The WLS value proposition is:
-Extensive IT business experience and capability
-Demonstrated IT risk and compliance delivery
-Proven commercial experience with practical perspectives
-Low overhead compared to larger service providers results in a more competitive service
-Flexibility in service provision to reflect your business budgetary and resource requirements
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
WLS Services Brochure March 2013
1. IT Business Risk and Compliance Services
Mike Wright
Mobile +61(4) 17 044 622
Email: mike@wrightlane.com.au 1 | P a g e
Here are some IT Compliance questions you may want to consider:
1. As a business project sponsor or project manager for an IT project, do
you need to ensure it is on track?
2. Do you want to benchmark the maturity of your ITIL service
management shop?
3. Do you want to better manage IT risk in your organisation?
4. How comfortable are you with your Website management and
controls?
5. Are your IT policies current and when were they last reviewed?
6. Has your company outsourced part, or all, of your IT Function? If so,
is it working?
7. Does your company adequately govern IT project investment and
realise the benefits?
8. Does your Internal Audit department need to assess your IT
environment but can't justify a full-time IT Audit resource?
9. Does your business or IT department require support for a new
application or service but is not sure how to develop a RFI or RFP?
If the answer is yes, read on, Wright Lane Services can be of help!
Mike Wright has extensive and proven IT business risk
and compliance capability with major international
corporations such as Qantas (Australia) and Cable &
Wireless, Sainsbury and Esso Petroleum (UK).
The value proposition is:
Extensive IT business experience and capability
Demonstrated IT risk and compliance delivery
Proven commercial experience with practical perspectives
Low overhead compared to larger service providers results in a more
competitive service
Flexibility in service provision to reflect your business budgetary and resource
requirements
2. IT Business Risk and Compliance Services
Mike Wright
Mobile +61(4) 17 044 622
Email: mike@wrightlane.com.au 2 | P a g e
1. As a business project sponsor or IT project manager for an IT project, do you need to ensure its on track?
There are a number of IT application related reviews or Healthchecks that can be undertaken depending on
the development phase of the project or system:
Project Management reviews includes the set-up of the project team and validates that adequate
project processes are in place,
Systems Readiness reviews prior to implementing an application reviews applications controls,
adequacy of testing and business readiness,
Post-Implementation reviews (PIR) evaluates business feedback and allows the project team to
focus on what is needed to successfully close the project,
Applications controls review evaluates an application‘s availability, security, integrity &
maintainability including the underlying manual business processes necessary from a controls
perspective.
Approach and Deliverables
A series of interviews, with both IT and business stakeholders, are
undertaken to ensure that the intended project objectives are
agreed and are aligned to meet the business needs.
The project management governance model is reviewed and the
adequacy of procedures for the maintenance, recovery and data
integrity is verified.
Verify that potential project risks have been identified and that
mitigation plans are in place.
The findings and any issues will be discussed with management.
Practical recommendations are made in consultation, highlighting
practices that are currently being done efficiently and effectively as
well as those areas that may require improvements. Agreed actions
will be included in a final report following this consultation process.
2. Do you want to benchmark the maturity of your ITIL service management shop?
Based on the internationally recognised best practice ISACA CobiT Guide for Services Managers, CobiT focuses on
what should be addressed to ensure IT controls, while ITIL provides best practices describing how to plan, design
and implement effective service management capabilities. When used together, the power of both approaches is
amplified providing an effective way to benchmark and achieve improvement supported by CobiT’s control
objectives and practices.
Approach and Deliverables
Interviews with IT & business stakeholders and the suppliers providing the outsourced
service allow the current service management environment to be documented.
The current business and supplier service roles and responsibilities are then evaluated
against ITIL and Cobit guidelines.
A capability assessment using the CobiT maturity model for ITIL V3 processes is used to
benchmark the ITIL processes that management wants to review. It’s recommended
that service level agreement management and performance monitoring is always
undertaken.
A benchmark maturity report is produced using the traffic light approach with a
recommended Implementation Action Plan agreed with management
3. IT Business Risk and Compliance Services
Mike Wright
Mobile +61(4) 17 044 622
Email: mike@wrightlane.com.au 3 | P a g e
3. Do you want to manage IT risk better in your organisation?
The ISACA Risk IT framework is about IT risk, but more importantly, business risk related to the use of IT. The
framework uses a Top Down business objective and Bottom up Generic IT risk scenarios which can be used to create
an IT Improvement Program or alternatively slot into your existing ERM framework such as COSO or ISO 31000. There’s
two alternative approaches:
I) Full Risk IT Implementation to Create an Ongoing IT Risks Framework for Your Organisation.
To fully implement the Risk IT framework is a significant program of work and the objective is to enable your enterprise
to identify and manage all significant IT risk types by providing an end-to-end, comprehensive view of all IT related
risks.
Approach and Deliverables
This approach to fully implement the Risk IT framework involves the
following:
1. Define Scope of Risk analysis. Determines top strategic business
objectives and an oversight of IT. Determines initial scope,
initially start with Top 5 Business and Top 5 IT Risks.
2. Collect data. Interview key business and IT stakeholders and
available material. Obtain IT incident & audit reports, change
logs, risk reports and feedback on IT trend analysis and
regulatory requirement changes.
3. Identify common risk factors and cluster interrelated events
4. Estimate IT risk. Apply risk tolerances for determining risk
response.
5. Identify risk response options. Review findings with by CIO, CRO
and/or relevant business representatives.
6. Review the analysis. Draft interim report from findings.
7. Reporting. Issue initial draft report for discussion and review,
seek management feedback and agree an ongoing IT risk
ongoing Continuous Improvement Program to feed into the ERM
II) Risk IT Lite to Develop a One-Off Continuous Improvement Program
A simpler alternative is to work with both the business and IT management using elements of the Risk IT
framework to conduct a Risk IT assessment and create a continuous improvement program.
Approach and Deliverables
This Risk IT Lite approach uses elements of the Risk IT framework and involves the following:
1. Top-Down Business Review - Input from business representatives on areas and assets to
take into account Top 5 Business and Top 5 IT Risks and feedback on frequent IT events.
2. Bottom-Up IT Department Risk Review - Obtain IT Risk Register, incident & audit reports, change logs,
former risk reports and feedback on IT trend analysis.
3. Analyse Review Results - Review IT Department Risk Register and discussion with IT senior management.
Findings are reviewed with CIO & CRO and/or relevant business representatives to agree IT risk rating and
response.
4. Reporting - Issue initial IT Risk Continuous Improvement plan to key stakeholders (via email) and amend
draft report given IT senior management feedback given senior management feedback
4. IT Business Risk and Compliance Services
Mike Wright
Mobile +61(4) 17 044 622
Email: mike@wrightlane.com.au 4 | P a g e
4. How comfortable are you with your Website?
The scope of this review assesses the existing website against known best practice and provides a
controls related compliance view of the existing website environment. The purpose of this work is to
identify any areas of the website for enhancement in order to have a more cost effective, sustainable
and secure website environment.
Approach and Deliverables
Review and map the existing website environment against best practice standards including the
Web-based applications in use and the data they use, the controls in place such as application
development standards including data validation, change management, and testing. Website
accountabilities for access administration, performance monitoring are reviewed.
Assess whether adequate processes exist for the management of the existing website
environment in regard to a Data Management Strategy and benchmark the existing website
infrastructure against the latest multi-layered best practice standards.
Create a report with recommendations for consideration including the deficiencies of the existing
website and a detailed plan of issues identified during the review.
5. Are your IT policies up-to-date, when were they last reviewed?
IT best practice recommends that management review IT policies periodically to ensure they reflect new
technology, changes in the environment such as regulatory compliance and significant changes in
business processes in exploiting information technology for competitive gain. As such, a practical
alternative given the constraints on in-house IT compliance resources is to outsource this activity and
Wright Lane Services is in a position to fulfill this requirement.
Approach and Deliverables
Can either review and revise existing IT policies benchmarked against
best practice or supply a new set of IT policies.
Evaluate whether the IT policies reflect the existing IT environment
including new technology and threats.
Evaluate whether the IT Policies reflect the latest governmental, legal
and regulatory requirements.
Evaluate whether the IT Policy is integrated with the overall
corporate policies such as HR and Procurement.
Recommend an IT Policy framework including the individual IT
policies themselves.
Recommend a strategy on how best to implement the IT policies to
best affect once agreed by management.
5. IT Business Risk and Compliance Services
Mike Wright
Mobile +61(4) 17 044 622
Email: mike@wrightlane.com.au 5 | P a g e
6. Has your company outsourced part or all of your IT Function? If so, is it working?
The objective of carrying out an outsourcing review is to determine whether:
The risks associated with outsourcing, such as continued availability of services, acceptable levels of services
and security of information are adequately and effectively mitigated through appropriate controls that are
implemented and functioning.
The objectives of outsourcing are being achieved.
The IT strategy has been suitably modified to make best use of outsourcing.
The outsourcing of IT work involves assessing outsourced risk in relation to software development, application
support & maintenance and infrastructure management services. It must look at the total picture. Outsourcing has
many benefits but it also needs constant monitoring to evaluate both the technical and business aspects, as
necessary, to assess the health of the outsourcing and takes necessary corrective or improvement actions.
Approach and Deliverables
The review would typically involve reviewing the following:
o Services Agreement and Statement of Work
o High-level monitoring, connectivity and network security
o Data security
o Project monitoring and governance
o Compliance with regulatory requirements
o Benefit measurement
o Customer satisfaction
o Impact on IT strategy
Create a report with recommendations for consideration including
the deficiencies of the existing website and a detailed plan of issues
identified during the review.
7. Does your company adequately govern IT project investment and realise the benefits?
Poor IT project management governance of IT investment can occur due to a lack of project business cases and
accountability for benefits realisation. This can be because no formal enterprise wide business justification process
exists. Therefore the following approach needs to be given the remit by senior management to establish the
following process facilitated by IT but owned by the business unit sponsors.
Approach and Deliverables
The following steps would be undertaken as per ISACA Val-IT best practice program template:
Step 1—Review IT project Initiation document (PID) with all the relevant data followed by
analysis of the data concerning:
o Step 2—Alignment analysis
o Step 3—Financial benefits analysis
o Step 4—Non-financial benefits analysis
o Step 5—Risk analysis
Step 6 —Appraisal and optimisation of the risk/return of the IT-enabled investment
Step 7 —The Project Business Case Evaluation would be agreed with IT and lodged with the
IT PMO by the Project Manager. Any significant scope changes would be updated to the business
6. IT Business Risk and Compliance Services
Mike Wright
Mobile +61(4) 17 044 622
Email: mike@wrightlane.com.au 6 | P a g e
case and any benefits realisation impact reviewed.
8. Does Your Internal Audit Department need to assess the IT environment but can't justify a full-time IT Audit
resource?
Wright Lane Services can provide part time IT audit compliance and IT risk consultancy to supplement existing
capability and capacity with a full
suite of IT audit services and
requirements.
Approach and Deliverables
Perform IT Audits
identified on existing
Internal Audit schedule.
Perform an IT Risk
Assessment to create a
3- Year IT Audit Plan
customised to meet your
IT environment coupled
with the strategic
business objectives of
your organisation.
Perform one off senior
management requests
such as investigations
related to IT applications.
Project Healthchecks.
9. Does the business or IT department require support for a new application or service but is not sure how to
develop a RFI or RFP?
Wright Lane Services can provide the necessary support to interface between IT and the business to ensure that the
business requirements for a proposed IT application provision are understood (and in some cases, justified) as part
of the RFI & RFP preparation and analysis. This starts by verifying whether a simpler in-house solution already exists
and if not, ensuring the business understand and will realise the benefits of a turnkey outsourced supplier solution.
Approach and Deliverables
The steps involved include:
1. Identifying the Need
2. Development of Specification?
3. Selecting the Procurement Method
4. Developing the Specification and Contract Documents
5. Seeking, Clarifying and Closing Offers
6. Evaluating Offers
7. Identifying the Preferred Supplier
8. Negotiating the Contract
9. Disposals
10. Evaluating the procurement process
Group Internal Audit 3-Year IT audit Plan
Audit Year
IT Audit Name IT Audit Scope IT Audit Objectives
IT Risk
Rating
Generic IT Risk Topics
Covered
2011
Network Management and
IT Security Review
Evaluate the design, implementation and monitoring of logical
access controls to ensure the confidentiality, integrity, availability and
authorised use of information assets
Evaluate network infrastructure security to ensure the confidentiality,
integrity, availability and authorised use of the network and
information transmitted
IT continuity plans to reduce the impact of a major
disruption on key business functions exist
Preventive, detective and corrective measures are
in place (especially up-to-date security patches and
virus control) across the organisation to protect
information systems and technology from malware
(e.g., viruses, worms, spyware, spam).
M
L
Malware and Logical
attacks
Logical trespassing
2011
Database Management
Review
Evaluate data administration practices to ensure the integrity and
optimisation of databases
Evaluate sample of enterprise databases
Ensure management of: security policy; user
accounts and user access; access login and
reviewing; disaster recovery plans; logical and
physical access controls for infrastructure;
administrative and systemic user access controls
L Data(base) integrity
2012
IT Project Management
Governance Framework
Audit
IT Program Management
For a sample of large, medium and small IT projects to review that:
IT PM methodology followed
Cost and performance management are in place
Quality plan exists to deliver benefits to business expectations
Implementations thus far have been managed adequately
Standards are maintained for all development and
acquisition and follow the life cycle of the ultimate
deliverable, and include sign-off at key milestones
based on agreed-upon sign-off criteria.
Measure project performance against key project
performance scope, schedule, quality, cost and risk
criteria.
An implementation and fallback/backout plan exists
with approval from relevant parties.
H
M
Software implementation,
IT project termination and
Project delivery & project
quality
IT programme selection
2013 IT Operations Audit
Evaluate operations management to ensure that IT support functions
effectively meet business needs
Evaluate the use of capacity and performance monitoring tools and
techniques to ensure that IT services meet the organisation’s
objectives
Plan the actions to be taken for the period when IT
is recovering and resuming services. Manage
facilities, including power and communications
equipment, in line with laws and regulations,
technical and business requirements, vendor
specifications, and health and safety guidelines.
Define and implement procedures for backup and
restoration of systems, applications, data and
documentation in line with business requirements
and the continuity plan.
L
M
M
L
Software performance
System capacity
Utilities performance
Information media
2013
Physical and
Environmental Controls
Audit
Physical Controls
Evaluate the design, implementation and monitoring of physical
controls to ensure that information assets are adequately
safeguarded
Environmental Controls
Evaluate the design, implementation and monitoring of
environmental controls to prevent or minimise loss
Define and implement procedures to grant, limit
and revoke access to premises, buildings and
areas according to business needs
Define and implement physical security measures
in line with business requirements to secure the
location and the physical assets.
Include background checks in the IT recruitment
process and should be applied for employees,
contractors and vendors.
L
L
L
Physical and
Environmental
Infrastructure (hardware)
Infrastructure theft and
destruction of
infrastructure