Published by Prosper McKenzie. Modified over 9 years ago.
1
Confidential. THIS DOCUMENT CONTAINS PROPRIETARY INFORMATION, WHICH IS PROTECTED BY COPYRIGHT. ALL RIGHTS RESERVED. NO PART OF THIS DOCUMENT MAY BE PHOTOCOPIED, REPRODUCED OR TRANSLATED TO ANOTHER LANGUAGE WITHOUT THE PRIOR CONSENT OF QUINT WELLINGTON REDWOOD ACADEMY, AMSTERDAM. © Copyright 2003 Quint Wellington Redwood Academy

IT Compliance With Sarbanes-Oxley Through an IT Process Oriented Best Practices Framework (ITIL) and an Integrated Process Workflow Model (IPW)

Dr. Charles Newman, c.newman@quintacademy.com, 305-608-6340
2
Compliance Framework

A Compliance Framework is a set of internal controls for managing organizations. The Compliance Framework is part of a compliance architecture, which also includes technology controls.
3
ITIL

ITIL (IT Infrastructure Library) is the most widely accepted approach to IT Service Management in the world. It provides a cohesive set of well-defined best practices, drawn from the public and private sectors internationally, and is supported by a comprehensive qualification scheme, accredited training organizations, and implementation and assessment tools.
4
ITIL according to Gartner

- A base for driving performance and quality improvements in the service management domain.
- Can be an integral part of a wider quality initiative when combined with other frameworks such as CMM, CobiT or Six Sigma.
- Companies need an objective assessment of their current and target ITIL process capability to understand what they are trying to achieve.
5
The Role of ITIL

When applied to Sarbanes-Oxley IT control compliance in a manner consistent with the overall COSO and COBIT frameworks, ITIL gives companies a proven, practical, highly focused approach to assessing, building and continuously improving a tightly controlled IT environment. It deals with the "how" as well as the "what" of implementing IT controls.
6
7
Incorporating People, Process and Technology

[Figure: an IT service resting on three elements: process, people and technology.]

"80% of unplanned downtime is due to people and processes." (source: Gartner Group)
8
ITIL Service Management Best Practices
9
Why Use ITIL for Sarbanes-Oxley Control Compliance

- A large portion of the IT control requirements of SOX is covered by ITIL.
- ITIL is an independent, globally accepted best-practice framework with a history of over 12 years of development, use and continuous improvement by thousands of major companies and tens of thousands of IT professionals.
- Through ITIL and Quint's IPW (Integrated Process Workflow Method), a company can be specifically measured, trained, monitored and continuously improved along a well-defined path of process maturity (consistent with other standards such as COBIT, CMM, etc.).
10
ITIL and Sarbanes-Oxley: ITIL and controls

Change management
- Improved risk assessment
- Better assessment of the cost of proposed changes before they are incurred

Availability management
- A single point of accountability for availability is established within the IT organization
- The required and agreed availability levels are measured and monitored
- Ensures the security aspects of data and applications (confidentiality, integrity and availability) are defined and incorporated within the overall availability design
11
ITIL and Sarbanes-Oxley / SOX 404: ITIL and controls

Financial management
- Increased confidence in setting and managing budgets
- Accurate cost information to support IT investment decisions
- Accurate cost information for determining the cost of ownership of ongoing services

Security management
- Segregation of duties
- Separation of development and production
- Accountability for assets
- Access control in all aspects of IT
12
ITIL and Sarbanes-Oxley: ITIL and controls

Release management
- Complete audit trail of changes to the live environment (both hardware and software)
- Reduced likelihood of unlicensed copies of software in use at any location
- Releases are subject to quality control and testing under release management, reducing errors
- Safeguarding of hardware and software assets

Service level management
- Specific targets are available against which service quality can be measured
13
Quint Quest Assessment and SOX IT Control Compliance

Quint Wellington Redwood has conducted systematic assessments of the IT Service Management processes of companies for over 12 years with a proven, highly focused methodology. Quint Quests are largely driven by the ITIL best-practice framework, but are also taken to a more integrated process maturity model perspective through Quint's unique IPW Model (Implementation of Process Oriented Workflow) and through the transformation and change management tool, AURRA.
14
Quint Quest and SOX (continued)

Quint has now developed a set of Quint Quest Assessments specifically designed to provide substantive support to companies' IT control compliance efforts regarding Sarbanes-Oxley. These assessments are conducted by an experienced team of senior consultants, who are also available to continue working as part of a company's internal Sarbanes-Oxley compliance team and with any other external entities that are part of that team.
15
QuintQuest/SOX Assessment Areas

- Change Management
- Service Level Management
- Configuration Management
- Security Management
- Incident Management
- Problem Management
- Contingency Planning
- Availability Management
- Release Management
- Capacity Management
- Financial Management
16
QuintQuest/SOX Assessment Dimensions

- Intention (Mission, Policies, Objectives, Definition, Function)
- Process (Submitting, Classification, Planning, Authorization, Build, Test, Implementation, Acceptance, Finalizing, Communications, Progress)
- Procedures (Tasks, Tools, Procedures, Urgent Changes)
- Control (Metrics, Reports, Process Analysis, Improvement)
- Relations (All processes, Senior Level Management, Development)
17
QuintQuest Assessment Example for the Process Dimension of Change Management

Submitting: How are changes (RfCs) requested? What is the point of entry for a change? Who is permitted to submit an RfC? Does everyone know where to submit an RfC? What are the possible reasons for submitting an RfC? What information is required in an RfC?

Classification: By what method does classification take place (category, priority, impact, investment, SLAs)?

Planning: Who manages the change calendar? Which other persons are involved in organizing the changes? Who performs the actual allocation of time and resources for a change?
18
Example Assessment (continued)

Authorization: Who manages the change calendar? Which other persons are involved in organizing the changes? Who performs the actual allocation of time and resources for a change?

Build: What phases are defined when building changes? Who is involved in each phase? Is a standardized method of change building used?

Test: How does a test take place? Is there a standard script for testing? Does the test script cover both functional and technical issues?
19
Example Assessment (continued)

Implementation: When and in what way does the implementation of changes take place? Are there dedicated timeframes for the implementation of changes? Is a back-out and/or fallback always possible, and is it defined in a plan? What does that plan look like? Are specialists on standby during an implementation?

Acceptance: Who is involved in the actual acceptance, and in what way? On what criteria is acceptance based, and are those criteria formalized?
20
Example Assessment (continued)

Finalizing: When is a change formally closed? Is there a formal discharge ("decharge") of those involved?

Evaluation: Are changes evaluated? How and when are changes evaluated (e.g., size, effort, planning, result, quality)?

Communication: Who is informed before and after a change?

Progress: How is progress monitored, and who is involved in this monitoring?
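The assessment questions above ask who may submit, authorize, build, test and implement a change, whether a back-out plan exists, and how progress is recorded. The following is an added example, not code from the original deck or from Quint, showing how those questions become enforceable controls rather than interview answers: the submitter cannot authorize their own RfC (segregation of duties), development and operations are distinct roles (separation of development and production), nothing reaches production without a passed test and a recorded back-out plan, and every attempted transition, including the refused ones, lands in an audit trail. The state names, role names, the sample RfC "RFC-0001" and its actors are all assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Any, Dict, List, Optional

class State(Enum):
    SUBMITTED = "submitted"
    CLASSIFIED = "classified"
    AUTHORIZED = "authorized"
    BUILT = "built"
    TESTED = "tested"
    IMPLEMENTED = "implemented"
    ACCEPTED = "accepted"
    CLOSED = "closed"

# The only allowed transitions, in the order the assessment questions follow.
_NEXT = {
    State.SUBMITTED: State.CLASSIFIED, State.CLASSIFIED: State.AUTHORIZED,
    State.AUTHORIZED: State.BUILT, State.BUILT: State.TESTED,
    State.TESTED: State.IMPLEMENTED, State.IMPLEMENTED: State.ACCEPTED,
    State.ACCEPTED: State.CLOSED,
}

# Role permitted to perform each step (hypothetical role names); keeping "developer"
# and "operations" distinct is the separation of development and production.
_ROLE_FOR = {
    State.CLASSIFIED: "change_manager", State.AUTHORIZED: "cab",
    State.BUILT: "developer", State.TESTED: "tester",
    State.IMPLEMENTED: "operations", State.ACCEPTED: "service_owner",
    State.CLOSED: "change_manager",
}

class ControlViolation(Exception):
    """A transition was refused because it would break an enforced control."""

@dataclass
class RfC:
    rfc_id: str
    submitter: str
    state: State = State.SUBMITTED
    backout_plan: Optional[str] = None
    test_passed: bool = False
    audit_trail: List[Dict[str, Any]] = field(default_factory=list)

    def _check(self, target: State, actor: str, role: str, evidence: Dict[str, Any]) -> None:
        if role != _ROLE_FOR[target]:
            raise ControlViolation(f"role {role!r} may not perform {target.value}")
        if target is State.AUTHORIZED and actor == self.submitter:
            raise ControlViolation("segregation of duties: submitter may not authorize own RfC")
        if target is State.IMPLEMENTED:
            if not evidence.get("backout_plan"):
                raise ControlViolation("no back-out plan recorded before implementation")
            if not self.test_passed:
                raise ControlViolation("implementation without a passed test")

    def advance(self, actor: str, role: str, **evidence: Any) -> State:
        """Apply the next transition; every attempt, accepted or refused, is logged."""
        target = _NEXT.get(self.state)
        if target is None:
            raise ControlViolation(f"{self.rfc_id} is already closed")
        entry = {"at": datetime.now(timezone.utc).isoformat(), "actor": actor, "role": role,
                 "from": self.state.value, "to": target.value, "evidence": dict(evidence)}
        try:
            self._check(target, actor, role, evidence)
        except ControlViolation as exc:
            entry["refused"] = str(exc)  # refused attempts are audit evidence too
            self.audit_trail.append(entry)
            raise
        if target is State.TESTED:
            self.test_passed = bool(evidence.get("passed"))
        if target is State.IMPLEMENTED:
            self.backout_plan = evidence["backout_plan"]
        self.audit_trail.append(entry)
        self.state = target
        return target

def _attempt(rfc: RfC, actor: str, role: str, **evidence: Any) -> None:
    """Try a transition the controls should refuse; the refusal is logged, not propagated."""
    try:
        rfc.advance(actor, role, **evidence)
    except ControlViolation:
        pass

def run_sample() -> RfC:
    """Walk one constructed RfC through the lifecycle, including two refused attempts."""
    rfc = RfC("RFC-0001", submitter="alice")
    rfc.advance("bob", "change_manager", category="standard", priority="medium")
    _attempt(rfc, "alice", "cab")  # submitter approving her own change
    rfc.advance("carol", "cab", cab_minutes="2003-11-05")
    rfc.advance("dave", "developer", build="cert-rotate-v2")
    rfc.advance("erin", "tester", passed=True, script="tls-regression")
    _attempt(rfc, "frank", "operations")  # deploy with no back-out plan
    rfc.advance("frank", "operations", backout_plan="reinstall previous certificate from backup")
    rfc.advance("gina", "service_owner", criteria="no failed handshakes for 24h")
    rfc.advance("bob", "change_manager", evaluation="on time, no incidents")
    return rfc

def refused_attempts(rfc: RfC) -> List[str]:
    return [e["refused"] for e in rfc.audit_trail if "refused" in e]
```

Running `run_sample()` leaves the RfC closed with nine audit entries: seven accepted transitions and two refusals, one for the submitter trying to sit on her own change advisory board and one for an implementation with no back-out plan. The point for a SOX 404 reviewer is that the refusals are evidence as well: an auditor can test the control by looking for refused entries rather than by asking whether the policy exists.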
21
Quint's IPW™ model

[Figure: the IPW model, arranged in five domains: the Business Domain, the Business ICT Alignment Domain (BITA), the ICT Domain, the Supplier ICT Alignment Domain (SITA) and the Supplier Domain. Process labels recoverable from the figure: Business Planning, Business Operations, Information Management, ICT Valuing, Commercial Policy, HRM, Strategy, Architecture, Finance, Strategic Sourcing, Supplier Portfolio, Strategic Supplier Processes, Relationship Management, Service Level Management, Service Development, Service Planning, Supplier Planning, Functional Management, Demand Management, Service Build & Test, Service Design, Security Management, Financial Management, Continuity Management, Availability Management, Capacity Management, Supply Management, Contract Management, Purchase Management, Operation Support, Change Management, Problem Management, Configuration Management, Incident Management, Operations Management, Release Management, Services Operations, Business Support, Application Management, Supplier Operations, Service Desk.]
22
How SOX affects the processes in your organization: General IT Controls
23
How SOX affects the processes in your organization: Application and data-owner process
24
How SOX affects the processes in your organization: Outsourcing (SAS 70)
25
Quint's IPW Maturity Model™

Stage 3 or higher is needed for SOX.

[Figure: five maturity stages: 1 Initial, 2 Operational monitoring, 3 Operational control, 4 Service control, 5 Service improving. Other labels in the figure: Ops & Measurement; Realise "internal fit"; Self-steering incorporated; Realise "external fit"; Dependent processes; Environmental conditions / constraints; Generic, Extended, Exceeding, Excelling; "For free...".]
26
IPW Maturity Model™: Assessment of 'as is' and 'to be'

[Figure: the Service Support processes (labelled cfm, rlm, chm, pm, im, apparently configuration, release, change, problem and incident management) plotted against the maturity stages Initial, Operational monitoring, Operational control, Service control and Service improving, with process ratings from "not identified" and "not performed" through "monitored", "controlled" and "proactive" to "improving".]

IPWSM™ is a trademark of Quint Wellington Redwood.
27
Quint's IPW Maturity Model™: Improvement experience

- Logical sequence
- Aligned with customer maturity
- Limited parallel improvement
- Staged improvement
- Integration with the development domain (CMM℠/SPICE)
- Compliant with ITIL
- Benchmarking (of outsourcers) possible
- De-mystifies ITIL consultancy
- Professional judgement remains necessary
28
For further information

Contact: Dr. Charles Newman, Director, Quint Wellington Redwood
E-mail: c.newman@quintacademy.com
Mobile: 305-608-6340