IT Business Risk and Compliance Services
Mike Wright
Mobile +61(4) 17 044 622
Email: mike@wrightlane.com.au
Here are some IT Compliance questions you may want to consider:
1. As a business project sponsor or project manager for an IT project, do
you need to ensure it is on track?
2. Do you want to benchmark the maturity of your ITIL service
management shop?
3. Do you want to better manage IT risk in your organisation?
4. How comfortable are you with your Website management and
controls?
5. Are your IT policies current and when were they last reviewed?
6. Has your company outsourced part, or all, of your IT Function? If so,
is it working?
7. Does your company adequately govern IT project investment and
realise the benefits?
8. Does your Internal Audit department need to assess your IT
environment but can't justify a full-time IT Audit resource?
9. Does your business or IT department require support for a new
application or service but is not sure how to develop a RFI or RFP?
If the answer is yes, read on: Wright Lane Services can help!
Mike Wright has extensive and proven IT business risk
and compliance capability with major international
corporations such as Qantas (Australia) and Cable &
Wireless, Sainsbury and Esso Petroleum (UK).
The value proposition is:
- Extensive IT business experience and capability
- Demonstrated IT risk and compliance delivery
- Proven commercial experience with practical perspectives
- Low overhead compared to larger service providers, resulting in a more competitive service
- Flexibility in service provision to reflect your business budgetary and resource requirements
1. As a business project sponsor or IT project manager for an IT project, do you need to ensure it is on track?
There are a number of IT application related reviews or Healthchecks that can be undertaken, depending on the development phase of the project or system:
- Project Management reviews cover the set-up of the project team and validate that adequate project processes are in place.
- Systems Readiness reviews, prior to implementing an application, cover application controls, adequacy of testing and business readiness.
- Post-Implementation reviews (PIR) evaluate business feedback and allow the project team to focus on what is needed to successfully close the project.
- Application controls reviews evaluate an application's availability, security, integrity and maintainability, including the underlying manual business processes necessary from a controls perspective.
Approach and Deliverables
- A series of interviews, with both IT and business stakeholders, is undertaken to ensure that the intended project objectives are agreed and aligned to meet the business needs.
- The project management governance model is reviewed and the adequacy of procedures for maintenance, recovery and data integrity is verified.
- It is verified that potential project risks have been identified and that mitigation plans are in place.
- The findings and any issues are discussed with management. Practical recommendations are made in consultation, highlighting practices that are currently being done efficiently and effectively as well as those areas that may require improvement. Agreed actions are included in a final report following this consultation process.
2. Do you want to benchmark the maturity of your ITIL service management shop?
This service is based on the internationally recognised best practice ISACA CobiT Guide for Service Managers. CobiT focuses on what should be addressed to ensure IT controls, while ITIL provides best practices describing how to plan, design and implement effective service management capabilities. When used together, the power of both approaches is amplified, providing an effective way to benchmark and achieve improvement supported by CobiT's control objectives and practices.
Approach and Deliverables
- Interviews with IT and business stakeholders and the suppliers providing the outsourced service allow the current service management environment to be documented.
- The current business and supplier service roles and responsibilities are then evaluated against ITIL and CobiT guidelines.
- A capability assessment using the CobiT maturity model for ITIL V3 processes is used to benchmark the ITIL processes that management wants to review. It is recommended that service level agreement management and performance monitoring are always undertaken.
- A benchmark maturity report is produced using the traffic light approach, with a recommended Implementation Action Plan agreed with management.
3. Do you want to manage IT risk better in your organisation?
The ISACA Risk IT framework is about IT risk and, more importantly, business risk related to the use of IT. The framework uses top-down business objectives and bottom-up generic IT risk scenarios, which can be used to create an IT Improvement Program or alternatively slot into your existing ERM framework such as COSO or ISO 31000. There are two alternative approaches:
I) Full Risk IT Implementation to Create an Ongoing IT Risks Framework for Your Organisation.
To fully implement the Risk IT framework is a significant program of work and the objective is to enable your enterprise
to identify and manage all significant IT risk types by providing an end-to-end, comprehensive view of all IT related
risks.
Approach and Deliverables
This approach to fully implement the Risk IT framework involves the following:
1. Define the scope of the risk analysis. Determine the top strategic business objectives and the oversight of IT. Determine the initial scope, initially starting with the Top 5 Business and Top 5 IT Risks.
2. Collect data. Interview key business and IT stakeholders and review available material. Obtain IT incident and audit reports, change logs, risk reports and feedback on IT trend analysis and regulatory requirement changes.
3. Identify common risk factors and cluster interrelated events.
4. Estimate IT risk. Apply risk tolerances for determining the risk response.
5. Identify risk response options. Review findings with the CIO, CRO and/or relevant business representatives.
6. Review the analysis. Draft an interim report from the findings.
7. Reporting. Issue the initial draft report for discussion and review, seek management feedback and agree an ongoing IT risk Continuous Improvement Program to feed into the ERM framework.
II) Risk IT Lite to Develop a One-Off Continuous Improvement Program
A simpler alternative is to work with both the business and IT management using elements of the Risk IT
framework to conduct a Risk IT assessment and create a continuous improvement program.
Approach and Deliverables
This Risk IT Lite approach uses elements of the Risk IT framework and involves the following:
1. Top-Down Business Review: input from business representatives on the areas and assets to take into account, the Top 5 Business and Top 5 IT Risks, and feedback on frequent IT events.
2. Bottom-Up IT Department Risk Review: obtain the IT Risk Register, incident and audit reports, change logs, former risk reports and feedback on IT trend analysis.
3. Analyse Review Results: review the IT Department Risk Register and discuss it with IT senior management. Findings are reviewed with the CIO and CRO and/or relevant business representatives to agree the IT risk rating and response.
4. Reporting: issue the initial IT Risk Continuous Improvement plan to key stakeholders (via email) and amend the draft report given IT senior management feedback.
4. How comfortable are you with your Website?
The scope of this review assesses the existing website against known best practice and provides a
controls related compliance view of the existing website environment. The purpose of this work is to
identify any areas of the website for enhancement in order to have a more cost effective, sustainable
and secure website environment.
Approach and Deliverables
- Review and map the existing website environment against best practice standards, including the web-based applications in use and the data they use, and the controls in place such as application development standards (including data validation), change management and testing. Website accountabilities for access administration and performance monitoring are reviewed.
- Assess whether adequate processes exist for the management of the existing website environment in regard to a Data Management Strategy, and benchmark the existing website infrastructure against the latest multi-layered best practice standards.
- Create a report with recommendations for consideration, including the deficiencies of the existing website and a detailed plan of issues identified during the review.
5. Are your IT policies up to date, and when were they last reviewed?
IT best practice recommends that management review IT policies periodically to ensure they reflect new
technology, changes in the environment such as regulatory compliance and significant changes in
business processes in exploiting information technology for competitive gain. As such, a practical
alternative given the constraints on in-house IT compliance resources is to outsource this activity and
Wright Lane Services is in a position to fulfill this requirement.
Approach and Deliverables
- Either review and revise existing IT policies benchmarked against best practice, or supply a new set of IT policies.
- Evaluate whether the IT policies reflect the existing IT environment, including new technology and threats.
- Evaluate whether the IT policies reflect the latest governmental, legal and regulatory requirements.
- Evaluate whether the IT policy is integrated with the overall corporate policies such as HR and Procurement.
- Recommend an IT policy framework, including the individual IT policies themselves.
- Recommend a strategy on how best to implement the IT policies to best effect once agreed by management.
6. Has your company outsourced part or all of your IT Function? If so, is it working?
The objective of carrying out an outsourcing review is to determine whether:
- The risks associated with outsourcing, such as continued availability of services, acceptable levels of service and security of information, are adequately and effectively mitigated through appropriate controls that are implemented and functioning.
- The objectives of outsourcing are being achieved.
- The IT strategy has been suitably modified to make best use of outsourcing.
The outsourcing of IT work involves assessing outsourced risk in relation to software development, application support and maintenance, and infrastructure management services. It must look at the total picture. Outsourcing has many benefits, but it also needs constant monitoring to evaluate both the technical and business aspects, as necessary, to assess the health of the outsourcing arrangement and take the necessary corrective or improvement actions.
Approach and Deliverables
The review would typically involve reviewing the following:
o Services Agreement and Statement of Work
o High-level monitoring, connectivity and network security
o Data security
o Project monitoring and governance
o Compliance with regulatory requirements
o Benefit measurement
o Customer satisfaction
o Impact on IT strategy
Create a report with recommendations for consideration, including the deficiencies of the existing outsourcing arrangement and a detailed plan of issues identified during the review.
7. Does your company adequately govern IT project investment and realise the benefits?
Poor governance of IT project investment can occur due to a lack of project business cases and accountability for benefits realisation, often because no formal enterprise-wide business justification process exists. The following approach therefore needs a remit from senior management to establish a process facilitated by IT but owned by the business unit sponsors.
Approach and Deliverables
The following steps would be undertaken as per the ISACA Val IT best practice program template:
Step 1: Review the IT Project Initiation Document (PID) with all the relevant data, followed by analysis of the data concerning:
o Step 2: Alignment analysis
o Step 3: Financial benefits analysis
o Step 4: Non-financial benefits analysis
o Step 5: Risk analysis
Step 6: Appraisal and optimisation of the risk/return of the IT-enabled investment.
Step 7: The Project Business Case Evaluation would be agreed with IT and lodged with the IT PMO by the Project Manager. Any significant scope changes would be updated to the business case and any benefits realisation impact reviewed.
8. Does your Internal Audit Department need to assess the IT environment but can't justify a full-time IT Audit resource?
Wright Lane Services can provide part-time IT audit compliance and IT risk consultancy to supplement existing capability and capacity with a full suite of IT audit services and requirements.
Approach and Deliverables
- Perform IT Audits identified on the existing Internal Audit schedule.
- Perform an IT Risk Assessment to create a 3-Year IT Audit Plan customised to meet your IT environment, coupled with the strategic business objectives of your organisation (a sample 3-Year IT Audit Plan is shown at the end of this brochure).
- Perform one-off senior management requests, such as investigations related to IT applications.
- Project Healthchecks.
9. Does the business or IT department require support for a new application or service but is not sure how to develop an RFI or RFP?
Wright Lane Services can provide the necessary support to interface between IT and the business to ensure that the business requirements for a proposed IT application provision are understood (and in some cases, justified) as part of the RFI and RFP preparation and analysis. This starts by verifying whether a simpler in-house solution already exists and, if not, ensuring the business understands and will realise the benefits of a turnkey outsourced supplier solution.
Approach and Deliverables
The steps involved include:
1. Identifying the Need
2. Development of the Specification
3. Selecting the Procurement Method
4. Developing the Specification and Contract Documents
5. Seeking, Clarifying and Closing Offers
6. Evaluating Offers
7. Identifying the Preferred Supplier
8. Negotiating the Contract
9. Disposals
10. Evaluating the procurement process
Group Internal Audit 3-Year IT Audit Plan (sample)

Audit Year: 2011
IT Audit Name: Network Management and IT Security Review
IT Audit Scope:
- Evaluate the design, implementation and monitoring of logical access controls to ensure the confidentiality, integrity, availability and authorised use of information assets.
- Evaluate network infrastructure security to ensure the confidentiality, integrity, availability and authorised use of the network and information transmitted.
IT Audit Objectives:
- IT continuity plans to reduce the impact of a major disruption on key business functions exist.
- Preventive, detective and corrective measures are in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).
IT Risk Rating: M, L
Generic IT Risk Topics Covered: Malware and logical attacks; Logical trespassing

Audit Year: 2011
IT Audit Name: Database Management Review
IT Audit Scope:
- Evaluate data administration practices to ensure the integrity and optimisation of databases.
- Evaluate a sample of enterprise databases.
IT Audit Objectives:
- Ensure management of: security policy; user accounts and user access; access login and reviewing; disaster recovery plans; logical and physical access controls for infrastructure; administrative and systemic user access controls.
IT Risk Rating: L
Generic IT Risk Topics Covered: Data(base) integrity

Audit Year: 2012
IT Audit Name: IT Project Management Governance Framework Audit
IT Audit Scope: IT Program Management. For a sample of large, medium and small IT projects, review that:
- The IT PM methodology is followed.
- Cost and performance management are in place.
- A quality plan exists to deliver benefits to business expectations.
- Implementations thus far have been managed adequately.
IT Audit Objectives:
- Standards are maintained for all development and acquisition and follow the life cycle of the ultimate deliverable, and include sign-off at key milestones based on agreed-upon sign-off criteria.
- Measure project performance against key project performance scope, schedule, quality, cost and risk criteria.
- An implementation and fallback/backout plan exists with approval from relevant parties.
IT Risk Rating: H, M
Generic IT Risk Topics Covered: Software implementation, IT project termination and project delivery and project quality; IT programme selection

Audit Year: 2013
IT Audit Name: IT Operations Audit
IT Audit Scope:
- Evaluate operations management to ensure that IT support functions effectively meet business needs.
- Evaluate the use of capacity and performance monitoring tools and techniques to ensure that IT services meet the organisation's objectives.
IT Audit Objectives:
- Plan the actions to be taken for the period when IT is recovering and resuming services.
- Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines.
- Define and implement procedures for backup and restoration of systems, applications, data and documentation in line with business requirements and the continuity plan.
IT Risk Rating: L, M, M, L
Generic IT Risk Topics Covered: Software performance; System capacity; Utilities performance; Information media

Audit Year: 2013
IT Audit Name: Physical and Environmental Controls Audit
IT Audit Scope:
- Physical Controls: evaluate the design, implementation and monitoring of physical controls to ensure that information assets are adequately safeguarded.
- Environmental Controls: evaluate the design, implementation and monitoring of environmental controls to prevent or minimise loss.
IT Audit Objectives:
- Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs.
- Define and implement physical security measures in line with business requirements to secure the location and the physical assets.
- Include background checks in the IT recruitment process, applied to employees, contractors and vendors.
IT Risk Rating: L, L, L
Generic IT Risk Topics Covered: Physical and environmental; Infrastructure (hardware); Infrastructure theft and destruction of infrastructure

WLS Services Brochure March 2013

1. As a business project sponsor or IT project manager for an IT project, do you need to ensure it is on track?

There are a number of IT application related reviews or Healthchecks that can be undertaken depending on the development phase of the project or system:

o Project Management reviews include the set-up of the project team and validate that adequate project processes are in place.
o Systems Readiness reviews, prior to implementing an application, review application controls, adequacy of testing and business readiness.
o Post-Implementation Reviews (PIR) evaluate business feedback and allow the project team to focus on what is needed to successfully close the project.
o Application Controls reviews evaluate an application's availability, security, integrity and maintainability, including the underlying manual business processes necessary from a controls perspective.

Approach and Deliverables

A series of interviews, with both IT and business stakeholders, is undertaken to ensure that the intended project objectives are agreed and are aligned to meet the business needs. The project management governance model is reviewed and the adequacy of procedures for maintenance, recovery and data integrity is verified. It is verified that potential project risks have been identified and that mitigation plans are in place. The findings and any issues will be discussed with management. Practical recommendations are made in consultation, highlighting practices that are currently being done efficiently and effectively as well as those areas that may require improvement. Agreed actions will be included in a final report following this consultation process.

2. Do you want to benchmark the maturity of your ITIL service management shop?

Based on the internationally recognised best practice ISACA CobiT Guide for Services Managers: CobiT focuses on what should be addressed to ensure IT controls, while ITIL provides best practices describing how to plan, design and implement effective service management capabilities. When used together, the power of both approaches is amplified, providing an effective way to benchmark and achieve improvement supported by CobiT's control objectives and practices.

Approach and Deliverables

Interviews with IT and business stakeholders and with the suppliers providing the outsourced service allow the current service management environment to be documented. The current business and supplier service roles and responsibilities are then evaluated against ITIL and CobiT guidelines. A capability assessment using the CobiT maturity model for ITIL V3 processes is used to benchmark the ITIL processes that management wants to review. It is recommended that service level agreement management and performance monitoring are always undertaken. A benchmark maturity report is produced using the traffic light approach, with a recommended Implementation Action Plan agreed with management.
3. Do you want to manage IT risk better in your organisation?

The ISACA Risk IT framework is about IT risk but, more importantly, business risk related to the use of IT. The framework uses top-down business objectives and bottom-up generic IT risk scenarios, which can be used to create an IT Improvement Program or, alternatively, slot into your existing ERM framework such as COSO or ISO 31000. There are two alternative approaches:

I) Full Risk IT Implementation to Create an Ongoing IT Risk Framework for Your Organisation

Fully implementing the Risk IT framework is a significant program of work. The objective is to enable your enterprise to identify and manage all significant IT risk types by providing an end-to-end, comprehensive view of all IT related risks.

Approach and Deliverables

This approach to fully implement the Risk IT framework involves the following:

1. Define the scope of the risk analysis. Determine the top strategic business objectives and an oversight of IT. Determine the initial scope; start with the Top 5 Business and Top 5 IT Risks.
2. Collect data. Interview key business and IT stakeholders and review available material. Obtain IT incident and audit reports, change logs, risk reports and feedback on IT trend analysis and regulatory requirement changes.
3. Identify common risk factors and cluster interrelated events.
4. Estimate IT risk. Apply risk tolerances for determining the risk response.
5. Identify risk response options. Review findings with the CIO, CRO and/or relevant business representatives.
6. Review the analysis. Draft an interim report from the findings.
7. Reporting. Issue the initial draft report for discussion and review, seek management feedback and agree an ongoing IT risk Continuous Improvement Program to feed into the ERM.

II) Risk IT Lite to Develop a One-Off Continuous Improvement Program

A simpler alternative is to work with both business and IT management using elements of the Risk IT framework to conduct a Risk IT assessment and create a continuous improvement program.

Approach and Deliverables

This Risk IT Lite approach uses elements of the Risk IT framework and involves the following:

1. Top-Down Business Review - Input from business representatives on areas and assets, taking into account the Top 5 Business and Top 5 IT Risks and feedback on frequent IT events.
2. Bottom-Up IT Department Risk Review - Obtain the IT Risk Register, incident and audit reports, change logs, former risk reports and feedback on IT trend analysis.
3. Analyse Review Results - Review the IT Department Risk Register and discuss it with IT senior management. Findings are reviewed with the CIO and CRO and/or relevant business representatives to agree the IT risk rating and response.
4. Reporting - Issue the initial IT Risk Continuous Improvement plan to key stakeholders (via email) and amend the draft report given IT senior management feedback.
4. How comfortable are you with your Website?

The scope of this review assesses the existing website against known best practice and provides a controls related compliance view of the existing website environment. The purpose of this work is to identify any areas of the website for enhancement in order to have a more cost effective, sustainable and secure website environment.

Approach and Deliverables

Review and map the existing website environment against best practice standards, including the Web-based applications in use and the data they use, and the controls in place such as application development standards (including data validation), change management and testing. Website accountabilities for access administration and performance monitoring are reviewed. Assess whether adequate processes exist for the management of the existing website environment in regard to a Data Management Strategy, and benchmark the existing website infrastructure against the latest multi-layered best practice standards. Create a report with recommendations for consideration, including the deficiencies of the existing website and a detailed plan of issues identified during the review.

5. Are your IT policies up-to-date, and when were they last reviewed?

IT best practice recommends that management review IT policies periodically to ensure they reflect new technology, changes in the environment such as regulatory compliance, and significant changes in business processes in exploiting information technology for competitive gain. As such, a practical alternative given the constraints on in-house IT compliance resources is to outsource this activity, and Wright Lane Services is in a position to fulfil this requirement.

Approach and Deliverables

Can either review and revise existing IT policies benchmarked against best practice or supply a new set of IT policies.

o Evaluate whether the IT policies reflect the existing IT environment, including new technology and threats.
o Evaluate whether the IT policies reflect the latest governmental, legal and regulatory requirements.
o Evaluate whether the IT policy is integrated with the overall corporate policies such as HR and Procurement.
o Recommend an IT Policy framework, including the individual IT policies themselves.
o Recommend a strategy on how best to implement the IT policies to best effect once agreed by management.
6. Has your company outsourced part or all of your IT Function? If so, is it working?

The objective of carrying out an outsourcing review is to determine whether:

o The risks associated with outsourcing, such as continued availability of services, acceptable levels of service and security of information, are adequately and effectively mitigated through appropriate controls that are implemented and functioning.
o The objectives of outsourcing are being achieved.
o The IT strategy has been suitably modified to make best use of outsourcing.

The review of outsourced IT work involves assessing outsourced risk in relation to software development, application support and maintenance, and infrastructure management services. It must look at the total picture. Outsourcing has many benefits, but it also needs constant monitoring to evaluate both the technical and business aspects, as necessary, to assess the health of the outsourcing and take the necessary corrective or improvement actions.

Approach and Deliverables

The review would typically involve reviewing the following:

o Services Agreement and Statement of Work
o High-level monitoring, connectivity and network security
o Data security
o Project monitoring and governance
o Compliance with regulatory requirements
o Benefit measurement
o Customer satisfaction
o Impact on IT strategy

Create a report with recommendations for consideration, including the deficiencies of the existing outsourcing arrangement and a detailed plan of issues identified during the review.

7. Does your company adequately govern IT project investment and realise the benefits?

Poor IT project management governance of IT investment can occur due to a lack of project business cases and accountability for benefits realisation. This can be because no formal enterprise-wide business justification process exists.

Therefore the following approach needs to be given the remit by senior management to establish the following process, facilitated by IT but owned by the business unit sponsors.

Approach and Deliverables

The following steps would be undertaken as per the ISACA Val IT best practice program template:

Step 1 - Review the IT Project Initiation Document (PID) with all the relevant data, followed by analysis of the data concerning:
o Step 2 - Alignment analysis
o Step 3 - Financial benefits analysis
o Step 4 - Non-financial benefits analysis
o Step 5 - Risk analysis
Step 6 - Appraisal and optimisation of the risk/return of the IT-enabled investment
Step 7 - The Project Business Case Evaluation would be agreed with IT and lodged with the IT PMO by the Project Manager. Any significant scope changes would be updated to the business
case and any benefits realisation impact reviewed.

8. Does your Internal Audit Department need to assess the IT environment but can't justify a full-time IT Audit resource?

Wright Lane Services can provide part-time IT audit compliance and IT risk consultancy to supplement existing capability and capacity with a full suite of IT audit services and requirements.

Approach and Deliverables

o Perform IT audits identified on the existing Internal Audit schedule.
o Perform an IT Risk Assessment to create a 3-Year IT Audit Plan customised to meet your IT environment, coupled with the strategic business objectives of your organisation.
o Perform one-off senior management requests, such as investigations related to IT applications.
o Project Healthchecks.

9. Does the business or IT department require support for a new application or service but is not sure how to develop a RFI or RFP?

Wright Lane Services can provide the necessary support to interface between IT and the business to ensure that the business requirements for a proposed IT application provision are understood (and in some cases, justified) as part of the RFI and RFP preparation and analysis. This starts by verifying whether a simpler in-house solution already exists and, if not, ensuring the business understands and will realise the benefits of a turnkey outsourced supplier solution.

Approach and Deliverables

The steps involved include:

1. Identifying the Need
2. Development of Specification
3. Selecting the Procurement Method
4. Developing the Specification and Contract Documents
5. Seeking, Clarifying and Closing Offers
6. Evaluating Offers
7. Identifying the Preferred Supplier
8. Negotiating the Contract
9. Disposals
10. Evaluating the procurement process

Group Internal Audit 3-Year IT Audit Plan

Audit Year: 2011
IT Audit Name: Network Management and IT Security Review
IT Audit Scope:
o Evaluate the design, implementation and monitoring of logical access controls to ensure the confidentiality, integrity, availability and authorised use of information assets.
o Evaluate network infrastructure security to ensure the confidentiality, integrity, availability and authorised use of the network and the information transmitted.
IT Audit Objectives:
o IT continuity plans to reduce the impact of a major disruption on key business functions exist.
o Preventive, detective and corrective measures are in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).
IT Risk Rating: M, L
Generic IT Risk Topics Covered: Malware and logical attacks; Logical trespassing

Audit Year: 2011
IT Audit Name: Database Management Review
IT Audit Scope:
o Evaluate data administration practices to ensure the integrity and optimisation of databases.
o Evaluate a sample of enterprise databases.
IT Audit Objectives:
o Ensure management of: security policy; user accounts and user access; access logging and review; disaster recovery plans; logical and physical access controls for infrastructure; administrative and systemic user access controls.
IT Risk Rating: L
Generic IT Risk Topics Covered: Data(base) integrity

Audit Year: 2012
IT Audit Name: IT Project Management Governance Framework Audit
IT Audit Scope: IT Program Management. For a sample of large, medium and small IT projects, review that:
o the IT PM methodology is followed;
o cost and performance management are in place;
o a quality plan exists to deliver benefits to business expectations;
o implementations thus far have been managed adequately.
IT Audit Objectives:
o Standards are maintained for all development and acquisition, follow the life cycle of the ultimate deliverable, and include sign-off at key milestones based on agreed-upon sign-off criteria.
o Measure project performance against key project performance scope, schedule, quality, cost and risk criteria.
o An implementation and fallback/backout plan exists with approval from relevant parties.
IT Risk Rating: H, M
Generic IT Risk Topics Covered: Software implementation, IT project termination and project delivery and project quality; IT programme selection

Audit Year: 2013
IT Audit Name: IT Operations Audit
IT Audit Scope:
o Evaluate operations management to ensure that IT support functions effectively meet business needs.
o Evaluate the use of capacity and performance monitoring tools and techniques to ensure that IT services meet the organisation's objectives.
IT Audit Objectives:
o Plan the actions to be taken for the period when IT is recovering and resuming services.
o Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines.
o Define and implement procedures for backup and restoration of systems, applications, data and documentation in line with business requirements and the continuity plan.
IT Risk Rating: L, M, M, L
Generic IT Risk Topics Covered: Software performance; System capacity; Utilities performance; Information media

Audit Year: 2013
IT Audit Name: Physical and Environmental Controls Audit
IT Audit Scope:
o Physical Controls: evaluate the design, implementation and monitoring of physical controls to ensure that information assets are adequately safeguarded.
o Environmental Controls: evaluate the design, implementation and monitoring of environmental controls to prevent or minimise loss.
IT Audit Objectives:
o Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs.
o Define and implement physical security measures in line with business requirements to secure the location and the physical assets.
o Include background checks in the IT recruitment process, applied to employees, contractors and vendors.
IT Risk Rating: L, L, L
Generic IT Risk Topics Covered: Physical and environmental; Infrastructure (hardware); Infrastructure theft and destruction of infrastructure