resource. Data is maintained by location such that access is appropriately restricted.

These general naming conventions and associated files are required in a computer environment to establish and maintain personal accountability and segregation of duties in the access of data. The owners of the data or application, with the help of the security officer and process librarian, establish the name of files and subfolders for their business information.   It is important to establish naming conventions that both promote the implementation of efficient access rules and simplify security administration. Naming conventions for system resources are an important prerequisite for efficient administration of security controls.

Process Engineering Key Controls and Risks can be reviewed in Process Documentation Compliance Control - CobiT Function - CobiT Detail Objective and Risks and Associated Controls

Document Types and Their Use

What Type of Document Do I Need To Write?

Writing a document may sound easy, but it is really very complex. Documentation strategies are designed to reduce complexity, prioritize Key Control Processes, reflect a common Process Architecture; (ITIL and CobiT frameworks), and above all else, represent REAL Functions and REAL activities.

Factors that influence the type of document that we write are:

  • Sustainability, how often detail within the process will change and
  • "High Level not Vague" Achieving the Highest Level of information possible before document details become formless, blurry or vague

Forms and Templates sample list.

Process documentation is designed for a specific layer of abstraction.  Process engineering works with the document author to select a template that meets the writer's minimal requirements.

Guided writing is a process that facilitates creating consistent standard quality documentation. Writing takes many forms, each best suited to serve a different purpose.  The following sections explain the different types of templates or writing guides, including application interface, word templates and diagrams.

Getting Started:

Prior to creating a procedure, persons are asked to review available formats for documentation. Once the type and topic for documentation is established, Process Engineering is available to review and validate the intended process.  Process Engineering catalogues corporation documentation and is able to prevent wasted or duplicated documentation efforts.

How: Send notice of intention to create documentation to This email address is being protected from spambots. You need JavaScript enabled to view it.. The following details provide notice to the Process Librarian of an intended process product.  This request minimally requires the following information:

Process documentation

New Object Support Request

For each intended process object, please fill in the section below.  Please copy the questions for each title.

  1. Is this a Process, Work Procedures, a Policy, a Program Definition or a Form?
  2. Management or Department Function:
  3. Title:
  4. Owner:
  5. Purpose:
  6. Affirmation Team:
  7. Associated Key Control:

The Process Team will select a template or document format and refine the title and scope to best align the output with existing process architecture and requirements.   Templates exist in the template folder for each functional area.  A master file of business templates can be found in\\...\PAL\Templates.  A comprehensive list of approved templates is in Facilitated Compliance Management, located in the Forms and Templates Section.


How Do I Validate My Document?

Before embarking on a procedure, policy, process or any type of controls documentation, contact the process librarian so the intended object can be verified and catalogued in the process objects database.

validate process
Figure 1. Validate a Process Object

Document Type - Process Profile

The purpose of a process profile is to capture and document essential elements associated with a business process. A process is a series of actions, changes, or functions bringing about a result.

Elements included in a process profile are selected by the process team. Generally, the elements include, but are not limited to:

  • Version Control And Change History
  • Purpose And Scope
  • Associated Control Objectives
  • Critical Success Factors
  • Performance Indicators  -Baseline Performance
  • Goals/Measures
  • Service Level Considerations
  • Related /Source Documents
  • Forms And Templates
  • Quality Records - Including SQM
  • Process Diagram
  • Process Deviations And Current State
  • Trigger And Exit Criteria
  • Acronyms/Definitions
  • Safety Issues
  • Risk Management Plan
  • Process Definition (Inputs And Outputs To Other Processes)
  • Status Codes-Metadata

Characteristics of Process

Highest level of abstraction and lowest level of detailHigh level set of steps that collectively accomplish a business function:Typically includes sub or component level processesOften used by more than one program or department

Consider whether the following statements are true.

The process flow diagram demonstrates the steps involved in creating any process object.  If this is viewed on line, the flow includes all process properties in the flow objects.  For more information, see Appendix A.

stepsprocess

Figure 2.Should I write a process profile?

Where Do I Find the Process Profile Template?

\\...\PAL\Templates\Process Profile Template.dot

Process Lifecycle

Figure 3.What are the steps and controls in writing a process profile?

Document Type - Policy Profile

Policy is the underlying principle upon which process and programs are built. One might consider that a policy is "Commander's Intent", and it is up to the persons governed to determine the best practice or process to attain their goal within the confines of the policy.  While not every program requires a policy, information technology practice is largely determined by the Security Policy, Change Policy and Data Classification Policy.  In addition, most business practice is in some way governed by the Human Resource Policy.  Policy is implemented by programs that enact processes.  Policy is generally required for legal and regulatory compliance.  Policy is enforced through system, application and organizational controls.  A policy is typically designed to be true across all departments and for all persons.  Where a policy is highly specific to a program or department, it is generally a department policy, but not a formally distributed corporate policy.

Elements:

  • Policy Area
  • Effective Date
  • Revision Date
  • Contacts:
  • Summary
  • Goals
  • Applicability
  • Policy Statement
  • Roles and Responsibilities
  • Compliance
  • Exemptions
  • Appeals
  • Authority
  • Related Documents
  • Definitions

Should I Write A Policy Profile?

Consider whether the following statements are true.

PolicyQuestion

Figure 4.Should I write a policy profile?

\\...\PAL\TEMPLATES\Policy Profile.dot

Document Type - Program Profile

Program Profiles are sometimes referred to as a program or department charter and are used to define the scope of a group as well as the requirements of its organization.  This document outlines the overall organizational or department function and is aligned with departments and individual performance reviews.  Program profiles may include job descriptions or job profiles and are represented by organizational diagram.  These are supporting documents, often associated to the program profile.

Attributes of a program include:

  • Manages Control Systems and Events
  • Owns Initiatives and Business and IT Systems
  • Responsible For Supporting Functions
  • Is Measured
  • Program profiles support the ability to perform:
  • Personnel Recruitment and Promotion
  • Benchmark Personnel Qualifications
  • Designate Roles and Responsibilities
  • Plan and Deliver Personnel Training
  • Implement Cross-Training or Staff Back-up
  • Verify Personnel Clearance Procedures
  • Design and Perform Employee Job Performance Evaluation
  • Determine Job Change and Termination Requirements

Program Profile Elements:

  • Purpose and Scope:
  • Roles and Responsibilities:
  • Program Elements:
  • Tools:
  • Program Controls and Measures

Should I Write A Program Profile?

Program profiles are not required, but can facilitate a great many other functions including Audit and Training or Organization Requirements Definition.  Where a program profile supports the organization to explain a department charter, it is a simple and useful tool that may benefit employees and auditors equally.

Consider whether the following statements are true.

IsThisAProgram

Figure 5.Should I write a program profile?

Where Do I Find The Template?

\\...\PAL\Templates\Program Profile Template.dot

Templates that describe positions or assist in the design of a program organizational chart are located in:

\\...\PAL\IT Process Asset Library\Human Resources\Template\Job Description Template.dot

\\...\PAL\IT Process Asset Library\Human Resources\Template\Employee Warning Notice.dot

\\...\PAL\IT Process Asset Library\Human Resources\Template\Job Analysis Questionnaire.dot

Document Type - Work Instruction or SOP

Work Instructions, also known as Standard Operating Procedures, (SOP) represent:

  • Greatest level of technical detail
  • Are tool dependent;
  • Change  when technology changes
  • Are updated often
  • Stored in knowledge management systems or help desk database
  • Associated with specific tools and tasks
  • Used to guide and train work at the task implementation level
  • Are part of an already approved process

Work instructions or SOP's can be located within a functional area and are often embedded in help files within systems.  RunBooks (explained in the next section) reference work instructions to facilitate answering the question, "Where do I find directions to perform this task?"  Whereas process changes are a part of standard change management, a work instruction may be updated as a course of an individual's personal need to track how detailed steps are done.  A work instruction may have general or highly specialized use.  Where work instructions are critical to the control of a process, it is the business manager's responsibility to insure that routine work procedures exist and are followed within their functional area.

All service affecting operational processes must be documented to prevent service disruption caused by the absence of primary staff.  Any procedure required to maintain operations, that is not already documented as a part of routine system functions, (i.e., already located in general product help files), must be documented to assure that in the absence of primary staff, the process can be sustained by others. At a minimum, all personnel are accountable to documentation to the extent that a similarly trained staff could stand in for emergency coverage and be able to use directions to maintain required operations.  Where staff fail to keep their work instructions up to date, the failure is both on the part of the individual and the area manager.

Work instructions or SOPs are a simple list of steps that explain in clear terms, how to achieve a specific result.

Directories containing work instructions and SOPs should be clearly labeled and information should be current.  Work instructions can exist in all event-tracking systems and are not centrally located, but are accessible and known to all persons within the user department.

Should I Write A Work Instruction - SOP?

Consider whether the following statements are true.

defineworkinstruct

Figure 6.Should I write a Work Instruction - SOP

Where Do I Find The Template?

The template to write a simple set of work instructions is located in:

\\...\PAL\Templates\Work Instruction Template. dot

Document Type - RunBook

A RunBook, sometimes known as playbook, is a document containing detailed procedures that collectively keep a mission critical system running.   A RunBook is sometimes viewed as an element of Business Continuity Planning (BCP) or Disaster Recover (DR).  This is because they are written to assure that an equally skilled administrator would be able to use the RunBook to step in and administer the system until such time that normal staffing and conditions apply.  RunBooks are a system current document with all the required information needed to understand how a service or system is kept running.  RunBooks are not project plans and do not maintain information unless it is "in use" and a part of the working system.

A RunBook is used to verify and gather the location of all operational information. A production RunBook is evidence of documentation and control over a service or system.   It provides information on "how" to run procedures without necessarily providing background for the process.  RunBooks are detailed instructions that a user references when performing the process.

On a per system instance, a RunBook can document a small set of operational procedures and reference various guidelines.  On a larger scale, a service oriented RunBook details the combination of systems and their dependencies in keeping a service available. This is a valid form of meeting both BCP and various other levels of compliance requirements.  Determining this requirement can be as follows:

Why Do RunBooks Focus On Service?

A RunBook is Service Oriented vs. single system oriented.  When documentation does not meet the requirements mentioned above, it is probable that listing the device in an inventory system is sufficient and further documentation is not required.

Where the availability of a critical or core business function depends upon the accurate working of interdependent systems, it is advisable to have a business owner who assures the current and complete Service RunBook.   As is true for any controlled system, the RunBook explains day to day system procedures, but additionally adds some or all of the following elements:

  • Functional Overview
  • Functional Overview Diagram
  • List of Interfaces
  • System Overview
  • System Overview Diagram (s)
  • Network Management Process
  • Hardware
  • Hardware Management Process
  • Software Development and Release
  • Third Party Vendor / Software Management
  • Performance Monitoring Process
  • Database Administration Process
  • Quality Assurance
  • Vendor Information
  • Back Up Processes
  • Disaster Recovery Process
  • Security
  • Problem Management
  • Configuration Overview:
  • Server/ HW/OS
  • Application
  • Database Configuration
  • Daily cycle
  • Fail-over
  • Maintenance
  • Troubleshooting and Error Messages
  • Glossary
  • List of files
  • Financial Processes
  • Test procedure

Should I Write A RunBook?

Consider whether the following statements are true.

RunBook

Figure 7.Should I write a RunBook?

Where Do I Get The Information That Goes Into The RunBook?

Consider the following sources.

What Goes in a Runbook

RunBooks bring visibility to an aggregation of documents and details that collectively support service availability or product delivery.

When Is A RunBook Complete?

Consider whether the following statements are true.

NewProcessNewRunBookorNoChange


RunBooks can be maintained as a word report that is output from a single database system or from a collection of systems.  The form used to gather RunBook elements (today) is in Facilitated Compliance Management. This is a location that is subject to change.  The tool that gathers RunBook details is not critical to the process.  The tool for gathering elements can also be a word document, as identified in the template section.  The process for generating RunBook information is not important, so long as visibility of how systems run is maintained for the business owner and technology support personnel.

RunBookLifeCycle

Figure 8.RunBook Process

runbook550

Example Interface for gathering RunBook elements by Service Title

Where Do I Find The Template?

\\...\pal\Facilitated Compliance Management\...

\\...\pal\Templates\RunBook Template.dot

The current procedure for RunBook is to use our system database and generate a RunBook report as needed.

RunBook Document Elements

The following section is written to address addition questions pertaining to document elements, storing and managing information and how steps and controls are specifically captured to support the internal audit of IT program and application level controls.  Sections include:

Where Does My Document Belong?

\\...\PAL\IT Process Asset Library\

  1. Static Process versus Process Output (Evidence of Using Process)

\\...\PAL\IT Work Product Library\

  1. Other Work Products and Controlled Documentation:
  2. Version Control versus VSS (Microsoft Visual SourceSafe)
  3. Test Scripts, Utilities, and Event Tracking Systems
  4. Assets, Inventories and Configuration Baselines
  5. Controls and Key Controls
  6. Product, Application Development, and Quality Templates
  7. Flow Diagram

How Do I Find Or Store My Document?

PAL\ IT Process Asset Library

Process documents are stored in the IT Process Asset Library (PAL).

SOAProjects

Figure 9.What is in the PAL?

\\...\PAL\IT PROCESS ASSET LIBRARY\

PAL\ IT Work Products

When Do I Need To Create A Work Product?

There are a variety of Word and Excel files used during the workday.  These documents may include spreadsheets used for analysis, client contact files, miscellaneous notes, etc.  These are not considered forms or procedures and remain within their respective locations on the network.  In conditions where documents or spreadsheets represent evidence of a process output, the materials are "Work Products" and should reside in the functional work products directory.  Not all data is work product.  A test of whether information belongs in the work products area is answering yes to the following question:

Is this the output of a template, process, form, and is this evidence of a process?

Where Do We Keep Current And Archived Work Products?

\\...\PAL\IT WORK PRODUCT LIBRARY\

SOAProjects

Figure 10.What are the work product folders?

Current Inventory of Folder and Contents is maintained by Process Engineering, in \\...\PAL\IT Work Product Library\Process Engineering\PAL Folders.xls

Where Do I Find Reference, Benchmark and Industry Guidelines

Methodology and standards documentation is maintained in the Standards and External Reference folder.  Corporate Policy and Templates also reside at this level of the PAL.  These folder locations allow for all personnel to have equal access to information used to support and design any process.

work folders

Figure 11.Standards and Reference folders

Other Work Products and Controlled Documentation:

Figure 13.How [other] artifacts are captured in system event logs and software design templates?

Version Control versus VSS (Microsoft Visual SourceSafe)

When Do I Use VSS?

Software Development work products have particular control requirements that are satisfied through the use of VSS, (Visual SourceSafe).  Where procedures for component level code movement are highly specialized, development documentation is maintained under a more stringent and restricted environment. Development documentation is maintained in VSS.  VSS is used to ensure document or code approval, version control and ability for roll back.  Where documentation and code requires peer review and product management approval, VSS provides control over status and review notes. Additionally, where more than one person may be required to use or modify a same document, VSS provides a check in and check out process, further supporting evidence of valid authorization for release.

How are software development artifacts captured in system event logs and software design templates?

Test Scripts, Utilities and Event Tracking Systems

What Is A Test Script Or Test Templates?

Programs, systems and releases have associated tests and test results.  QA and Security maintain secure test plans and test results.  Tests related to Software Quality are run from, and secured in, the [Name of Testing or Quality Assurance Application] Application.

Security scripts and networking utilities are maintained in secure location with the highest degree in limited access.  These items are by design, neither visible or accessible to the general user.

Where Do I Find QA Test Templates?

Test templates are maintained in the QA Process directory

\\...\PAL\IT Process Asset Library\Quality Assurance\Template\

Security Program Test templates are maintained in Security Management directory

\\...\PAL\IT Process Asset Library\Security Management\Program Test Plans\

Assets, Inventories and Configuration Baselines

Networking devices, servers and application servers have both inventory and configuration control requirements.  Configuration baseline refers to the minimum secure configuration applied to any device at build.  Changes to the configuration beyond this point are associated to business requirements, product release and project management.  Data Center Operations and Support manage an inventory of items and baseline configuration. These records are tables in Facilitated Compliance Management but are scheduled to be moved into [Name of core product or service].

Where configuration records include IP addressing and other information that could be used to compromise network security, the information is not made available beyond person's who support and networking and [Name of core product or service] platform availability.

WhenDo I Need To Create A Controlled Server Object?

Consider whether the following statements are true.

controlitemsInCMDB

Figure 15.Should I document a controlled server in our system inventory database?

Where Are Devices Inventoried As Assets?

Controlled Server Records will reside in [Name of core product or service] but are currently staged in Facilitated Compliance Management

Where Do I Find Server Control Records?

\\...\pal\Facilitated Compliance Management\Shortcut to Controlled Servers in Facilitated Compliance Management2000FCM.MAT [links are for example and are not enabled over the internet]

FCM ControlAssets

Figure 16.Controlled Server Form

Control Items in Standard Configuration

Figure 17.Each controlled item has associated security exemptions and standard OS and Application build

Which Tools Store Server and Application Information?

The data center maintains a list of devices and tools or applications with their respective controls and resource owners.  This information is maintained in Facilitated Compliance Management.

All systems, applications or Tools are inventoried assets

Where Is The List Of Tools And Tool Types?

Tools and Tool types are listed in the Tools and Tool Type table in the Facilitated Compliance Management2000FCM database.  Servers and devices are recorded in the Controlled Server Form, located in the Facilitated Compliance Management database.

Controls and Key Controls

When Do I Need To Document A Control Object?

Controls practices provide reasonable assurance that business rules exist and are optimized such that negative impact of undesirable events are captured, responded to and mitigated.  IT Control is the right mixture of policies, procedures, practices and organizational structures that assure business objectives are met, while preventing, detecting or correcting any or all undesired events.

Control Definitions exist within each process and are an inherent feature in policy.

Control Over Process Is Demonstrated When:

  • It Communicates Repeatable Intention
  • Executes As Planned (Implementation Plan)
  • Measures (Risk Measurement & Impact Analysis)
  • Records (Management Reporting & KPI)
  • Archives (Defined Data Retention)
  • Control Items capture
  • Control Name
  • Owner
  • Control Method
  • Automation or Manual
  • Program
  • Frequency
  • Test Information
  • Activity Definition
  • Location of Test and Test Evidence
  • Information Processing Objective
  • Sequence ID and Key Tracking

For more information, review section Document Elements: Flow Diagram, "Visio Shapes and Custom Properties for Evidence of Process Controls"

Where Are Controls Catalogued?

Controls are cataloged by Name, Associated Processes, and Owners within Technology's [Name of core product or service] system.  The information is used for ongoing Control Self Assessment and Compliance Documentation.

Controls are cataloged in Facilitated Compliance Management and in [Name of core product or service].  Controls are also identified within every Process Flow Diagram and Program Definition.  Key Controls align to the CobiT framework and are visible on the CobiT Assessment form within Facilitated Compliance Management.

CommonFrameworks

Figure 18.What Process Engineering, Auditors, and Quality Gather Regarding Corporate Key Controls

runbook

Figure 19. Process Diagrams call information from the Facilitated Compliance Management database.  Key controls pull information from the Key Controls Table.

Controlled Items

Figure 20.An example of a Key Controls

FCM Audit Universe

commonframeworks550

Figure 21.Key Controls Form

Where Do I Find The Form or Template?

http://www.COMPANY.com Technology-Controls (Login Required)

\\...\PAL\Templates\Internal Control Testing Template.dot

Product, Application Development, and Quality Templates

Object Name

Function

Owners

Approve Date

Change Committee Review Board

The Change Committee Review Board Template guides the completion of documentation for the purpose of enterprise or high priority/impact Change Management.

[Name of Chief Technology Officer]

 

Change Review Board Checklist

Checklist identifies validation items before a change control can be approved or closed

   

Emergency Deployment Authorization

Emergency code change requires written approval by Quality, Development, and CTO.  The Emergency deployment form represents signed approval by all necessary parties and is submitted to the Network or Data Center Operations prior to emergency deployment of code to production.   Emergency change is subject to Change Management policy and is reviewed prior to and post change implementation.

[Name of Chief Security Officer]

 

High-Level Test Plan

Template is used to document high-level aspects of a test plan

[Name of Chief Technology Officer], [Name of Quality Assurance Manager]

 

ICQ Physical Security

Template is used to generate a new unique instance of  ICQ Physical Security. Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\IT Process Asset Library\Process and Procedures\Security Management\Template\ folder

[Name of Chief Security Officer], [Name of Chief Technology Officer]

 

ICQ Security Policy

Template is used to generate a new unique instance of  ICQ Security Policy. Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\IT Process Asset Library\Process and Procedures\Security Management\Template\ folder.

[Name of Chief Security Officer], [Name of Chief Technology Officer]

 

Implementation Planning Template

Provides documentation format for an implementation.

[Name of Process Librarian]

 

Internal Control Testing Template

Template is used to document all aspects of testing an internal control

[Name of Process Librarian]

 

Meeting Agenda and Minutes.dot

 

[Name of Process Librarian]

 

Meeting Form Letter

This letter is linked in the console as a template.

[Name of Process Librarian]

 

Meeting Minutes Template.dot

 

[Name of Process Librarian]

 

Network Change Identification Form

Template is used when changes and/or security violations are found on the network, to systems, or to servers that did not go through the formal change control process.

[Name of Chief Security Officer]

 

Policy Profile

     

Process Profile Template

Template is used to document all areas of a process

[Name of Process Librarian]

 

Program Profile Template

Template is used to document all areas of a program

[Name of Process Librarian]

 

Project Charter

Template is used to document the scope, assurance, and resources of a project

[Name of Process Librarian]

 

Project Plan Definition

Template is used to document all areas of a Project Plan

   

QA Planning Kickoff Check List

Template is used to guide documents and tasks needed prior to QA Planning

   

Request For Exemption

Template is used to document all areas of risk associated with requested exemption

[Name of Chief Security Officer]

June 23, 2005

Request For Removal of Media

Template is used to generate a new unique instance of  Request For Removal of Media Template. Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\IT Process Asset Library\Process and Procedures\Security Management\Template\ folder.

[Name of Chief Security Officer], [Name of Chief Technology Officer]

 

Requirements Completeness Checklist

Template is used to guide the review of requirements to assure completeness across all areas.

, [Name of Product or Project Management Director]

 

Risk Criteria

Template is used to generate a new unique instance of Risk Criteria Template.  Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\IT Process Asset Library\Process and Procedures\Security Management\Template\ folder.

   

RunBook Security Section What to Describe

Template is used to generate a new unique instance of RunBook Security Section What to Describe Template:  (For financial/high-risk servers). Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\IT Process Asset Library\Process and Procedures\Security Management\Template\ folder.

[Name of Chief Security Officer], [Name of Chief Technology Officer]

 

Secure Email and File Transfer

Template is used to document electronic security regarding email and file transfer.

[Name of Chief Security Officer]

 

Security Infrastructure Plan

The purpose of the Security Infrastructure Plan is to establish strategic, tactical and annual information security plans for  COMPANY.

[Name of Chief Security Officer]

 

Security Program and Program Test Profile

Template is used to generate a new unique instance of Security Program and Program Test Profile Template.  Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\IT Process Asset Library\Process and Procedures\Security Management\Template\ folder.

   

Situation Evaluation Form

Template is used to used to capture and fully develop and analyze security risks.

[Name of Chief Security Officer]

 

Software Requirement Specifications Template

Template is used to document all requirements for software

Thom Gray, [Name of Product or Project Management Director]

 

RunBook Template

The RunBook or System Documentation book contains information necessary to run and maintain a core business system.  In the event of emergency staffing change, this document serves to guide a new employee through the support of this system.

   

System Operational Requirement

Template is used to document all operational requirements for a system

   

Test Plan Template

Template is used to document all areas of a Test Plan

   

User Access Program Checklist

Template is used to generate a new unique instance of User Access Controls Work Program Template. Templates, when used, constitute a work product, which is processed and then stored as control evidence in the \\...\PAL\IT Process Asset Library\Process and Procedures\Security Management\Template\ folder.

[Name of Chief Security Officer], [Name of Chief Technology Officer]

 

Employee Warning Notice

Template is used to warn an employee when they do something inappropriate and how to improve.

   

Job Analysis Questionnaire

Job Analysis Questionnaire template is used to describe employee's responsibilities and duties among other things.

   

Job Description Template

Template is used to provide a brief description of the general nature of the position, an overview of why the job exists, and what the job is to accomplish.

   

[Name of the core product or service] R# Internal Release Notes

The purpose of these release notes is to describe the feature enhancements and fixes that were included in [Name of core product or service] Release ###.

   

Which Tool Stores Process and Work Instruction information?

Process Engineering manages a list of all Work Instructions and Processes in the Facilitated Compliance Management Object table. There are a variety of reports that summarize the function for all processes as well as provide an overview of all process flow diagrams.

FCM Front Menu

Figure 22. Facilitated Compliance Management provides summary reports for many object types

Tools Report

Figure 23. Facilitated Compliance Management Allows Process Librarian to capture and catalog all process objects

Flow Diagram

EnterpriseGRC Solutions, Inc. Consultants are famous for documentation

visioonsteroids

When Do I Use A Flow Diagram?

Flow Diagrams are developed to provide a high-level summary of steps in any process or procedure.  They are "High Level", not vague.  Controls are also listed in Flow Diagrams, further demonstrating constraints that either prevent error or reinforce correct movement.  Key control template objects are created by process engineering in response to the current controls in scope for audit.  These items detail all aspects that control a process.

Following are my favorite choices for simple Process Objects and some suggestions for using Visio to capture and automate their propertiessampleofabusinessprocessimage

 p change managementp change measurement and evaluation

See or download "Sample of A Business Process" in Word 2016 (please virus scan all downloads)

Visio Shapes and Custom Properties for Evidence of Process Controls

Process Objects

Process Identification Attributes

Process Title and Scope

Document Title, Scope, Revision, Release Date, Editors, Affirmation Team
Always Sequence 0.0

Parent

Parent Process Owners Scope

Reference to other process documents and to full processes outside of the scope of the current document.
Part of processes sequence

activity

Activity Attributes including controls

Identifies process activity, noting control issues and potential gaps, owners and event sequence.
Part of processes sequence

decision

Decision

Decision point and criteria for movement
Part of processes sequence

Grouping

group

Grouping allows representation of simultaneous events
Sequence should parent-child the subgroup of activities

Loop Limit

Loop Limit - Versus Automation Hell

Loop limits usually reflect key controls

Various Data Types - All are important Information Objects Data Management: What data is used, how is it classified, retained, transferred, accessed
inputs and outputs are controls Exit and entrance criteria are in input and output rows. They are all forms of measurement and control. Data Management: What data is used, how is it classified, retained, transferred, accessed
Start and End are triggers that are measured Terminator and Start of Process - Only one start and finish

List of external documents used to complete the process, the status of use in controls evidence, creation frequency, description of use Sequence is always 9.9 so that all data sources are clustered to the bottom of the process report.

Control Object Attributes Controls on process

Exit and entrance criteria for movement from one activity to the next.  Where criteria for movement is monitored by a system and is critical to control activity, this should be filled in.  Where this is true, there would be an expected control.

Database attributes are very important Database Controls are very important

Trigger and Exit criteria
The sequence is always 0.1 so that all triggers and exit criteria are clustered to the top of the process report.

 Acronym Glossary and Definitions

Acronyms

Definition

Approver

An individual who reviews the change to ensure the integrity and reliability of the document and grants approval for the document to be posted.

Document Owner

Manager designated as having ownership of all documents associated with the production system and, thereby, having the authority to change it.

Dual control

Two people are required for an important activity to be accomplished.

Employee

Person, including contractors and temporary staff, who have been granted access to ARL resources.

Owner

Manager of a department or business unit responsible for production processes, systems, applications, platforms or users. In accordance with Information Security policies, and standards, owners determine the level of sensitivity and confidentiality of their information. As such, they determine changes, access, and dissemination of their information.

Activity

An element of work performed during the course of a project. An activity normally has an expected duration

CISA

Certified Information Systems Auditor

CobiT

The COBIT (Control Objectives for Information and Related Technology) framework was released in 1996 and updated in 1998 and 2000 by the Information Systems Audit and Control Foundation (ISACF) in response to the need for a reference framework for security and control in information technology. In 2000, the IT Governance Institute and ISACA developed the Management Guidelines for COBIT. These guidelines respond to a need by Management for control and measurability of IT, for the purpose of ensuring that IT activities achieve business objectives.

Control

The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected

Document or Source Document

A sample document that adheres to the criteria necessary for completion of a process and includes the essential contents defined in the template.

Function

A group of related actions contributing to a larger action. Security Policy, Access Control, and Perimeter Security represent security functions.

IT Control Objective

A statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity

ITIL

Information Technology Infrastructure Library

Process

A series of tasks that transform inputs into desired outputs. The term procedure is sometimes used interchangeably with the process in this methodology.  Administer Accounts, Perform Risk Assessment, Audit Perimeter Security, Install Hardware are example

Process Management Architecture

A high-level description of the system that provides a fully integrated Knowledge Base [of process information].  The Knowledge Base, in turn, provides control of process change and access to all processes and procedures.

Task

A task is a specific action performed as part of a process.  Disable accounts, Interview Network Manager, and run Crack on the Unix machine are examples of security tasks.

Template

A skeleton document, spreadsheet, or graphic presentation that represents the essential requirements for deliverable content.

default/img/items.gif); background-position: 0% 100%;">Comprehensive Glossary of all Corporate Terms

glossaries

EnterpriseGRC Solutions, Inc., Inc. FCM™ Actual Glossary has over 5000 terms.

Related Documents

The COBIT (Control Objectives for Information and Related Technology) framework was released in 1996 and updated in 1998 and 2000 by the Information Systems Audit and Control Foundation (ISACF) in response to the need for a reference framework for security and control in information technology. In 2000, the IT Governance Institute and ISACF developed the Management Guidelines for COBIT.  These guidelines respond to a need by Management for control and measurability of IT, for ensuring that IT activities achieve business objectives.http://www.isaca.org/cobithorizon.htm

The IT Infrastructure Library, ITIL (®), is a series of documents that are used to aid the implementation of a framework for IT Service Management (ITSM). This framework defines how Service Management is applied within specific organizations. Being a framework, it is completely customizable for application within any type of business or organization that has a reliance on IT infrastructure.
http://www.itil-itsm-world.com/

Project Management Skill and Knowledge Requirements in an Information Technology Environment (ISACA)

A Guide to the Project Management Body of Knowledge (PMBOK® Guide)-2000 Edition, Project Management Institute, Project Management Institute, Inc., Newtown Square, PA, USA, 2000

Six Sigma Project Management: A Pocket Guide, by Jeffrey N., Ph.D. Lowenthal, (American Society for Quality; Spiral edition, August 1, 2001)

Risks and Associated Controls  (SAMPLE)

Significance

Likelihood * Impact

Risk Items

Control

How implemented  and actual review schedule

2 * 5

[RiskWatch id here]

Authorization:
In addition to the limit access to documentation from within the corporate network, persons are further restricted from reading and modifying documents through the use of security properties on process asset folders.  Approval to post or modify a process is in accordance with management's general policies and procedures. Access to assets is further restricted through the use of hyperlinks in place of attachments, enforcing limits for viewing documents based on the person's profile within the organization.

PAL infrastructure is carefully managed by process engineering, with administrative controls as provided within Windows 2000 server and as enforced by the data owners.

1 * 5

[RiskWatch id here]

Configuration/Account Mapping Controls: System configuration controls restrict non-authorized users from deleting and modifying files.  Process approval is required in order to post new or modified process.

Security is managed by Network or Data Center Operations and is enforced by Process Engineering and the Data Owner.

2 * 5

[RiskWatch id here]

Interface/Conversion Controls: Data Integrity - (data is not changed or manipulated) and security (no one can access it). Interfaces/conversion includes controls in these areas. Data management (date/time stamps, file names) Processing (no missing, duplicate, or redundant data and to ensure completeness and accuracy.) Validation/reconciliation (on-line edits, batch totals) Over the detection and correction of exceptions and errors.

When data cannot be altered without explicit audit trail and approval, it is managed in VSS.  When code or documentation appears changed, VSS allows for review of edits and roll back.   Data integrity in code is assured via promotion to the production process, where the code is tested in the Quality environment and then approved for movement.  
The PAL is backed up nightly and content change is evident via time stamp.

3 * 5

[RiskWatch id here]

Key Performance Indicators KPI's:  Periodic review by Process Engineering enforces the goal of having processes documented for all management functional areas.  Where information indicates a need for process optimization, process engineering notes this requirement and reviews the timely completion of required process change.  Process engineering also catalogs reviews and guides process development and collection.

There is Risk that Management may fail to assure that procedures are finished in a timely manner or that existing processes are not routinely reviewed to insure their validity or usability.

The PAL XLS and inventories within Facilitated Compliance Management database allow the Process Engineering team visibility on the key performance of process items as required for SAS 70 audit and as agreed upon by department owners.

1 * 1

[RiskWatch id here]

Segregation of Duties (SOD):
The separation of duties and responsibilities of a business process to prevent individuals from being in a position to both perpetrate and conceal an error or irregularity.

Reconciliation of existing rights within the PAL to rights as designed and approved by department owners demonstrates that persons who should not have access to documentation types are segregated.  Roles in the approval process deny persons authority to review and approve their own work.

2 * 5

[RiskWatch id here]

Risk of accidental or intentional distribution of classified private and or sensitive information:

Documentation practice

  • Hyperlink vs. Attachment
  • manager enforcement of storing
  • data in proper file location
  • department role based limit to user access
  • enforcing control related Data Owners
  • document property capture of key control data
  • document classification,

-are all control activities that make the likelihood of this risk negligible.   Each business or management functional owner has access to modify contents inside their own area but cannot modify files outside their Process domain.   Remaining risk is file shares that still require review for misplaced content.

Process "Piece of Cake!"

howdoIdocument

Now can you ask and answer the question: "What Type of Document Should I Write?"

IT Process Asset Library - Recommendations for information organization and visibility over document assets

PAL Contents - File Location, Use

Management\Function Folder Document Type Subfolders Content Description Subfolders allowed Classification
Backup and Recovery        
Backup and Recovery Flowcharts Backup and Recovery Flowcharts folder contain process flow diagrams including those used in process and procedure documentation. No Confidential
Backup and Recovery Process and Procedure Backup and Recovery Process and Procedure folder contain process profile documentation. No Confidential
Backup and Recovery Program Definition Backups and Recovery Program Definition folder contain program profile documentation. No Confidential
Backup and Recovery Template Backup and Recovery Template folder contains shortcuts to approved templates and forms as required for this management function. No Confidential

Change Management

       
Change Management Flowcharts Change Management Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. No Confidential
Change Management Process and Procedure Change Management Process and Procedure folder contain process profile documentation. No Confidential
Change Management Program Definition Change Management Program Definition folder contains program profile documentation. No Confidential
Change Management Template Change Management Template folder contains shortcuts to approved templates and forms as required for this management function. No Confidential

Configuration Management

Configuration Management Flowcharts Configuration Management Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. No Confidential
Configuration Management Process and Procedure Configuration Management Process and Procedure folder contain process profile documentation. No Confidential
Configuration Management Program Definition Configuration Management Program Definition folder contains program profile documentation. No Confidential
Configuration Management RunBook CMDB Configuration Management RunBook CMDB folder contains RunBook process and guidelines. Temporary/ Until all data is moved to database Confidential
Configuration Management Module Configuration Configuration Management Solutions Development-Client Configuration folder contains program profile documentation. This is limited to the area of Master Template configuration guidelines Subfolder as needed Confidential
Configuration Management Template Configuration Management Template folder contains shortcuts to approved templates and forms as required for this management function. No Confidential

Human Resources

Human Resources Flowcharts Human Resources Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. No Confidential
Human Resources Process and Procedure Human Resources Process and Procedure folder contain process profile documentation. No Confidential
Human Resources Program Definition Human Resources Program Definition folder contains program profile documentation. No Confidential
Human Resources Template Human Resources Template folder contains shortcuts to approved templates and forms as required for this management function. No Confidential

Network Management

Network Management Architectures Architecture as Diagrams, long-term strategic IT Vision, infrastructure planning and technical documentation. Subfolder as needed

Sensitive

Network Management Flowcharts Network Management Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. No Confidential
Network Management Process and Procedure Network Management Process and Procedure folder contain process profile documentation. No Confidential
Network Management Program Definition Network Management Program Definition folder contains program profile documentation. No Confidential
Network Management Template Network Management Template folder contains shortcuts to approved templates and forms as required for this management function. No Confidential

Performance Management

Performance Management Flowcharts Performance Management Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. No Confidential
Performance Management Process and Procedure Performance Management Process and Procedure folder contain process profile documentation.  This area includes database process optimization. No Confidential
Performance Management Template Performance Management Template folder contains shortcuts to approved templates and forms as required for this management function. No Confidential

Process Engineering Management

Process Engineering Management Flowcharts Process Engineering Management Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. No Confidential
Process Engineering Management Process and Procedure Process Engineering Management Process and Procedure folder contain process profile documentation. No Confidential
Process Engineering Management Process Profile Process Engineering Management Process Profile folder contains program profile documentation. No Confidential
Process Engineering Management Template Process Engineering Management Template folder contains shortcuts to approved templates and forms as required for this management function. No Confidential
Product Management
Product Management Flowcharts Product Management Flowcharts folder contains process flow diagrams including those used in the process and procedure documentation. No Confidential
Product Management Process and Procedure Product Management Process and Procedure folder contain process profile documentation. No Confidential
Product Management Program Definition Product Management Program Definition folder contains program profile documentation. No Confidential
Product Management Template Product Management Template folder contains shortcuts to approved templates and forms as required for this management function. No Confidential

Quality Assurance

Quality Assurance Flowcharts Quality Assurance Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. No Confidential
Quality Assurance Process and Procedure Quality Assurance Process and Procedure folder contain process profile documentation. No Confidential
Quality Assurance Program Definition Quality Assurance Program Definition folder contains program profile documentation. No Confidential
Quality Assurance Template Quality Assurance Template folder contains shortcuts to approved templates and forms as required for this management function. No Confidential

Security Management

Security Management Flowcharts Security Management Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. No Confidential
Security Management Process and Procedure Security Management Process and Procedure folder contains process profile documentation. No Confidential
Security Management Program Profiles Security Management Program Profiles folder contains program profile documentation. No Confidential
Security Management Program Test Plans Security Management Program Test Plans folder contains security specific program control test plans. No Confidential
Security Management Template Security Management Template folder contains shortcuts to approved templates and forms as required for this management function. No Confidential

Software Development

Software Development Flowcharts Software Development Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. No Confidential
Software Development Process and Procedure Software Development Process and Procedure folder contains process profile documentation. No Confidential
Software Development Program Profiles Software Development Program Profiles folder contains program profile documentation. No Confidential
Software Development Template Software Development Template folder contains shortcuts to approved templates and forms as required for this management function. No Confidential

Standard Operation Procedures

Standard Operation Procedures Forms   No Confidential
Standard Operation Procedures General Use Flowcharts Standard Operation Procedures General Use Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. No Confidential
Standard Operation Procedures RunBook Output of the RunBook Database is a paper copy of the RunBook.  RunBooks live in the database, but a single paper copy may be posted here as SAS70 summary evidence.  This folder could also be removed. No Confidential
Standard Operation Procedures SOP By Domain Standard operating procedures are any set of directions used to maintain or operate any production system. Folders should be set but if an area is needed/ add Confidential
Standard Operation Procedures …\Citrix …\Desktop …\LAN Access Distribution …\Oracle DB …\Oracle Server …\SQL Server …\Unix …\VPN …\WAN Backbone …\WINTEL Each folder is a holding place for short instructions related to the maintenance and care of any technology type.  If a person creates any work instructions, be it in email or as a word file, this a place to store a record of the work so that the SOP doesn't have to be created again.  SOP is less strict than process in that the owner of the technology maintains their current instructions and does not require approval to add to their folder.  Manager is responsible for insuring that any high risk process is documented and that the process could be followed by a person of equal skill in the event that the primary support staff was not available. Sub folder as needed for specific servers and systems. Sensitive
Standard Operation Procedures Template Standard Operation Procedures Template folder contains shortcuts to approved templates and forms as required for this management function. No Confidential

Support Management

       
Support Management Flowcharts Support Management Flowcharts folder contains process flow diagrams including those used in process and procedure documentation. No Confidential
Support Management Process and Procedure Support Management Process and Procedure folder contains process profile documentation. No Confidential
Support Management Program Definition Support Management Program Definition folder contains program profile documentation. No Confidential
Support Management Template Support Management Template folder contains shortcuts to approved templates and forms as required for this management function. No Confidential
IT Work Product Library        

Change Management

       
Change Management Production Release and Change Review Meetings This area will be relocated to RiskConsole once the Change Management program is operational No Confidential
Change Management …\Agendas …\Meeting Minutes Change requests and change review meeting records No Confidential

Network or Data Center Operations Planning and Infrastructure

Network or Data Center Operations Planning and Infrastructure Infrastructure Planning Documentation pertaining to infrastructure planning and development including any current projects.  This area will support numerous project specific subfolders. No Confidential
Network or Data Center Operations Planning and Infrastructure …\patch Create a folder for infrastructure item and keep all planning for that change or project in the folder Sub folder on a per project basis Confidential
Network or Data Center Operations Planning and Infrastructure Performance Management Output of monitoring performance, shows evidence of monitoring activity Sub folder on a per monitoring area as needed Confidential

Process Meeting Minutes

         
Process Meeting Minutes Meeting Minutes and Review Planning Meeting Minutes and approvals for Process Engineering team and program No Confidential

Product Management

         
Product Management Meetings Meetings pertaining to any release are captured and stored here No Confidential
Product Management Project Planning Release tasks by release and other evidence of project structure No Confidential
Product Management Requirements Current list of requirements belongs in VSS, but this location is an evidence pointer showing the requirements in play and recent past.  This folder should have a short cut the actual location in VSS and someone who can walk the auditor through those folders. No Confidential
Product Management [Company Core Product or Service] Release Notes Past and current release notes, evidence folder No Confidential
Product Management Module Configuration Output of planning for Master Template service related tasks. Subfolder as needed Confidential
Product Management Status Reports Staff reports to managers regarding work activity  

Sensitive

Product Training

       
Product Training [Company Core Product or Service] User Guide-External Product training output/ evidence folder No Confidential
Product Training [Company Core Product or Service] User Technical Guide-Internal Product training output/ evidence folder No Confidential

Quality Assurance

       
Quality Assurance Quarterly Reports Documentation pertaining to infrastructure planning and development including any current projects.  This area will support numerous project specific subfolders. Subfolders created by quarter as needed Confidential
Quality Assurance [Company Core Product or Service] QA Testing By Release Test planning documentation and a link to the current tests in Test inProduct. This is a "pointer file" used to assist auditor in finding the evidence. Subfolders are not limited.  This is a place to store in process work. Confidential
Quality Assurance Test Output Used to gather the Internal Controls Testing Plans and the most current snapshot of testing as used for evidence in the upcoming SAS 70.  The actual testing information must reside in its secure location within TestDirector.  This is an output for evidence purposes only. Subfolders limited to the Internal Control Testing program Confidential
Quality Assurance fs02 main Quality Assurance the QA folder on FILESSHARE should be relocated to the process and work product areas.   Confidential

Release-Software Development

Release-Software Development Release Plan-Evidence Copy for current review cycle Documentation in VSS must remain in VSS. This is a pointer file and demonstration of current content on current release.  VSS link should be here. No Confidential
Release-Software Development Release Request Email outtakes and meeting notes where a release related activity is requested.  Release requests live in DevTrack, but can start as emails or notes.  This is where the document record is stored.  All details would show up as a DevTrack ID. No Confidential
Release-Software Development [Company Core Product or Service] Design Specifications from VSS are here as process evidence and are read only.  This is a placeholder for audit data.  Auditor should not be in VSS clicking through directories as this would raise issues around items that are out of date.  Better strategy is to put what we want to show here. No Confidential

Security Management

       
Security Management Exemption Requests Business requests for policy exception based in need to maintain operations with given technology constraints.  All exemptions should also be logged in a table where CSO can maintain visibility on such items.  RC is good candidate for this, especially as tied to Risk area. No

Sensitive

Security Management ...\Situation Evaluation Forms Output of situation review and decisions based on Exceptions to policy. No

Sensitive

Security Management Meetings Notes and Incident Review Records Meeting notes from any security meeting or incident response meeting No

Sensitive

Security Management ...\ Agendas …\Minutes Recommend a format for file name that shows Security, date and meeting type.  Agenda can be a place holder for meeting plans and meeting minutes are just meeting minutes. No

Sensitive

Security Management Program Policy Approval Email outtakes and copy of documents indicating approval to implement security programs.  I have a concern about storing electronic image of signatures and request that files state that signature is locked in a file. Straight evidence folder/ NO

Sensitive

Security Management Security Infrastructure and Program Planning Infrastructure planning document and information related to the planning of any security program. Create a subfolder for any program.

Sensitive

Security Management …\Awareness Awareness program documents, including planned presentations and documents for the development of the program Subfolder as needed

Sensitive

Security Management Test Output DS5 related internal control test plans and output One folder per program tested

Sensitive

Security Management Tracking and Reconciliation Reports Output of security scans and processes. Subfolder as needed

Sensitive

Security Management …\Tools ….\...\Last Login Scripts …\...\...\pbandsp Domain …\...\...\Company Domain Evidence of security monitoring activity Subfolder as needed

Sensitive

Portions of this page are reprinted with permission from its author, and are also located at http://www.pbandsp.com/process/procedureguidelines.html, with parts of this publication also published in the ISACA Control Journal.  To view this paper from the ISACA web site, click here.

http://www.isaca.org/Template.cfm?Section=Archives&template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=7&UserDefinedDate1=11/01/2006 Please Join us on FacebookChicks are cool3/2/2012

Copyright © 2006 ISACA. All rights reserved. www.isaca.org.

Talk2me.  Chat back. Send me a tweet.