Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Information Office Functions
1. The Information Office
Compliance, Control, Systems & Processes
A presentation on the functioning of an Information Systems Department
Mahesh Patwardhan
Digital and New Media Consultant
4. Responsibilities
The main functions of the Information Office are:
Establishment of Compliance Office and ISO (Information Security Office)
ITGC Implementation – SOX
Standardized MIS – Cubot
Realtime Web Analytics – Omniture
Revenue Recognition Systems – ART
Workflow Systems – (AdSales ACA)
RDS – Automated Deployment System
BDMT – Batch Deployment and Monitoring
Realtime Web Analytics/Reporting – RWA/R
Integrated WFS-Campaign Control – WFS-CC
Sales Force Automation (Salesforce.com)
Integrated P4C-DSA Sales Automation (Salesforce.com)
Marketing Automation (Talisma Marketing)
Access-Control Automation
HelpDesk System
5. Objectives
To move from a state of low/no control to a SOX and ITGC compliant organization
• Low/No Control - ITGC
• SOX 404 - GCC
• Policies
• Procedures
• Systems
• Reviews
• Audits
• Internal Control Framework
• Internal Testing and attestation
• To move from a manual-process organization to an automated, process-oriented, systemic organization
6. Objectives
• Email/phone support - Talisma CS
• DB Query Shopper List - Talisma Mktg Automation
• MIS:8080/AdHoc Reports - Cubots
• WebTrends - Omniture
• WebTrends - Realtime Web Analytics
• Sales Leads (notepad) - SFA
• Contract email approvals - WFS
• Manual Campaign Schedule - WFS-CC
• Excel Sheet Rev. Rec - ART
• Manual Entry in SunSystems - ART-SunSys Integration
• Everybody deploys (uploads) - CMR/RDS
• End-user alerts on batch jobs - BDMT
• Manual Access-Control - Access Control System
• Informal Bug reporting - HelpDesk System
7. Roles
As Chief Compliance Officer
Manage the Compliance Office and Implement ITGC
Own all Policies and Procedures
Manage Reviews
Logical Access Reviews
Segregation of Duties Reviews
Infrastructure Reviews
Data Center and Network Security Review
Internal Audit Schedule
8. Roles
As Chief Information Security Officer
Manage the Information Security Organization
Own Risk and Control Matrix
Conduct Risk Assessment and Planning
Security and Access Control
Conduct Security Audits / Reviews
9. Roles
As Director – Information Systems
Identify which applications create the most value for the business and build and deliver them – on time and on budget.
Roadmap and manage lifecycle
Direction, Planning, Reviews
Systems Implementation
Ensure compliance in all implementations
Manage Partner Relationships
Develop Partners
11. Responsibilities
The Compliance and Control Office is responsible for the following:
Information Security
Access Control
Change Management
Systems, Network and Data Security Reviews and Audits
ITGC - Policy & Control
Maintain Policy & Control Documentation
Policies
IT Security Policy
Access Control Policy
IT AUP
Data Backup/Restore Policy
Change Management Policy
Control Documents
Application Authorization Matrix
Batch Jobs Document
End-User Computing Traceability Matrix
Computing Resources Authorization Matrix
Conduct Risk Assessment
Maintain Control / Risk Matrix
Communications and Monitoring
12. Internal Control Framework
The Internal Control Framework shows the controlling
processes and procedures used to achieve compliance and
control in the organization.
13. Information Security
Information Security Office
The information security office is responsible for
implementing the security policies
conducting information security meetings
conducting security and access control reviews
communicating security policies
conducting security awareness sessions in the organization
defining processes for and reviewing the monitoring of system,
network and data security implementations,
conducting internal security audits on a periodic basis.
14. …Information Security
Chief Information Security Officer
Responsibilities are:
Implement Policies
Information Security Policy
Access Control Policy
Backup/Restoration Policy
Conduct Information Security Office Meetings
All meetings to be recorded (MOM, minutes of meeting)
Conduct Reviews
Security, Access Control, AUP, B&R, DR Policy
Record all Policy Reviews (MOM)
Policies to be updated and approved
Updates to policies to be logged
Publish a review schedule
15. …Information Security
Communication
Information Security Policy and Access Control Policy updates to all employees periodically.
HR Training calendar for Security and Appropriate Usage sessions.
Conduct Security Awareness and Appropriate Usage sessions for new joiners.
Monitoring
Review of System Exception Logs, Unauthorized Logins, Authorized Users lists
All reviews to be logged and the review reports with findings signed off on.
Action-taken report to be reviewed and signed off on.
Publish a review schedule.
16. …Information Security
Define
Data Backup/Restoration Process
Recovery Testing Process
Data securing process (tape-to-bank)
Review
Data Backup/Restoration Process
Recovery Testing Process
Data securing process (tape-to-bank)
Backup/Restoration/Recovery Testing Log Sheet
Monthly Tape-To-Bank Log Sheet
All reviews to be recorded (MOM)
Publish a review schedule.
17. Access Control
Centralized Access Control – Systems
Ad Server
Sun Systems
Cubots
ART
ACA
Omniture
SFA
Talisma
OTS / MIS:8080 / Vendors
Domain
Email
Review
– All authorized requests for addition/deletion
– Application Authorization Matrix maintenance
– All authorized requests for root and privileged access
– Server Access Authorization Matrix maintenance
– Reviews to be recorded (MOM)
18. …Access Control
User Management of defined servers
All authorized requests for addition/deletion to be maintained
Application Authorization Matrix maintenance
All authorized requests for root and privileged access to be filed and
maintained
User Management of servers outside the defined set is not in scope (owned by NOC)
Server Access Authorization Matrix maintenance
Access logs, Authorized Requests and Authorization Matrix to be reviewed periodically
Owner: Manager – Process & Control
Centralized Access Control – Systems
Ad Server, Sun Systems, Cubots, ART / WFS
OTS / MIS:8080 / Vendors
Domain / Email
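The periodic review described on slides 17 and 18 (and the logical access and segregation-of-duties reviews on slide 7) amounts to a reconciliation: the accounts that actually exist on each in-scope system are compared against the Application Authorization Matrix, the filed requests for root/privileged access, and the conflict rules. The script below is an added example written for this page, not the presentation's own tooling; the system names ART and SunSystems come from the deck, while the users, roles, ticket number and conflict rules are constructed sample data.

```python
"""Logical access review: reconcile live accounts on in-scope systems against
the Application Authorization Matrix, the filed privileged-access requests and
the segregation-of-duties (SoD) rules, and emit findings for sign-off."""

from itertools import combinations

# Constructed sample input (not from the presentation): system -> user -> roles.
AUTHORIZATION_MATRIX = {
    "ART": {"alice": {"analyst"}, "bob": {"approver"}, "dave": {"analyst"}},
    "SunSystems": {"bob": {"ledger-entry"}, "carol": {"ledger-approve"}},
}
# What an export of the live account tables looks like on review day (constructed).
ACTUAL_ACCOUNTS = {
    "ART": {"alice": {"analyst"}, "bob": {"approver", "admin"}, "eve": {"analyst"}},
    "SunSystems": {"bob": {"ledger-entry", "ledger-approve"},
                   "carol": {"ledger-approve", "dba"}},
}
# Filed and approved root/privileged access requests: (system, user, role, ticket).
APPROVED_PRIVILEGED_REQUESTS = {("ART", "bob", "admin", "CR-0412")}
PRIVILEGED_ROLES = {"root", "admin", "dba"}
# Hypothetical SoD rules: role pairs one person must never hold on the same system.
SOD_CONFLICTS = {frozenset({"ledger-entry", "ledger-approve"}),
                 frozenset({"analyst", "approver"})}


def review_access(matrix, actual, approved, privileged, sod_conflicts):
    """Return a sorted list of (kind, system, user, detail) findings."""
    findings = []
    # Index approved privileged requests by (system, user) -> {role: ticket}.
    approved_by_user = {}
    for system, user, role, ticket in approved:
        approved_by_user.setdefault((system, user), {})[role] = ticket

    for system, accounts in actual.items():
        for user, roles in accounts.items():
            granted = approved_by_user.get((system, user), {})
            # A role is authorized if the matrix lists it or an approved request covers it.
            authorized = set(matrix.get(system, {}).get(user, set())) | set(granted)
            if user not in matrix.get(system, {}) and not granted:
                # Account exists on the system but nobody authorized it at all.
                findings.append(("unauthorized_account", system, user,
                                 ",".join(sorted(roles))))
            else:
                for role in sorted(roles - authorized):
                    findings.append(("unauthorized_role", system, user, role))
            # Privileged access must always be backed by a filed request, even if
            # the matrix happens to list it.
            for role in sorted(roles & privileged):
                if role not in granted:
                    findings.append(("privileged_without_request", system, user, role))
            # Segregation of duties: check every pair of roles the user holds.
            for a, b in combinations(sorted(roles), 2):
                if frozenset({a, b}) in sod_conflicts:
                    findings.append(("sod_conflict", system, user, f"{a}+{b}"))

    # Matrix entries with no live account are stale authorizations to clean up.
    for system, entries in matrix.items():
        for user in entries:
            if user not in actual.get(system, {}):
                findings.append(("stale_authorization", system, user, "no live account"))
    return sorted(findings)


if __name__ == "__main__":
    # Prints the review report that would be filed and signed off on.
    for kind, system, user, detail in review_access(
            AUTHORIZATION_MATRIX, ACTUAL_ACCOUNTS, APPROVED_PRIVILEGED_REQUESTS,
            PRIVILEGED_ROLES, SOD_CONFLICTS):
        print(f"{kind:28} {system:12} {user:8} {detail}")
```

Each finding maps to one of the controls the deck names: an account with no matrix entry or request, a role beyond what was authorized, privileged access with no filed request, an SoD conflict, or a matrix entry nobody uses any more. In practice the two inputs would come from an export of each system's user table and the signed request register, and the output list is what the "Reviews to be recorded (MOM)" item refers to.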
19. Change Management
Periodic Review of
Change Management Process.
Change Requests submitted.
Change Request Approvals
Pending deployments
Conducting periodic Review Meetings and documenting the findings of the review
Reviewing Reports with recommendations for remediation submitted and approving the recommendations.
Ensuring that the approved recommendations are carried out.
Reviewing the remediation carried out, approving and signing off on the same.
20. Policy Management
Policy Reviews and Updates
Schedule for ISC and Policy Reviews
Conduct Reviews, report submission.
Report Approvals, Policy updated and approved.
23. Business Productivity Systems
Revenue Reconciliation and Settlement Systems
Ad Sales Contract and Credit Approval System
ART – AdSales / ECom / Mobile / Subs
Common Accounts Manager
Business Analytics Systems
Realtime Web Analytics System
24. Change Management & Access Control
Systems
Applications Deployment System (RDS)
Batch Deployment & Monitoring System (BDMT)
Access Control System
Help Desk/Problem Management System
26. Partner Relationship Management
Partner Evaluation
To evaluate partners for consultancy, software development or solution implementation.
Partner Acquisition
Negotiation with the shortlisted partners and completing the NDA and the Agreements.
Relationship Management
Managing the relationship so as to derive the maximum benefit and ensure that the projects are delivered on budget and on schedule.
27. Project Management
Ensure Project Delivery by managing various stages of the delivery
Planning
Execution
Review
Acceptance Test
Change Management
Project Management Methodology
SDLC – Project Plan / RA / FS / SD / UAT
Change Management
SCR / CMR / CVS / RDS
28. …Project Management
Project Documentation
RS / FS / DD / UAT / User Guide
Implementation & Ops Manual
Customer Management
Requirement Analysis / Change Request Process
Acceptance on RA/FS
UAT
Training and Support