DS1.1:: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search
No edit summary
 
No edit summary
 
(3 intermediate revisions by the same user not shown)
Line 19: Line 19:
'''Risk Association Control Activities:'''<br>
'''Risk Association Control Activities:'''<br>
<br>
<br>
::'''1. Risk: Development and maintenance of system with potential impact to financial reporting bypass processes for identifying business requirements, risks, and for designing needed controls.'''<br>
::'''1. Risk: Development and maintenance of system with potential impact to financial reporting bypass processes for identifying business requirements, risks, and for designing needed controls.'''
:::a. SOX.1.14: Controls provide reasonable assurance that systems with potential impact to financial reporting are developed and maintained in a controlled manner through the use of a development methodology.<br>
<br>
:::a. SOX.1.14: Controls provide reasonable assurance that systems with potential impact to financial reporting are developed and maintained in a controlled manner through the use of a development methodology.
<br>
<br>
<br>
::'''2. Risk: IT function does not meet the organizational needs.'''<br>
::'''2. Risk: IT function does not meet the organizational needs.'''<br>
:::a. SOX.2.0.1: Organizational policies and management procedures are in place to ensure the IT function is controlled properly.<br>
:::a. SOX.2.0.1: Organizational policies and management procedures are in place to ensure the IT function is controlled properly.
<br>
<br>
::'''3. Risk: System security may be undermined by inappropriate external system connections.'''
<br>
:::a. SOX.3.1.3: External system connections should be used for valid business purposes only and controls should be in place to prevent these connections from undermining system security.
<br>
<br>
[[Image:Key-control.jpg]]
<br>
<br>
::'''4. Risk: Poorly managed systems or system functionality does not delivered as required and financial information is not processed as intended. '''
<br>
:::a. [[SOX.1.22:|'''SOX.1.22''']] Service levels are defined and managed to support financial reporting system requirements.
<br>
<br>
::'''3. Risk: System security may be undermined by inappropriate external system connections.'''<br>
:::a. SOX.3.1.3: External system connections should be used for valid business purposes only and controls should be in place to prevent these connections from undermining system security.<br>
<br>
<br>
'''Implementation Guide:'''<br>
'''Implementation Guide:'''<br>
Line 59: Line 72:
<br>
<br>
ITIL 4.3.1 Initial planning activities.<br>
ITIL 4.3.1 Initial planning activities.<br>
An organization has formulated objectives. Business processes take place in an organization in order to achieve these objectives. In executing these processes, the organization becomes increasingly dependent on a well-functioning information supply. In other words organizations are increasingly dependent on IT services to meet their business needs. In this context, information security is not a goal in itself but a means of achieving the business objectives.<br>
The way the information supply is organized depends on the type of organization and the nature of the products or services it delivers in support of its business processes. The organization collects data in order to make products or supply a service. The data is stored, processed and made available at the moment it is needed. Those people concerned have to be able to count on its integrity. And it is equally important to ensure that only those who are authorized to do so can gain access to this information. By the time it is needed, confidentiality, integrity, and availability should no longer be open to discussion. An organization must therefore organize the collection, storage, handling, processing and provision of data in such a way that these conditions are satisfied.<br>
Information security exists to serve the interests of the business or organization. Not all information and not all information services are equally important to the organization. The level of information security has to be appropriate to the importance of the information. This ‘tailored security’ is achieved by finding a balance between the security measures and their associated costs on the one hand and, on the other, the value of the information and the risks in the processing environment. Security forms an important added value for an information system. Having the right security for an information system means that more tasks can be performed in an accountable and responsible manner.<br>
<br>
<br>
'''Implementation guidance'''<br>
'''Implementation guidance'''<br>
Insert guidance in this section if it helps to elaborate upon the subject matter. Examples of evidence that would help guide the end user is desirable.<br>
Insert guidance in this section if it helps to elaborate upon the subject matter. Examples of evidence that would help guide the end user is desirable.<br>
<br>
<br>

Latest revision as of 15:03, 25 June 2006

DS 1.1 Service Level Management Framework

Control Objective:

Define a framework that provides a formalized service level management process between the customer and service provider. The framework maintains continuous alignment with business requirements and priorities and facilitates common understanding between the customer and provider(s). The framework includes processes for creating service requirements, service definitions, service level agreements (SLA), operating level agreements (OLA) and funding sources. These attributes are organized in a service catalogue. The framework defines the organizational structure for service level management, covering the roles, tasks and responsibilities of internal and external service providers and customers.

Applicability:

Sarbanes-Oxley
HIPAA
GLBA
PCI
FISMA
NIST SP 800-66
Ditscap
Control Exception
User Defined


Risk Association Control Activities:

1. Risk: Development and maintenance of system with potential impact to financial reporting bypass processes for identifying business requirements, risks, and for designing needed controls.


a. SOX.1.14: Controls provide reasonable assurance that systems with potential impact to financial reporting are developed and maintained in a controlled manner through the use of a development methodology.



2. Risk: IT function does not meet the organizational needs.
a. SOX.2.0.1: Organizational policies and management procedures are in place to ensure the IT function is controlled properly.



3. Risk: System security may be undermined by inappropriate external system connections.


a. SOX.3.1.3: External system connections should be used for valid business purposes only and controls should be in place to prevent these connections from undermining system security.





4. Risk: Poorly managed systems or system functionality does not delivered as required and financial information is not processed as intended.


a. SOX.1.22 Service levels are defined and managed to support financial reporting system requirements.



Implementation Guide:

Process Narrative
Insert a description of the process narration that is applicable to the existing control statement this narrative refers to.

Process Illustration
Insert a process diagram, flowchart or other visual representation here to illustrate the process narrative.

File:Someimage.jpg

Control Commentary
Insert a description of the control that is applicable to the existing control statement this commentary refers to.

Control Exception Commentary
Insert a description of the control exception that is applicable to the existing control statement this commentary refers to.

Evidence Archive Location
Insert Evidence Description Here.

Control Status and Auditors Commentary
Describe the condition of the applicable control and its effectiveness. Set the color icon to a redlock.jpg, yellowlock.jpg or greenlock.jpg.

File:Redlock.jpg

Remediation Plan
Insert remediation plan, applicability, or any information that indicates what needs to be done.

Supplemental Information:
ITIL Service Delivery, Service Level Management.

ITIL 4.3.1 Initial planning activities.

Implementation guidance
Insert guidance in this section if it helps to elaborate upon the subject matter. Examples of evidence that would help guide the end user is desirable.