Business Succession Template by ina15542

									                                                                 Global Technology Template - SAMPLE


Global Technology Template:
The objective of this template is to ensure proper controls are in place for technology within an organization, including business continuity, viruses, budgeting, security, legal/compliance, software, problem/change management, etc.

| Template | Risk | Risk Description | Subrisk | Subrisk Description | Control Procedure | Control Procedure Description | CP Help | Control Procedure Severity | SR Detail | CP Detail |
|---|---|---|---|---|---|---|---|---|---|---|
| Global Technology Template | Business Continuity | | Bus. Resum. | | Change Management | A mechanism exists to ensure the contingency environment is maintained in parallel with production. | n/a | Med | n/a | n/a |
| | | | | | Management Reporting | Corrective action plans are documented and status is routinely reported to management. | n/a | Low | n/a | n/a |
| | | | | | Off-site Recoverability | A comprehensive technology recovery plan exists for restoration of the application or service to another site including inter-application dependencies, data feeds, duplication of critical items of hardware, software, networks, and third party s | n/a | Very High | n/a | n/a |
| | | | | | System Testing | The contingency plan is subject to routine testing and the ability to recover from a remote business contingency site has been verified. | n/a | Very High | n/a | n/a |
| | | | | | Test Performance | No major problems from the tests have been reported for this service. | n/a | Very High | n/a | n/a |
| | | | Viruses | | Anti-virus Software | Virus protection software must exist on all relevant devices. | n/a | Very High | n/a | n/a |
| | | | | | Currency of AV software | Virus protection software is kept current. | n/a | Very High | n/a | n/a |
| | | | | | Scanning Practices | Files from all external sources are scanned for viruses. | n/a | Low | n/a | n/a |
| | | | | | Scope of Scanning | All files are periodically scanned for viruses. | n/a | Med | n/a | n/a |
| | Financial | | Financial Mgt. | | Detailed Budget | A detailed budget exists for each project, detailing estimated resources and cost. | n/a | Very High | n/a | n/a |
| | | | | | Expenditures vs. Plan | Actual expenditure vs. plan is monitored, and variances are explained on a monthly basis. | n/a | Very High | n/a | n/a |
| | | | | | Expense Management Reports | Expense management reports are issued to management and clients monthly. | n/a | Med | n/a | n/a |




            11/30/2010                                                                 1 of 9                                        D:\Docstoc\Working\pdf\a0e690f6-881d-4804-b289-3c6b277a1639.xls
                                                                   Global Technology Template - SAMPLE


Global Technology Template:
The objective of this template is to ensure proper controls are in place for technology within an organization including: Bus.Continuity, viruses, budgeting, security,
letal/compliance, sofware, legal/compliance, problem/change management, etc.

                          Risk                  Subrisk                                                                                                   Control
Templat                                                                                                                                                                            SR             CP
   e          Risk      Descripti     Subrisk   Descripti Control Procedure           Control Procedure Description                   CP Help            Procedure
                                                                                                                                                                                  Detail         Detail
                           on                     on                                                                                                      Severity
          Information               Restoration           Back-up           Businesses have a high degree of confidence                   n/a           Med                         n/a              n/a
                                                          Performance       that their critical data is backed -up and
                                                                            recoverable.
                                                          Back-up Testing   Back-up data is periodically retrieved and                    n/a           Very High                   n/a              n/a
                                                                            tested. Results meet business requirements and
                                                                            are reported to business management.
                                                          Data Back-up      Business requirements for back-ups are                        n/a           Med                         n/a              n/a
                                                          requirements      documented and communicated to all necessary
                                                                            parties.
                                                          Media Worthiness All critical data back-ups are on media which                  n/a           Med                         n/a              n/a
                                                                            can support the business requirements.
                                                          Off-site Storage  All critical data back-ups are stored off-site at a           n/a           Med                         n/a              n/a
                                                                            physically secure location.
                                    Security              Access approval   All access requests are in compliance with                    n/a           Med                         n/a              n/a
                                                          process           established approval processes (e.g. Data
                                                                            Guardian approval) and there is a documented
                                                                            access control plan that is kept up-to-date.

                                                           Adherence to       This platform/product is compliant with the firm's          n/a           Very High                   n/a              n/a
                                                           standards          operating and security standards.
                                                           Data Encryption    Sensitive data is encrypted when carried over               n/a           Low                         n/a              n/a
                                                                              susceptible media (e.g. laptops, airwaves,
                                                                              internet, public lines, etc.)
                                                           Data Guardian      A Data Guardian has been assigned for this                  n/a           Med                         n/a              n/a
                                                                              service.
                                                           Dial-up access     Dial-up access is only through authorized                   n/a           Med                         n/a              n/a
                                                                              means and actively monitored.
                                                           Recertification    All user ID's are re-certified on a periodic basis          n/a           Med                         n/a              n/a
                                                                              by designated managers.
                                                           Security Awareness IRM security policies are documented and                    n/a           Low                         n/a              n/a
                                                                              issued to all staff and consultants.
                                                           Testing            Periodic testing is done to review adherence to             n/a           Low                         n/a              n/a
                                                                              IRM policies.




           11/30/2010                                                                    2 of 9                                    D:\Docstoc\Working\pdf\a0e690f6-881d-4804-b289-3c6b277a1639.xls
                                                                  Global Technology Template - SAMPLE


Global Technology Template:
The objective of this template is to ensure proper controls are in place for technology within an organization including: Bus.Continuity, viruses, budgeting, security,
letal/compliance, sofware, legal/compliance, problem/change management, etc.

                          Risk                  Subrisk                                                                                                       Control
Templat                                                                                                                                                                               SR             CP
   e          Risk      Descripti     Subrisk   Descripti Control Procedure          Control Procedure Description                       CP Help            Procedure
                                                                                                                                                                                     Detail         Detail
                           on                     on                                                                                                          Severity
                                                          User Id           Appropriate controls are in place for user ID's                  n/a           Very High                   n/a              n/a
                                                          Administration    and passwords, including: - Access rights are
                                                                            appropriately assigned to Operating Systems
                                                                            and utilities - Highly sensitive, powerful User ID's
                                                                            are restricted only to appropriate personnel - Us

                                                          User Time -out       Users are logged off for automatically for                    n/a           Med                         n/a              n/a
                                                                               periods of inactivity.
                                                          User termination     Access is immediately revoked for terminated                  n/a           Very High                   n/a              n/a
                                                          procedures.          employees.
                                                          Violation Monitoring A process is in place to identify, track and                  n/a           Med                         n/a              n/a
                                                                               monitor reports detailing key business/security
                                                                               events and violations. Procedures exist to
                                                                               evaluate and manage issues to closure.

          Legal/Regul               Contracts             Audit clauses         Contracts contain appropriate audit clauses.                 n/a           Low                         n/a              n/a
          atory
                                                          Billing reconciliation A billing reconciliation process exists to capture          n/a           Low                         n/a              n/a
                                                                                 vendor error.
                                                          Escalation process An escalation process exists for managing and                   n/a           Low                         n/a              n/a
                                                                                 settling vendor disputes.
                                                          Escape clauses         Contracts contain executable escape clauses                 n/a           Med                         n/a              n/a
                                                                                 and incentives for the vendor to support the
                                                                                 initiative.
                                                          Vendor                 A pointperson is designated to manage                       n/a           Low                         n/a              n/a
                                                          Management             vendor(s).
                                                          Legal review           All contracts are reviewed with approved Legal              n/a           Very High                   n/a              n/a
                                                                                 counsel.
                                                          Performance            A management scorecard process is in place                  n/a           Med                         n/a              n/a
                                                          reporting              with appropriate metrics to evaluate vendor's
                                                                                 performance and identify issues.
                                                          Vendor Adherence Vendors are required to follow all of the firm's                  n/a           Med                         n/a              n/a
                                                          to policies            procedures and policies.
                                    Software              Awareness              A policy exists and is routinely communicated to            n/a           Very High                   n/a              n/a
                                    Lic.                                         all consultants and employees concerning use
                                                                                 of illegal software.


           11/30/2010                                                                    3 of 9                                       D:\Docstoc\Working\pdf\a0e690f6-881d-4804-b289-3c6b277a1639.xls
                                                                    Global Technology Template - SAMPLE


Global Technology Template:
The objective of this template is to ensure proper controls are in place for technology within an organization including: Bus.Continuity, viruses, budgeting, security,
letal/compliance, sofware, legal/compliance, problem/change management, etc.

                          Risk                   Subrisk                                                                                                   Control
Templat                                                                                                                                                                             SR             CP
   e          Risk      Descripti     Subrisk    Descripti Control Procedure             Control Procedure Description                 CP Help            Procedure
                                                                                                                                                                                   Detail         Detail
                           on                      on                                                                                                      Severity
                                                           Compliance testing Reviews of software are periodically run and                 n/a           Med                         n/a              n/a
                                                                                appropriate actions taken for unlicensed
                                                                                software.
                                                           Documentation        License documentation, invoices, original disk,            n/a           Very High                   n/a              n/a
                                                                                CDs and manuals exist for this service's
                                                                                software and can be produced upon request.
                                                           Entitlements         Market Data access is assigned to users based              n/a           Very High                   n/a              n/a
                                                                                on contractual agreement.
                                                           Invoices             Invoices of hardware for this service with pre-            n/a           Low                         n/a              n/a
                                                                                loaded software are kept and can be produced
                                                                                upon request.
                                                           Software inventory An inventory of software for this service exists             n/a           Med                         n/a              n/a
                                                                                for each location.
                                                           Upgrade              Upgrade license documentation exists and can               n/a           Med                         n/a              n/a
                                                           documentation        be readily produced.
          People                    Capabilities           Alternate Sourcing Contingency sourcing strategies have been                    n/a           Med                         n/a              n/a
                                                                                defined and alternate resources are readily
                                                                                available if required.
                                                           Attrition            Attrition rates are within acceptable ranges.              n/a           Very High                   n/a              n/a
                                                           Performance          Internal placement strategies provide                      n/a           Med                         n/a              n/a
                                                           evaluations          challenging and rewarding roles to strong
                                                                                performers.
                                                           Recruiting           Recruiting programs are in place to provide a              n/a           Low                         n/a              n/a
                                                                                pipeline of skilled technologists to meet the
                                                                                businesses' aspirational plans.
                                                           Sourcing Strategy The appropriate staff levels, skill sets, and                 n/a           Very High                   n/a              n/a
                                                                                staff/consultant mix exist, in order to meet or
                                                                                surpass prescribed service levels.
                                                           Staff Retention plan To retain staff and ensure a pipeline of                   n/a           Very High                   n/a              n/a
                                                                                appropriate skills, the following are in place: -
                                                                                career development - training - adequate
                                                                                compensation reviews - performance
                                                                                management
                                                           Succession Plans Succession plans are in place and alternate                    n/a           Med                         n/a              n/a
                                                                                resources are readily available.



           11/30/2010                                                                     4 of 9                                    D:\Docstoc\Working\pdf\a0e690f6-881d-4804-b289-3c6b277a1639.xls
                                                                  Global Technology Template - SAMPLE


Global Technology Template:
The objective of this template is to ensure proper controls are in place for technology within an organization including: Bus.Continuity, viruses, budgeting, security,
letal/compliance, sofware, legal/compliance, problem/change management, etc.

                          Risk                 Subrisk                                                                                                     Control
Templat                                                                                                                                                                            SR             CP
   e          Risk      Descripti     Subrisk  Descripti Control Procedure            Control Procedure Description                   CP Help             Procedure
                                                                                                                                                                                  Detail         Detail
                           on                    on                                                                                                        Severity
                                    Compliance           Adherence to       Technology personnel (both employees and                      n/a           Low                         n/a              n/a
                                                         policies           consultants) abide by firm-specific policies and
                                                                            standards, (e.g. General Rules of Conduct,
                                                                            Data Security policies, etc.).
                                                         Core Values        All employees, consultants and temporary                      n/a           Med                         n/a              n/a
                                                                            workers have access to and are reminded of the
                                                                            Firm's Core Values policies.
                                                         Diversity Training All the firm's officers have attended Diversity               n/a           Low                         n/a              n/a
                                                                            training.
                                                         Work Authorization Managers ensure compliance with the firm's                    n/a           Low                         n/a              n/a
                                                         Policies           policies, work authorization, and completion.
                                                         Policy Review      Regulatory policies and accounting standards                  n/a           Med                         n/a              n/a
                                                                            are periodically reviewed and staff kept current
                                                                            on new regulations.
          Physical                  Physical             Environmental      Environmental controls such as air-conditioning               n/a           Very High                   n/a              n/a
          Security                  Acc.                 controls           and fire prevention function properly, are
                                                                            regularly tested and have appropriate back-up.

                                                          Location security   All access to infrastructure equipment in a                 n/a           Very High                   n/a              n/a
                                                                              physically secure location is restricted and
                                                                              monitored in accordance with the firm's policies.

                                                          Power supply        Electrical power for key components is                      n/a           Med                         n/a              n/a
                                                                              redundant and supplied with UPS and back-up
                                                                              generators.
                                                          Recertifiction      Access list to critical areas are periodically re-          n/a           Med                         n/a              n/a
                                                                              certified.
                                                          Restricted access   Card key access is used to gain access to                   n/a           Med                         n/a              n/a
                                                                              critical areas such as data centers.
                                                          Termination         Terminated employee or consultant access is                 n/a           Very High                   n/a              n/a
                                                          process             removed immediately upon termination.
          Technology                Change                Back-out            All production changes have a documented                    n/a           Very High                   n/a              n/a
                                    Mgt.                                      backout plan.
                                                          Business            Meetings are held with business partners to alert           n/a           Med                         n/a              n/a
                                                          Communication       them of all high risk changes.



                                                            Business Impact   During this review period production changes             n/a           Very High                   n/a              n/a
                                                                              did not cause significant business disruptions
                                                                              (i.e., cause downtime, or significant work
                                                                              alterations).
                                                            Change Integrity  The system or application has a controlled               n/a           Low                         n/a              n/a
                                                                              development and test environment. All changes
                                                                              are moved to a secure library/server.
                                                            Document Process  There is a complete set of documented change             n/a           Low                         n/a              n/a
                                                                              management processes in place, detailing the
                                                                              authorization process, testing requirements,
                                                                              backout plans, and impact analysis.

                                                           Emergency Change    All production emergency changes are                    n/a           Very High                   n/a              n/a
                                                           Approval            authorized by a senior business manager.
                                                           Off-site Change     All production change plans contain a                   n/a           Med                         n/a              n/a
                                                           Coordination        component to update business continuity sites
                                                                               to ensure continuous operation.
                                                           Planning &          Production changes are planned in advance to            n/a           Very High                   n/a              n/a
                                                           Scheduling          ensure that conflicts, compatibility and
                                                                               dependency issues have been identified and
                                                                               resolved.
                                                           Process             All production changes go through this process          n/a           Very High                   n/a              n/a
                                                           Compliance          and use the Firm's Change Management
                                                                               System for logging changes.
                                                           Segregation of      Only people responsible for the infrastructure          n/a           Med                         n/a              n/a
                                                           Duties              implement scheduled production changes.
                                                           Testing Changes     All production changes have been subject to             n/a           Very High                   n/a              n/a
                                                                               appropriate testing.
                                   Dependability           Adherence to        All technologies implemented are in accordance          n/a           Med                         n/a              n/a
                                                           Standards           with the firm's technical standards.

                                                           Assets Inventory    Asset inventories (both hardware and software)          n/a           Low                         n/a              n/a
                                                                               are maintained and reviewed.




                                                        Capacity Planning  Forward capacity planning is performed (6-12                 n/a           Very High                   n/a              n/a
                                                                             months out) to pre-empt service degradation
                                                                             based on business user dialogue and systems
                                                                             based information.
                                                        Hardware Refresh  Hardware is kept current and well maintained.                 n/a           Med                         n/a              n/a
                                                        Hardware Reliability  Critical hardware components are covered by               n/a           Med                         n/a              n/a
                                                                             Service Contracts (internal and external), reside
                                                                             within an approved environmentally conditioned
                                                                             and physically secure data center and are
                                                                             supported by UPS to minimize service
                                                                             disruptions.
                                                        Level of Business    Disruptions to the businesses are within                   n/a           Very High                   n/a              n/a
                                                        impact               acceptable ranges.
                                                        Management           Services are monitored and reported against                n/a           Low                         n/a              n/a
                                                        Reporting            agreed targets on a regular (monthly or
                                                                             quarterly) basis.
                                                        Performance          Technology performance is measured and                     n/a           Med                         n/a              n/a
                                                        Monitoring           monitored.
                                                        Redundancy           Redundancy (fail-over) is in place and                     n/a           Very High                   n/a              n/a
                                                                             periodically tested for all technology
                                                                             components which support critical business
                                                                             processes.
                                                        SLA's                Service Level Agreements are in effect with                n/a           Med                         n/a              n/a
                                                                             internal clients and cover service delivery
                                                                             (availability, mean time to repair, etc.)
                                                        Software Currency  Software versions are current and vendor                     n/a           Med                         n/a              n/a
                                                                             supported.
                                   Problem              Documented           There is a complete set of documented problem              n/a           Low                         n/a              n/a
                                   Mgt.                 Process              management processes, which detail problem
                                                                             recording, escalation and communication.

                                                        Help Desk            There is a common contact point (Service Desk)             n/a           Med                         n/a              n/a
                                                                             for all users to report problems.




                                                         Monitoring and    All critical platforms, processes and applications          n/a           Med                         n/a              n/a
                                                         Alerts            for this service are regularly monitored and
                                                                           alerts are raised for degrading performance.
                                                                           Problem tickets are created and prioritized.

                                                         Problem Reporting  Clear guidelines and predetermined                         n/a           Low                         n/a              n/a
                                                         Process            communication paths exist to ensure that all
                                                                            parties report problems.
                                                         Problem Resolution All significant problems have been corrected               n/a           Very High                   n/a              n/a
                                                                            within an acceptable time frame to the
                                                                            businesses.
                                                         Trend Analysis     Problem trend analysis occurs and proactive                n/a           Very High                   n/a              n/a
                                                                            management approaches are deployed (i.e.
                                                                            solutions are applied across the infrastructure).

                                   Strategy              Business Planning    Business plans around new products,                      n/a           Very High                   n/a              n/a
                                                                              applications, business, growth and transaction
                                                                              volumes, which could impact this service, are
                                                                              routinely discussed and communicated.

                                                         Businesses           Business management has agreed to sponsor                n/a           Very High                   n/a              n/a
                                                         Sponsorship          and consistently support the effort.
                                                         Mgmt. Reporting      Progress against this product's strategy is              n/a           Med                         n/a              n/a
                                                                              regularly tracked and reported.
                                                         Project              Project Plans with deliverables, dates,                  n/a           Med                         n/a              n/a
                                                         Management           milestone management and status are regularly
                                                                              updated and communicated to the businesses.

                                                         Project Marketing    A marketing plan exists for each major                   n/a           Med                         n/a              n/a
                                                                              development, which details vision, strategy,
                                                                              tactics, client communication and key
                                                                              deliverables.
                                                         Service Level        Service Level Agreements are agreed to with              n/a           Med                         n/a              n/a
                                                         Agreements           clients and cost projections exist for new
                                                                              projects.



                                                       Strategy Alignment  A local product strategy exists which is aligned         n/a           Med                         n/a              n/a
                                                                          with a global strategy.
                                                       Strategy           Strategy is communicated to all developers and            n/a           Low                         n/a              n/a
                                                       Communication      support personnel.



