Responsibility:
The Systems Assurance function is responsible for the following functions:
I. Systems Development Reviews
Conducts systems assurance phase reviews of MIS development projects to assure ADHERENCE TO established MIS policies, procedures, standards, and operating guidelines.
Systems Assurance reviews examining the adherence to established procedures and standards relative to specific projects will be conducted on a scheduled basis.
Selection of which systems will undergo an evaluation process will be primarily based on the significance of the application to business objectives, operations, or strategic plans.
Selecting from the annual planned objectives of each group within MIS, Systems Assurance reviews objectives with the appropriate MIS development group's management and confirms the systems assurance schedule. On a quarterly basis, the schedule is reviewed with MIS management and updated.
In conducting systems development reviews, a phased approach will be followed. A review will be conducted at the completion of each of the following phases: (See Sequence of Events)
Systems Design Alternatives (SDA)
Systems External Specifications (SES)
Systems Internal Specifications (SIS)
Implementation Phase (IMPL)
Post Implementation (PIR)
Each review will, when applicable, evaluate the following criteria:
design meets business/project/economic objective
conformance to standards/guidelines
clarity of material
operating efficiency
adequacy of controls/security considerations
presence of restart and recovery considerations
file/data retentions
conversion procedures
test procedures
The Systems Assurance staff will have reasonable access to all the information, records, and personnel of the project or activities under review. Certain sensitive information may require user approval for access during the review process. Systems will determine the need for user approval prior to the start of the review.
Formal reports, regarding accuracy of the findings and the achievability of recommendations, will be agreed to by both Systems Assurance and the MIS area involved. (See Sequence of Events)
Systems Assurance will follow up to ensure that all recommendations have a planned implementation date and are completed.
II. Standards Review
Systems Assurance develops and maintains program/plans for conducting systems assurance reviews to assure the ADEQUACY OF MIS policies, procedures, standards, and operating guidelines.
All MIS policies, procedures, standards, and operating guidelines in effect will be utilized by Systems Assurance as the base from which to conduct their reviews.
As well as using this information as a base, there is an inherent responsibility by Systems Assurance to recognize and report the need for change. Recommendations will be provided to the appropriate MIS group's management for approval and implementation. The MIS groups are as follows:
Data Processing Services
Systems
Office Information Services
Planning & MIS Services
Policies, procedures, standards, and operating guidelines maintained and utilized by these groups are subject to review and recommendations provided by Systems Assurance.
III. Coordination-Audit
Upon notification by Internal Audit of EDP-related audit reports and findings relative to MIS, the Systems Assurance function will review the recommendations as they relate to MIS policies, standards, and guidelines.
When applicable, Systems Assurance will review proposed changes/improvements to policies and standards with MIS management. A final report will be issued and the changes/improvements will be implemented by the responsible MIS area.
IV. Management Review
Annually, key operational systems will be selected by Systems Assurance for review to determine adherence to standards, procedures, and operating guidelines.
One measure of selection would be based on the volume and frequency of incidents requiring corrective action. Also, Data Center or Systems management can request a review based on their perspective of the system's condition.
Included in these operational reviews will be the examination of contingency planning and file/data retention to guarantee adequate backup provisions.
Strategic planning responsibilities within MIS will necessitate inventory-type operational reviews to gain an insight into the current systems environment. Where technology or standardization calls for it, upgrades to hardware and/or software will be recommended to bring them in line with future planning.
Acting in an MIS consultative capacity, Systems Assurance will perform selective reviews to evaluate the MIS procedures, standards, and guidelines being followed.
V. Security Standards
Systems Assurance will interface with Data Services Security, Corporate Safety, and Corporate Security through periodic meetings to share in the establishment of uniform MIS safety and security standards and guidelines.
In response to MIS management requests, review of computer centers and/or systems development departments will be performed. The review will cover existing safety and security operational and maintenance elements within the facility. Recommendations will be made to enhance protection and control through new or revised procedures or additional physical protection devices.