
Mr. Martin Figueroa Revilla


Universidad Nacional José Faustino Sánchez Carrión
Facultad de Ingeniería
Escuela Académico Profesional de Ingeniería de Sistemas
Escuela Académico Profesional de Ingeniería Informática

Course: Information Technology Audit. Security Audit
(Found on the next page)
Degree:
Week:
Topic:
Taken by: II, Mr. Martin Figueroa Revilla
Source: "Auditoría en Informática: Un Enfoque Metodológico", author Enrique Hernández, Editorial CECSA
Reading: "Security Audit", pages -

SECURITY AUDIT
1. Hardware
2. Application software
3. Contingency and recovery plan

Objectives of this review
• Verify that there are plans, policies and procedures relating to security within the organization.
• Confirm that there is a cost/benefit analysis of security controls and procedures before they are implemented.
• Check that security and recovery plans and policies are disseminated and known to top management.
• Assess the degree of commitment of top management, user departments and IT staff to the successful implementation of plans, policies and procedures relating to security.
• Ensure the availability and continuity of computer equipment for the time required by users for timely processing of their applications.
• Ensure that policies and procedures provide confidentiality for the information handled in the development, deployment, operation and maintenance environments.
• Verify that the security required to ensure the integrity of processed information, in terms of completeness and accuracy, is in place.
• Verify that the necessary security is provided for the various computer equipment existing in the organization.
• Check that the insurance contracts needed for the company's hardware and software are in place (elements required for continuous operation of the basic applications).
• Confirm the presence of a function responsible for security management of:
  • Human, material and financial resources related to information technology.
  • Computer technology resources.
Note: This should be checked with those responsible for computer security, with those responsible for the data center and communications, and with the users that the auditor considers relevant.

Main activities for auditing this area
1. Compare projects against the audit plan.
2. Make appointments with the staff to be interviewed.
3. Check the appropriate form and consider whether it should be updated according to specific business needs.
4. Ratify and formalize the dates of interviews and visits.
5. Conduct the interviews and visits required to cover the points of this module.
6. Prepare a draft with the main conclusions and recommendations.
7. Review it with the manager of the computer audit function.
8. Sort and store the supporting information on safe storage devices.
9. Review the draft with the project leader from the areas evaluated.
10. Develop and formally document the final conclusions and recommendations of this review.
11. Attach this information to the document containing the final report.

Requirements for the success of the review
1. Formalize top management's support for the computer auditor, so that the facilities needed to carry out the work are provided. Some supporting actions would be:
  • Top management informs the areas to be audited that some of their functions will be reviewed and that their support is required.
  • Provide the information required by the computer auditor.
  • Convey comments and suggestions to the auditor.
2. The auditor's knowledge of the aspects to be evaluated in this module; this is basically achieved through theoretical and practical training on topics related to computer audit.
Techniques for obtaining and evaluating information (see Table E.2)

Hardware
Aspects to evaluate:
1. Are there policies and procedures concerning the use and protection of the organization's hardware?
1.1 If so, indicate whether the following security aspects are formally identified:
• Administration of the hardware.
• Micros, minis, mainframes and supercomputers.
• Communications technology, networks.
• Quantification of hardware.
• Description of the hardware (basic features).
• Distribution of hardware (physical location).
• Computing areas: user departments and local and remote areas.
• Record of hardware installed, decommissioned, in the procurement process, etc.
• Use of the hardware: development, operation, maintenance, monitoring and decision making.
• Functions responsible for controlling the hardware.
• Others.
• Procedures and security controls for the evaluation, selection and purchase of hardware.
• Policies aimed at verifying that the acquired software covers the following:
  • Security modules: access to hardware (security keys, for example), use of hardware (facilities to monitor the operation) and hardware usage logs (who, when, why, among other things).
• Updating the hardware:
  • Policies designed to confirm that the updated hardware covers the following points:
    • Authorization of the hardware upgrade through its justification.
    • Impact of implementing the hardware on the computing environment: applications, software and costs.
    • Control implications in the implementation and use of the updated hardware.
• Hardware replacement:
  • Policies to ensure that the replaced hardware covers the following points:
    • Authorization through the justification of the replacement.
    • Impact of its introduction on the computing environment: applications, hardware and costs.
    • Control implications in the implementation and use of new hardware.
2. For the support equipment, the following information is needed:
Equipment / Physical location:
• No Break
• Air conditioning
• Fire equipment
• Other
3. Is the physical location of the computer equipment in the building the most appropriate, considering the various disasters or contingencies that may occur (demonstrations or strikes, floods, fires, etc.)?
Note: Check whether the building has facilities for emergency escape.
4. Are there procedures to ensure continuity and availability of computer equipment in case of disaster or contingency?
4.1 If so, are they formally documented and disseminated?
5. Indicate whether there are controls and procedures for:
• Classification and justification of staff with access to the company's data centers and to offices where stationery or computer-related accessories are kept.
• Restricting access to computer facilities to authorized personnel only.
• Definition and dissemination of data center access hours.
• Use of logs to control access to computer centers.
• Defining the acceptance of entry for visitors.
• Managing a special log for visitors to the computer centers.
Note: Check compliance with these controls and procedures.
6. Are there security personnel responsible for safeguarding the company's computer equipment?
6.1 Was the staff trained for this work, or do they simply follow the safety rules that apply to banks or industries?
6.2 If there is no such personnel, which area or function is responsible for physically protecting the computer equipment?
Note: Evaluate the degree of trust that such personnel provide in protecting the assets of the company.
7. Mention whether there are policies regarding the entry and exit of hardware that ensure at least the following:
• Hardware entering and leaving is:
  • Reviewed (content, quantity, destination)
  • Justified (purchase, testing, replacement, removal, decommissioning, others)
  • Approved by the computing manager who will receive it
  • Registered (responsible, time, reason, etc.)
  • Returned (compare with the estimated date of departure)
  • Returned in the same condition as on entry
  • Returns authorized by a computing manager.
8. Is there a research, audit or security function that engages in ongoing evaluation of software, methods, procedures, etc., suggested on the market (such as conferences, publications, consultants, research) for implementing new actions to provide continuous security in the operation and care of computer-related resources?
8.1 If so, what are the main activities assigned to this task?
8.2 If this does not happen, what actions safeguard the adequacy of security controls and procedures when new technologies are implemented?

Application software
Key issues to assess:
1. Do you have policies and procedures concerning the use and protection of existing software?
1.1 If so, indicate whether the following security aspects are formally identified:
• Administration of the software.
• Operating systems, utilities, packages, etc.
• Quantification of software (originals and copies)
• Description (original)
• Distribution (on which computers or secondary storage devices it is held and in which physical location: business areas, banks, etc.)
• Record of software installed, decommissioned, in the process of acquisition, etc.
• Use of the software (type of use, person responsible for its use, among other things)
• Procedures and security controls for the evaluation, selection and acquisition of software.
• Policies to ensure that the acquired software covers the following:
  • Security module for software access, use and usage logs (who, when, what, etc.)
• Updating the software:
  • Policies to confirm that the updated software covers the following points:
    • Authorization through the justification for the upgrade.
    • Impact of its implementation on the computing environment: applications, hardware and costs.
    • Control implications in the implementation and use of the updated software.
• Replacement of the current software by another:
  • Policies to ensure that the replaced software covers the following:
    • Approval through the justification of the replacement.
    • Impact of its introduction on the computing environment: applications, hardware and costs.
    • Control implications in the implementation and use of new software.
2. Indicate whether there are policies concerning the entry and exit of software that ensure at least the following:
• Software leaving the company is:
  • Reviewed (content, quantity, destination)
  • Formally registered in the company
  • Justified
  • Approved by the computing manager
  • Registered (who took it out and at what time)
  • Returned (compare with the estimated date of return)
  • Returned in the same condition in which it left
  • Staff are formally committed not to misuse it (copy, damage, modify).
• Software entering the company is:
  • Reviewed (content, quantity, destination)
  • Justified (evaluation, testing or support of business applications)
  • Approved by the head of informatics
  • Registered (who brought it in and at what time)
  • Returned (compare with the estimated date of return)
  • Returned in the same condition it had at the start
  • Staff are formally committed not to misuse it (copy, damage, etc.)
3. In terms of the applications (information systems) that are developed in the company, what are the controls and procedures necessary to ensure the minimum security required?
3.1 If they exist, do they provide at least the following?
• Procedures for filling in source documents
• Procedures for using the computer
  • Powering on and initializing the equipment
  • Restarting the computer in case of failures
  • Managing computer usage logs
  • Monitoring computer use
• Levels of access (user profile) to the modules:
  • Capture
  • Update
  • Consultation
  • Report generation
  • Backup
  • Other
• Procedures for use of the modules:
  • Capture
  • Update
  • Consultation
  • Backup
  • Report generation
  • Others
4. Are there procedures to verify that the construction (programming), testing and implementation of security controls and procedures are formally approved before the system is used?
5. Do system monitoring or evaluation functions, such as auditors or consultants, participate in approving the security controls of the systems before they are formally approved by users?
5.1 If so, in which development stages are they involved?
5.2 Are they involved in all development projects?
6. Mention whether the controls ensure that the system provides the procedures necessary to ensure that information is handled completely, accurately and with authorization, and is maintained and kept up to date.
6.1 Are there procedures to verify that the totals in the user's validation reports are consistent with the computer system's overall validation totals?
6.2 Are source documents for capture pre-printed with consecutive numbers, or are the numbers assigned by the user? If the latter happens, is there any of the controls listed below within the system to validate the non-repetition or exclusion of any consecutive number?
• Control of diskettes, tapes, stationery, etc.
• Control of all movements or transactions rejected by the system (check that data the system finds incorrect are recorded, corrected, and properly fed back and updated).
• Understanding and proper use of system messages, such as error handling.
• Use of logs by users and IT staff.
Note: Review all the checks to be resolved by the system and also those that correspond to the user.
6.3 How is it ensured that the controls referred to in paragraph 6 are applied during operation of the system?
Note: Check whether there are manual or automated control figures before, during and after the operation of systems to ensure the accuracy, completeness, etc., of the data.
6.4 How is it ensured that, once the system is in operation, the security procedures provided for in its development are complied with formally and in a timely manner?
a) Through an audit trail system.
b) Through reviews by external consultants.
c) Through reviews by IT staff.
Note: Analyze whether the reviews are planned or arise from crisis management.
6.5 How do they ensure that the user, technical and operational manuals meet the standards of the SDLC methodology and are complete?
6.6 How do they ensure that the staff who will use these manuals are trained in their use?
6.7 Are the weaknesses arising from the review of compliance with security controls and procedures for the operation of systems documented?
6.8 If so, indicate whether they are classified as:
• Weaknesses in the input, processing and output procedures
• Understanding or handling of the computer systems
• Difficulties in communication between users and IT for handling new requirements or changes to the systems
• Other
7. As for maintenance, indicate whether there is a formal procedure to ensure that changes to the systems are:
• Supported (backed by user requirements)
• Described (objectives, function, etc.)
• Tested in the development area before being transferred to the production area
• Reviewed by control functions (systems audit, consultants, etc.)
• Approved by those concerned before being put into operation
• Registered in logs
• Reflected in updated documentation such as user, technical and operational manuals
• Implemented with the security controls for such changes
• Other
8. Is there a formal procedure to ensure that the requirements of user departments are recorded, supported, planned, tested and implemented in accordance with the standard SDLC methodology?
Note: Ensure that this point is closely related to the seventh point.
9. How are the system changes suggested by the IT function followed up?
Note: Make sure that, if these changes are to be implemented in the systems, they follow the pattern of the seventh point.
10. Are there procedures to clearly identify responsibilities for the use of the system and of the computer equipment on which it will be implemented and operated?
11. What procedure is used to formally release the system?
11.1 Indicate whether all released systems are formally registered and approved by the users, auditors, IT function, consultants, etc.
12. Once the system is operating, which functions verify that the security controls and procedures are met satisfactorily?
13. Are those responsible for modifying the source programs of systems in operation well defined?
13.1 If so, how do you ensure that only they have access to these programs?
13.2 How is it ensured that only authorized programs are changed, formally and with documentation in the corresponding manuals?
13.3 How is it ensured that those responsible for these changes include security controls?
14. Is there a record of the files of each system in operation (master and transaction files)?
14.1 If so, is there a procedure to ensure that they are only accessed by authorized personnel?
14.2 Is there a procedure specifying which functions will update, delete or consult information in the files of the systems in operation?
14.3 Are the procedures for updating files classified as online or batch?
15. Are there backup procedures for source programs, documentation and files in operation?
16. Is the backup of the information kept in the same building?
17. Is it on the same computer equipment?
18. Do you have controls to ensure that only authorized personnel have access to these backups?

Contingency and recovery plan
Key aspects to assess:
1. Do you consider that senior management, users and IT staff are all aware that all computer-related resources are business assets and should be protected in a formal and permanent manner? Why?
1.1 Which of the following computer-related resources are most important to the organization, and which have more and better protection methods for operating and supporting business goals in optimal conditions?

Resources        Degree of importance* (B / I / N / M / NS)    Formal protection methods
Human
Material
Information
Technological
Financial

* B = basic, I = important, N = necessary, M = minimal, NS = not known

Note: Make sure that the resources considered basic, important or necessary have security methods to prevent and deal with contingencies; if they do not, it may be noted that such considerations are more theoretical than practical. With regard to resources of minimal or unknown importance, ask the reasons for such claims.
1.2 Are there contingency and recovery plans for operations in case of contingency or disaster?
1.3 Indicate whether those plans include the following:
• Communications networks (RC)
• Hardware
• Software, applications, data
• Human resources
• Physical places where the above resources are located
• Other
1.4 If so, were they formally disseminated throughout the organization? Were they developed by third parties, IT staff or users, or was it a project involving several areas of the business?
2. For the process of contingency and recovery planning and its implementation in the company, indicate which tasks have been performed, which are pending, which are in development and who is responsible:

Task                                                                    Status* (D / T / NI)    Finished products
1. Definition of goals and objectives of the plan
2. Risk assessment and identification
3. Development of actions, policies and procedures by type of risk
4. Documentation of the plan
5. Adoption and dissemination of the plan
6. Simulation of the plan
7. Plan update

* D = in development, T = finished, NI = not started

2.1 Have the contingencies that have arisen been met with the contingency and recovery plan designed for the company? With what results?
2.2 If there is no such plan, what actions have been taken to deal with such eventualities and who has been responsible for carrying them out?
3. Indicate whether there is a security function responsible for verifying and monitoring the following items:
• Update
• Formal training plans for users and IT staff on applying the procedures provided in the plans
• Supervision and guidance of the execution of drills
• Assigning responsibility for carrying out the activities under the plans for:
  • Prevention of contingencies.
  • Supporting the business in a disaster or contingency in order to minimize losses of people, equipment and data.
  • Restarting the company's operations immediately or in the minimum time possible.
  • Others.
4. Are the functions involved in these plans tested?
5. Do they provide for any likely contingency and disaster in the location(s) where the organization has facilities (strikes, floods, theft, fire, etc.)?
6. Do the plans cover the procedures necessary to prevent the causal elements or to restore the essential ones?
7. Is the order for restarting the operation of each application classified according to the priorities and strategies of the business?
8. Are there agreements with companies or suppliers that have the same technology (or the most compatible)?
9. Mention whether there are legal contracts that insure the following elements of the IT function and user departments:
• Personnel (IT and users), computer equipment, software, applications, telecommunications, buildings or facilities, among others.
10. Is there a formal procedure for carrying out the whole process of evaluating, selecting and contracting insurance? What are these procedures?
10.1 Are insurance negotiations maintained or being conducted?
10.2 Does this process involve experts in risk assessment (administrator, security officers, auditors, computer specialists and financial experts)?
10.3 What time limits apply to this insurance coverage?
10.4 Are legal actions planned to prevent possible breaches by insurance companies?
11. Is there a priority ranking of the basic elements so that system operation is not interrupted by a disaster or contingency?
11.1 Indicate whether the classification includes the following elements: computer equipment, files, programs, sources, development languages, operating systems, documentation, personnel, among others.
Note: Establish whether there is a formal training program to make IT staff and users aware of the importance of the concept of security and of the timely and proper application of the controls and procedures relating to that concept.

IT PLANNING
• Methodology
• Technology
• Tools
• Training and updating

Objectives of the review
• Identify the existence, formalization and awareness of IT planning in key areas of the business.
• Ensure that IT planning has been evaluated and approved by senior management.
• Check that IT planning focuses on supporting the objectives, plans, policies and strategies of the company.
• Assess the degree of commitment of top management to IT, to determine whether IT planning is properly supported.
• Confirm the existence of an IT planning methodology.
• Investigate whether techniques and productivity tools are used for developing the plan.
• Check that there is a formal training process for understanding and successfully handling the IT planning methodology.
• Assess the degree of compliance with the methodology, techniques and tools in the IT planning process.
• Check whether top management, those responsible for the user areas and those responsible for IT have been involved in the IT planning process.
• Determine whether emerging projects comply with the IT plan.
• Assess the degree of mastery that IT staff have of the methodology, techniques and productivity tools they use to develop IT planning.
• Assess the level of standardization of the IT planning methodology with respect to those commonly accepted in the market (phases, tasks, activities, finished products, functions and responsibilities, reviews, quality assurance, among other items).
Note: If outsiders do the IT planning, ensure that they at least meet the above considerations and, in addition, obtain evidence of the seriousness and confidentiality of such advisers, given the type of information used in this process.

Main activities for auditing this area
1. Compare projects against the audit plan.
2. Make appointments with the staff to be interviewed.
3. Check the appropriate form and consider whether it should be updated according to the specific needs of the business.
4. Ratify and formalize the dates of interviews and visits.
5. Conduct the interviews and visits required to cover the points of this module.
6. Prepare a draft with the main conclusions and recommendations.
7. Review it with the manager of the computer audit function.
8. Sort and store the supporting information on safe storage devices.
9. Review the draft with the project leader from the areas evaluated.
10. Develop and document the final conclusions and recommendations of this review.
11. Attach this information to the document containing the final report.

Requirements for the success of the review
1. Formalize top management's support for the computer auditor, so that the facilities needed to carry out the work are provided. Some support measures would be:
  • Senior management informs the areas to be audited that some of their functions will be reviewed and that their support is required.
  • Provide the information required by the computer auditor.
  • Convey comments and suggestions to the auditor.
2. The auditor's knowledge of the aspects to be evaluated in this module; this is basically achieved through theoretical and practical training on topics related to computer audit.
Techniques for obtaining and evaluating information (see Table H.1)

Methodology
Key issues to assess:
1. Does your area have a planning methodology for computing?
(Page 299 is missing.)
1.1 Does this methodology cover what to do, by whom, and when during the IT planning project?
1.2 If so, indicate whether it also covers the steps and guidelines required for the following classification of projects:
• Planning of information systems to be developed and implemented (short, medium and long term).
• Development and implementation of systems for different business areas.
• Purchase and implementation of market applications.
• Adaptation of applications acquired externally (market applications).
• Telecommunications projects.
• Technology research (hardware, software, telecommunications, etc.).
• Projects for evaluating and selecting suppliers of products and services.
• Projects for developing and implementing strategic information systems for decision making.
• IT audit and evaluation projects.
• Projects for developing and implementing contingency and recovery plans.
• Training or updating projects for executive, technical and user communities.
• Redesign of existing systems.
• Development and implementation of integrated business systems.
• Quality assurance.
• Others related to the IT function.
1.3 Is this methodology formally documented?
1.4 If so, indicate whether it covers each of the following:*
• An overview of the methodology
• Work teams suggested by type of project
• Stages of the methodology
• Tasks for each stage
• Sequence of the stages and tasks
• Those responsible and involved at each stage and task.
• Finished products for each stage or task.
• Technical and administrative requirements to fulfill each task.
• Formal and informal reviews suggested for each phase.
• Estimated duration of each stage of the project.
• Considerations for special projects.
* The computer auditor should verify that the documentation of the methodology provides for the various projects listed in question 1.3.
2. How do you ensure formal commitment, efficient development and monitoring, and final approval of projects if you do not have a methodology that contains the points mentioned in 1.3, 1.4 and
3. If there is an IT planning methodology, was it developed by the company's IT staff, bought, or rented when required?
3.1 Were personnel trained in understanding, developing and practically using it?
3.2 Indicate whether the training was given in formal working groups or individually, with case studies or pilot projects.
3.3 Was the degree of assimilation of the methodology evaluated? How?
3.4 If staff are not trained in the use of the methodology, how is their understanding and efficient use of it for the projects ensured?
3.5 Since when has that methodology been in use?
3.6 How are development staff who recently joined the company trained in understanding and using the methodology? Does the training cover the items mentioned in question 3.2?
3.7 Is the methodology updated when necessary?
3.8 What research or consultation is carried out to make changes or adjustments to the methodology?
3.9 Are these changes formally documented?
3.10 Who approves the changes to the methodology?
3.11 Are staff formally trained in regard to updating the methodology?
4. Is the IT planning methodology consistent with the methodologies recommended as standards in the market?
5. How is it ensured that IT planning methodologies purchased or leased externally meet business requirements?
6. Mention the stages, tasks, products and those responsible in the IT planning process carried out in the company (check the consistency with the most accepted methodological standards).

Stage        Task        Products        Responsible

6.1 The steps above should cover at least the following aspects:
• Study of the current situation and trends in the cultural, technological and economic environment, among others.
• Competitive analysis: strengths, weaknesses, image, finances, etc.
• Expectations and satisfaction of our customers: products, services, expectations, opportunities.
• Evaluation of the current business situation: cultural, technological and economic aspects, information systems, strengths and weaknesses.
• Analysis of business plans: goals, objectives, tactical and strategic plans, etc.
• Evaluation of each of the business areas in terms of information systems, technology, strategic projects, among others.
• Analysis and development of areas of opportunity for supporting top management: basic success factors, strategic projects, investments, expectations, support required from information technology.
• Development and formulation of the computer plan.
• Tactical and strategic projects covering the following points:
  • Information systems, management function, computer equipment, telecommunications, computer audit, research, computer technology, evaluation and acquisition of products and services, joint projects between top management and information technology, joint projects between users and computing.

Techniques
Key issues to be evaluated:
1. Do IT staff know the techniques required for developing, monitoring and documenting the stages of IT planning?
1.2 Do such techniques for IT planning exist in the company?
1.3 Are systems development staff formally trained in the use and application of these techniques?
1.4 Are new recruits trained in handling them?
1.5 What procedure is used to train development staff in the use of methodologies and techniques?
2. Explain which of the following techniques are used in the development of systems for your business:

Technique                                        Yes    No    Stage where it is applied
Interviews
Checklists
Quality assurance checklists
Organizational analysis (business systems)
Project tracking
Cost/benefit analysis
Process and data modeling
Documentation
Layout
Research
Management of work teams
Other (specify)

3. Who determined, and how, what skills were required for the development and implementation of business information systems?
3.1 Is their use widespread in the company? How is it ensured that they are applied?

Tools
Key issues to assess:
1. Is there a classification of the productivity tools used by your company in IT planning? (Productivity tools are understood to be the computer-based means, hardware or software, and the manual means, such as measuring tools, layout tools, etc., that IT staff use in planning.)
1.2 If so, could you indicate which of the following are used in your company?

Concept                      Software    Hardware    Manual tools
Word processing
Spreadsheets
Graphing
Presentations
Diagrams
Application generators
Database generators
Software engineering
Productivity indices
Benchmarks
Other (specify)

1.3 Is their use widespread in the company? How is it ensured that they are applied?

Training and updating

Key aspects to assess:
1. Mention whether there are formal procedures for training software planning staff (or equivalent positions) in:
• Understanding and application of information technology.
• Techniques for making the planning stages of the computer.
• computer tools.
1.2 How are these procedures documented?
1.3 Is there a direct responsibility to develop, update, document and define these training procedures?
1.4 How does one ensure the timely implementation of such procedures?
1.5 If they exist, do they contemplate at least the following?
• Course calendars.
• Those responsible for the delivery of courses (internal or external staff).
productivity required in planning planning methodology
• Posts or functions that require such training.
• Estimated costs of the courses.
• Expected benefits of each course.
• Measurement parameters for attendees and exhibitors.
• Material required for each course.
• Those responsible for the organization of the courses.
2. If you do not have a formal training process, how is the understanding, use and timely updating of the methodology, techniques and productivity tools required by staff during computer planning monitored?
3. Is the person responsible for IT aware of the importance of the continuous updating and improvement of information systems development staff for the deployment of the business?
4. Where third parties (external staff) are involved in information planning projects, how do you ensure that the methodology, productivity tools and techniques they use cover at least the firm's minimum standards? What happens if the organization does not have such standards defined?

Complementary aspects

The computer auditor must recommend at least the following:
a) Formally document these important aspects of the business:
• Mission
• Objectives
• Strategies
• Strengths
• Weaknesses
• Opportunities
• Threats
• Short-, medium- and long-term plan
• Policies
• Primary functions
• Basic information for the functions
• Requirements
• Other
b) Direct the computer to plan strategies and business objectives that
c) is formally approved by senior management. plan.
plans aimed at the short, medium and long term.
d) Involvement of users in the definition, formalization and adoption of
e) Give the formal monitoring and reviewing planning to develop specific reports.
f) A formal methodology Always use a computer planning.
g) The methodology should cover the most important aspects of
h) 's role is to develop computer-based projects in
i) must be an administrative function of
j) computing projects All projects will have a computer cost / benefit analysis.
k) Periodically conduct studies to have:
• An evaluation of the efficiency of computer technology.
• An assessment of the current technological infrastructure.
• An evaluation of information systems.
• An evaluation of data systems.
• An assessment of the role of information technology (administrative).

Based on these points, address the following questions:
1. Do you have clear and documented strategies for the implementation of planning projects?
2. Are the roles and responsibilities of the resources involved in each project well defined?
plan for monitoring the computer, update the plan, etc. information technology master plan. common methodologies.
3. Are senior management and computing aware of the obligation arising from the planning?
4. Is senior management aware of the support the computing function requires for the satisfactory achievement of each project in the planning?
5. Are there plans for the participation of external consultants in the development of certain projects?
6. Is there any formal procedure for selecting the best consultant?
7. Indicate whether you have formal policies and procedures for projects:
• Evaluation and procurement of hardware and software.
• Development of information systems.
• Telecommunications.
• Electronic Data Interchange.
• Office automation.
• Automation of production processes.
• Others.
