DA TP 1: Software Development and Acquisition


IT Deusto: II Master's in Good Governance of ICT. ICT Development and Acquisition: Practical Assignment DA_TP 1
Professor: Ricardo Bria Menéndez. 26/12/2008

Title: Evaluation of a Service Provider. Code: DA-TP 1

Type: Group

Objective:

- Evaluate the audit approach and the Control Objectives defined for the project
- Evaluate the scope and nature of the IS Control Assessment performed
- Establish the strengths and weaknesses of the project
- Develop improvement recommendations, based on the narrative of the Control Assessment

Project Background:

Globus Inc. manages assets and capital investment projects worth US$ 13 bn, and has decided to acquire investment project control software developed by SolDev Group, together with hosting services for that application provided by the company RedPlaid.

The product, SD2K, is (partially) operational and currently manages 12 projects in parallel-run / trial mode.

SD2K is "a project management data warehousing software solution that allows project managers to manage accumulated costs for projects. The accumulated costs include costs from equipment, internal labor, contractor labor, project overhead, and expense reporting. The software has been purchased from SDG to help Globus manage costs on the pipeline system expansion projects that are currently underway."

As the project data tracking requirements have grown in Globus, SDG was identified as the technology solution to capture, consolidate, analyze and report on major project data in this area. The system enables tracking to a level of granularity or currency that supports project managers in day to day PM decisions.

The system enables collecting detailed incurred costs from the field. At the same time, projected disbursement data is collected from Globus' Oracle Financials application. Comparison between projected and incurred costs provides daily visibility to project metrics and enhances project management decisions.

Our Firm was engaged by Globus' Major Projects group to assist in reviewing the controls of the SDG environment.


Project objectives

The overall objective of this project is to assess the SDG application environment with regard to controls governing security, availability, data integrity and customer service management. Criteria were developed for each of these control areas and used as the basis of the review.

Reference information

1. BACKGROUND INFORMATION: GLOBUS Inc.
2. BACKGROUND INFORMATION: Solutions Development Group (SolDev Group)
3. IS CONTROL ASSESSMENT: SolDev GROUP (SDG)

Presentation: Oral

Deadline: TBD


1. BACKGROUND INFORMATION: GLOBUS Inc.

Corporate Overview

Globus Inc. is a leader in energy transportation and distribution in North America and internationally.

An Overview

Globus operates, in Canada and the U.S., the world's longest crude oil and liquids pipeline system. The company owns and operates Globus Pipelines Inc. and a variety of affiliated pipelines in Canada, and has an approximate 27% interest in Globus Energy Partners, L.P. which owns the Pumpkinhead System in the U.S. These pipeline systems have operated for over 55 years and now comprise approximately 13 500 kilometres (8,500 miles) of pipeline, delivering more than 2 million barrels per day of crude oil and liquids. Globus is also the sponsor and manager of the Globus Income Fund.

Globus is also involved in liquids marketing and international energy projects and has a growing involvement in the natural gas transmission and midstream businesses, through the Ally and Vostead pipelines and various U.S. assets that transport, gather, process and market natural gas and other petroleum products.

As a distributor of energy, Globus owns and operates Canada's largest natural gas distribution company, Globus Gas Distribution, which provides gas to industrial, commercial and residential customers in Ontario, Quebec and New York State. Globus distributes gas to 1.9 million customers and is developing a gas distribution network in New Brunswick.

The company employs more than 5,700 people, primarily in Canada, the U.S. and South America. Globus Inc. common shares trade on the Toronto Stock Exchange in Canada and on the New York Stock Exchange in the U.S. under the symbol "GLB".

2. BACKGROUND INFORMATION: Solutions Development Group (SolDev Group)

While The SolDev Group, Inc. is a Washington state registered company that started in Bellingham, Washington, the development team collaborates on the internet and is physically dispersed.


The SolDev Group has contracted with a Managed Hosting company called RedPlaid to handle all of our server and networking needs. I have attached a document that details the services that The SolDev Group currently obtains from RedPlaid. The SolDev Group does not own our own IP addresses; these are obtained from RedPlaid as needed.

The SolDev Group develops software solutions using database (SQL Anywhere) software on the back end to store the data. The front end, or user interface to the data, is a Windows application (written in C++) and web applications written in VBScript, JavaScript and some C#.

The process followed by The SolDev Group (SDG) in delivering software and services is similar to that of other companies and is as follows:

- The customer licenses the software.
- SDG prepares servers for the customer's solution: one server for production, testing and training, and one server as a backup.
- SDG supplies SolDev Associates and embedded customer support analysts as requested, to help the customer acquire knowledge, abilities and skills in SolDev 2k techniques.
- The development of SolDev solutions is a process that proceeds independently of the needs of a particular customer, in much the same way as the development of many software solutions.
- SolDev 2k's architecture permits us to manage each customer's unique business rules in a manner consistent with each customer's needs. The process of identifying and implementing these business rules is accomplished more efficiently by the use of SolDev Associates and embedded SolDev Analysts.

Our Mission

We wish to be recognized as a provider of client-empowering, data management solutions. It's your data. How do you want to manage it? We want to help you and your team to feel that this is your solution and you are in charge of it - no fear, no uncertainty, no doubt.

Company Profile

The SolDev Group, Inc. are a group of technical and business experts that develop and support data management solutions for clients in various industries.


The SolDev Group partners with Sybase and Microsoft. We also support organizations such as the Project Management Institute (PMI), the National Petrochemical and Refiners Association (NPRA) and the Association for the Advancement of Cost Engineering (AACE).

Our combined expertise and training in engineering, project management and computer science have melded together to provide a useful software engineering design philosophy that is focused on developing innovative ways to use available tools and tool-sets such as database technology, scheduling tools, the web, hand-held computing, etc.

Products

SolDev 2000 (SD2k) is the name of a suite of products that provide wide-ranging improvements to data management solutions in the area of work management. A hallmark of these solutions is the level to which they empower our customers to implement their best practices and business processes in the system.

Some of the business areas that we address include:

SolDev 2000/TM - for managing Turnarounds, Shutdowns and Outages

Manage all aspects of your turnaround including logistics, scope management, planning, materials management, resource management, scheduling and execution.

SolDev 2003/RM

Manage your routine maintenance backlog of work orders and the people, equipment and materials needed to complete this work.

SolDev 2003/PD

Manage all data that should be widely available to multiple departments and maintained by multiple departments. Remove the data redundancy that results from the use of ad hoc spreadsheets, databases, documents, etc. Provide a consistent interface for all of your team members, while maintaining control of your data.

SolDev 2003/IS

Plants are serviced by Industrial Services contractors. If you work with an Industrial Services Contractor, you know that you spend a lot of your effort in meeting specific requirements of each of your customers. SD2003/IS's business rule-driven system provides you with the tools to tailor your reports and data access to each of your clients' needs while maintaining a consistent system in-house.


3. IS CONTROL ASSESSMENT: SolDev GROUP (SDG)

Control Objective / Controls Description / Comments (each numbered Control Objective below is followed by the Controls Description / Comments recorded for it)

I. Information Security (Logical and Physical)

For each Control Objective, describe, at a high level, the controls in existence that could apply to it.

1. Information security is managed to guide consistent implementation of security practices and to ensure that users are aware of the organization's position with regard to information security, as it pertains to financial reporting data.

A formalized Security Policy to define, document and provide standardized guidelines for Information Security does not exist. The only security practice referenced by John Doe and Joyce Temple (SDG's top management) is that all newly hired employees are required to sign a Non-disclosure Agreement (NDA).

The NDA (see: NDA - consulting Agreement in PBC folder) has two articles: Confidentiality and Ownership of Deliverables. In the first one, Confidential Information is defined and non-disclosure and protection of such information is required. In the Ownership of Deliverables article, Intellectual Property and Company Work Product are defined and the rights of the Company are made explicit.

2. Logical and physical access to IT computing resources is appropriately restricted by the implementation of identification, authentication and authorization mechanisms to reduce the risk of unauthorized / inappropriate access to the organization's relevant financial reporting applications or data.

Logical access

As per conversations with John Doe and Paul Jones, logical access to computer resources is restricted by appropriate identification (unique User IDs), authentication (individual passwords) and authorization mechanisms. Logical security is administered by two people: John Doe and Joe Cook.

As related by John, there are basically two categories of employees, Developers and Support, and the general approach is that Developers have access to code while Support personnel do not.

Further written information provided by John revealed one exception to this rule: Paul Jones, listed initially both as an Associate and a Project Manager, has current access to Globus's database.

We interviewed Paul Jones, who related that aside from being the Project Manager for the Globus implementation project, he also performs (non-technical) development functions.

Although we had no access to a written policy, according to John Doe the password policy in effect calls for the following:

- the system does not remember previous passwords,
- the user is not required to give a different password upon password change,
- passwords expire after 90 days,
- passwords must be at least 8 characters in length,
- passwords are not stored internally,
- password complexity is enforced,
- if 5 invalid login attempts are made within 3 minutes, the login is disabled for 3 minutes.
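The lockout and complexity rules above can be expressed as a checkable policy. The following Python is an added example written for this page, not code from SDG or RedPlaid: it encodes the stated parameters (8 characters, complexity, 90-day expiry, 5 failures within 3 minutes disabling the login for 3 minutes), replays a constructed authentication log through the lockout rule, and adds a password-history check that the described policy does not enforce, which is the gap a reviewer would raise against the first two bullets. The function names, the log format, the three-character-class reading of "complexity" and the `HISTORY_DEPTH` value are assumptions.

```python
"""Password-policy and lockout checks modelled on the policy described above.
Added example for this page, not SDG's or RedPlaid's code. Parameters mirror the
stated policy; the history check is NOT part of that policy and is included to
show the gap. HISTORY_DEPTH, the log format and the complexity rule are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import re

MIN_LENGTH = 8
MAX_AGE = timedelta(days=90)
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=3)
LOCKOUT_DURATION = timedelta(minutes=3)
HISTORY_DEPTH = 5  # assumed; the described policy keeps no history at all


def complexity_violations(password: str) -> list:
    """Return the rules a candidate password breaks (empty list = compliant).
    The assessment only says complexity is 'enforced'; requiring three of the
    four character classes is an assumed interpretation of that rule."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("fewer than three character classes")
    return problems


def fingerprint(password: str) -> str:
    """Hash kept only for history comparison (the policy says passwords are not stored)."""
    return hashlib.sha256(b"history-salt:" + password.encode()).hexdigest()


def reused_from_history(password: str, history: list) -> bool:
    """True when the new password matches one of the last HISTORY_DEPTH fingerprints."""
    return fingerprint(password) in history[-HISTORY_DEPTH:]


def expired(last_changed: datetime, now: datetime) -> bool:
    """A password older than MAX_AGE must be changed."""
    return now - last_changed > MAX_AGE


@dataclass
class LockoutTracker:
    """Sliding window: LOCKOUT_THRESHOLD failures within LOCKOUT_WINDOW lock the login."""
    failures: dict = field(default_factory=dict)      # user -> recent failure times
    locked_until: dict = field(default_factory=dict)  # user -> lock expiry

    def is_locked(self, user: str, now: datetime) -> bool:
        return now < self.locked_until.get(user, now)

    def record_failure(self, user: str, now: datetime) -> bool:
        """Register a failed login; return True if this failure triggers a lockout."""
        recent = [t for t in self.failures.get(user, []) if now - t <= LOCKOUT_WINDOW]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= LOCKOUT_THRESHOLD:
            self.locked_until[user] = now + LOCKOUT_DURATION
            self.failures[user] = []
            return True
        return False


# Constructed authentication log (not from the assessment): "timestamp RESULT user",
# where RESULT says whether the supplied credential itself was correct.
SAMPLE_LOG = """\
2008-12-26T10:00:00 FAIL alice
2008-12-26T10:00:00 FAIL bob
2008-12-26T10:00:30 FAIL alice
2008-12-26T10:01:00 FAIL alice
2008-12-26T10:01:30 FAIL alice
2008-12-26T10:02:00 FAIL alice
2008-12-26T10:02:00 FAIL bob
2008-12-26T10:03:00 OK alice
2008-12-26T10:04:00 FAIL bob
2008-12-26T10:05:30 OK alice
2008-12-26T10:06:00 FAIL bob
"""


def replay(log_text: str) -> dict:
    """Replay a log through the lockout rule; report lockouts, refused and accepted logins."""
    tracker = LockoutTracker()
    result = {"lockouts": [], "refused": [], "accepted": []}
    for line in log_text.splitlines():
        stamp, outcome, user = line.split()
        when = datetime.fromisoformat(stamp)
        if tracker.is_locked(user, when):
            result["refused"].append((user, stamp))  # refused even with a correct credential
        elif outcome == "FAIL":
            if tracker.record_failure(user, when):
                result["lockouts"].append((user, stamp))
        else:
            result["accepted"].append((user, stamp))
    return result
```

Replaying the constructed log shows the sliding window at work: alice's five failures within two minutes trigger the lockout at 10:02:00, her attempt with a correct credential at 10:03:00 is refused while the lock is active, her attempt at 10:05:30 goes through once it has expired, and bob's failures spaced two minutes apart never accumulate five inside any three-minute window.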

Physical access

All SDG resources (servers, communications and additional equipment) used to provide the SD2K application service to Globus are physically located at REDPLAID's data center in Saint Louis, Missouri.

REDPLAID, a division of Connectria Corporation and responsible for the physical security of the mentioned resources, is located in a highly secured area and has an on-site Network Operations Center monitored 24/7.

Through information gathered (see: REDPLAID Security and Support Overview for the SolDev Group 8-1-08 in PBC folder) and interviews with Peter Clumsy and Johnny Piannon from REDPLAID, we identified, among others, the following implemented physical security measures: electronic security codes to access the building and elevators, additional biometric and access cards to enter the Data Center, closed circuit digital cameras and the prohibition of unescorted visitors at any time.

3. Procedures have been established so that user accounts are added, modified and deleted in a timely manner to reduce the risk of unauthorized / inappropriate access to the organization's relevant financial reporting applications or data.

As per John Doe, the process to assign / revoke user IDs for new hires, changes and terminated employees is not formalized.

Only John Doe and Joyce Temple (SDG Top Management) have the authority and responsibility for authorizing the assignment, modification and revocation of user IDs and access rights for all employees.

The SDG Organizational Chart provided by Joyce (see: SolDevOrg in PBC folder) shows that the company has only 20 employees (including John and Joyce), distributed in the following areas: Development (Client and Server): 7; Technical Testing: 2; Associates: 4; Project Managers: 2; Data Analysts: 3; and Administration: 2.

Given SDG's two-tier organizational structure, the different areas' assigned responsibilities and the low number of employees, in our view the reporting scheme and security function assignment partially act as a compensatory control for the lack of formality in assuring timely action regarding user account additions, changes and deletions.

4. An effective control process is in place to periodically review the appropriateness of access rights in order to reduce the risk of unauthorized / inappropriate access to the organization's relevant financial reporting applications or data.

During our interview with John Doe, he stated that there is no specific process in place to achieve this control.

Reviewing the organizational chart provided, we noted that some of SDG's employees perform more than one function (server development and client development, client development and technical testing).

In addition, we have learned that the application architecture for Globus contemplates two Servers: one that holds the production, test and training environments, and a second Server used as a backup.

5. Physical controls are in place to prevent unauthorized access to information technology and data.

See #2 above.

6. Environmental controls are in place to prevent or reduce the effects of disasters such as floods, fire and power surges.

As described in information provided by John Doe, REDPLAID's facility was designed taking environmental controls into consideration, to house critical telecommunications equipment and data centers.

The office is located within a US Federal "No Fly Zone" (airplanes are not allowed to fly over the area) and has dual power feeds from separate power grids, redundant UPS systems and five 1,500 kVA generators, to lower the risk of power outages and surges.

As per the information provided, the Data Center is equipped according to best practices for environmental controls for this type of installation and includes: anti-static, fireproof raised floor, air conditioning, temperature and humidity controls, water detection and fire suppression systems.

7. Procedures exist to protect against infection by computer viruses, malicious code and unauthorized software.

According to information provided by John Doe and Johnny Piannon, REDPLAID has deployed, and provides to SDG, an integrated and comprehensive set of resources and tools to provide protection from virus infection and malicious software, which include: Co-Managed Firewall, Web Console & Security Zone, Network Intrusion Prevention (IPS), Vulnerability Scanning, Server AntiVirus Protection, Server Hardening of Operating Systems & System Software, Server Integrity Monitoring and Distributed Denial of Service (DDoS) Protection.

Each of these components reports back to central management consoles which are monitored and managed 24/7 by REDPLAID's Network Operations Center staff.

Any exceptions are escalated to REDPLAID's Security Incident Response Team, made up of REDPLAID's senior security engineers.

As an additional service, not yet engaged by SDG, REDPLAID provides the execution of quarterly Penetration Tests, to assure that their perimeter defenses are not being unduly exposed.

II. Program Development

For each Control Objective, describe, at a high level, the controls in existence that could apply to it.

8. Management has controls in place to ensure that new program and infrastructure developments and acquisitions have been approved by an appropriate level of both IT and business management.

The SD2K application is currently being implemented by a Globus Implementation Team of 5 people, including an Implementation Manager, with the assistance of Paul Jones, as SDG's Project Manager, and John Doe.

The following process summary and controls were corroborated with John Doe and Paul Jones.

Requirements for SD2K's new developments and changes are made by the Implementation Team via Word documents and Excel spreadsheets, which are controlled by Globus's internal issue tracking system.

Upon reception of a requirement, Joe proceeds to its analysis and categorization (minor, medium and large) depending on the impact / effort required.

Minor requirements can be made by anyone on the Team, but medium and major ones require the Implementation Manager's approval.

Currently, no one outside the Implementation Team is making requirements.

Outstanding requirements are reviewed by the Implementation Manager on a weekly basis.

John Doe stated that SDG's intention was to "provide our Issue Manager application, eIssues, to Globus to perform as a tool for managing all aspects of management of all issues, incidents, requests, etc.". This would also allow the automated tracking of issues that SDG today performs manually, via a spreadsheet (see SolDev_Action_List80820 in the PBC folder).

Based on the above description, it appears that most (if not all) of the control over requirements resides with Globus, as we could not identify, on SDG's part, a clearly defined process to assure that only properly authorized requirements are attended to.

In addition to the use of a common tool (workflow) for requirements tracking and management and an authorization chart for requesting and approving requirements and changes, we suggest that a defined and formalized change management procedure be implemented.


9. Management has controls in place to ensure that an adequate program development methodology is in place and is followed for the development of systems / applications used.

The SolDev application and metadata framework are the basis for development.

SD2K is actually a proprietary environment where the client data is centrally managed, after being consolidated and integrated from different sources and systems. The application is data driven and thus solutions to organize, aggregate and present (report) results for the end user are flexible and quick to develop.

SD2K's architecture allows the management of the customer's business rules in a manner consistent with their needs, which are first identified and then built and implemented.

Although SDG does not have a formal development methodology, there are standard steps that are followed:

- identify the business needs,
- identify the supporting data required,
- design and build a central repository for the data, and
- provide the client access to the reports and data views as defined.

10. When new systems are implemented or modified, controls are either added, modified or redesigned so that applicable control objectives are achieved.

Work packages and work items are added and tracked.

11. Controls exist to ensure there is adequate testing for the development of systems / applications and that testing is signed off by both the users and an appropriate level of IT and business management.

Issue Manager provides the framework for the central tracking and signing off on issues as they progress through their different phases.

This component, however, is not yet operational at Globus. Currently, all requests, documentation, incidents and tracking controls are handled "manually" via Word or Excel documents. It is estimated that this module will be implemented at Globus within the next two weeks.

12. A post-implementation review is performed to ensure that new financial-reporting systems/applications are operating properly

III. Availability

For each Control Objective, describe, at a high level, the controls in existence that could apply to it.

13. Management has implemented appropriate backup and recovery procedures so that data, transactions and programs that are necessary for financial reporting can be recovered.

From the information made available to us to review, we determined that REDPLAID provides managed backup and recovery services that include Daily Incremental / Weekly Full Data Backups and Offsite Tape Backups.

14. Effective procedures exist and are followed to periodically test the effectiveness of the restoration process and the quality of backup media relevant to systems and applications used during financial reporting processes.

REDPLAID's backup environment for The SolDev Group utilizes a large RAID-protected disk storage environment that is tested and utilized daily.

15. Appropriate controls are in place over the backup media for systems and applications used during financial reporting processes, including that only authorized people have access to the tapes and tape storage.

According to information provided by REDPLAID, the backup environment is accessible only by a limited subset of staff. Although there is an option for server and backup encryption, we were told that the SolDev Group does not currently encrypt their backups.

For general security, confidentiality and integrity purposes, we recommend that Globus consider and evaluate the encryption option offered by REDPLAID.

IV. Data Integrity

16. Management has implemented procedures to ensure accuracy, completeness, and timely processing of system jobs, including batch jobs and interfaces, for relevant financial reporting applications or data.

SolDev's only involvement with financial processes is in the downloading of the data from the Oracle system. No data is passed back to Oracle. SolDev 2k is a cost tracking system as opposed to a cost accounting system. As such, we guess at what costs will be before they are incurred.

These are not processes that occur in a cost tracking system.

17. There are controls in place to ensure that data migration retains its integrity (i.e., reconciliations to prove pre and post balances, etc.).

These are not processes that occur in a cost tracking system.

18. There are controls in place to ensure that data attributes, such as "date entered", "transaction date", "data entered by", and other attributes relevant to the customer are captured and prevented from modification or change.

These are not processes that normally occur in a cost tracking system. However, where needed we do add protection of appropriate data from changes.

19. Controls exist to provide appropriate segregation of duties within key processes. For instance, users should not be able to initiate and approve their own transaction.

From discussions held, we learned that SD2K users are identified by their functional role. Approval of budgets, for example, can be done by managers only, based on the business rules of the group, division, department, corporation, etc.

John also indicated that Globus has implemented 5 Functions, namely: Planning, Scheduling, Project Management, Contracts Management and Timekeeping.

In relation to the Segregation of Duties issue, John explained that proper SOD is provided by Roles defined within each Function, according to the client's operational model and rules. In turn, each Role has an associated Security Level of 0=Read Only, 1=Read Write or 3=Supervisor. The assignment and maintenance of User IDs/Roles is done by Globus.

Based on the information available, it appears that the application provides the proper controls to assure adequate SOD among users.
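To make the Function / Role / security-level scheme concrete, the following Python is an added example written for this page, not SolDev's code. It models Roles carrying the 0 / 1 / 3 levels described above, a budget-approval check that requires Supervisor level and refuses self-approval (the "initiate and approve their own transaction" case named in the objective), and a small access-review helper that lists the Supervisors available in each Function, the kind of periodic review that control #4 noted is missing. The Role catalogue, user assignments and function names are constructed for the example.

```python
"""Role-based authorization with a segregation-of-duties (SoD) check, modelled on the
SD2K scheme described above: users act in a Function through Roles, each Role carrying
a security level of 0 (Read Only), 1 (Read Write) or 3 (Supervisor). Added example for
this page, not SolDev's own code; the Roles and users below are constructed."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    READ_ONLY = 0
    READ_WRITE = 1
    SUPERVISOR = 3  # the assessment lists 0, 1 and 3; it describes no level 2


# The five Functions Globus implemented, per the assessment.
FUNCTIONS = ("Planning", "Scheduling", "Project Management",
             "Contracts Management", "Timekeeping")

# Constructed Role catalogue: role name -> (Function, security level).
ROLES = {
    "Planner": ("Planning", Level.READ_WRITE),
    "Planning Manager": ("Planning", Level.SUPERVISOR),
    "Scheduler": ("Scheduling", Level.READ_WRITE),
    "Cost Viewer": ("Project Management", Level.READ_ONLY),
}


class AuthorizationError(Exception):
    pass


@dataclass
class Budget:
    budget_id: str
    function: str
    initiated_by: str
    approved_by: Optional[str] = None


def level_in(user_roles: dict, user: str, function: str) -> Optional[Level]:
    """Highest security level the user's Roles grant within one Function (None = no access)."""
    levels = [ROLES[r][1] for r in user_roles.get(user, ()) if ROLES[r][0] == function]
    return max(levels) if levels else None


def require(user_roles: dict, user: str, function: str, needed: Level) -> None:
    have = level_in(user_roles, user, function)
    if have is None or have < needed:
        shown = "none" if have is None else int(have)
        raise AuthorizationError(f"{user} needs level {int(needed)} in {function}, has {shown}")


def create_budget(user_roles: dict, user: str, budget_id: str, function: str) -> Budget:
    """Initiating a budget needs Read Write in that Function."""
    require(user_roles, user, function, Level.READ_WRITE)
    return Budget(budget_id, function, initiated_by=user)


def approve_budget(user_roles: dict, user: str, budget: Budget) -> Budget:
    """Approval needs Supervisor, and the approver must not be the initiator (SoD)."""
    require(user_roles, user, budget.function, Level.SUPERVISOR)
    if user == budget.initiated_by:
        raise AuthorizationError(f"{user} cannot approve budget {budget.budget_id} they initiated")
    budget.approved_by = user
    return budget


def supervisors_by_function(user_roles: dict) -> dict:
    """Access-review helper: who can approve in each Function. A Function with fewer than
    two Supervisors has no independent approver once its only Supervisor initiates work."""
    return {f: sorted(u for u in user_roles if level_in(user_roles, u, f) == Level.SUPERVISOR)
            for f in FUNCTIONS}


def run_scenario() -> dict:
    """Exercise the checks on constructed users; returns each step's outcome."""
    users = {"alice": {"Planner"}, "bob": {"Planning Manager"},
             "carol": {"Planning Manager", "Planner"}, "dave": {"Scheduler"}}
    out = {}

    def attempt(name, fn, *args):
        try:
            fn(*args)
            out[name] = "allowed"
        except AuthorizationError as e:
            out[name] = f"denied: {e}"

    b1 = create_budget(users, "alice", "B-1", "Planning")
    attempt("bob approves alice's budget", approve_budget, users, "bob", b1)
    b2 = create_budget(users, "carol", "B-2", "Planning")
    attempt("carol approves own budget", approve_budget, users, "carol", b2)
    attempt("alice approves at level 1", approve_budget, users, "alice", b2)
    attempt("dave initiates outside his Function", create_budget, users, "dave", "B-3", "Planning")
    out["supervisors"] = supervisors_by_function(users)
    return out
```

The point of `supervisors_by_function` is that the application-level SoD check alone is not enough: if a Function has a single Supervisor who also holds Read Write, any budget that person initiates can never be approved by an independent party, which is exactly what a periodic access-rights review (control #4) would surface.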

20. Controls are in place to ensure that any changes to the systems/applications providing control over financial reporting have been properly authorized by an appropriate level of management (logging change requests, change assessments, change planning & scheduling).

Yes. Change management controls are available in SolDev 2k.

21. Controls are in place to ensure that system, user and control documentation is modified to properly reflect changes to systems relevant for financial reporting.

The tools for managing system, user and control documentation are in place and ready to be used.

22. Controls are in place to ensure that changes to applications and systems used during financial reporting processes are tested, validated, and approved prior to being placed into production.

Financial reporting is not a function that is supported by the SolDev 2k system. However, a regimen of issue resolution that includes the testing process is supported.

23. Controls are in place to restrict access for migrating changes into the production environment for systems and applications used during financial reporting processes.

Financial reporting is not a part of the SolDev 2k system.

24. Management has controls in place to ensure unauthorized changes are not made to system files, for applications used during financial reporting processes, subsequent to migration into production.

These files do not exist as SolDev 2k is not used for Financial reporting.

25. Controls are in place to appropriately address emergency changes to systems, applications, and infrastructure configuration.

The SolDev Group tests software for months before deploying it into production.

26. Management has defined and implemented problem management procedures to record, analyze, and resolve problems and errors for systems and applications in a timely manner (problem determination, problem analysis, problem resolution).

Issue Manager is a process for doing this and is currently being implemented.

27. Management has defined and implemented incident management procedures to record, analyze, and resolve incidents and errors for systems and applications in a timely manner.

Issue Manager is the system for managing this process.

28. Management has defined and implemented configuration management procedures to record, analyze, and resolve errors for systems and applications in a timely manner.

There is not a formal configuration management system for SolDev components currently in place; however, we do have a list of the components and can establish a data repository for these that is maintained consistently.

29. Management has defined and implemented release management procedures to record, analyze, and resolve errors for systems and applications in a timely manner (core release management activities established within the organization, including: planning, design, build, testing, communication, acceptance, hardware installation, controlled software storage, software distribution & installation).

The SolDev Group's internal process for deployment, development and testing is not yet formalized into a workflow process, but this process is in the process of being formalized and implemented.

30. Management has defined and implemented service desk management to co-ordinate and resolve incidents reported by customers or employees.

Issue Manager will handle the service desk functions for SolDev Group.

31. Relevant KPIs, such as the percentage of incidents handled within the agreed time frame or solved by the Service Desk, are regularly and adequately calculated and monitored, and timely actions are undertaken as needed.

We do not yet have measures for KPIs for issue management, but plan to implement such measures over the next year.


32. Management has controls in place to ensure that appropriate system, user and control documentation is developed for new systems and applications.

We do not yet have such a system in place, but we plan to implement such a system over the next year.

33. Management has controls in place to ensure that users are trained on new systems/applications used during financial reporting processes in accordance with an appropriately defined training plan.

SolDev Group plans to implement training processes that are system-based, for training new users in SolDev project management (not financial) processes.