WLS Services Brochure March 2013

IT Business Risk and Compliance Services

Here are some IT Compliance questions you may want to consider:

1. As a business project sponsor or project manager for an IT project, do you need to ensure it is on track?

2. Do you want to benchmark the maturity of your ITIL service management shop?

3. Do you want to better manage IT risk in your organisation?4. How comfortable are you with your Website management and

controls?5. Are your IT policies current and when were they last reviewed?6. Has your company outsourced part, or all, of your IT Function? If so, is it

working?7. Does your company adequately govern IT project investment and realise

the benefits? 8. Does your Internal Audit department need to assess your IT environment

but can't justify a full-time IT Audit resource?9. Does your business or IT department require support for a new application

or service but is not sure how to develop a RFI or RFP?

If the answer is yes, read on, Wright Lane Services can be of help!

Mike Wright has extensive and proven IT business risk and compliance capability with major international corporations such as Qantas (Australia) and Cable & Wireless, Sainsbury and Esso Petroleum (UK).

The value proposition is: Extensive IT business experience and capability Demonstrated IT risk and compliance delivery Proven commercial experience with practical perspectives Low overhead compared to larger service providers results in a more

competitive service Flexibility in service provision to reflect your business budgetary and resource

requirements

Mike WrightMobile +61(4) 17 044 622Email: [email protected] 1 | P a g e

mailto:[email protected]


1. As a business project sponsor or IT project manager for an IT project, do you need to ensure its on track? There are a number of IT application related reviews or Healthchecks that can be undertaken depending on

the development phase of the project or system: Project Management reviews includes the set-up of the project team and validates that adequate

project processes are in place, Systems Readiness reviews prior to implementing an application reviews applications controls,

adequacy of testing and business readiness, Post-Implementation reviews (PIR) evaluates business feedback and allows the project team to

focus on what is needed to successfully close the project, Applications controls review evaluates an application‘s availability, security, integrity &

maintainability including the underlying manual business processes necessary from a controls perspective.

Approach and Deliverables A series of interviews, with both IT and business stakeholders, are

undertaken to ensure that the intended project objectives are agreed and are aligned to meet the business needs.

The project management governance model is reviewed and the adequacy of procedures for the maintenance, recovery and data integrity is verified.

Verify that potential project risks have been identified and that mitigation plans are in place.

The findings and any issues will be discussed with management. Practical recommendations are made in consultation, highlighting practices that are currently being done efficiently and effectively as well as those areas that may require improvements. Agreed

actions will be included in a final report following this consultation process.

2. Do you want to benchmark the maturity of your ITIL service management shop? Based on the internationally recognised best practice ISACA CobiT Guide for Services Managers, CobiT focuses on what should be addressed to ensure IT controls, while ITIL provides best practices describing how to plan, design and implement effective service management capabilities. When used together, the power of both approaches is amplified providing an effective way to benchmark and achieve improvement supported by CobiT’s control objectives and practices.

Approach and Deliverables Interviews with IT & business stakeholders and the suppliers providing the outsourced

service allow the current service management environment to be documented. The current business and supplier service roles and responsibilities are then evaluated

against ITIL and Cobit guidelines. A capability assessment using the CobiT maturity model for ITIL V3 processes is used to

benchmark the ITIL processes that management wants to review. It’s recommended that service level agreement management and performance monitoring is always undertaken.




A benchmark maturity report is produced using the traffic light approach with a recommended Implementation Action Plan agreed with management

3. Do you want to manage IT risk better in your organisation? The ISACA Risk IT framework is about IT risk, but more importantly, business risk related to the use of IT. The framework uses a Top Down business objective and Bottom up Generic IT risk scenarios which can be used to create an IT Improvement Program or alternatively slot into your existing ERM framework such as COSO or ISO 31000. There’s two alternative approaches:

I) Full Risk IT Implementation to Create an Ongoing IT Risks Framework for Your Organisation.

To fully implement the Risk IT framework is a significant program of work and the objective is to enable your enterprise to identify and manage all significant IT risk types by providing an end-to-end, comprehensive view of all IT related risks.

Approach and DeliverablesThis approach to fully implement the Risk IT framework involves the following:

1. Define Scope of Risk analysis. Determines top strategic business objectives and an oversight of IT. Determines initial scope, initially start with Top 5 Business and Top 5 IT Risks.

2. Collect data. Interview key business and IT stakeholders and available material. Obtain IT incident & audit reports, change logs, risk reports and feedback on IT trend analysis and regulatory requirement changes.

3. Identify common risk factors and cluster interrelated events 4. Estimate IT risk. Apply risk tolerances for determining risk

response. 5. Identify risk response options. Review findings with by CIO, CRO

and/or relevant business representatives. 6. Review the analysis. Draft interim report from findings.7. Reporting. Issue initial draft report for discussion and review,

seek management feedback and agree an ongoing IT risk ongoing Continuous Improvement Program to feed into the ERM

II) Risk IT Lite to Develop a One-Off Continuous Improvement ProgramA simpler alternative is to work with both the business and IT management using elements of the Risk IT framework to conduct a Risk IT assessment and create a continuous improvement program.

Approach and Deliverables This Risk IT Lite approach uses elements of the Risk IT framework and involves the following:

1. Top-Down Business Review - Input from business representatives on areas and assets to take into account Top 5 Business and Top 5 IT Risks and feedback on frequent IT events.

2. Bottom-Up IT Department Risk Review - Obtain IT Risk Register, incident & audit reports, change logs, former risk reports and feedback on IT trend analysis.




3. Analyse Review Results - Review IT Department Risk Register and discussion with IT senior management. Findings are reviewed with CIO & CRO and/or relevant business representatives to agree IT risk rating and response.

4. Reporting - Issue initial IT Risk Continuous Improvement plan to key stakeholders (via email) and amend draft report given IT senior management feedback given senior management feedback




4. How comfortable are you with your Website? The scope of this review assesses the existing website against known best practice and provides a controls related compliance view of the existing website environment. The purpose of this work is to identify any areas of the website for enhancement in order to have a more cost effective, sustainable and secure website environment.

Approach and Deliverables Review and map the existing website environment against best practice standards including the

Web-based applications in use and the data they use, the controls in place such as application development standards including data validation, change management, and testing. Website accountabilities for access administration, performance monitoring are reviewed.

Assess whether adequate processes exist for the management of the existing website environment in regard to a Data Management Strategy and benchmark the existing website infrastructure against the latest multi-layered best practice standards.

Create a report with recommendations for consideration including the deficiencies of the existing website and a detailed plan of issues identified during the review.

5. Are your IT policies up-to-date, when were they last reviewed? IT best practice recommends that management review IT policies periodically to ensure they reflect new technology, changes in the environment such as regulatory compliance and significant changes in business processes in exploiting information technology for competitive gain. As such, a practical alternative given the constraints on in-house IT compliance resources is to outsource this activity and Wright Lane Services is in a position to fulfill this requirement.

Approach and Deliverables Can either review and revise existing IT policies benchmarked against best practice or supply a new set of IT policies. Evaluate whether the IT policies reflect the existing IT environment including new technology and threats.Evaluate whether the IT Policies reflect the latest governmental, legal and regulatory requirements.Evaluate whether the IT Policy is integrated with the overall corporate policies such as HR and Procurement.Recommend an IT Policy framework including the individual IT policies themselves.Recommend a strategy on how best to implement the IT policies to best affect once agreed by management.




6. Has your company outsourced part or all of your IT Function? If so, is it working? The objective of carrying out an outsourcing review is to determine whether: The risks associated with outsourcing, such as continued availability of services, acceptable levels of services

and security of information are adequately and effectively mitigated through appropriate controls that are implemented and functioning.

The objectives of outsourcing are being achieved. The IT strategy has been suitably modified to make best use of outsourcing.

The outsourcing of IT work involves assessing outsourced risk in relation to software development, application support & maintenance and infrastructure management services. It must look at the total picture. Outsourcing has many benefits but it also needs constant monitoring to evaluate both the technical and business aspects, as necessary, to assess the health of the outsourcing and takes necessary corrective or improvement actions.

Approach and Deliverables The review would typically involve reviewing the following:

o Services Agreement and Statement of Worko High-level monitoring, connectivity and network securityo Data securityo Project monitoring and governanceo Compliance with regulatory requirementso Benefit measuremento Customer satisfactiono Impact on IT strategy

Create a report with recommendations for consideration including the deficiencies of the existing website and a detailed plan of issues identified during the review.

7. Does your company adequately govern IT project investment and realise the benefits? Poor IT project management governance of IT investment can occur due to a lack of project business cases and accountability for benefits realisation. This can be because no formal enterprise wide business justification process exists. Therefore the following approach needs to be given the remit by senior management to establish the following process facilitated by IT but owned by the business unit sponsors.

Approach and Deliverables The following steps would be undertaken as per ISACA Val-IT best practice program template: Step 1—Review IT project Initiation document (PID) with all the relevant data followed by analysis of the data concerning:

o Step 2—Alignment analysiso Step 3—Financial benefits analysiso Step 4—Non-financial benefits analysiso Step 5—Risk analysis

Step 6 —Appraisal and optimisation of the risk/return of the IT-enabled investment Step 7 —The Project Business Case Evaluation would be agreed with IT and lodged with the IT PMO by the Project Manager. Any significant scope changes would be updated to the business




case and any benefits realisation impact reviewed.

8. Does Your Internal Audit Department need to assess the IT environment but can't justify a full-time IT Audit resource?Wright Lane Services can provide part time IT audit compliance and IT risk consultancy to supplement existing

capability and capacity with a full suite of IT audit services and requirements.

Approach and Deliverables Perform IT Audits

identified on existing Internal Audit schedule.

Perform an IT Risk Assessment to create a 3- Year IT Audit Plan customised to meet your IT environment coupled

with the strategic business objectives of your organisation.

Perform one off senior management requests such as investigations related to IT applications.

Project Healthchecks.

9. Does the business or IT department require support for a new application or service but is not sure how to develop a RFI or RFP?Wright Lane Services can provide the necessary support to interface between IT and the business to ensure that the business requirements for a proposed IT application provision are understood (and in some cases, justified) as part of the RFI & RFP preparation and analysis. This starts by verifying whether a simpler in-house solution already exists and if not, ensuring the business understand and will realise the benefits of a turnkey outsourced supplier solution.

Approach and DeliverablesThe steps involved include:


Group Internal Audit 3-Year IT audit Plan

Audit Year

IT Audit Name

IT Audit Scope

IT Audit Objectives IT Risk Rating

Generic IT Risk Topics Covered

2011

Network Management and IT Security Review

Evaluate the design, implementation and monitoring of logical access controls to ensure the confidentiality, integrity, availability and authorised use of information assets

Evaluate network infrastructure security to ensure the confidentiality, integrity, availability and authorised use of the network and information transmitted

IT continuity plans to reduce the impact of a major disruption on key business functions exist

Preventive, detective and corrective measures are in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).

M

L

Malware and Logical attacks Logical trespassing

2011 Database Management Review

Evaluate data administration practices to ensure the integrity and optimisation of databases

Evaluate sample of enterprise databases

Ensure management of: security policy; user accounts and user access; access login and reviewing; disaster recovery plans; logical and physical access controls for infrastructure; administrative and systemic user access controls

L Data(base) integrity

2012

IT Project Management Governance Framework Audit

IT Program Management

For a sample of large, medium and small IT projects to review that: IT PM methodology followed Cost and performance management are in place Quality plan exists to deliver benefits to business expectations Implementations thus far have been managed adequately

Standards are maintained for all development and acquisition and follow the life cycle of the ultimate deliverable, and include sign-off at key milestones based on agreed-upon sign-off criteria.

Measure project performance against key project performance scope, schedule, quality, cost and risk criteria.

An implementation and fallback/backout plan exists with approval from relevant parties.

H

M

Software implementation, IT project termination and Project delivery & project quality IT programme selection

2013 IT Operations Audit

Evaluate operations management to ensure that IT support functions effectively meet business needs

Evaluate the use of capacity and performance monitoring tools and techniques to ensure that IT services meet the organisation’s objectives

Plan the actions to be taken for the period when IT is recovering and resuming services. Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines.

Define and implement procedures for backup and restoration of systems, applications, data and documentation in line with business requirements and the continuity plan.

L

M

M

L

Software performance System capacity Utilities performance Information media

2013 Physical and Environmental Controls Audit

Physical Controls Evaluate the design, implementation and monitoring of physical

controls to ensure that information assets are adequately safeguarded

Environmental Controls Evaluate the design, implementation and monitoring of

environmental controls to prevent or minimise loss

Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs

Define and implement physical security measures in line with business requirements to secure the location and the physical assets.

Include background checks in the IT recruitment process and should be applied for employees, contractors and vendors.

L

L

L

Physical and Environmental Infrastructure (hardware) Infrastructure theft and destruction of infrastructure



1. Identifying the Need2. Development of Specification?3. Selecting the Procurement Method4. Developing the Specification and Contract Documents5. Seeking, Clarifying and Closing Offers6. Evaluating Offers7. Identifying the Preferred Supplier8. Negotiating the Contract9. Disposals10. Evaluating the procurement process



WLS Services Brochure March 2013

Technology

Transcript of WLS Services Brochure March 2013