IT Governance, Risk, and Compliance » Data Provisioning

Compliance through Automation: Continuous Monitoring – Part VIII

Robert Davis — Mon, 18 Oct 2010 12:48:21 +0000

Since management is responsible for the entity’s controls, they should have the means to determine, on an ongoing basis, whether selected controls are operating as designed. Continuous monitoring typically addresses management’s responsibility to assess the adequacy and effectiveness of controls. It enhances managerial capabilities and entity-level controls, while striving to enable maintaining acceptable performance levels. Furthermore, with the ability to identify and correct control problems on a timely basis, automated continuous monitoring enriches an entity’s compliance program. Nonetheless, the key to a successful deployment of automated continuous monitoring is process ownership by personnel assigned responsibility for responding to reported exception conditions.

“View Part I of the Compliance through Automation: Continuous Monitoring series here“

Compliance through Automation: Continuous Monitoring – Part VII

Robert Davis — Thu, 14 Oct 2010 15:21:57 +0000

Continuous monitoring allows management to have greater insight into the entity’s current state of compliance. Typically, for IT, continuous monitoring involves ongoing automated testing of selected datum within a given process area against a suite of control protocols. Management can utilize this information to set or reset process guidelines, rules and tests; through applied analytics identifying performance gaps or unusual events that may suggest control failures. This type of continuous monitoring can exist in IT hardware, firmware or software enabled to observe and record automated activities. Therefore, automated continuous monitoring provides a timely feedback mechanism for management to ensure that configuration items and controls are operating as designed and datum are processed appropriately.

“View Part I of the Compliance through Automation: Continuous Monitoring series here“

Compliance through Automation: Continuous Monitoring – Part VI

Robert Davis — Mon, 11 Oct 2010 18:02:25 +0000

To ensure effective continuous monitoring, adequate segregation-of-functions must be sustained. Continuous monitoring and segregation-of-functions are not new control concepts. Yet, technological integration issues can be a barrier to implementing continuous monitoring systems that are: independent of operational processes and capable of easy configuration for specific risk tolerance requirements. Procedurally, achieving appropriate functional independence in an automated system necessitates defining IT and operational user work units considering control context. As a result, when properly deployed, segregation-of-functions assures organizational responsibilities do not impinge upon independence or corrupt information system asset integrity while tracking and collecting datum regarding individual processes.

“View Part I of the Compliance through Automation: Continuous Monitoring series here“

Compliance through Automation: Continuous Monitoring – Part V

Robert Davis — Thu, 07 Oct 2010 12:28:17 +0000

According to The Institute of Internal Auditors, “Continuous monitoring of controls is a process that management puts in place to ensure that its policies and procedures are adhered to, and that business processes are operating effectively.” Though manual performance monitoring may suffice in low technology situations, in most high technology environments automated controls become a necessary part of the IT architecture for ensuring information reliability and integrity. As suggested by John Verver in Risk Management and Continuous Monitoring, the technology underpinnings to enable an effective continuous monitoring strategy should include several key components: independence from the system that processes the datum; the ability to compare data and information across multiple platforms; the ability to process large volumes of datum; and prompt notification to management of items that represent control exceptions.

“View Part I of the Compliance through Automation: Continuous Monitoring series here“

Compliance through Automation: Continuous Monitoring – Part IV

Robert Davis — Mon, 04 Oct 2010 17:25:45 +0000

To enable effective deployment, the three levels of continuous monitoring must operate harmoniously. The data provisioning level supplies raw datum for analysis after completing the collection process. This collected data can be extracted from processed and formatted output that is produced by defined processes and/or through direct data access. The extracted datum is commonly stored in a data repository and/or retained in original form. Certain datum may also need to be stored at the information management level. This includes information about the structure of systems being monitored as well as analytic definitions (such as conditional statements). Analysis of the data is performed utilizing various tools and the output is sent to the presentation medium level for evaluation by designated users.

“View Part I of the Compliance through Automation: Continuous Monitoring series here“

Compliance through Automation: Continuous Monitoring – Part III

Robert Davis — Thu, 30 Sep 2010 18:54:38 +0000

“Monitoring encompasses the tracking of individual processes, so that information on their state can be easily seen, and statistics on the performance of one or more processes can be provided.” Conceptually, continuous monitoring systems generally consist of three levels: data provisioning, information management, and information presentation. Data provisioning is enabled by the collection and storage of specified items in an assigned location. Information management utilizes the combination of IT architecture knowledge, analytic knowledge, as well as collected data to assess processing. Whereby, information presentation provides results from monitored conditions.

“View Part I of the Compliance through Automation: Continuous Monitoring series here“