Wednesday, June 4, 2008

Compliance & Control, Systems & Partner Management


1.0 The Information Office

1.1 Organization



1.2 Responsibilities
The main functions of the Information Office are:
• Establishment of the Compliance Office and the ISO (Information Security Office)
• ITGC Implementation – SOX
• Standardized MIS – Cubot
• Realtime Web Analytics – Omniture
• Revenue Recognition Systems – ART
• Workflow Systems – (AdSales ACA)
• RDS – Automated Deployment System
• BDMT – Batch Deployment and Monitoring
• Realtime Web Analytics/Reporting – RWA/R
• Integrated WFS-Campaign Control – WFS-CC
• Sales Force Automation (Salesforce.com)
• Integrated P4C-DSA Sales Automation (Salesforce.com)
• Marketing Automation (Talisma Marketing)
• Access-Control Automation
• HelpDesk System

To move from a state of low/no control to a SOX- and ITGC-compliant organization:
• Low/No Control → ITGC
• SOX 404 – GCC
• Policies
• Procedures
• Systems
• Reviews
• Audits
• Internal Control Framework
• Internal Testing and Attestation

To move from a manual-process organization to an automated, process-oriented, systemic organization:
• Email/phone support → Talisma CS
• DB Query Shopper List → Talisma Mktg Automation
• MIS:8080/AdHoc Reports → Cubots
• WebTrends → Omniture
• WebTrends → Realtime Web Analytics
• Sales Leads (notepad) → SFA
• Contract email approvals → WFS
• Manual Campaign Schedule → WFS-CC
• Excel Sheet Rev. Rec → ART
• Manual Entry in SunSystems → ART-SunSys Integration
• Everybody deploys (uploads) → CMR/RDS
• End-user alerts on batch jobs → BDMT
• Manual Access-Control → Access Control System
• Informal Bug reporting → HelpDesk System

1.3 Roles
1.3.1 As Chief Compliance Officer
• Manage the Compliance Office and implement ITGC
• Own all Policies and Procedures
• Manage Reviews
  – Logical Access Reviews
  – Segregation of Duties Reviews
  – Infrastructure Reviews
  – Data Center and Network Security Review
• Internal Audit Schedule

1.3.2 As Chief Information Security Officer
• Manage the Information Security Organization
• Own Risk and Control Matrix
• Conduct Risk Assessment and Planning
• Security and Access Control
• Conduct Security Audits / Reviews

1.3.3 As Director – Information Systems
• Identify which applications create the most value for the business and build and deliver them – on time and budget.
• Roadmap and manage lifecycle
• Direction, Planning, Reviews
• Systems Implementation
• Ensure compliance in all implementations
• Manage Partner Relationships
• Develop Partners

2.0 Compliance and Control

2.1 Responsibilities
The Compliance and Control Office is responsible for the following:
• Information Security
• Access Control
• Change Management
• Systems, Network and Data Security Reviews and Audits
• ITGC – Policy & Control
  – Maintain Policy & Control Documentation
    o Policies
      - IT Security Policy
      - Access Control Policy
      - IT AUP
      - Data Backup/Restore Policy
      - Change Management Policy
    o Control Documents
      - Application Authorization Matrix
      - Batch Jobs Document
      - End-User Computing Traceability Matrix
      - Computing Resources Authorization Matrix
• Conduct Risk Assessment
• Maintain Control / Risk Matrix
• Communications and Monitoring
• Internal Audits

2.2 Internal Control Framework

The Internal Control Framework shows the controlling processes and procedures used to achieve compliance and control in the organization.



2.3 Information Security
2.3.1 Information Security Office
The Information Security Office is responsible for implementing the security policies; conducting information security meetings; conducting security and access control reviews; communicating security policies and conducting security awareness sessions in the organization; defining processes for, and reviewing, the monitoring of system, network and data security implementations; and conducting internal security audits on a periodic basis.

2.3.2 Chief Information Security Officer
The Information Security Office is headed by the Chief Information Security Officer. His responsibilities are:
• Implement Policies
  – Information Security Policy
  – Access Control Policy
  – Backup/Restoration Policy
• Conduct Information Security Office Meetings
  – All meetings to be recorded (MOM, minutes of meeting)
• Conduct Reviews
  – Security, Access Control, AUP, B&R, DR Policy
  – Record all policy reviews (MOM)
  – Policies to be updated and approved
  – Updates to policies to be logged
  – Publish a review schedule
• Communication
  – Information Security Policy and Access Control Policy updates to all employees periodically
  – HR training calendar for Security and Appropriate Usage sessions
  – Conduct Security Awareness and Appropriate Usage sessions for new joiners
• Monitoring
  – Review of system exception logs, unauthorized logins and authorized-user lists
  – All reviews to be logged, and the review reports with findings signed off on
  – Action-taken report to be reviewed and signed off on
  – Publish a review schedule
• Define
  – Data Backup/Restoration Process
  – Recovery Testing Process
  – Data securing process (tape-to-bank)
• Review
  – Data Backup/Restoration Process
  – Recovery Testing Process
  – Data securing process (tape-to-bank)
  – Backup/Restoration/Recovery Testing Log Sheet
  – Monthly Tape-to-Bank Log Sheet
  – All reviews to be recorded (MOM)
  – Publish a review schedule

2.3.3 Manager – Information Security
There is a Manager for Information Security who assists the Chief Information Security Officer. His responsibilities are:
• Reporting to the Chief Information Security Officer
• To assist in identifying and engaging external security consultants to periodically carry out tests and submit reports
• To follow up on implementing the recommendations of the reports
• To assist in scheduling and carrying out internal security audits
• To organize and mobilize all material to be reviewed during the internal and external audits
• Responsible for conducting periodic network and systems security testing
  – Penetration test, intrusion detection and vulnerability analysis for systems and network
  – Engage external security consultants to carry out tests and submit reports
  – Reports to be reviewed during the internal audit
• Data security
  – Backup Ops
  – Restoration Ops
  – Recovery Testing
• Defined signatories
  – NOC Engineer: backup
  – IT Support: restoration
  – DBA: recovery testing
  – Manager IT: monthly backup
  – Manager IS: final sign-off on recovery testing and monthly logs
• Tape identification is a must
  – Each tape to be numbered
  – Sheet to clearly identify each tape and the day to which it is assigned
  – Hard copies of logs, duly signed, to be maintained:
    o Backup Log: NOC Engineer
    o Restoration Log: IT Support
    o Recovery Testing: DBA, Manager IS
    o Monthly tape-to-bank: DBA, Manager IT, Manager IS
• Final sign-off must be by the single owner of the process
  – Daily recovery testing log and monthly tape-to-bank log to be signed by Manager IS
• All logs to be reviewed during the monthly process review

2.4 Access Control
• Centralized Access Control – Systems
  – Ad Server
  – Sun Systems
  – Cubots
  – ART / WFS
  – ACA
  – Omniture
  – SFA
  – Talisma
  – OTS / MIS:8080 / Vendors
  – Domain
  – Email
• User management of the defined servers
• All authorized requests for addition/deletion to be maintained
• Application Authorization Matrix maintenance
• All authorized requests for root and privileged access to be filed and maintained
• User management of servers not in the defined scope is owned by the NOC
• Server Access Authorization Matrix maintenance
• Access logs, authorized requests and the authorization matrices to be reviewed periodically
• Owner: Manager – Process & Control
• Review
  – All authorized requests for addition/deletion
  – Application Authorization Matrix maintenance
  – All authorized requests for root and privileged access
  – Server Access Authorization Matrix maintenance
  – Reviews to be recorded (MOM)
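The periodic review above amounts to reconciling three records the office keeps: the Application Authorization Matrix, the accounts actually present on each centrally controlled system, and the filed requests for root/privileged access. The following Python script is an added example, not part of the original document or of any system it names; it shows what that reconciliation looks like when run. System names are taken from the list above, while the user names, roles, account states and the ReviewFindings/review_access/render_report names are constructed for the example.

```python
"""Periodic logical access review (added example; not from the original document).

Reconciles three records the office is required to maintain:
  * the Application Authorization Matrix (who is authorized on which system),
  * the account lists actually present on each centrally controlled system,
  * the filed requests for root/privileged access.
Every input below is a constructed sample: the system names come from the
document's list, the user names, roles and account states are made up.
"""
from dataclasses import dataclass, field

# Constructed sample: Application Authorization Matrix, user -> {system: role}.
AUTHORIZATION_MATRIX = {
    "alice": {"ART": "finance", "Sun Systems": "finance"},
    "bob": {"Cubots": "analyst"},
    "carol": {"Ad Server": "admin"},
    "dave": {"Domain": "user"},
    "frank": {"Omniture": "analyst"},   # left the company; matrix never updated
}

# Constructed sample: accounts found on each system, as (user, is_privileged).
ACTUAL_ACCOUNTS = {
    "ART": [("alice", False), ("eve", False)],          # eve: no matrix entry
    "Sun Systems": [("alice", False)],
    "Cubots": [("bob", False), ("root", True)],         # root: no filed request
    "Ad Server": [("carol", True)],
    "Domain": [("dave", False), ("mallory", False)],    # mallory: no matrix entry
}

# Constructed sample: approved root/privileged access requests on file, (system, user).
PRIVILEGED_REQUESTS = {("Ad Server", "carol")}


@dataclass
class ReviewFindings:
    """Exceptions the reviewer must get explained, actioned and signed off."""
    unauthorized: list = field(default_factory=list)         # account with no matrix entry
    unfiled_privileged: list = field(default_factory=list)   # privileged account, no request
    stale: list = field(default_factory=list)                # matrix entry with no account


def review_access(matrix, accounts, priv_requests):
    """Compare actual accounts with the matrix and the privileged-request register."""
    findings = ReviewFindings()
    for system, entries in accounts.items():
        for user, privileged in entries:
            # Any account the matrix does not authorize on that system is an exception.
            if system not in matrix.get(user, {}):
                findings.unauthorized.append((system, user))
            # Privileged access must be backed by a filed, approved request.
            if privileged and (system, user) not in priv_requests:
                findings.unfiled_privileged.append((system, user))
    for user, systems in matrix.items():
        for system in systems:
            # Authorization with no live account: matrix not maintained (e.g. a leaver).
            present = {u for u, _ in accounts.get(system, [])}
            if user not in present:
                findings.stale.append((system, user))
    return findings


def render_report(findings):
    """Plain-text report suitable for filing with the review minutes (MOM)."""
    lines = ["Logical access review findings"]
    for title, items in (
        ("Accounts not authorized by the matrix", findings.unauthorized),
        ("Privileged accounts without a filed request", findings.unfiled_privileged),
        ("Matrix entries with no matching account", findings.stale),
    ):
        lines.append(f"{title}: {len(items)}")
        for system, user in items:
            lines.append(f"  - {system}: {user}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(review_access(AUTHORIZATION_MATRIX, ACTUAL_ACCOUNTS, PRIVILEGED_REQUESTS)))
```

Each of the three finding types maps to a record the office is required to keep: an unauthorized account means the add/delete request trail or the matrix is incomplete, an unfiled privileged account means a root/privileged request was never filed, and a stale matrix entry means the matrix was not maintained when the account was removed. In practice the account lists would be exported from each system in the list above and the matrix and request register read from the control documents.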

2.5 Change Management
The office is responsible for overseeing the Change Management process. Its responsibilities are:
• Periodic review of
  – the Change Management process
  – change requests submitted
  – change request approvals
  – pending deployments
• Conducting periodic review meetings and documenting the findings of the review
• Reviewing the reports with recommendations for remediation that are submitted, and approving the recommendations
• Ensuring that the approved recommendations are carried out
• Reviewing the remediation carried out, approving it and signing off on it

2.6 Policy Management – Information Steering Committee (ISC)
• Policy reviews and updates
• Schedule for ISC and policy reviews
• Conduct reviews, report submission
• Report approvals; policy updated and approved

3.0 Systems

3.1 Business Productivity and Efficiency Systems
• Revenue Reconciliation and Settlement Systems
  – Ad Sales Contract and Credit Approval System
  – ART – AdSales / ECom / Mobile / Subs
  – Common Accounts Manager
• Business Analytics Systems
• Realtime Web Analytics System

3.2 Change Management and Access Control Systems
• Applications Deployment System (RDS)
• Batch Deployment & Monitoring System (BDMT)
• Access Control System
• Help Desk/Problem Management System



4.0 Partner Relations

4.1 Partner Evaluation
To evaluate partners for consultancy, software development or solution implementation.

4.2 Partner Acquisition
Negotiation with the shortlisted partners and completing the NDA and the agreements.

4.3 Relationship Management
Managing the relationship so as to derive the maximum benefit and ensure that the projects are delivered on budget and on schedule.

4.4 Project Management
Ensure project delivery by managing the various stages of the delivery:
• Planning
• Execution
• Review
• Acceptance Test
• Change Management

• Project Management Methodology
  – SDLC – Project Plan / RA / FS / SD / UAT
• Change Management
  – SCR / CMR / CVS / RDS
• Project Documentation
  – RS / FS / DD / UAT / User Guide
  – Implementation & Ops Manual
• Customer Management
  – Requirement Analysis / Change Request Process
  – Acceptance on RA/FS
  – UAT
  – Training and Support