Universidad Nacional José Faustino Sánchez Carrión
Facultad de Ingeniería
Escuela Académico Profesional de Ingeniería de Sistemas
Escuela Académico Profesional de Ingeniería Informática
Course: Auditoría en Tecnología de la Información (IT Audit)

SECURITY AUDIT (Auditoría de Seguridad)

Notes taken by: Mr. Martin Figueroa Revilla
Source: Enrique Hernández, "Auditoría en Informática: un enfoque metodológico", Editorial CECSA. Reading: the "Auditoría de Seguridad" chapter (page numbers not given in the source).

SECURITY AUDIT
1. Hardware
2. Applications software
3. Contingency and recovery plan

Objectives of this review
• Verify that there are plans, policies and procedures relating to security within the organization.
• Confirm that a cost/benefit analysis of the controls and security procedures is made before they are implemented.
• Check that the security plans and policies and the recovery plans are disseminated and known to top management.
• Assess the degree of commitment of top management, the user departments and the IT staff to the successful implementation of the plans, policies and procedures relating to security.
• Ensure the availability and continuity of the computer equipment for the time the users require for the timely processing of their applications.
• Ensure that the policies and procedures provide confidentiality for the information handled in the development, deployment, operation and maintenance environments.
• Verify that the security required to guarantee the integrity of the processed information, in terms of completeness and accuracy, is in place.
• Note whether the necessary security is provided for the various computer equipment existing in the organization.
• Check that the insurance contracts needed for the company's hardware and software (the elements required for the continuous operation of the basic applications) exist.
• Confirm the existence of a function responsible for security management of:
  • Human, material and financial resources related to information technology.
  • Computer technology resources.
Note: this should be checked with those responsible for computer security, those responsible for the data center and communications, and the users the auditor considers relevant.

Main activities for auditing this area
1. Compare the projects with the audit planning.
2. Make appointments with the staff to be interviewed.
3. Check the appropriate questionnaire and consider updating it according to the specific needs of the business.
4. Ratify and formalize the dates of the interviews and visits.
5. Conduct the interviews and visits required to cover the points of this module.
6. Prepare a draft with the main conclusions and recommendations.
7. Review it with the manager of the computer audit function.
8. Sort and store the supporting information on safe storage devices.
9. Review the draft with the project leader of the areas evaluated.
10. Develop and formally document the conclusions and final recommendations of this review.
11. Attach this information to the document containing the final report.

Requirements for the success of the review
1. Formalizing the support of top management for the computer auditor, so that the necessary facilities are provided to carry out the work. Some supporting actions would be:
• Top management informs the areas to be audited that some of their functions will be reviewed and requires their support.
• The information required by the computer auditor is provided.
• Comments and suggestions from the external auditor.
2. The auditor's knowledge of the aspects to be evaluated in this module; this is basically achieved through theoretical-practical training on topics related to computer audit.
Techniques for obtaining and evaluating information: see Table E.2.

HARDWARE
Aspects to evaluate:
1. Are there policies and procedures concerning the use and protection of the organization's hardware?
1.1 If so, indicate whether the following security aspects are formally identified:
• Administration of the hardware.
• Micros, minis, mainframes and supercomputers.
• Communications technology, networks.
• Quantification of the hardware.
• Description of the hardware (basic features).
• Distribution of the hardware (physical location).
• Computing areas: user departments, local and remote areas.
• Record of the hardware installed, decommissioned, in the procurement process, etc.
• Use of the hardware: development, operation, maintenance, monitoring and decision making.
• Functions responsible for controlling the hardware.
• Others.
• Procedures and security controls for the evaluation, selection and purchase of hardware.
• Policies aimed at verifying that the acquired hardware covers the following: security modules for access to the hardware (security keys, for example), use of the hardware (facilities to monitor its operation) and hardware usage logs (who, when, why, among other things).
• Updating of the hardware: policies designed to confirm that a hardware upgrade covers the following points: authorization through the justification of the upgrade; impact of the implementation on the computing environment (applications, software and costs); control implications of implementing and using the upgraded hardware.
• Hardware replacement: policies to ensure that replaced hardware covers the following points: authorization through the justification of the replacement; impact of the introduction on the computing environment (applications, software and costs); control implications of implementing and using the new hardware.
2. For the support equipment, the following information must be available:
• Physical location
• No-break (UPS) equipment
• Other equipment
• Air conditioning
• Fire-fighting equipment
3. Is the physical location of the computer equipment within the building the most appropriate one, considering the various disasters or contingencies that may occur (demonstrations or strikes, floods, fires, etc.)?
Note: check whether the building has emergency escape facilities.
4. Are there procedures to ensure the continuity and availability of the computer equipment in case of disaster or contingency?
4.1 If so, are they formally documented and disseminated?
5. Indicate whether there are controls and procedures for:
• Classification and justification of the staff with access to the data center and to the offices where stationery or computer-related accessories are kept.
• Restricting access to the computer facilities to authorized personnel only.
• Definition and dissemination of the hours of access to the data center.
• Use of logs to control access to the computer centers.
• Definition of the conditions under which visitors are admitted.
• Keeping a separate visitor log for the computer centers.
Note: check compliance with these controls and procedures.
6. Are there security personnel responsible for safeguarding the company's computer equipment?
6.1 Were these staff trained for this work, or do they simply follow the security rules that apply to banks or industrial plants?
6.2 If there are no such personnel, which area or function is physically responsible for protecting the computer equipment?
Note: evaluate the degree of trust such personnel provide for the protection of the company's assets.
7. Mention whether there are policies on the entry and exit of hardware that ensure at least that any hardware entering or leaving is:
• Reviewed (content, quantity, destination)
• Justified (purchase, testing, replacement, removal, write-off, others)
• Approved by the computing officer who will receive it
• Registered (responsible person, time, reason, etc.)
• Returned (compared against the estimated date of departure)
• Returned in the same condition in which it entered
• Authorized for return by a responsible computing officer
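The access-control items in point 5 (authorized personnel only, published access hours, access logs, a separate visitor log) can be tested directly against the badge-reader log instead of only by interview. The following Python script is an added example for this page and is not part of Hernández's text or the course material; the log line format, badge identifiers, authorized list, visitor register and the 07:00 to 20:00 access window are all constructed assumptions.

```python
"""Review of a data-center badge-reader log against the access controls in point 5.

Added example for this page (not from the book or the course). Everything below is
constructed: the log line format, badge numbers, the authorized list, the visitor
register and the published access window.
"""
from datetime import datetime, time

# Assumed badge-reader line format: "<YYYY-MM-DD> <HH:MM> <badge> <door> <granted|denied>"
ACCESS_LOG = """\
2024-03-12 08:05 B1042 DC-MAIN granted
2024-03-12 12:40 B2077 DC-MAIN granted
2024-03-12 23:15 B1042 DC-MAIN granted
2024-03-13 03:30 B3310 DC-MAIN granted
2024-03-13 09:10 V0007 DC-MAIN granted
2024-03-13 10:00 V0008 DC-MAIN granted
2024-03-13 10:20 B9999 DC-MAIN denied
"""

# Staff formally authorized to enter the data center (constructed list)
AUTHORIZED = {"B1042": "operator A", "B2077": "operator B"}

# Visitor log kept at reception: (day, visitor badge) pairs that were registered (constructed)
VISITOR_LOG = {("2024-03-13", "V0007")}

# Published hours of access to the data center (assumption: 07:00 to 20:00)
ACCESS_OPEN, ACCESS_CLOSE = time(7, 0), time(20, 0)


def parse_log(text):
    """Turn the raw badge-reader lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, badge, door, result = line.split()
        events.append({
            "ts": datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M"),
            "day": day, "badge": badge, "door": door, "result": result,
        })
    return events


def review_access(events, authorized, visitor_log, open_t=ACCESS_OPEN, close_t=ACCESS_CLOSE):
    """Return one (rule, badge, timestamp) finding per control that was not met.

    Visitor badges are assumed to start with "V" and must appear in the visitor log
    for that day; any other badge must be on the authorized list; every granted
    entry must fall inside the published access hours.
    """
    findings = []
    for ev in events:
        if ev["result"] != "granted":
            continue  # a denied attempt is the control working, not a failure
        badge, ts = ev["badge"], ev["ts"]
        if badge.startswith("V"):
            if (ev["day"], badge) not in visitor_log:
                findings.append(("visitor-not-in-visitor-log", badge, ts))
        elif badge not in authorized:
            findings.append(("unauthorized-badge-granted", badge, ts))
        if not (open_t <= ts.time() <= close_t):
            findings.append(("out-of-hours-access", badge, ts))
    return findings


def denied_attempts(events):
    """Count denied attempts per badge; a high count on one badge is worth a follow-up."""
    counts = {}
    for ev in events:
        if ev["result"] == "denied":
            counts[ev["badge"]] = counts.get(ev["badge"], 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_log(ACCESS_LOG)
    for rule, badge, ts in review_access(evs, AUTHORIZED, VISITOR_LOG):
        print(f"{ts:%Y-%m-%d %H:%M}  {badge:6}  {rule}")
    print("denied attempts:", denied_attempts(evs))
```

Run it as a script to print the findings. Each finding maps back to one control in point 5: a granted entry outside the published hours, a badge admitted without being on the authorized list, or a visitor badge admitted without an entry in the visitor log. Denied attempts are counted separately because a refusal is the control working; a cluster of refusals on one badge is still worth raising during the visit.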
8. Is there a research, audit or security function that continuously evaluates the software, methods, procedures, etc. offered in the market (through conferences, publications, consultants, research) in order to implement new measures that provide continuous security in the operation and care of computer-related resources?
8.1 If so, what are the main activities assigned to it?
8.2 If not, what actions safeguard the adequacy of the controls and security procedures when new technologies are implemented?

APPLICATIONS SOFTWARE
Key issues to assess:
1. Are there policies and procedures concerning the use and protection of the existing software?
1.1 If so, indicate whether the following security aspects are formally identified:
• Administration.
• Operating system software, utilities, packages, etc.
• Quantification of the software (originals and copies).
• Description (of the original).
• Distribution (on which computers or secondary storage devices it resides, and in which physical location: business areas, bank vaults, etc.).
• Registration of the software installed, decommissioned, in the process of acquisition, etc.
• Use of the software (type of use, responsible user, among other things).
• Procedures and security controls for the evaluation, selection and acquisition of software.
• Policies to ensure that acquired software covers the following: a security module for software access, use, and usage logs (who, when, what, etc.).
• Software updates: policies to confirm that updated software covers the following points: authorization through the justification of the update; impact of the implementation on the computing environment (applications, hardware and costs); control implications of implementing and using the updated software.
• Replacement of the current software by another: policies to ensure that replaced software covers the following: approval through the justification of the replacement; impact of the introduction on the computing environment (applications, hardware and costs); control implications of implementing and using the new software.
2. State whether there are policies on the entry and exit of software that ensure at least the following.
Software leaving the company is:
• Reviewed (content, quantity, destination)
• Formally registered in the company
• Justified
• Approved by the responsible computing officer
• Registered (who took it and when)
• Returned (compared against the estimated return date)
• Returned in the same condition in which it left
• Covered by a formal commitment from the staff not to misuse it (copy, damage, modify)
Software entering the company is:
• Reviewed (content, quantity, destination)
• Justified (evaluation, testing or support of business applications)
• Approved by the head of informatics
• Registered (who brought it in and when)
• Returned (compared against the estimated return date)
• Returned in the same condition in which it entered
• Covered by a formal commitment from the staff not to misuse it (copy, damage, etc.)
3. For the applications (information systems) developed in the company, what controls and procedures ensure the minimum security required?
3.1 If they exist, do they provide at least the following?
• Procedures for filling in source documents
• Procedures for using the computer
• Powering on and initializing the equipment
• Restarting the computer after failures
• Managing computer usage logs
• Monitoring computer use
• Access levels (user profile) to the modules: capture, update, consultation, report generation, backup, other
• Procedures for the use of the modules: capture, update, consultation, backup, report generation, others
4. Are there procedures to verify that the construction (programming), testing and implementation of the security controls and procedures are formally approved before the system is put into use?
5. Do monitoring or evaluation functions, such as auditors or consultants, take part in the approval of the security controls of the systems before these are formally approved by the users?
5.1 If so, in which development stages are they involved?
5.2 Are they involved in all development projects?
6. Mention whether the controls ensure that the system provides the procedures necessary for information to be handled completely, accurately, with authorization, and kept maintained and updated.
6.1 Are there procedures to verify that the totals of the user validation reports are consistent with the overall validation performed by the computer system?
6.2 Are source documents pre-printed with consecutive numbers, or are the numbers assigned by the user? If the latter, does the system include any of the controls listed below to validate that no consecutive number is repeated or omitted?
• Control of diskettes, tapes, stationery, etc.
• Control of all movements or transactions rejected by the system (check that data the system finds incorrect is recorded, corrected and correctly re-entered).
• Understanding and proper use of system messages, such as error handling.
• Use of logs by users and IT staff.
Note: review all the checks that are to be resolved by the system and those that correspond to the user.
6.3 How is it ensured that the control scheme referred to in point 6 is maintained during operation?
Note: check whether there are manual or automated control figures before, during and after the operation of the systems to ensure the accuracy, completeness, etc. of the data.
6.4 How is it ensured that, once in operation, the system formally and promptly complies with the security procedures defined during its development?
a) Through an audit system (audit trails).
b) Through reviews by external consultants.
c) Through reviews by the IT staff.
Note: analyze whether these reviews are planned or arise from crisis management.
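Points 6.1 to 6.3 describe the classic completeness and accuracy controls: sequence control over consecutive document numbers (no repetition, no omission), control totals agreed between the user department and the system, and a log of every rejected transaction so that it can be corrected and re-fed. The following Python program is an added example that implements these three checks over a constructed batch; it is not code from the book or the course, and the record layout, the account-number format and the batch header are assumptions.

```python
"""Completeness and accuracy checks on one input batch (constructed example).

Added example for this page, not code from the book or the course. Implements:
  * sequence control: consecutive document numbers, reporting duplicates and gaps,
  * control totals: record count and amount total agreed against the user's batch
    header (the "user validation report" totals of point 6.1),
  * a rejected-transaction log: every record the edits reject is kept with the reason.
The record layout "docno,account,amount", the account format and the header are assumed.
"""
import re
from collections import Counter
from decimal import Decimal, InvalidOperation

ACCOUNT_RE = re.compile(r"^ACC-\d+$")  # assumed account-number format

# Constructed batch: one movement per line (document number, account, amount)
BATCH = """\
1001,ACC-17,120.50
1002,ACC-23,75.00
1002,ACC-23,75.00
1004,ACC-09,-30.00
1005,ACC-,44.10
1006,ACC-31,200.00
"""

# Batch header as prepared by the user department before keying (constructed)
USER_HEADER = {"count": 6, "amount_total": Decimal("484.60"), "first": 1001, "last": 1006}


def parse_batch(text):
    """Parse 'docno,account,amount' lines; amounts stay as text until the edits run."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        docno, account, amount = line.split(",")
        records.append({"docno": int(docno), "account": account.strip(), "amount_raw": amount.strip()})
    return records


def check_sequence(docnos, first, last):
    """Sequence control: duplicated and missing document numbers in the expected range."""
    seen = Counter(docnos)
    duplicates = sorted(n for n, c in seen.items() if c > 1)
    missing = [n for n in range(first, last + 1) if n not in seen]
    return {"duplicates": duplicates, "missing": missing}


def validate(records):
    """Record-level edits. Returns (accepted, rejected_log); rejects keep every reason."""
    accepted, rejected, seen = [], [], set()
    for r in records:
        reasons = []
        try:
            amount = Decimal(r["amount_raw"])
        except InvalidOperation:
            amount = None
            reasons.append("amount not numeric")
        if amount is not None and amount <= 0:
            reasons.append("amount not positive")
        if not ACCOUNT_RE.match(r["account"]):
            reasons.append("invalid account")
        if r["docno"] in seen:
            reasons.append("duplicate document number")
        seen.add(r["docno"])
        rec = dict(r, amount=amount)
        if reasons:
            rejected.append({**rec, "reasons": reasons})  # the rejected-transaction log
        else:
            accepted.append(rec)
    return accepted, rejected


def reconcile(accepted, rejected, header):
    """Control totals: system totals (accepted + rejected) must agree with the user header."""
    def total(rs):
        return sum((r["amount"] for r in rs if r["amount"] is not None), Decimal("0"))
    system_count = len(accepted) + len(rejected)
    system_total = total(accepted) + total(rejected)
    return {"count_ok": system_count == header["count"],
            "total_ok": system_total == header["amount_total"],
            "accepted_total": total(accepted)}


def run_batch(text, header):
    """Run all three controls over a batch and return the combined report."""
    records = parse_batch(text)
    seq = check_sequence([r["docno"] for r in records], header["first"], header["last"])
    accepted, rejected = validate(records)
    return {"sequence": seq, "accepted": accepted, "rejected": rejected,
            "reconciliation": reconcile(accepted, rejected, header)}


if __name__ == "__main__":
    report = run_batch(BATCH, USER_HEADER)
    print("sequence:", report["sequence"])
    for r in report["rejected"]:
        print("rejected", r["docno"], r["account"], r["amount_raw"], "->", "; ".join(r["reasons"]))
    print("reconciliation:", report["reconciliation"])
```

The reconciliation deliberately agrees the user's header totals against accepted plus rejected records: a batch in which rejected movements simply disappear would show a shortfall here, which is exactly the "transactions rejected by the system" weakness point 6.2 asks the auditor to look for. The duplicate and missing document numbers come from the sequence check, which runs over the raw batch and is independent of the record-level edits.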
6.5 How is it ensured that the user, technical and operational manuals meet the SDLC methodology standards and are complete?
6.6 How is it ensured that the staff who will use these manuals are trained in their use?
6.7 Are the weaknesses found when reviewing compliance with the security controls and procedures for the operation of the systems documented?
6.8 If so, are they classified as:
• Weaknesses in the input and output processing procedures
• Understanding or management of the computer systems
• Difficulties in communication between users and IT in handling new requirements or changes
• Other
7. Regarding the maintenance of the systems, indicate whether there is a formal procedure to ensure that changes to the systems are:
• Supported (they respond to user requirements)
• Described (objectives, function, etc.)
• Tested in the development area before being transferred to the production area
• Reviewed by the control functions (systems audit, consultants, etc.)
• Approved by the affected area before being put into operation
• Registered (logged)
• Reflected in updated documentation, such as the user, technical and operational manuals
• Implemented with security controls over such changes
• Other
8. Is there a formal procedure to ensure that the requirements of the user departments are recorded, supported, planned, tested and implemented in accordance with the standard SDLC methodology?
Note: make sure this point is closely related to point 7.
9. How are the system changes suggested by the IT function tracked?
Note: make sure that if these changes are implemented in the systems, they follow the pattern of point 7.
10. Are there procedures that clearly identify the responsibilities for the use of the system and of the computer equipment on which it will be implemented and operated?
11. What procedure is used to formally release a system?
11.1 Indicate whether all systems are registered and their release formally approved by the users, auditors, the IT function, consultants, etc.
12. Once a system is in operation, which functions verify that the controls and security procedures are met satisfactorily?
13. Are those responsible for modifying the source programs of the systems in operation well defined?
13.1 If so, how is it ensured that only they have access to these programs?
13.2 How is it ensured that only authorized programs are changed, formally and with the changes documented in the corresponding manuals?
13.3 How is it ensured that those responsible for these changes include security controls?
14. Is there a record of the files of each system in operation (master and transaction files)?
14.1 If so, is there a procedure to ensure that they are accessed only by authorized personnel?
14.2 Is there a procedure specifying which functions may update, delete or consult the information in the files of the systems in operation?
14.3 Are the file update procedures classified as online or batch?
15. Are there backup procedures for the programs, documentation and files in operation?
16. Are the information backups kept in the same building?
17. Are they kept on the same computer equipment?
18. Are there controls to ensure that only authorized personnel have access to these backups?

CONTINGENCY AND RECOVERY PLAN
Key aspects to assess:
1. Do you consider that senior management, users and IT staff are aware that all computer-related resources are business assets and must be protected formally and permanently? Why?
1.1 Which of the following computer-related resources are more important to the organization, and which have more and better formal methods of protection so that they operate and support the business goals in optimal conditions?

Resource | Degree of importance* | Formal protection methods
Human resources | |
Material resources | |
* B = basic, I = important, N = necessary, M = minimum, NS = not known

Note: make sure that the resources considered basic, important or necessary have security methods in place to prevent and deal with contingencies; if such methods are absent, those ratings are more theoretical than practical. For resources rated of minimum importance or unknown, ask why they are rated that way.
1.2 Are there contingency and recovery plans for operations in case of contingency or disaster?
1.3 Indicate whether those plans include the following:
• Communications network
• Hardware
• Software, applications, data
• Human resources
• The physical places where the above resources are located
• Other
1.4 If so, were they formally disseminated throughout the organization? Were they developed by third parties, by the IT staff, by users, or as a project involving several areas of the business?
2. In the contingency and recovery planning process and its implementation in the company, indicate which tasks were performed, which are pending, which are in development, and who is responsible:

Task | Status* | Finished products | Responsible | Resources (informational / technological / financial)
1. Definition of the goals and objectives of the plan | | | |
2. Risk assessment and identification | | | |
3. Development of actions, policies and procedures by type of risk | | | |
4. Documentation of the plan | | | |
5. Adoption and dissemination of the plan | | | |
6. Simulation of the plan | | | |
* T = finished, D = in development, NI = not started

2.1 Have the contingencies that occurred been handled with the contingency and recovery plan designed for the company? With what results?
2.2 If there is no such plan, what actions have been taken to deal with such eventualities, and who has been responsible for carrying them out?
3. Indicate whether there is a security function responsible for verifying and monitoring the following items:
• Updating of the plans.
• Formal training plans for users and IT staff on carrying out the procedures provided in the plans.
• Supervision and guidance of the execution of simulations.
• Assignment of responsibility for carrying out the activities provided in the plans for: prevention of contingencies; support to the business during a disaster or contingency so as to minimize losses of personnel, equipment and data; restarting the company's operations immediately or in the minimum possible time; others.
4. Are the functions involved in these plans tested?
5. Do the plans envisage every likely contingency and disaster response at the location(s) where the organization has facilities (strikes, floods, theft, fire, etc.)?
6. Do the plans cover the procedures necessary to prevent the causal elements or to restore the essential ones?
7. Is the order in which the operation of each application is restarted classified according to the priorities and strategies of the business?
8. Are there agreements with companies or suppliers with the same technology (or the most compatible one)?
9. Mention whether there are legal contracts covering the following elements of the IT function and the user departments: personnel (IT and users), computer equipment, software, applications, telecommunications, buildings or facilities, among others.
10. Is there a formal procedure for the whole process of evaluating, selecting and contracting insurance? What are these procedures?
10.1 Is insurance in force, or are negotiations under way?
10.2 Does this process involve risk-assessment experts (administrators, security officers, auditors, computer specialists and financial experts)?
10.3 What terms does this insurance coverage set?
10.4 Are legal actions planned to prevent possible breaches by the insurance companies?
11. Is there a ranking of priority items so that the basic operation of the systems is not interrupted by a disaster or contingency?
11.1 Indicate whether the classification includes the following elements: computer equipment, files, programs, sources, development languages, operating systems, documentation, personnel, among others.
Note: establish whether there is a formal training program for IT staff and users on awareness of the importance of the concept of security and of the timely and proper application of the related controls and procedures.

IT PLANNING (Planeación de Informática)
Methodology, techniques, tools, training and updating.

Objectives of the review
• Identify the existence, formalization and knowledge of IT planning in the key areas of the business.
• Ensure that IT planning has been evaluated and approved by senior management.
• Check that IT planning focuses on supporting the objectives, plans, policies and strategies of the company.
• Assess the degree of commitment of top management to IT, to determine whether the support given to IT planning is adequate.
• Confirm the existence of an IT planning methodology.
• Investigate whether there are techniques and productivity tools for developing the plan.
• Check that there is a formal training process for understanding and successfully managing the IT planning methodology.
• Assess the degree of compliance with the methodology, techniques and tools in the IT planning process.
• Check whether top management, those responsible for the user areas and the IT decision-makers have been involved in the IT planning process.
• Determine whether the projects that arise adhere to the IT plan.
• Assess the degree of mastery that the IT staff have of the methodology, techniques and productivity tools they use to plan IT development.
• Assess the level of standardization of the IT planning methodology with respect to those commonly accepted in the market (phases, tasks, activities, finished products, functions and responsibilities, reviews, quality assurance, among other items).
Note: if outsiders do the IT planning, ensure that they at least meet the above considerations and, in addition, obtain evidence of the seriousness and confidentiality of such advisers, given the type of information used in this process.

Main activities for auditing this area
1. Compare the projects with the audit planning.
2. Make appointments with the staff to be interviewed.
3. Check the appropriate questionnaire and consider updating it according to the specific needs of the business.
4. Ratify and formalize the dates of the interviews and visits.
5. Conduct the interviews and visits required to cover the points of this module.
6. Prepare a draft with the main conclusions and recommendations.
7. Review it with the manager of the computer audit function.
8. Sort and store the supporting information on safe storage devices.
9. Review the draft with the project leader of the areas evaluated.
10. Develop and document the conclusions and final recommendations of this review.
11. Attach this information to the document containing the final report.

Requirements for the success of the review
1. Formalizing the support of top management for the computer auditor, so that the necessary facilities are provided to carry out the work. Some supporting measures would be:
• Senior management informs the areas to be audited that some of their functions will be reviewed and requires their support.
• The information required by the computer auditor is provided.
• Comments and suggestions from the external auditor.
2. The auditor's knowledge of the aspects to be evaluated in this module; this is basically achieved through theoretical-practical training on topics related to computer audit.
Techniques for obtaining and evaluating information: see Table H.1.

METHODOLOGY
Key issues to assess:
1. Does your area have an IT planning methodology?
(Page 299 is missing from the source.)
1.1 Does this methodology cover what to do, by whom, and when during IT planning projects?
1.2 If so, indicate whether it also covers the steps and guidelines required for the following classification of projects:
• Planning of the information systems to be developed and implemented (short, medium and long term).
• Development and implementation of systems for the different business areas.
• Purchase and implementation of market applications.
• Adaptation of applications acquired externally (market applications).
• Telecommunications projects.
• Technology research (hardware, software, telecommunications, etc.).
• Evaluation and selection of suppliers of products and services.
• Development and implementation of strategic information systems for decision making.
• Audit and evaluation of information technology.
• Development and implementation of contingency and recovery plans.
• Training or updating projects for the executive, technical and user communities.
• Redesign of existing systems.
• Development and implementation of integrated business systems.
• Quality assurance.
• Others related to the IT function.
1.3 Is this methodology formally documented?
1.4 If so, indicate whether it covers each of the following:*
• An overview of the methodology.
• Work teams suggested by type of project.
• Stages of the methodology.
• Tasks for each stage.
• Sequence of the stages and tasks.
• Those responsible for and involved in each stage and task.
• Finished products for each stage or task.
• Technical and administrative requirements to fulfill each task.
• Formal and informal reviews suggested for each phase.
• Estimated duration of each stage of the project.
• Considerations for special projects.
* The computer auditor should verify that the methodology documentation provides for the various kinds of project listed in question 1.2.
2. If there is no methodology containing the points mentioned in 1.2, 1.3 and 1.4, how is a formal commitment to the efficient development, monitoring and final approval of projects ensured?
3. If there is an IT planning methodology, was it developed by the company's IT staff, bought, or rented when required?
3.1 Were the staff trained in understanding, developing and practically using it?
3.2 Indicate whether the training was given in formal working groups or individually, with case studies or pilot projects.
3.3 Was the degree of assimilation of the methodology evaluated? How?
3.4 If the staff are not trained in the use of the methodology, how are their understanding and efficient use of it for the projects ensured?
3.5 Since when has that methodology been in use?
3.6 Are development staff who recently joined the company trained in understanding and using the methodology? Are they given the items mentioned in question 3.2?
3.7 Is the methodology updated when necessary?
3.8 What research or consultation is carried out to make changes or adjustments to the methodology?
3.9 Are these changes formally documented?
3.10 Who approves the changes to the methodology?
3.11 Are the staff formally trained with regard to updates of the methodology?
4. Is the IT planning methodology consistent with the methodologies and standards recommended in the market?
5. How is it ensured that purchased or leased IT planning methodologies meet the requirements of the business?
6. Mention the stages, tasks, products and responsible parties of the IT planning process carried out in the company (check its consistency with the most widely accepted methodological standards):

Stage | Task | Products | Responsible
| | |

6.1 The stages above should cover at least the following aspects:
• Study of the current situation and trends: cultural, technological and economic, among others.
• Competitive analysis: strengths, weaknesses, image, financial position, etc.
• Expectations and satisfaction of our customers: products, services, expectations, opportunities.
• Evaluation of the current situation of the business: cultural, technological and economic; information systems; strengths and weaknesses.
• Analysis of the business plans: goals, objectives, tactical and strategic plans, etc.
• Evaluation of each area of the business: information systems, technology, strategic projects, among others.
• Analysis and development of areas of opportunity with the support of top management: critical success factors, strategic projects, investments, expectations, support required from information technology.
• Development and formulation of the IT plan.
• Tactical and strategic projects covering the following points: information systems, the administrative function, computer equipment, telecommunications, computer audit, research, computer technology, evaluation and acquisition of products and services, joint projects between top management and IT, joint projects between users and IT.

TECHNIQUES
Key issues to be evaluated:
1. Do the IT staff know the techniques required for the development, monitoring and documentation of the IT planning stages?
1.2 Do such techniques exist for IT planning in the company?
1.3 Are the systems development staff formally trained in the use and application of these techniques?
1.4 Are new recruits trained in handling them?
1.5 What procedure is used to train the development staff in the use of the methodologies and techniques?
2. Explain which of the following techniques are used in the development of systems for your business:

Technique | Yes | No | Stage in which it is applied
Interviews | | |
Checklists | | |
Quality assurance checklists | | |
Organizational analysis | | |
Project tracking (business systems) | | |
Cost/benefit analysis | | |
Modeling | | |
Documentation | | |
Layout | | |
Research | | |
Process and data management | | |
Work teams | | |
Other (specify) | | |

3. Who determines, and how, which techniques are required for the development and implementation of the business information systems?
3.1 Is their use widespread in the company? How is their application ensured?

TOOLS
Key issues to assess:
1. Is there a classification of the productivity tools used by your company in IT planning? (Productivity tools are understood as computer tools, hardware or software, and manual tools, such as measuring and layout tools, used by the IT staff in planning.)
1.2 If so, indicate which of the following are used in your company:

Concept | Software tools | Hardware tools | Manual tools
Word processing | | |
Spreadsheets | | |
Graphing | | |
Presentations | | |
Diagrams | | |
Generators | | |
Application generators | | |
Database | | |
Software engineering | | |
Productivity indices | | |
Benchmarks | | |
Other (specify) | | |

1.3 Is their use widespread in the company? How is their application ensured?

TRAINING AND UPDATING
Key aspects to assess:
1. Mention whether there are formal procedures for training the IT planning staff (or equivalent positions) in:
• Understanding and application of the IT planning methodology.
• Techniques for carrying out the IT planning stages.
• Productivity tools required in IT planning.
1.2 How are these procedures documented?
1.3 Is there a direct responsibility for developing, updating, documenting and defining these training procedures?
1.4 How is the timely implementation of such procedures ensured?
1.5 If they exist, do they at least contemplate the following?
• Course calendars.
• Those responsible for delivering the courses (internal or external staff).
• Positions or functions that require such training.
• Estimated costs of the courses.
• Expected benefits of each course.
• Measurement parameters for attendees and presenters.
• Material required for each course.
• Those responsible for organizing the courses.
2. If there is no formal training process, how are the understanding, use and timely updating of the methodology, techniques and productivity tools required by the staff during IT planning monitored?
3. Is the person responsible for IT aware of the importance of continuously updating and developing the information systems staff for the deployment of the business?
4. Where third parties (external staff) take part in IT planning projects, how is it ensured that the methodology, productivity tools and techniques they use meet at least the firm's minimum standards? What happens if the organization has no such standards defined?

COMPLEMENTARY ASPECTS
The computer auditor must recommend at least the following:
a) Formally document these important aspects of the business:
• Mission
• Objectives
• Strategies
• Strengths
• Weaknesses
• Opportunities
• Threats
• Short, medium and long term plans
• Policies
• Primary functions
• Basic information for the functions
• Requirements
• Other
b) Direct IT planning toward the strategies and business objectives of the short, medium and long term plans.
c) Have the plan formally approved by senior management.
d) Involve the users in the definition, formalization and adoption of the plan.
e) Give planning formal monitoring and review, producing specific reports.
f) Always use a formal IT planning methodology.
g) The methodology should cover the most important aspects of the common methodologies.
h) The IT function's role is to develop the computer-based projects in the information technology master plan.
i) There must be an administrative function for monitoring the IT projects, updating the plan, etc.
j) All IT projects will have a cost/benefit analysis.
k) Periodically conduct studies so as to have:
• An evaluation of the efficiency of the computer technology.
• An assessment of the current technological infrastructure.
• An evaluation of the information systems.
• An evaluation of the data systems.
• An assessment of the IT function (administrative).
Based on these points, address the following questions:
1. Are there clear and documented strategies for the implementation of the planned projects?
2. Are the roles and responsibilities of the resources involved in each project well defined?
3. Are senior management and IT aware of the obligations arising from the planning?
4. Is senior management aware of the support the IT function requires for the satisfactory achievement of each project in the plan?
5. Is the participation of external consultants in the development of certain projects planned?
6. Is there any formal procedure for selecting the best consultant?
7. Indicate whether there are formal policies and procedures for the following projects:
• Evaluation and procurement of hardware and software.
• Development of information systems.
• Telecommunications.
• Electronic data interchange.
• Office automation.
• Automation of production processes.
• Others.
