| 2.8.11 Compliance Control | |
---|---
2.8.11. Compliance Control: | An application service consists of one or more operational application services and one or more demonstration application services. Ad hoc changes may be applied to any demonstration application service, but a compliant change control system is mandated by regulation for every operational application service. |
2. Ownership: | Data ownership is simple: each person who authors CRM data is the owner of that CRM data, and the Owner owns all data. In this context, data includes the business document templates, which are owned by the Owner; no programming is involved. |
3. Change Control: | Ad hoc changes may be applied to any demonstration application service because those changes have no financial implications for any party. | FSA-approved change control is mandated for every change applied to an operational application service, because any such change could be fraudulent and could have financial implications for one or more parties. |
Owner Data: | Where a person working for the Owner wishes to change CRM data that they own, and that data is not frozen, the person is provided with online, real-time facilities to make the change, and a read-only history of every field value change is kept. This read-only history of changes is an adequate change control service that is compliant with FSA regulation. |
What we do: | Where the Owner (or an agent acting for and on behalf of the Owner) wishes the ASP to apply a change to the scheme data or documents, the formal Information Technology Infrastructure Library (ITIL) change control system is employed. The Compliance Officer has dictated the following formal procedure, which shall be followed whenever any operational data is to be changed. |
1. Improvement Request: | An appointed officer of the Owner shall specify what improvement is required to the data or document in the form of an Improvement Request. The Improvement Request is an online form that acts as a permanent record of the Owner's instruction. It is sent by the person appointed by the Owner to the Change Manager, and it is returned to that person when the change is completed. |
2. Change Manager: | ITIL 3.1 defines the scope of work that must be undertaken by the Change Manager. The Improvement Request will be approved for implementation with due consideration for other changes and activities that may be underway or scheduled. The Improvement Request is communicated by the Change Manager to the Planning and Support Project Manager. |
3. Planning and Support Project Manager: | ITIL 3.2 defines the scope of work that must be undertaken by the Planning and Support Project Manager. The Improvement Request is planned and coordinated with suitable resources to deploy the new data release, and a budget and time schedule are assigned to it. The Improvement Request is communicated by the Project Manager to the Customization Manager. |
4. Development and Customization Manager: | ITIL 3.3 defines the scope of work that must be undertaken by the Application Development and Customization Manager. The data is exported from the secure operational application service via an archive and imported into a suitable demonstration application service where Information engineers can be granted rights to make suitable changes. Engineers make whatever changes are needed by way of customization of data and associated business document templates - all changes are validated using applicable testing techniques and methods. Where applicable, interested parties may be able to view the pending data changes fully working in a demonstration application service. The Improvement Request is communicated by the Customization Manager to the Release and Deployment Manager. |
5. Release and Deployment Manager: | ITIL 3.4 defines the scope of work that must be undertaken by the Release and Deployment Manager. The data is exported from the demonstration application service into an archive and then imported to the secure operational application service. The Improvement Request is communicated by the Deployment Manager to the Service Validation and Test Manager. |
6. Service Validation and Test Manager: | ITIL 3.5 defines the scope of work that must be undertaken by the Service Validation and Test Manager. The data is validated as a released package that matches user expectations and the Owner's instructions. An important aspect of validation is to ensure that unauthorized extra changes have not been applied. The Improvement Request is communicated by the Validation Manager to the Service Asset and Configuration Manager. |
7. Service Asset and Configuration Manager: | ITIL 3.6 defines the scope of work that must be undertaken by the Service Asset and Configuration Manager. The Improvement Request is indexed and documentation communicated to the Capacity Manager, Knowledge Manager and other Managers who may be impacted by the change. The Improvement Request is communicated by the Configuration Manager to the Change Manager. |
Compliance Manager: | ITIL 2.8 defines the scope of work that must be undertaken by the Compliance Manager. ITIL defines the method of working for each procedure and how work is coordinated with the other Managers. Coordination with the ITIL 2.4 Capacity Manager, ITIL 2.7 Information Security Manager and ITIL 2.1 Catalogue Manager is required. | Principles: | 1. ITIL change control of operational scheme data demands that the Owner specifies and authorizes each and every scheme data change. | 2. ITIL secure operations ensure that scheme data cannot be accidentally or fraudulently changed. | 3. Regulation requires that the manager who approves the change must not be the person who implements the change. | 4. Regulation requires that the manager who validates that the change has been completed must not be the person who implemented the change. | 5. Techniques must be employed to ensure that additional changes that were not authorized have not been implemented. |
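The validation step (6) and principles 3, 4 and 5 above amount to a mechanical check: diff the pre-change and post-change exports, compare the result with the field changes the Owner authorised on the Improvement Request, and confirm that approver, implementer and validator are three different people. The following is an added example written for this page, not the ASP's own tooling; the snapshot layout (record key to field/value dict), the role fields on the request and the sample customer records are all assumptions.

```python
"""Release validation against an Improvement Request (added example, not ASP code)."""
from dataclasses import dataclass

# Scheme data snapshot: record key -> {field name: value}.  Constructed sample
# data standing in for the archives exported before and after customization.
BEFORE = {
    "CUST-001": {"name": "Acme Ltd", "credit_limit": 5000, "status": "active"},
    "CUST-002": {"name": "Bolt plc", "credit_limit": 2000, "status": "active"},
}
AFTER = {
    "CUST-001": {"name": "Acme Ltd", "credit_limit": 7500, "status": "active"},
    # Extra change nobody authorised: CUST-002's credit limit was raised too.
    "CUST-002": {"name": "Bolt plc", "credit_limit": 9000, "status": "active"},
}


@dataclass
class ImprovementRequest:
    request_id: str
    approved: set            # {(record, field, old, new)} authorised by the Owner
    requester: str           # appointed officer of the Owner (assumed field)
    change_manager: str      # approves the request (ITIL 3.1)
    implementer: str         # Development and Customization Manager (ITIL 3.3)
    validator: str           # Service Validation and Test Manager (ITIL 3.5)


def diff_snapshots(before, after):
    """Every field-level change between two exports, including added/removed records."""
    changes = set()
    for key in before.keys() | after.keys():
        old, new = before.get(key, {}), after.get(key, {})
        for name in old.keys() | new.keys():
            if old.get(name) != new.get(name):
                changes.add((key, name, old.get(name), new.get(name)))
    return changes


def validate_release(req, before, after):
    """Return a list of findings; an empty list means the release may be deployed."""
    findings = []
    actual = diff_snapshots(before, after)
    # Principle 5: nothing beyond what the Owner authorised may reach operations.
    for change in sorted(actual - req.approved, key=str):
        findings.append(f"unauthorised change: {change}")
    # Principle 1: every authorised change must be present, or the release
    # does not match the Owner's instruction.
    for change in sorted(req.approved - actual, key=str):
        findings.append(f"approved change missing: {change}")
    # Principles 3 and 4: approver, implementer and validator are different people.
    if req.change_manager == req.implementer:
        findings.append("separation of duties: approver is also the implementer")
    if req.validator == req.implementer:
        findings.append("separation of duties: validator is also the implementer")
    return findings


# Constructed sample request: only CUST-001's credit limit was authorised.
SAMPLE_REQUEST = ImprovementRequest(
    request_id="IR-0001",
    approved={("CUST-001", "credit_limit", 5000, 7500)},
    requester="owner.officer",
    change_manager="change.manager",
    implementer="data.engineer",
    validator="test.manager",
)

if __name__ == "__main__":
    for finding in validate_release(SAMPLE_REQUEST, BEFORE, AFTER):
        print(finding)
```

Run against the sample data the check rejects the release with a single finding, the unauthorised CUST-002 change; the same function also flags a request on which one person holds two of the three roles.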
Change Control System: | ITIL has been accepted as the standard and best practice for operating the Information Technology Infrastructure that provides application services. The ASP has implemented ITIL with more than 30 job roles that ensure best practice is delivered for all customers. | Every operational data change is stored as an archive so that an audit trail can be used as evidence in any audit. Operational data releases are validated before delivery, but must also be verified by the data owner (the Owner or an agent of the Owner). |
Summary: | Operational Owner scheme data and associated business document templates are subject to compliant change control procedures implemented by the Owner (or an agent acting for and on behalf of the Owner). The ASP may be given an Improvement Request by the Owner for a change to be applied to the Owner's scheme data using the documented ITIL change control procedure. | Information security procedures ensure that the ASP does not have rights to make changes to operational data; however, the ASP may be requested by data owners to make changes on their behalf. The ASP shall only implement a change to an application service where that change is requested by the owner. Continual improvements to application services are included for the owner and are subject to the normal deployment and release control procedures. | An application service improvement is not the same as a change to operational data. |
Compliant: | Compliant means that the threat of fraud has been designed out of all application services, so that, by design, all application services can be trusted by all parties. Trust is created by all parties becoming aware that fraud is not possible no matter what people do. | By definition, we do not know of any way for a fraud to take place; but if you can identify a weakness in the application service or data design, please raise it as an application support request before our compliance penetration consultants discover the weakness. |
Threat Analysis: | Years of in-depth analysis by security auditors has identified that 90% of all fraud is caused by in-house staff who discover ways to hide their criminal actions. The role of compliance is to remove all opportunity for staff to become criminals and to remove any possibility that a fraudulent action could remain undiscovered. | The job of the Compliance Officer is to root out any application service that may be defective and have it corrected so that it could never be used for fraudulent purposes. Internal penetration tests exercise all paths and services to verify that, no matter what a user does, they cannot change what has been approved or change what has been billed. At least four times each year, compliance testing is undertaken using every user role to discover whether a user could emulate what should be done by a different user role, or whether a change could be made that is undetectable by others. |
Legal Obligations: | SIS data flows across national boundaries, so it must be designed to military compliance and security specifications. Inter-governmental legal audits could be involved, so each and every European Directive must be fully implemented, together with each country's local data protection laws. The Cloud Security Alliance (CSA) report can be viewed via a link from the application support page; it places the Application Services in the top 5% of secure application services. |
Cloud Security Alliance: | SIS begins with an extensive set of sign-in security layers that meet and exceed all documented business requirements. What is certain is that any criminal behaviour will be detected and the criminal will be blacklisted. The dual interlocking audit trails of "What Did I Do" and "History" mean that each and every field value change can be tied to a specific person at a specific date and time, and any change can be reversed. Financial transactions carry an extra layer of security: not a single change can be made to them, and if a criminal did find a way to alter a transaction it would quickly be detected, because large sets of transactions in different locations must balance. What was known as double-entry bookkeeping has evolved into multiple-entry bookkeeping, with a unique account for each party and management information that must strike a balance across all accounts. |
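The two controls described above, an append-only field history that names who changed what and when (and is reversed by posting a compensating change, never by editing the log) and a cross-account balance that exposes a transaction altered outside the normal posting path, can be shown in a few dozen lines. This is an added example for this page, not SIS code; the store layout, the account naming and the sample postings are constructed, and the assumption that each transaction is posted once to every party's account so that the amounts net to zero is my reading of "multiple entry bookkeeping", not a documented SIS rule.

```python
"""Field-change audit trail and cross-account balance check (added example, not SIS code)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class HistoryEntry:
    when: datetime
    who: str
    record: str
    field: str
    old: object
    new: object


class AuditedStore:
    """Records are plain dicts; every value change goes through set_field and is logged."""

    def __init__(self):
        self.records = {}
        self.history = []  # append-only: entries are never edited or deleted

    def set_field(self, who, record, field, new, when=None):
        when = when or datetime.now(timezone.utc)
        old = self.records.setdefault(record, {}).get(field)
        self.history.append(HistoryEntry(when, who, record, field, old, new))
        self.records[record][field] = new

    def what_did_i_do(self, who):
        """The 'What Did I Do' view: every change a given person made, in order."""
        return [e for e in self.history if e.who == who]

    def reverse(self, who, entry):
        """Undo one change by posting the old value back; the original entry stays."""
        self.set_field(who, entry.record, entry.field, entry.old)


def ledger_imbalances(postings):
    """Each transaction is posted to every party's account and must net to zero.

    postings: list of (txn_id, account, amount).  Returns {txn_id: net amount}
    for every transaction whose postings no longer balance.
    """
    totals = {}
    for txn, _account, amount in postings:
        totals[txn] = totals.get(txn, 0) + amount
    return {txn: net for txn, net in totals.items() if net != 0}


# Constructed sample: T1 is an invoice split between a supplier and the scheme's
# own fee account; T2 is a plain customer-to-supplier payment.
POSTINGS = [
    ("T1", "customer:CUST-001", -120), ("T1", "supplier:SUP-009", 100), ("T1", "scheme:fees", 20),
    ("T2", "customer:CUST-002", -50), ("T2", "supplier:SUP-009", 50),
]


def tampered(postings, txn, account, new_amount):
    """Simulate an insider editing one party's copy of a transaction directly."""
    return [(t, a, new_amount if (t, a) == (txn, account) else amt) for t, a, amt in postings]


if __name__ == "__main__":
    store = AuditedStore()
    store.set_field("alice", "CUST-001", "credit_limit", 5000)
    store.set_field("alice", "CUST-001", "credit_limit", 7500)
    store.reverse("bob", store.what_did_i_do("alice")[-1])
    for entry in store.history:
        print(entry)
    print("balanced:", ledger_imbalances(POSTINGS))
    print("after tampering:", ledger_imbalances(tampered(POSTINGS, "T1", "supplier:SUP-009", 130)))
```

With the sample data the untouched ledger reports no imbalance, while raising the supplier's copy of T1 from 100 to 130 leaves T1 out of balance by exactly the amount stolen; the history keeps all three entries for the reversed credit-limit change, so the reversal itself is attributed to the person who performed it.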
Compliant Services: | Compliance means conformity with ITIL, ISO and PCI-DSS standards, regulations and best practice. Compliance is provided against several different security frameworks, and because each security standard overlaps with others, the application services potentially conform with most of the security standards and frameworks in use. | The ASP organizational structure follows Information Technology Infrastructure Library (ITIL) standards, so job titles, job descriptions and procedures can be validated with a search of the Internet. Compliance is implemented with the ISO/IEC 27000-series Information Security Management standards because they fit with ITIL and are truly international in scope. The Payment Card Industry Data Security Standard (PCI-DSS) is the regulatory framework used for audit purposes and provides best-practice guidance on how secure standards should be implemented. |
Continual Testing: | Criminals attack our application services many hundreds of times each day, so in effect external penetration testing and Distributed Denial of Service (DDoS) testing is carried out each and every day. More formal internal and external penetration tests are carried out as regular audits with published findings. By definition, if any defect were uncovered it would instantly become the top-priority task, with all resources dedicated to a rapid resolution. |
Security as a Service: | As a positive benefit to customers, the ASP is in a position to provide the very best of the secure dedicated infrastructures that are needed now and will be needed in the future. Where a company has a public face that makes it a likely target of criminal or terrorist attacks, the ASP is in a position to provide a safe and secure application service designed to withstand such attacks. While it would not be reasonable to disclose which companies could be seen as targets, it is clear that some companies need to spend a little more on security to ensure that attacks do not disrupt the business. | A USA or UK company with a trading office in some countries of the world may be seen by terrorists as a potential target. A company operating anywhere in the world with valuable data may be seen by criminals as a potential target. The ASP is able to provide secure application services to such companies, using dedicated servers in very secure data centers, to an extent that exceeds what the company could be expected to provide by its own means. |