Article from: CompAct. April 2013 Issue No. 47

Similar documents
WHEN END USERS CREATE TECHNOLOGY. Robert Newsome 9/21/2016

Sarbanes-Oxley: Company Case Study - Viacom Inc. IT General Controls - Sustaining Compliance Efforts. Anthony Noble VP, IT Internal Audit

Law Department Technology Management. July 25th, 2018

Project Management Success, on SharePoint

COSO What s New, What s Changed, Why Does it Matter and Other Frequently Asked Questions

Making Contracting Easier for Legal. Mike Haysley, Consilio Jackson Mayes, Onit

Insight-EA Overview. Fios-Insight, LLC FIOS Insight, LLC

A Simplified and Sustainable Approach to NERC CIP Compliance with Cyberwiz-Pro. NERC CIP Compliance Solutions from WizNucleus

Auditor General s Office REVIEW OF THE CITY SAP COMPETENCY CENTRE APPENDIX 1. June 1, 2010

AVEPOINT CLIENT SERVICES

How a project approach will build change management capability across your organization

Advanced Solutions of Microsoft SharePoint Server 2013

Moving beyond the RPA pilot stage: How P&C insurers can operationalize automation

Program Management Office (PMO)

Business Process Management: The Right Way to Do It

The Blue Sage Group. Sarbanes-Oxley. 404 Compliance Program. The Blue Sage Group

VENDOR RISK MANAGEMENT FCC SERVICES

Roadmap to Success. Leveraging RPA to Drive Growth and Explore New Opportunities for Efficiency

Effective Risk Management With AML Risk Assessment. January 25, 2017

COURSE 20332B: ADVANCED SOLUTIONS OF MICROSOFT SHAREPOINT SERVER 2013

>ModelEye Solution Overview

Course 20332A Advanced Solutions of Microsoft SharePoint Server 2013 Course Duration: 5 days Course Type: Instructor-Led/Classroom

CENTRE (Common Enterprise Resource)

Risk Advisory SERVICES. A holistic approach to implementing effective governance, managing risk and maintaining compliance

Software Project & Risk Management Courses Offered by The Westfall Team

Microsoft moves IT infrastructure management to the cloud with Azure

Enterprise Strategic Analysis for Transformation (ESAT) Overview. Massachusetts Institute of Technology October 2008

CHAPTER 2: IMPLEMENTATION PHASES AND OFFERINGS

Achieving Application Readiness Maturity The key to accelerated service delivery and faster adoption of new application technologies

Job Description (For Positions in CAW Local 555, Unit 1)

CERT Resilience Management Model, Version 1.2

COURSE OUTLINE MOC 20332: ADVANCED SOLUTIONS OF MICROSOFT SHAREPOINT SERVER 2013 MODULE 1: UNDERSTANDING THE SHAREPOINT SERVER 2013 ARCHITECTURE

Course Content Advanced Solutions of Microsoft SharePoint Server Course ID#: W Hours: 35. Course Description:

Proactively Managing ERP Risks. January 7, 2010

Exam /Course 20332B Advanced Solutions of Microsoft SharePoint Server 2013

Why CIP? AIIM International's Certified Information Professional designation was designed to allow information professionals to:

Thesis Executive Summary Nathan C. Roost

September 19, 2007 San Francisco Chapter

HP TRIM and Microsoft SharePoint Optimizing Secure Information Flow and Compliance

A Freshwater Partners White Paper

Final Audit Report. IT Client Services - Application Development and Maintenance Process

Accelerate SharePoint Success: How to Best Plan, Manage & Control Migration Projects

An Introduction to AHEAD s. Azure Governance Framework

MBA BADM559 Enterprise IT Governance 12/15/2008. Enterprise Architecture is a holistic view of an enterprise s processes, information and

BEST PRACTICES: DEPLOYING SPOK MOBILE WITH ENTERPRISE MOBILITY MANAGMENT. spok.com

Job Family Matrix. Core Duties Core Duties Core Duties

ServiceNow Custom Training and Adoption

This resource is associated with the following paper: Assessing the maturity of software testing services using CMMI-SVC: an industrial case study

Enterprise-Wide Security Transformation to Meet Escalating Regulatory Requirements

Who Should be on Your Project Team: The Importance of Project Roles and Responsibilities

SHAREPOINT WILL BE YOUR REPOSITORY FOR GOVERNED CONTENT

CMMI-DEV V1.3 CMMI for Development Version 1.3 Quick Reference Guide

IBG GSA Schedule. IBG's GSA Schedule 70 contract number is: GS-35F-0546W

20332B: Advanced Solutions of Microsoft SharePoint Server 2013

FLORIDA DEPARTMENT OF JUVENILE JUSTICE PROCEDURE. Title: Information Technology (IT) Project Management and Governance Procedures

BMC FootPrints. Service Management Solution Overview.

REALIZING THE POTENTIAL FROM FINANCIAL ANALYSIS APPLICATION INVESTMENTS

Documents the request as clearly and completely as possible on the Change Request Form Submits request to project manager

Streamline your business processes for far-reaching results. EY s Business Process Management Services practice

B U S I N E S S R I S K M A N A G E M E N T L T D

Project Manager CAFM Project (Fixed Term) EHA

White Paper. Veritas Configuration Manager by Symantec. Removing the Risks of Change Management and Impact to Application Availability

The Road to Shared IT Services. John Gohsman, Vice Chancellor and CIO

Follow-up Audit of the CNSC Performance Measurement and Reporting Frameworks, November 2011

Fulfilling CDM Phase II with Identity Governance and Provisioning

Savings Show Success of IT Service Management Initiative

Project Management and Governance Policies - Need for Enterprise Information Management. Terry Saxton Xtensible Solutions

Certified Information Professional 2016 Update Outline

Fixed Scope Offering for Implementation of Oracle Fusion CRM in Cloud

ROSE & ASSOCIATES, the leader in APPRA. risk analysis in the O&G industry, announce the release of their latest software tool,

Avoiding Data Loss Prevention (DLP) Pitfalls A Discussion of Lessons Learned. April 2013

Securing Intel s External Online Presence

Office 365 Governance & Security

AIIM ERM Certificate Programme

10/18/2018. London Governance, Risk, and Compliance

Harnessing Technology to Create Greater Value from Strategic Sourcing

Implementing and Administering Microsoft Visual Studio 2008 Team Foundation Server

ISC: UNRESTRICTED AC Attachment. Virtual Desktop Information Technology

Four P's for User Adoption - Save SharePoint Implementations from Epic Failures!

Data Sheet optimal trace

Integrating COSO s Fraud Risk Management Guide on an Enterprise Scale

Building a Business Case for KYield

Information Management Strategy

Configuresoft RSCA Program. Security and Compliance Assessment Provides Immediate Business Value. Abstract TECHNICAL BRIEF

Orchestrated. Development Management. How to Strike the Right Balance between Speed and Control

GEMS ACADEMY TRAINING CALENDAR 2019

White Paper Operating Windows as a Service processes

Implementation Tips for Revenue Recognition Standards. June 20, 2017

Whitepaper. Gil Makleff, Founding Partner Mauro Angelino, Vice President UMT Consulting Group January 2008

Microsoft Monitoring and Operating a Private Cloud

INITIAL ENTERPRISE CHALLENGE:

Azure Infrastructure for SAP

Enterprise Risk Management: Developing a Model for Organizational Success. White Paper

CMMI-SVC V1.3 CMMI for Services Version 1.3 Quick Reference Guide

Praticamente GDPR Spike Reply PART 1

Hyperion Planning. Ahmad Bilal 8/31/2010

Become a truly service-oriented organization

Focus. Your Organisation. Focus is a toolset to help organisations define, document, prioritise and deliver their portfolio of investments.

Title: HP OpenView Configuration Management Overview Session #: 87 Speaker: Loic Avenel Company: HP

RAI Compliance Activities Overview

Transcription:

Article from: CompAct April 2013 Issue No. 47

Overview of Programmatic Framework and Key Considerations Key elements Description Items to consider Definition and identification of EUCs The statement that defines what constitutes an EUC. The definition generally distinguishes EUCs from IT-developed and supported applications and will determine which EUCs should be placed under management. This is critical to define the scope of the EUC compliance program. As part of the identification, decision criteria should be carefully defined for the organization. For example, are all Microsoft Access databases considered to be EUCs? All spreadsheets? Or only those that directly impact financial statements? whether an application should be considered an EUC? classified? Governance Policies and standards Policies and standards establish a consistent framework for the control of the EUC environment in a company. They define criticality criteria, inventory standards, risk ranking, and control ensure compliance and will provide a structure for auditing and monitoring. a consistent framework for the control of EUCs within your organization? or is it focused on particular business units? Ownership sustainable EUC management program. There are three primary options: centralized governance throughout a project management office, decentralized governance with champions in each business unit, or a hybrid approach that combines aspects of each. defines the ownership of EUCs? model? Monitoring and reporting Key tasks include identification, tracking, and reporting metrics associated with all phases of the EUC management program to key stakeholders and senior management. be tracked and distributed to its stakeholders and senior management? the reporting metrics and objectives? People Roles and responsibilities Training and awareness Identify the key stakeholders in the EUC management program. Once the key stakeholders are identified, the next step is to establish the roles and responsibilities of various stakeholders within the EUC management program. Stakeholder roles include the program sponsor, central program group, steering committee, business unit representatives, EUC users, internal audit, etc. identified above. The training will be targeted to different tiers of the EUC management program. Examples of the training include EUC policies implementation, EUC risks and controls steps, controls tool training involving end users and administrators, etc. holders of EUCs clearly defined? central program group, steering committee, business unit representation, etc. defined? and/or training program that addresses EUC-related activities? these training programs?

Risk ranking and prioritization Define risk ranking framework likelihood of failure-related EUCs. A combination of qualitative (e.g., compliance and operational materiality) and quantitative approaches (e.g., financial materiality) can be utilized to create a risk ranking model. applied to existing EUCs? Application of risk ranking framework Once the risk ranking model is defined, the model should be applied to identified EUCs to determine which should be placed under management. Clear definition of risk categories is important. Examples of possible risk categories could be: comply with all EUC controls, and low-risk EUCs are not required to comply with any EUC controls what steps were taken to prevent gaming the system to avoid additional controls requirements? Process Inventory Define an inventory approach The process of inventorying EUCs often proves to be one of the most challenging and time-consuming elements of the EUC management program. A specific strategy should be defined to determine how the inventorying process will occur, as well as decisions made about manual vs. automated approaches, use of surveys, rollout by business unit vs. geography, etc. Create and maintain a central repository to maintain data Implement a process to create and maintain an up-to-date inventory of business-critical EUCs. The central repository of EUCs contains critical information or metadata about the EUCs. Examples include risk ranking, description of EUCs, business owner and end-user information, business unit, etc. organize the EUC inventory process by business unit, geography, etc? across all business units of the company? (e.g., use of tools, native search features in the network, or via a manual process)? repository? Technical support requirements To help ensure completeness, the organization has the option of using various automated tools to gather EUC Inventory. EUC controls Based on the selected EUC risk model, the organization should define an EUC controls standard that will be implemented for identified EUCs. This standard should be aligned with the risk ranking process. For example, the required control standard for an EUC determined to be high-risk may be different than an EUC determined to be medium-risk. standard? ranking process, as well as other required controls (e.g., Sarbanes-Oxley)? Examples of required controls should include the following: Version control helps ensure that the latest and approved version of EUC is used. Change control helps ensure that the changes to EUCs are appropriately tracked and reviewed. Data integrity control helps ensure data integrity. Access control helps ensure that only authorized users can access EUCs and in what manner (e.g., view, change, delete). Availability control helps ensure that EUCs are available in the event of disaster, accidental deletion, etc.

Template A template is an organizationally accepted guide after which all EUCs entered into the program are modeled. The templates provide consistency, conformity, and standardization of EUCs that are created, as well as documentation with respect to that individual EUC. the EUC program? templates? Process Baselining Baselining is an important step in EUC management. The purpose is to help ensure that the EUC is functioning in accordance with management's intention in a point in time. Baselining involves validating the structures, formulas, calculations, inputs, and outputs of the EUC. Enrolling EUCs that have not been baselined into the EUC management program will provide less assurance that errors will not occur on a go-forward basis. baselining and approving baselined EUCs? created EUCs going forward or are legacy EUCs baselined as well? exercise? Are sufficient resources deployed in this regard? Monitoring To help ensure compliance with the EUC program, a process should be established to perform periodic testing so that EUCs enrolled in the program remain compliant and critical EUCs not under management become enrolled in the program. Testing will also help to ensure that the effectiveness of the EUC program does not degrade over time. effectiveness of EUC controls? addressed? support strategy Any organization attempting to put a high number of EUCs under management (e.g., >200) will experience difficulties without the support of technology enablers. A strategy should be defined for the use of technology enablers supporting inventorying processes, analytical review during baselining and enforcing controls. Specific EUC management software tools can be deployed, or native functionality (such as Microsoft SharePoint) can be used, with various degrees of functionality available. The strategy should balance cost with benefits. managed? Manually, using native functionality, or via automated tools? management been defined?

Define technology requirements assessment enabler requirements should be defined, and then available options such as manual processes vs. automated tools should be evaluated against the specific technical requirements. Vendor demonstrations and/or pilots should be performed. The current IT infrastructure should also be considered. (E.g., is there an existing Microsoft SharePoint deployment that can be leveraged?) Sizing and infrastructure This may be contingent on strategic decisions made. For example, if network file shares will be used to secure EUCs, does the current server population have the estimated capacity to accept the additional load? Other considerations may impact this as well. For example, will one enterprise server be used, or will each global region have a separate server for managing EUCs? evaluated? (e.g., daily versions of the same EUC)? or distributed (by geography or business unit)? Security role design One key control element that should be implemented is the provide different levels of assurance in this regard. For example, using network shares to secure EUCs will only protect access to the EUC file itself, while using a vendor tool may allow for controlling different types of access within an EUC, such as read access vs. change access. The organization will need to develop a detailed security roles design for controlling access (e.g., end users, reviewers, administrators), and then will need to configure the technology enablers accordingly. Processes will need to be established to maintain and administer security on an ongoing basis. been established? of duties conflicts? processes been defined? enterprise security policies and standards? Rollout strategy EUC management is not a trivial undertaking. Many organizations struggle with trying to do too much too quickly. A deliberate rollout strategy should be defined that determines which business units, or regions, and which EUCs (high risk, medium risk, etc.) will be placed under management, and in what order. compliance with laws and regulations, client requirements, etc. and agreed to by stakeholders? geography or business unit? Or another method? conjunction with rollout strategies and project timelines? evaluated?

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback