IT Governance, Risk, and Compliance


October 21, 2010  6:24 PM

Service Level Management of Cloud Computing – Part I



Posted by: Robert Davis
Cloud Computing, Critical Success Factors, CSF, IT Service Delivery, IT Support, ITSM, Key Performance Indicators, KPI, Service Level Agreement, Service Level Management, SLA, SLM

Service Level Management (SLM) defines, negotiates, controls, reports and monitors agreed-upon service levels within predefined standard service parameters. Usually, IT service delivery is considered adequate when system issues are swiftly resolved to the satisfaction of users. An entity’s ability to sustain appropriate IT service is heavily dependent on building service commitments and managing service levels against them.

SLM deployments can flounder when IT management skews the service focus towards technology-centric measurements specific to individual technical domains. To correct this, the IT service department should report service levels in terms that management understands. Furthermore, objective achievement should be reflected in building and measuring service-based contractual arrangements. Service-based negotiations not only encourage directed dialogue between IT and business units, but also promote unified IT practices across the configuration items supporting computer applications and business processes.

October 18, 2010  12:48 PM

Compliance through Automation: Continuous Monitoring – Part VIII



Posted by: Robert Davis
Compliance Management, Compliance Verification Systems, Continuous Monitoring, Control System, Data Provisioning, Decision Techniques, Enterprise Resource Planning, ERP, Exception Reporting Systems, Expert Systems, Inference Engine, Knowledge Acquisition, Knowledge Engineer, Knowledge-base, Management Information Systems, MIS

Since management is responsible for the entity’s controls, it should have the means to determine, on an ongoing basis, whether selected controls are operating as designed. Continuous monitoring typically addresses management’s responsibility to assess the adequacy and effectiveness of controls. It strengthens managerial capabilities and entity-level controls while helping to maintain acceptable performance levels. Furthermore, because it can identify and correct control problems on a timely basis, automated continuous monitoring enriches an entity’s compliance program. Nonetheless, the key to a successful deployment of automated continuous monitoring is process ownership: specific personnel must be assigned responsibility for responding to each reported exception condition.

View Part I of the Compliance through Automation: Continuous Monitoring series here


October 14, 2010  3:21 PM

Compliance through Automation: Continuous Monitoring – Part VII



Posted by: Robert Davis
Compliance Management, Compliance Verification Systems, Continuous Monitoring, Control System, Data Provisioning, Decision Techniques, Enterprise Resource Planning, ERP, Exception Reporting Systems, Expert Systems, Inference Engine, Knowledge Acquisition, Knowledge Engineer, Knowledge-base, Management Information Systems, MIS

Continuous monitoring gives management greater insight into the entity’s current state of compliance. For IT, continuous monitoring typically involves ongoing automated testing of selected data within a given process area against a suite of control protocols. Management can use the results, together with analytics that identify performance gaps or unusual events suggesting control failures, to set or reset process guidelines, rules and tests. This type of continuous monitoring can be implemented in IT hardware, firmware or software enabled to observe and record automated activities. Automated continuous monitoring therefore provides a timely feedback mechanism for management to confirm that configuration items and controls are operating as designed and that data are processed appropriately.

View Part I of the Compliance through Automation: Continuous Monitoring series here


October 11, 2010  6:02 PM

Compliance through Automation: Continuous Monitoring – Part VI



Posted by: Robert Davis
Compliance Management, Compliance Verification Systems, Continuous Monitoring, Control System, Data Provisioning, Decision Techniques, Enterprise Resource Planning, ERP, Exception Reporting Systems, Expert Systems, Inference Engine, Knowledge Acquisition, Knowledge Engineer, Knowledge-base, Management Information Systems, MIS

To ensure effective continuous monitoring, adequate segregation of functions must be sustained. Neither continuous monitoring nor segregation of functions is a new control concept. Yet technological integration issues can be a barrier to implementing continuous monitoring systems that are independent of operational processes and can be easily configured for specific risk tolerance requirements. Procedurally, achieving appropriate functional independence in an automated system requires defining IT and operational user work units with the control context in mind. When properly deployed, segregation of functions ensures that organizational responsibilities neither impinge upon the monitoring system’s independence nor corrupt the integrity of information system assets while it tracks and collects data on individual processes.

View Part I of the Compliance through Automation: Continuous Monitoring series here


October 7, 2010  12:28 PM

Compliance through Automation: Continuous Monitoring – Part V



Posted by: Robert Davis
Compliance Management, Compliance Verification Systems, Continuous Monitoring, Control System, Data Provisioning, Decision Techniques, Enterprise Resource Planning, ERP, Exception Reporting Systems, Expert Systems, Inference Engine, Knowledge Acquisition, Knowledge Engineer, Knowledge-base, Management Information Systems, MIS

According to The Institute of Internal Auditors, “Continuous monitoring of controls is a process that management puts in place to ensure that its policies and procedures are adhered to, and that business processes are operating effectively.” Though manual performance monitoring may suffice in low-technology situations, in most high-technology environments automated controls become a necessary part of the IT architecture for ensuring information reliability and integrity. As John Verver suggests in Risk Management and Continuous Monitoring, the technology underpinnings of an effective continuous monitoring strategy should include several key components: independence from the system that processes the data; the ability to compare data and information across multiple platforms; the ability to process large volumes of data; and prompt notification to management of items that represent control exceptions.

View Part I of the Compliance through Automation: Continuous Monitoring series here


October 4, 2010  5:25 PM

Compliance through Automation: Continuous Monitoring – Part IV



Posted by: Robert Davis
Compliance Management, Compliance Verification Systems, Continuous Monitoring, Control System, Data Provisioning, Decision Techniques, Exception Reporting Systems, Expert Systems, Inference Engine, Knowledge Acquisition, Knowledge Engineer, Knowledge-base, Management Information Systems

To enable effective deployment, the three levels of continuous monitoring must operate in concert. The data provisioning level supplies raw data for analysis once the collection process is complete. Collected data can be extracted from processed and formatted output produced by defined processes and/or obtained through direct data access. The extracted data are commonly stored in a data repository and/or retained in their original form. Certain data may also need to be stored at the information management level, including information about the structure of the systems being monitored as well as analytic definitions (such as conditional statements). Analysis of the data is performed with various tools and the output is sent to the information presentation level for evaluation by designated users.
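As an added worked example (not code from the original posts), the following Python script runs one cycle of the three-level architecture described in Parts III and IV over constructed sample extracts, applying the kinds of tests Parts V, VI and VII call for: a segregation-of-functions check that compares a vendor-master change log against a payment register drawn from a second source, an approval-limit check, an off-hours check and a near-threshold check, with every exception routed to a named process owner. The record layouts, thresholds, rule identifiers and owner names are assumptions chosen for illustration.

```python
"""One continuous monitoring cycle: provisioning -> analysis -> presentation."""
from collections import Counter

# ---- Level 1: data provisioning ---------------------------------------------
# Constructed sample extracts (not real data), as if pulled from two different
# source systems: a vendor-master change log and a payment register.
VENDOR_CHANGES = [
    {"id": "V1", "user": "alice", "vendor": "VEND-100", "field": "bank_account"},
    {"id": "V2", "user": "bob", "vendor": "VEND-200", "field": "bank_account"},
    {"id": "V3", "user": "carol", "vendor": "VEND-300", "field": "address"},
]
PAYMENTS = [
    {"id": "P1", "approver": "alice", "vendor": "VEND-100", "amount": 48000.00, "ts": "2010-10-01T09:00:00"},
    {"id": "P2", "approver": "dave", "vendor": "VEND-200", "amount": 12000.00, "ts": "2010-10-01T10:30:00"},
    {"id": "P3", "approver": "dave", "vendor": "VEND-300", "amount": 75000.00, "ts": "2010-10-01T23:15:00"},
    {"id": "P4", "approver": "erin", "vendor": "VEND-300", "amount": 9999.99, "ts": "2010-10-02T03:00:00"},
]

def provision(vendor_changes, payments):
    """Collect the extracts into a repository; copies keep the monitor independent
    of the processing system's own records (Verver's first component)."""
    return {"vendor_changes": [dict(r) for r in vendor_changes],
            "payments": [dict(r) for r in payments]}

# ---- Level 2: information management ------------------------------------------
# Analytic definitions are conditional statements; each yields (rule, record, detail).
# The tolerances below are assumed values for illustration, not from the post.
APPROVAL_LIMIT = 50000.00
SECONDARY_APPROVAL_THRESHOLD = 10000.00
OFF_HOURS = (22, 6)  # approvals between 22:00 and 06:00 are treated as unusual

def rule_segregation(repo):
    """A user who changed a vendor master record must not approve payments to it.
    Compares data across the two source systems."""
    changers = {(c["user"], c["vendor"]) for c in repo["vendor_changes"]}
    for p in repo["payments"]:
        if (p["approver"], p["vendor"]) in changers:
            yield ("SOD-VENDOR-PAY", p["id"], f"{p['approver']} changed {p['vendor']} and approved payment")

def rule_limit(repo):
    for p in repo["payments"]:
        if p["amount"] > APPROVAL_LIMIT:
            yield ("LIMIT-EXCEEDED", p["id"], f"{p['amount']:.2f} > {APPROVAL_LIMIT:.2f}")

def rule_off_hours(repo):
    start, end = OFF_HOURS
    for p in repo["payments"]:
        hour = int(p["ts"][11:13])
        if hour >= start or hour < end:
            yield ("OFF-HOURS-APPROVAL", p["id"], f"approved at {p['ts'][11:16]}")

def rule_near_threshold(repo):
    """Amounts just below a secondary-approval threshold suggest split payments."""
    for p in repo["payments"]:
        if 0.99 * SECONDARY_APPROVAL_THRESHOLD <= p["amount"] < SECONDARY_APPROVAL_THRESHOLD:
            yield ("NEAR-THRESHOLD", p["id"], f"{p['amount']:.2f} just under {SECONDARY_APPROVAL_THRESHOLD:.2f}")

RULES = [rule_segregation, rule_limit, rule_off_hours, rule_near_threshold]

def analyze(repo):
    return [exc for rule in RULES for exc in rule(repo)]

# ---- Level 3: information presentation -------------------------------------------
# Process ownership: every rule has an owner who must respond (assumed role names).
OWNERS = {"SOD-VENDOR-PAY": "accounts-payable-manager", "LIMIT-EXCEEDED": "controller",
          "OFF-HOURS-APPROVAL": "it-security", "NEAR-THRESHOLD": "internal-audit"}

def present(exceptions):
    """Render an exception report grouped by rule and routed to its owner."""
    lines = []
    counts = Counter(rule for rule, _, _ in exceptions)
    for rule in sorted(counts):
        lines.append(f"[{rule}] {counts[rule]} exception(s) -> owner: {OWNERS[rule]}")
        for r, rec, detail in exceptions:
            if r == rule:
                lines.append(f"    {rec}: {detail}")
    return "\n".join(lines)

def run_cycle(vendor_changes=VENDOR_CHANGES, payments=PAYMENTS):
    """Run one monitoring cycle; returns the raw exceptions and the rendered report."""
    exceptions = analyze(provision(vendor_changes, payments))
    return exceptions, present(exceptions)

if __name__ == "__main__":
    print(run_cycle()[1])
```

On the constructed data the cycle reports five exceptions: P1 fails the segregation test (alice changed VEND-100 and approved its payment), P3 exceeds the limit and was approved off hours, and P4 is both off hours and just under the secondary-approval threshold. Each rule is a separate function so that a rule can be added, re-tuned or retired without touching the provisioning or presentation levels.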

View Part I of the Compliance through Automation: Continuous Monitoring series here


September 30, 2010  6:54 PM

Compliance through Automation: Continuous Monitoring – Part III



Posted by: Robert Davis
Compliance Management, Compliance Verification Systems, Continuous Monitoring, Control System, Data Provisioning, Decision Techniques, Exception Reporting Systems, Expert Systems, Inference Engine, Knowledge Acquisition, Knowledge Engineer, Knowledge-base, Management Information Systems

“Monitoring encompasses the tracking of individual processes, so that information on their state can be easily seen, and statistics on the performance of one or more processes can be provided.” Conceptually, continuous monitoring systems generally consist of three levels: data provisioning, information management, and information presentation. Data provisioning is enabled by the collection and storage of specified items in an assigned location. Information management combines IT architecture knowledge, analytic knowledge and the collected data to assess processing. Information presentation then reports the results of the monitored conditions.

View Part I of the Compliance through Automation: Continuous Monitoring series here


September 27, 2010  5:30 PM

Compliance through Automation: Continuous Monitoring – Part II



Posted by: Robert Davis
Compliance Management, Compliance Verification Systems, Continuous Monitoring, Control System, Decision Techniques, Exception Reporting Systems, Expert Systems, Inference Engine, Knowledge Acquisition, Knowledge Engineer, Knowledge-base, Management Information Systems

An entity’s MIS is the aggregation of personnel, computer hardware and software, and associated policies and procedures that allows data processing to generate usable information for decision-making. Pre-specified, routine decisions, which form the policies and procedures an entity typically documents, are designed to free managers from the more mundane aspects of day-to-day operations so that they have time to address non-routine activities and consider improvements to the currently deployed control processes. However, process monitoring is still required to ensure that expected outcomes are achieved for assigned functional responsibilities and that irregular activities are detected on a timely basis.

View Part I of the Compliance through Automation: Continuous Monitoring series here


September 23, 2010  2:10 PM

Compliance through Automation: Continuous Monitoring – Part I



Posted by: Robert Davis
Compliance Management, Compliance Verification Systems, Continuous Monitoring, Control System, Decision Techniques, Exception Reporting Systems, Expert Systems, Inference Engine, Knowledge Acquisition, Knowledge Engineer, Knowledge-base, Management Information Systems

Commonly, a Management Information System (MIS) is deployed to permit performance monitoring that assesses compliance with adopted standards and enables corrective actions and/or process improvements to an entity’s control systems. A generally accepted key to managing the risks inherent in many control systems is the ability to monitor processes independently and continuously, as close to the point of execution as possible. Yet analytic technologies capable of continuous monitoring are typically lacking in MIS deployments. Therefore, a continuous monitoring system implemented alongside the operational configuration items can enhance variance detection as well as improve compliance verification and exception reporting systems.


September 20, 2010  12:21 PM

Compliance through Automation: Expert Systems – Part VIII



Posted by: Robert Davis
Business Analyst, Compliance Management, Control System, Decision Techniques, Expert Systems, Inference Engine, Knowledge Acquisition, Knowledge Engineer, Knowledge-base, Protocol Analysis, System Analyst

From a technical perspective, the typical expert system can be divided into two essential parts: the knowledge base and the inference engine. The knowledge base contains the body of knowledge, or set of facts and relationships, obtained during the knowledge acquisition phase. The rules associated with a knowledge base tend to be heuristic and take the form of conditional statements. The inference engine, by contrast, is a collection of computer routines that control the paths the system takes through the knowledge base to arrive at recommendations. In addition, the inference engine serves as the bridge between the knowledge base and the user.

Methodologically, the knowledge engineer defines the ambit of issues that the proposed system will address. A logic path that is too broad may produce a system that is too difficult to manage and prone to failure; conversely, the knowledge engineer must be careful not to limit an issue too much, because a logic path that is too narrow will produce a system so rudimentary that its results are worthless.
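As an added example (not the author’s code), this Python sketch keeps the two parts described above separate: a knowledge base of heuristic if-then rules and a forward-chaining inference engine that derives a disposition for a control exception and reports the rule path it followed, which is what makes it a bridge to the user. It also enforces the ambit point: facts outside the vocabulary the knowledge engineer defined are rejected rather than silently ignored. The rule contents, fact names and dispositions are assumed for illustration.

```python
"""A minimal expert system: knowledge base plus forward-chaining inference engine."""

# ---- Knowledge base -------------------------------------------------------------
# Heuristic rules as conditional statements: IF every antecedent holds THEN assert
# the consequent. The ambit is deliberately narrow: disposing of one control
# exception. Rule contents are illustrative assumptions, not from the post.
RULES = [
    ("R1", {"amount_over_limit", "approver_changed_vendor"}, "probable_fraud_indicator"),
    ("R2", {"off_hours_approval", "approver_changed_vendor"}, "probable_fraud_indicator"),
    ("R3", {"probable_fraud_indicator"}, "escalate_to_investigations"),
    ("R4", {"amount_over_limit"}, "require_secondary_approval"),
    ("R5", {"require_secondary_approval", "secondary_approval_present"}, "exception_cleared"),
    ("R6", {"exception_cleared"}, "close_without_action"),
]
# Every fact the system knows how to reason about; anything else is out of scope.
VOCABULARY = {f for _, ante, cons in RULES for f in ante | {cons}}

# Dispositions the user can act on, in priority order (assumed).
DISPOSITION_PRIORITY = ["escalate_to_investigations", "close_without_action",
                        "require_secondary_approval"]

class ScopeError(ValueError):
    """Raised when an input fact lies outside the knowledge base's defined ambit."""

# ---- Inference engine -----------------------------------------------------------
def infer(facts):
    """Forward-chain until no rule adds a new fact. Returns the full set of known
    facts and the ordered trace of (rule, antecedents, consequent) that fired."""
    known = set(facts)
    out_of_scope = known - VOCABULARY
    if out_of_scope:
        raise ScopeError(f"facts outside knowledge base scope: {sorted(out_of_scope)}")
    trace, fired = [], set()
    changed = True
    while changed:
        changed = False
        for name, antecedents, consequent in RULES:
            if name in fired or not antecedents <= known:
                continue
            fired.add(name)
            trace.append((name, sorted(antecedents), consequent))
            if consequent not in known:
                known.add(consequent)
                changed = True
    return known, trace

def recommend(facts):
    """Bridge to the user: the highest-priority disposition reached, plus the
    human-readable chain of rules that justifies it."""
    known, trace = infer(facts)
    disposition = next((d for d in DISPOSITION_PRIORITY if d in known), "no_action")
    explanation = [f"{name}: IF {' AND '.join(ante)} THEN {cons}" for name, ante, cons in trace]
    return disposition, explanation

if __name__ == "__main__":
    disposition, why = recommend({"amount_over_limit", "approver_changed_vendor"})
    print(disposition)
    print("\n".join(why))
```

Because the engine knows nothing about the domain, widening or narrowing the ambit is purely a matter of editing the rule list; the trace lets a reviewer see exactly which heuristic produced a recommendation, and an unexpected fact surfaces as an error instead of an unexplained "no_action".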

View Part I of the Compliance through Automation: Expert Systems series here

