IT Deusto: II Master's in IT Good Governance. IT Development and Acquisition: Practical Assignment
DA_TP 1
Professor: Ricardo Bria Menéndez 26/12/2008
Title:
Evaluation of a Service Provider. Code: DA-TP 1
Type:
Group
Objective:
Evaluate the audit approach and the Control Objectives defined for the project
Evaluate the scope and nature of the IS Control Assessment performed
Establish the strengths and weaknesses of the project
Develop improvement recommendations, based on the narrative of the Control Assessment
Project Background:
Globus Inc. manages capital investment assets and projects worth US$ 13 bn and has decided to
acquire investment-project control software developed by SolDev Group, together with the
hosting services for that application provided by the company RedPlaid.
The product, SD2K, is (partially) operational and currently manages 12 projects in
parallel / test mode.
SD2K is “a project management data warehousing software solution that allows project
managers to manage accumulated costs for projects. The accumulated costs include costs from
equipment, internal labor, contractor labor, project overhead, and expense reporting. The
software has been purchased from SDG to help Globus manage costs on the pipeline system
expansion projects that are currently underway.
As the project data tracking requirements have grown in Globus, SDG was identified as the technology solution to capture, consolidate, analyze and report on major project data in this area. The system enables tracking to a level of granularity or currency that supports project managers in day to day PM decisions.
The system enables collecting detailed incurred costs from the field. At the same time, projected disbursement data is collected from Globus’ Oracle Financials application. Comparison between projected and incurred costs provides daily visibility to project metrics and enhances project management decisions.
Our Firm was engaged by Globus’ Major Projects group to assist in reviewing the controls of the SDG environment.
Project objectives
The overall objective of this project is to assess the SDG application environment with regards to
controls governing security, availability, data integrity and customer service management. Criteria
were developed for each of these controls areas and used as the basis of the review.
Reference information
1. BACKGROUND INFORMATION: GLOBUS Inc.
2. BACKGROUND INFORMATION: Solutions Development Group (SolDev Group)
3. IS CONTROL ASSESSMENT: SolDev GROUP (SDG)
Presentation:
Oral
Deadline: TBD
1. BACKGROUND INFORMATION: GLOBUS Inc.
Corporate Overview
Globus Inc. is a leader in energy transportation and distribution in North America and internationally.
An Overview
Globus operates, in Canada and the U.S., the world's longest crude oil and liquids pipeline system. The company owns and operates Globus Pipelines Inc. and a variety of affiliated pipelines in Canada, and has an approximate 27% interest in Globus Energy Partners, L.P. which owns the Pumpkinhead System in the U.S. These pipeline systems have operated for over 55 years and now comprise approximately 13 500 kilometres (8,500 miles) of pipeline, delivering more than 2 million barrels per day of crude oil and liquids. Globus is also the sponsor and manager of the Globus Income Fund.
Globus is also involved in liquids marketing and international energy projects and has a growing involvement in the natural gas transmission and midstream businesses, through the Ally and Vostead pipelines and various U.S. assets that transport, gather, process and market natural gas and other petroleum products.
As a distributor of energy, Globus owns and operates Canada's largest natural gas distribution company, Globus Gas Distribution, which provides gas to industrial, commercial and residential customers in Ontario, Quebec and New York State. Globus distributes gas to 1.9 million customers and is developing a gas distribution network in New Brunswick.
The company employs more than 5,700 people, primarily in Canada, the U.S. and South America. Globus Inc. common shares trade on the Toronto Stock Exchange in Canada and on the New York Stock Exchange in the U.S. under the symbol "GLB".
2. BACKGROUND INFORMATION: Solutions Development Group (SolDev Group)
While The SolDev Group, Inc. is a Washington state registered company that started in Bellingham, Washington, the development team collaborates on the internet and is physically dispersed.
The SolDev Group has contracted with a Managed Hosting company called RedPlaid to handle all of our servers and networking needs. I have attached a document that details the services that The SolDev Group currently obtains from RedPlaid. The SolDev Group does not own our own IP addresses – these are obtained from RedPlaid as needed.
The SolDev Group develops software solutions using database (SQL Anywhere) software on the back end to store the data. The front-end or user interface to the data is via Windows application (written in C++) and web applications written in VBScript, JavaScript and some C#.
The process followed by The SolDev Group (SDG) in delivering software and services is similar to that of other companies and is as follows:
Customer licenses software.
SDG prepares servers for customer's solution – one server for production, testing and training and one server as a backup.
SDG supplies SolDev Associates and embedded customer support analysts as requested to help the customer to acquire knowledge SolDev abilities and skills in SolDev 2k techniques.
The development of SolDev solutions is a process that proceeds independently of the needs of a particular customer – in much the same way as the development of many software solutions. SolDev 2k's architecture permits us to manage each customer's unique business rules in a manner consistent with each customer's needs. The process of identifying and implementing these business rules is accomplished more efficiently by the use of SolDev Associates and embedded SolDev Analysts.
Our Mission
We wish to be recognized as a provider of client-empowering, data management solutions. It's your data. How do you want to manage it? We want to help you and your team to feel that this is your solution and you are in charge of it - no fear, no uncertainty, no doubt.
Company Profile
The SolDev Group, Inc. is a group of technical and business experts that develop and support data management solutions for clients in various industries.
The SolDev Group partners with Sybase and Microsoft. We also support organizations such as the Project Management Institute (PMI), the National Petrochemical and Refiners Association (NPRA) and the Association for the Advancement of Cost Engineering (AACE).
Our combined expertise and training in engineering, project management and computer science have melded together to provide a useful software engineering design philosophy that is focused on developing innovative ways to use available tools and tool-sets such as database technology, scheduling tools, the web, hand-held computing, etc.
Products
SolDev 2000 (SD2k) is the name of a suite of products that provide wide-ranging improvements to data management solutions in the area of work management. A hallmark of these solutions is the level to which they empower our customers to implement their best practices and business processes in the system.
Some of the business areas that we address include:
SolDev 2000/TM - for managing Turnarounds, Shutdowns and Outages
Manage all aspects of your turnaround including logistics, scope management, planning, materials management, resource management, scheduling and execution.
SolDev 2003/RM
Manage your routine maintenance backlog of work orders and the people, equipment and materials needed to complete this work.
SolDev 2003/PD
Manage all data that should be widely available to multiple departments and maintained by multiple departments. Remove the data redundancy that results from the use of ad hoc spreadsheets, databases, documents, etc. Provide a consistent interface for all of your team members, while maintaining control of your data.
SolDev 2003/IS
Plants are serviced by Industrial Services contractors. If you work with an Industrial Services Contractor, you know that you spend a lot of your effort in meeting specific requirements of each of your customers. SD2003/IS's business rule-driven system provides you with the tools to tailor your reports and data access to each of your clients' needs while maintaining a consistent system in-house.
3. IS CONTROL ASSESSMENT: SolDev GROUP (SDG)
Control Objective Controls Description / Comments
I Information Security (Logical and Physical)
Describe, at a high level: controls in existence that could apply to the corresponding Control Objective
1. Information security is managed to guide consistent implementation of security practices and that users are aware of the organization's position with regard to information security, as it pertains to financial reporting data.
A formalized Security Policy to define, document and provide
standardized guidelines for Information Security does not exist. The only
security practice referenced by John Doe and Joyce Temple (SDG’s Top
Management) is that all newly hired employees are required to sign a
Non-disclosure agreement (NDA).
The NDA (see: NDA - consulting Agreement in PBC folder) has two
articles: Confidentiality and Ownership of Deliverables. In the first one,
Confidential Information is defined and non-disclosure and protection of
such information is required. In the Ownership of Deliverables article,
Intellectual Property and Company Work Product are defined and rights
of the Company are made explicit.
2. Logical and physical access to IT computing resources is appropriately restricted by the implementation of identification, authentication and authorization mechanisms to reduce the risk of unauthorized / inappropriate access to the organization’s relevant financial reporting applications or data
Logical access
As per conversations with John Doe and Paul Jones, the logical access to
computer resources is restricted by appropriate identification (unique
User IDs), authentication (individual passwords) and authorization
mechanisms. Logical security is administered by two people: John Doe
and Joe Cook.
As related by John, there are basically two categories of employees:
Developers and Support, and the general approach is that Developers
have access to code, while Support personnel do not.
Further written information provided by John revealed one exception to
this rule. Paul Jones, listed initially both as an Associate and a Project
Manager, has current access to Globus’s database.
We interviewed Paul Jones, who related that aside from being the Project
Manager for the Globus implementation project, he also performs
(non-technical) development functions.
Although we had no access to a written policy, according to John Doe, the
password policy in effect calls for the following:
system does not remember the previous passwords,
user is not required to give different passwords upon password change
password expires after 90 days
password must be at least 8 characters in length
passwords are not stored internally
password complexity is enforced
If 5 invalid login attempts are made within 3 minutes, then the login will be disabled for 3 minutes.
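The lockout rule in the last item can be modelled and replayed against a login trail when testing the control. The Python below is an added example, not code from SDG or from the original assignment; the class and function names, the sample events, and the choices that a successful login clears the failure count and that attempts during a lockout are not counted are assumptions.

```python
from collections import defaultdict, deque

# Thresholds as stated in the password policy above.
MAX_FAILURES = 5        # "5 invalid login attempts"
WINDOW_SECONDS = 180    # "within 3 minutes"
LOCKOUT_SECONDS = 180   # "disabled for 3 minutes"


class LockoutPolicy:
    """Hypothetical model of the stated lockout rule (not SDG's implementation)."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> second at which lockout ends

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        return until is not None and now < until

    def attempt(self, user, now, password_ok):
        """Return 'locked', 'ok' or 'denied' for one login attempt at time `now`."""
        if self.is_locked(user, now):
            # Assumption: rejected before the password is checked, not counted.
            return "locked"
        if password_ok:
            # Assumption: a successful login clears the failure history.
            self._failures.pop(user, None)
            return "ok"
        recent = self._failures[user]
        recent.append(now)
        # Keep only failures that fall inside the sliding 3-minute window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            recent.clear()
        return "denied"


def replay(policy, events):
    """Replay (timestamp_seconds, user, password_ok) events; return outcomes per user."""
    outcomes = defaultdict(list)
    for ts, user, password_ok in sorted(events):
        outcomes[user].append(policy.attempt(user, ts, password_ok))
    return dict(outcomes)


# Constructed sample trail (not real log data).
SAMPLE_EVENTS = [
    # alice: five failures inside 80 seconds, then the correct password
    # during the lockout and again once the 3 minutes have elapsed.
    (0, "alice", False), (20, "alice", False), (40, "alice", False),
    (60, "alice", False), (80, "alice", False),
    (100, "alice", True), (260, "alice", True),
    # bob: failures one minute apart; no more than three ever fall inside
    # one 3-minute window, so the rule as stated does not trigger.
    (0, "bob", False), (60, "bob", False), (120, "bob", False),
    (180, "bob", False), (240, "bob", False), (250, "bob", True),
]

if __name__ == "__main__":
    for user, results in replay(LockoutPolicy(), SAMPLE_EVENTS).items():
        print(user, results)
```
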
Physical access
All SDG’s resources (servers, communications and additional equipment)
used to provide the SD2K application service to Globus, are physically
located at REDPLAID’s data center in Saint Louis, Missouri.
REDPLAID, a division of Connectria Corporation and responsible for the
physical security of the mentioned resources, is located in a highly
secured area and has an on-site Network Operations Center monitored
24/7.
Through information gathered (see: REDPLAID Security and Support
Overview for the SolDev Group 8-1-08 in PBC folder) and interviews with
Peter Clumsy and Johnny Piannon from REDPLAID we identified, among
others, the following implemented physical security measures: electronic
security codes to access the building and elevators, additional biometric
and access cards to enter the Data Center, closed circuit digital cameras
and the prohibition of unescorted visitors at any time.
3. Procedures have been established so that user accounts are added, modified and deleted in a timely manner to reduce the risk of unauthorized / inappropriate access to the organization's relevant financial reporting applications or data
As per John Doe, the process to assign / revoke user IDs for new hires,
changes and terminated employees is not formalized.
Only John Doe and Joyce Temple (SDG Top Management) have the
authority and responsibility for authorizing the assignment, modification
and revocation of user IDs and access rights to all employees.
The SDG’s Organizational Chart provided by Joyce (see: SolDevOrg in PBC
folder) shows that the company has only 20 employees (including John
and Joyce), distributed in the following areas:
Development (Client and Server): 7,
Technical Testing: 2,
Associates: 4,
Project Managers: 2,
Data Analysts: 3 and
Administration: 2.
Given SDG’s two-tier organizational structure, the different areas’
assigned responsibilities and the low number of employees, in our view,
the reporting scheme and security function assignment partially act as a
compensatory control for the lack of formality in the assurance of a
timely action regarding user account additions, changes and deletions.
4. An effective control process is in place to periodically review the appropriateness of access rights in order to reduce the risk of unauthorized / inappropriate access to the organization’s relevant financial reporting applications or data
During our interview with John Doe, he stated that there is not a specific
process in place to achieve this control.
Reviewing the organizational chart provided, we noted that some of
SDG’s employees perform more than one function (server development
and client development, client development and technical testing).
In addition, we have learned that the application architecture for Globus
contemplates two Servers: one that holds the production, test and
training environments, and a second Server used as a backup.
5. Physical controls are in place to prevent unauthorized access to information technology and data.
See #2 above.
6. Environmental controls are in place to prevent or reduce the effects of disasters (such as floods, fire and power surges)
As described in information provided by John Doe, REDPLAID’s facility
was designed taking into consideration environmental controls to house
critical telecommunications equipment and data centers.
The office is located within a US Federal “No Fly Zone” (airplanes are not
allowed to fly over the area) and contemplates dual Power Feeds from
separate Power Grids, redundant UPS systems and five 1,500 KVA
Generators, to lower the risks of power outages and surges.
As per the information provided, the Data Center is equipped according
to the best practices for environmental controls for this type of
installation and includes: Anti-Static, Fireproof Raised Floor, Air
conditioned, temperature and humidity controls, water detection and
fire suppression systems.
7. Procedures exist to protect against infection by computer viruses, malicious codes, and unauthorized software.
According to information provided by John Doe and Johnny Piannon,
REDPLAID has deployed, and provides to SDG, an integrated and
comprehensive set of resources and tools to provide protection from
virus infection and malicious software that include: Co-Managed Firewall,
Web Console & Security Zone, Network Intrusion Prevention (IPS),
Vulnerability Scanning, Server AntiVirus Protection, Server Hardening Of
Operating Systems & System Software, Server Integrity Monitoring and
Distributed Denial Of Service (DDOS) Protection.
Each of these components reports back to central management consoles
which are monitored and managed 24/7 by REDPLAID's Network
Operations Center staff.
Any exceptions are escalated to REDPLAID’s Security Incident Response
Team, made up of REDPLAID’s senior security engineers.
As an additional service, not yet engaged by SDG, REDPLAID provides the
execution of quarterly Penetration Tests, to assure their perimeter
defenses are not being unduly exposed.
II Program Development
Describe, at a high level: controls in existence that could apply to the corresponding Control Objective
8. Management has controls in place to ensure that new program and infrastructure developments and acquisitions have been approved by an appropriate level of both IT and business management
The SD2K application is currently being implemented by a Globus
Implementation Team of 5 people, including an Implementation
Manager, and the assistance of Paul Jones, as SDG’s Project Manager,
and John Doe.
The following process summary and controls were corroborated with
John Doe and Paul Jones.
Requirements for SD2K’s new developments and changes are made by
the Implementation Team via Word documents and Excel spreadsheets,
which are controlled by Globus’s internal issue tracking system.
Upon reception of a requirement, Joe proceeds to its analysis and
categorization (minor, medium and large) depending on impact / effort
required.
Minor requirements can be made by anyone on the Team, but medium
and major ones require the Implementation Manager’s approval.
Currently, no one outside the Implementation Team is making requirements.
Outstanding requirements are reviewed by the Implementation Manager
on a weekly basis.
John Doe stated that SDG’s intentions were to “provide our Issue
Manager application, eIssues, to Globus to perform as a tool for
managing all aspects of management of all issues, incidents, requests,
etc.”. This would also allow the automated tracking of issues that SDG
today performs manually, via a spreadsheet (see
SolDev_Action_List80820 in the PBC folder).
Based on the above description, it appears that most (if not all) the
control over requirements resides on Globus, as we could not identify, on
SDG’s part, a clearly defined process to assure that only properly
authorized requirements are attended.
In addition to the use of a common tool (workflow) for requirements
tracking and management, an authorization chart for requesting and
approving requirements and changes, we suggest a defined and
formalized change management procedure be implemented.
9. Management has controls in place to ensure that an adequate program development methodology is in place and is followed for the development of systems / applications used
The SolDev application and metadata framework are the basis for
development.
SD2K is actually a proprietary environment where the client data is
centrally managed, after being consolidated and integrated from
different sources and systems. The application is data driven and thus,
solutions to organize, aggregate and present (report) results for the end
user are flexible and quick to develop.
SD2K’s architecture allows the management of the customer's business
rules in a manner consistent with their needs, which are first identified
and then built and implemented.
Although SDG does not have a formal development methodology, there
are standard steps that are followed:
identify the business needs,
identify the supporting data required,
design and build a central repository for the data, and
provide client access to the reports and data views as defined.
10. When new systems are implemented or modified, controls are either added, modified, or redesigned so that applicable control objectives are achieved
Work packages and work items are added and tracked.
11. Controls exist to ensure there is adequate testing for the development of systems / applications and that testing is signed off by both the users at an appropriate level of IT and business management
Issue Manager provides the framework for the central tracking and
signing off on issues as they progress through their different phases.
This component, however, is not yet operational at Globus. Currently, all
requests, documentation, incidents and tracking controls are handled
“manually” via Word or Excel documents. It is estimated that this module
will be implemented at Globus within the next two weeks.
12. A post-implementation review is performed to ensure that new financial-reporting systems/applications are operating properly
III Availability
Describe, at a high level: controls in existence that could apply to the corresponding Control Objective
13. Management has implemented appropriate backup and recovery procedures so that data, transactions and programs that are necessary for financial reporting can be recovered
From the information made available to us to review, we determined
that REDPLAID provides managed backup and recovery services that
include Daily Incremental / Weekly Full Data Backups and Offsite Tape
Backups.
14. Effective procedures exist and are followed to periodically test the effectiveness of the restoration process and the quality of backup media relevant to systems and applications used during financial reporting processes
REDPLAID’s backup environment for The SolDev Group utilizes a large
RAID-protected disk storage environment that is tested and utilized daily.
15. Appropriate controls are in place over the back-up media for systems and applications used during financial reporting processes, including that only authorized people have access to the tapes and tape-storage
According to information provided by REDPLAID, the backup
environment is accessible only by a limited subset of staff. Although
there is an option for server and back up encryption, we were told that
the SolDev Group does not currently encrypt their backups.
For general security, confidentiality and integrity purposes, we
recommend that Globus consider and evaluate the encryption option
offered by REDPLAID.
IV Data Integrity
16. Management has implemented procedures to ensure accuracy, completeness, and timely processing of system jobs, including batch jobs and interfaces, for relevant financial reporting applications or data
SolDev's only involvement with financial processes is in the downloading
of the data from Oracle system. No data is passed back to Oracle. SolDev
2k is a cost tracking system as opposed to a cost accounting system. As
such, we guess at what costs will be before they are incurred.
These are not processes that occur in a cost tracking system.
17. There are controls in place to ensure that data migration retains its integrity (i.e., reconciliations to prove pre and post balances, etc)
These are not processes that occur in a cost tracking system.
18. There are controls in place to ensure that data attributes, such as “date entered”, “transaction date”, “data entered by”, and other attributes relevant to the customer are captured and prevented from modification or change.
These are not processes that normally occur in a cost tracking system.
However, where needed we do add protection of appropriate data from
changes.
19. Controls exist to provide appropriate segregation of duties within key processes. For instance, users should not be able to initiate and approve their own transaction.
From discussions held, we learned that SD2K users are identified by their
functional role. Approval of budgets, for example, can be done by
managers only, based on the business rules of the group, division,
department, corporation, etc.
John also indicated that Globus has implemented 5 Functions, namely:
Planning, Scheduling, Project Management, Contracts Management and
Timekeeping.
In relation to the Segregation of Duties issue, John explained that proper
SOD is provided by Roles defined within each Function, according to the
client’s operational model and rules. In turn, each Role has an associated
Security Level of 0=Read Only, 1=Read Write or 3=Supervisor. The
assignment and maintenance of User IDs/Roles is done by Globus.
Based on the information available, it appears that the application
provides for the proper controls to assure an adequate SOD among users.
20. Controls are in place to ensure that any changes to the systems/applications providing control over financial reporting have been properly authorized by an appropriate level of management (logging change requests, change assessments, change planning & scheduling)
Yes. Change management controls are available in SolDev 2k.
21. Controls are in place to ensure that system, user and control documentation is modified to properly reflect changes to systems relevant for financial reporting
The tools for managing system, user and control documentation are in
place and ready to be used.
22. Controls are in place to ensure that changes to applications and systems used during financial reporting processes are tested, validated, and approved prior to being placed into production
Financial reporting is not a function that is supported by the SolDev 2k
system. However, a regimen of issue resolution that includes the testing
process is supported.
23. Controls are in place to restrict access for migrating changes into the production environment for systems and applications used during financial reporting processes
Financial reporting is not a part of the SolDev 2k system.
24. Management has controls in place to ensure unauthorized changes are not made to system files, for applications used during financial reporting processes, subsequent to migration into production
These files do not exist as SolDev 2k is not used for Financial reporting.
25. Controls are in place to appropriately address emergency changes to systems, applications, and infrastructure configuration
The SolDev Group tests software for months before deploying it into
production.
26. Management has defined and implemented problem management procedures to record, analyze, and resolve problems, and errors for systems and applications in a timely manner (problem determination, problem analysis, problem resolution)
Issue Manager is a process for doing this and is currently being
implemented.
27. Management has defined and implemented incident management procedures to record, analyze, and resolve incidents, and errors for systems and applications in a timely manner
Issue Manager is the system for managing this process.
28. Management has defined and implemented configuration management procedures to record, analyze, and resolve errors for systems and applications in a timely manner
There is not a formal configuration management system for SolDev
components that is currently in place, however, we do have a list of the
components and can establish a data repository for these that is
maintained consistently.
29. Management has defined and implemented release management procedures to record, analyze, and resolve errors for systems and applications in a timely manner (core release management activities established within the organization; including: planning, design, build, testing, communication, acceptance, hardware installation, controlled software storage, software distribution & installation)
The SolDev Group's internal process for deployment development and
testing is not yet formalized into a work flow process - but this process is
in the process of being formalized and being implemented.
30. Management has defined and implemented service desk management to co-ordinate and resolve incidents reported by customers or employees
Issue manager will handle the service desk functions for SolDev Group.
31. Relevant KPIs such as percentage of incidents handled within the agreed time frame or solved by the Service Desk are regularly and adequately calculated and monitored and timely actions undertaken as needed.
We do not yet have measures for KPI's for issue management, but plan
to implement such measures over the next year.
32. Management has controls in place to ensure that appropriate system, user and control documentation is developed for new systems and applications
We do not yet have such a system in place, but we plan to implement
such a system over the next year.
33. Management has controls in place to ensure that users are trained on new systems/applications used during financial reporting processes in accordance with an appropriately defined training plan
SolDev Group plans to implement training processes that are system-
based - for training new users in SolDev project management (not
financial) processes.