VOL 1 - NOVEMBER
audit post project implementation the business benefits achieved. The endeavor of this newsletter will be to reach out to business managers with knowledge of how businesses can really benefit from latest IT tools. The first step towards reaping business benefits is a complete relook at the way a business is run today. Business managers may seek assistance of external business advisors or deploy some of internal senior managers for such a study.

If an organization allows itself to be driven primarily by urgent IT issues (application and network down times) while putting important IT issues (review new applications or study latest IT innovations) to the side, it will quickly become a completely reactive environment and will not look forward to properly align technology and business objectives. Adherence to strong operational and planning practices ensures that an organization strikes an equal balance between operational issues and future planning, and continues to align technical resources with business objectives.

Business organizations are operating in an environment that is fast changing. Factors that add competitive advantage to a business organization are changing. Lack of timely IT upgrades can set organizations behind competition eroding their market share and profitability. One significant development which is round the corner is adoption of IFRS (‘International Financial Reporting Standards’) in India w.e.f 1st April 2011. IFRS may have significant overlap and cross-dependencies with ERP implementation, financial reporting and consolidation. Our IFRS practitioners have outlined an approach companies may adopt. We trust these articles would help our readers.

Sumit Goswami
Sumit Goswami
It is generally best if one person or a very small team facilitates all of the measurement sessions to ensure a consistent approach. The approach may be:

• Adapt - process to modify a software system that has been previously installed. It differs from updating in that adaptations are initiated by local events such as changing the environment of customer site.
• Update - replaces an earlier version of all or part of a software system with a newer release.
• Version tracking - help the user find and install updates to software systems installed on PCs and local networks.
• Uninstallation - removal of a system that is no longer required.

The typical roles involved in software deployments for enterprise applications are:

IT organization structure
Physical security of IT assets is important. Physical security provides the first line of defense in cyber security: someone who can steal your machine, or sit down at it and start working, represents as much potential disruption to your work or data as cyber incidents do. This may involve locking your workspace after office hours, placing laptops in inconspicuous locations when unattended in your office, home, or hotel room, and using additional measures such as laptop-locks and computer-locks where appropriate.

Hardware acquisition & maintenance

The process to develop specifications and call for bids needs to be assessed. Organizations should constantly seek to use technology more efficiently and effectively to meet business objectives. Multitasking and multiprocessing features are assessed. Compatibility with other hardware is reviewed. Usually CPU speed and input/output device speeds are critical. Personal Digital Assistants (PDAs) are becoming important for mobility solutions. Written acquisition policies and processes for feasibility studies, requirements gathering and the approval process of the IT steering committee are important.

Application security

Security aspects during SDLC (system development life cycle), change (life cycle) management, database security and malware need to be assessed.

License management

Technology that offers integration and automation is now available and can be leveraged to address the challenges surrounding software inventory, compliance and license management. Solutions including these capabilities offer visibility into an organization’s software environment, and work toward automatically associating all software licenses, use rights and supporting purchase data to their respective software. Aside from inconsistent and incomplete publisher and product names, version, edition and language data is often published without a common format and, in some cases, is simply missing altogether. Further complicating software inventory processes are the practices of evaluations and bundling. The process of simplifying the everyday complexities of software license management begins with the implementation of several tasks designed to automate the administrative tasks of matching licenses to their discovered instances.

In networking, network standards and protocols facilitate the creation of an integrated environment of application and services communication. A firewall is a device (hardware / software) that restricts access between networks. A firewall is implemented to support the organizational security policy, in that specific restrictions or rules are configured within the firewall to restrict access to services and ports. The firewall architecture for the organization depends on the type of protection the organization needs. The architecture might be designed to protect internal networks from external; it might be used to segment different internal departments and might include packet filtering, stateful packet inspection, proxy / application gateways, or a combination of these. The organization might decide on hardware- or software-based firewalls to provide network protection. Administrative, physical, and technical controls should protect the network and its associated components.

Backup & recovery

Backups are useful primarily for two purposes. The first is to restore a state following a disaster (called disaster recovery). The second is to restore small numbers of files after they have been accidentally deleted or corrupted. Many different techniques have been developed to optimize the backup procedure. These include optimizations for dealing with open files and live data sources as well as compression, encryption, and de-duplication, among others. Magnetic tape has long been the most commonly used medium for bulk data storage, backup, archiving, and interchange. Blu-ray Discs dramatically increase the amount of data possible on a single optical storage disk. Various schemes can be employed to shrink the size of the source data to be stored so that it uses less storage space. Deduplication can occur on a server before any data moves to backup media.

Virus protection

Many users install anti-virus software that can detect and eliminate known viruses after the computer downloads or runs the executable. The most common method of virus detection is using a list of virus signature definitions. This works by examining the content of the computer’s memory (its RAM, and boot sectors) and the files stored on fixed or removable drives (hard drives, floppy drives), and comparing those files against a database of known virus “signatures”. The disadvantage of this detection method is that users are only protected from viruses that pre-date their last virus definition update. The second method is to use a heuristic algorithm to find viruses based on common behaviors.

Email security

Viruses are a major email security hazard that companies simply cannot afford to ignore. Various studies have shown how employees use email to send out confidential corporate information. Be it because they are disgruntled and revengeful, or because they fail to realize the potentially harmful impact of such a practice, employees use email to share sensitive data that was officially intended to remain in-house. Emails sent by staff containing racist, sexist or other offensive material could prove equally troublesome, not to mention embarrassing. Spammers can use a corporate mail server to send out their unsolicited messages, often bringing trouble upon the unwitting organization. A content checking tool is a must to prevent users from sending out confidential or sensitive corporate information via email. A reliable virus scanner screens all incoming and outbound messages and attachments for email viruses and worms.

Logical access

Logical access control refers to the collection of policies, procedures, organizational structure and electronic access controls designed to enable safe access to computer software and data files as well as to networking. The logical access controls can be embedded within operating systems, applications, add-on security packages, or database and telecommunication management systems.

Helpdesk management

The helpdesk must pick up the phone, and log and process incidents. Any non-scripted discussion with the user will take 5-10 minutes on average. With an automatic helpdesk (HD) system (users logging the incidents themselves via portal or email), reassignment, closure and communication with users is a full-time job for at least one person if you have 200+ users. Some problems can be solved using a knowledge base; many things require research or configuration, or depend on interaction with other specialists inside or outside of your company.

Operating system security

Many information systems continue living in an insecure condition that keeps the system in danger of a virus infection or of total compromise by a hacker. A firewall is a device or program that blocks undesired Internet traffic, including viruses, from accessing your computer. Manage the user accounts on your computer, so you can control exactly who can log into your machine.

Program change management

The purpose of the Change Management Program (CMP) is to assure that the negative impact of changes to a company’s Information Technology system is minimized by using a standardized process of governance.

• Develop a Request for Change (RFC).
• Obtain Business Change Acceptance: The decision to make a change is typically a business decision where costs vs. benefits are weighed.
• Initiate the Development Project: Development of the change (including testing) is an IT-guided function. Careful attention must be given to ancillary effects the new change may have on existing systems.
• Pass the Change Management Gate: a group of people with different perspectives, backgrounds and areas of expertise is to review the change from a process and governance standpoint to assure that all foreseeable risks have been identified and mitigated, and that compensatory techniques are in place for any elements of exposure (things that could go wrong).

The entire process must be thoroughly documented and the approved process must be precisely followed.

Encryption

Encryption is used to protect data in transit, for example: data being transferred via networks (e.g. the Internet, e-commerce), mobile telephones, wireless microphones, wireless intercom systems, Bluetooth devices and bank automatic teller machines.

Version control

Changes are usually identified by a number or letter code, termed the “revision number”, “revision level”, or simply “revision”. Systems to automate some or all of the revision control process have been developed. Baseline is an approved revision of a document or source file from which subsequent changes can be made. A change list, change set, or patch identifies the set of changes made in a single commit. A check-out (or co) is the act of creating a local working copy from the repository. A commit or checkin is the action of writing or merging the changes made in the working copy back to the repository. The repository is where files’ current and historical data are stored, often on a server.
Password security & control

While passwords are a vital component of system security, they can be cracked or broken relatively easily. One easy way for potential intruders to nab passwords is through social engineering: physically nabbing the password off a Post-It from under someone’s keyboard or through imitating an IT engineer and asking over the phone. In order to ensure their ongoing effectiveness, passwords should be changed on a regular basis. Network managers and administrators can enhance the security of their networks by setting strong password policies. The organization’s password policy should be integrated into the security policy, and all readers should be made to read the policy and sign off on it. They should set password expiration dates on all programs being run on the organization’s

• Backups made to tape and sent off-site at regular intervals (preferably daily)
• Backups made to disk on-site and automatically copied to off-site disk, or made directly to off-site disk
• Replication of data to an off-site location, which overcomes the need to restore the data (only the systems then need to be restored or synced). This generally makes use of storage area network (SAN) technology
• High availability systems which keep both the data and system replicated off-site, enabling continuous access to systems and data

• Quality assurance
• Incident management
integration testing;
• Define test case documentation formats;
• Define test monitoring frameworks and formats;
• Formulate the gap analysis methodology;
• Define the version control and change management methodology.

Project review

Periodic review must cover:

• Monitor progress of implementation;
• Identify schedule slippage if any;
• Analyze the issues if any;
• Address issues and schedule slippage and take appropriate actions;
• Assess project metrics;
• Evaluate open defects, defect density, defect severity, defect priority, defect closure, adherence to quality and development standards, resource allocation, baseline change, critical success factors, risk mitigation;
• Periodic review of software performance;
• Periodic review of hardware performance;
• Review ‘go live’ in departments.

Change management

Change management activities need to be managed:

• Identify change champions and sponsors;
• Define roles and responsibilities;
• Define the stakeholder management plan;
• Develop change management plan;
• Define change management roadmap / initiatives to be undertaken;
• Develop change management initiatives as per transformation roadmap;
• Define the change communication framework;
• Define roles and responsibilities for each node;
• Develop the communication templates and protocols within the hierarchy to identify and act on change requirements;
• Define KPIs for change management initiatives;
• Develop templates to capture data and produce metrics;
• Review change management and report periodic status;
• Training employees at different levels in the hierarchy, in achieving their envisioned roles and responsibilities after the implementation.

IFRS
By Ganesh Srinivasan

International Financial Reporting Standards (IFRS) is a globally accepted set of accounting standards and interpretations established by the International Accounting Standards Board (IASB). On January 22, 2010, the Ministry of Corporate Affairs issued the road map for transition to IFRS with subsequent clarifications in May 2010. The Institute of Chartered Accountants of India (ICAI) has announced that IFRS (International Financial Reporting Standards) will be mandatory in India for financial statements for the periods beginning on or after 1 April 2011. This will be done by revising existing accounting standards to make them compatible with IFRS. Reserve Bank of India has stated that financial statements of banks need to be IFRS-compliant for periods beginning on or after 1 April 2011.

In the first phase large companies (net worth Rs. 1,000 crores as of 31st March 2009), companies that are included in Nifty 50 or Sensex 30 and companies whose securities are listed in a foreign exchange will adopt the new set of accounting standards. Companies, whether listed or not, having net worth of more than Rs 500 crore will convert their opening balance sheet as at April 1, 2013. Listed companies having net worth of Rs 500 crore or less will convert their opening balance sheet as at April 1, 2014.

India has opted for the ‘convergence’ approach versus the ‘adoption’ approach, while transitioning to IFRS. Indian standard setters can review the prevailing IFRS standards, and determine that certain specific provisions under these standards are not acceptable for application in India. One benefit that supports transition to IFRS is that Indian companies can use their statutory financial statements to raise capital in the overseas markets, and foreign investors can interpret financial statements of Indian companies easily.
The IFRS Foundation (www.ifrs.org) currently provides free access to the current year’s consolidated unaccompanied IFRSs (i.e. the core standards, without implementation guidance and the basis for conclusions) in English and the IFRS for SMEs.

There are differences between IFRS and Indian Accounting Standards, e.g.:

1. ‘Prudence’ is an assumption under IFRS accounting that rules out unrealistic gains out of available for sale securities.
2. IFRS places more emphasis on the Statement of Cash Flows as it provides information on the ability of a company to generate cash and cash equivalents with timing and certainty.
3. IFRS emphasizes ‘control’ over economic benefits of an asset and not legal ownership.

statements. During this transition phase, both Indian GAAP and IFRS accounting and reporting are to be carried out simultaneously.

Phase V – Adoption of IFRS

The final phase includes switching over to IFRS standards by adopting all the reports and statements that IFRS demands.