IT Deusto: II Master's in ICT Good Governance
ICT Development and Acquisition: Practical Assignment DA_TP 1
Title:

Evaluation of a Service Provider. Code: DA-TP 1

Type:

Group

Objective:

          Evaluate the audit approach and the Control Objectives defined for the project

          Evaluate the scope and nature of the IS Control Assessment performed

          Establish the strengths and weaknesses of the project

          Develop improvement recommendations, based on the Control Assessment narrative

Project Background:

Globus Inc. manages assets and capital investment projects worth US$ 13 bn, and has decided to
acquire investment-project control software developed by SolDev Group, together with hosting
services for that application provided by the company RedPlaid.

The product, SD2K, is (partially) operational and currently manages 12 projects in
parallel/trial mode.

SD2K es “a project management data warehousing software solution that allows project
managers to manage accumulated costs for projects. The accumulated costs include costs from
equipment, internal labor, contractor labor, project overhead, and expense reporting. The
software has been purchased from SDG to help Globus manage costs on the pipeline system
expansion projects that are currently underway.

As the project data tracking requirements have grown in Globus, SDG was identified as the
technology solution to capture, consolidate, analyze and report on major project data in this area.
The system enables tracking to a level of granularity or currency that supports project managers in
day to day PM decisions.
The system enables collecting detailed incurred costs from the field. At the same time, projected
disbursement data is collected from Globus’ Oracle Financials application. Comparison between
projected and incurred costs provides daily visibility to project metrics and enhances project
management decisions.
Our Firm was engaged by Globus’ Major Projects group to assist in reviewing the controls of the
SDG environment.”


Professor: Ricardo Bria Menéndez                26/12/2008

Project objectives

The overall objective of this project is to assess the SDG application environment with regards to
controls governing security, availability, data integrity and customer service management. Criteria
were developed for each of these control areas and used as the basis of the review.

Reference information

1.     BACKGROUND INFORMATION: GLOBUS Inc.

2.     BACKGROUND INFORMATION: Solutions Development Group (SolDev Group)

3.     IS CONTROL ASSESSMENT: SolDev GROUP (SDG)

Presentation:

Oral

Deadline: TBD




1. BACKGROUND INFORMATION: GLOBUS Inc.

Corporate Overview

Globus Inc. is a leader in energy transportation and distribution in North America and
internationally.

An Overview

Globus operates, in Canada and the U.S., the world's longest crude oil and liquids pipeline system.
The company owns and operates Globus Pipelines Inc. and a variety of affiliated pipelines in
Canada, and has an approximate 27% interest in Globus Energy Partners, L.P. which owns the
Pumpkinhead System in the U.S. These pipeline systems have operated for over 55 years and now
comprise approximately 13 500 kilometres (8,500 miles) of pipeline, delivering more than 2 million
barrels per day of crude oil and liquids. Globus is also the sponsor and manager of the Globus
Income Fund.

Globus is also involved in liquids marketing and international energy projects and has a growing
involvement in the natural gas transmission and midstream businesses, through the Ally and
Vostead pipelines and various U.S. assets that transport, gather, process and market natural gas
and other petroleum products.

As a distributor of energy, Globus owns and operates Canada's largest natural gas distribution
company, Globus Gas Distribution, which provides gas to industrial, commercial and residential
customers in Ontario, Quebec and New York State. Globus distributes gas to 1.9 million customers
and is developing a gas distribution network in New Brunswick.

The company employs more than 5,700 people, primarily in Canada, the U.S. and South America.
Globus Inc. common shares trade on the Toronto Stock Exchange in Canada and on the New York
Stock Exchange in the U.S. under the symbol "GLB".



2. BACKGROUND INFORMATION: Solutions Development Group (SolDev Group)
While The SolDev Group, Inc. is a Washington state registered company that started in Bellingham,
Washington, the development team collaborates on the internet and is physically dispersed.


The SolDev Group has contracted with a Managed Hosting company called RedPlaid to handle all
of our servers and networking needs. I have attached a document that details the services that
The SolDev Group currently obtains from RedPlaid. The SolDev Group does not own our own IP
addresses – these are obtained from RedPlaid as needed.

The SolDev Group develops software solutions using database software (SQL Anywhere) on the
back end to store the data.

The front-end or user interface to the data is via a Windows application (written in C++) and web
applications written in VBScript, JavaScript and some C#.

The process followed by The SolDev Group (SDG) in delivering software and services is similar to
that of other companies and is as follows:

Customer licenses software.

SDG prepares servers for the customer's solution – one server for production, testing and training
and one server as a backup.

SDG supplies SolDev Associates and embedded customer support analysts as requested to help
the customer acquire knowledge of SolDev abilities and skills in SolDev 2k techniques.

The development of SolDev solutions is a process that proceeds independently of the needs of a
particular customer – in much the same way as the development of many software solutions.

SolDev 2k's architecture permits us to manage each customer's unique business rules in a manner
consistent with each customer's needs. The process of identifying and implementing these
business rules is accomplished more efficiently by the use of SolDev Associates and embedded
SolDev Analysts.

Our Mission

We wish to be recognized as a provider of client-empowering, data management solutions. It's
your data. How do you want to manage it? We want to help you and your team to feel that this is
your solution and you are in charge of it - no fear, no uncertainty, no doubt.



Company Profile

The SolDev Group, Inc. are a group of technical and business experts that develop and support
data management solutions for clients in various industries.




The SolDev Group partners with Sybase and Microsoft. We also support organizations such as the
Project Management Institute (PMI), the National Petrochemical and Refiners Association (NPRA)
and the Association for the Advancement of Cost Engineering (AACE).

Our combined expertise and training in engineering, project management and computer science
have melded together to provide a useful software engineering design philosophy that is focused
on developing innovative ways to use available tools and tool-sets such as database technology,
scheduling tools, the web, hand-held computing, etc.

Products

SolDev 2000 (SD2k) is the name of a suite of products that provide wide-ranging improvements to
data management solutions in the area of work management. A hallmark of these solutions is the
level to which they empower our customers to implement their best practices and business
processes in the system.

Some of the business areas that we address include:

SolDev 2000/TM - for managing Turnarounds, Shutdowns and Outages

        Manage all aspects of your turnaround including logistics, scope management, planning,
        materials management, resource management, scheduling and execution.

SolDev 2003/RM

        Manage your routine maintenance backlog of work orders and the people, equipment and
        materials needed to complete this work.

SolDev 2003/PD

        Manage all data that should be widely available to multiple departments and maintained
        by multiple departments. Remove the data redundancy that results from the use of ad
        hoc spreadsheets, databases, documents, etc. Provide a consistent interface for all of
        your team members, while maintaining control of your data.

SolDev 2003/IS

        Plants are serviced by Industrial Services contractors. If you work with an Industrial
        Services Contractor, you know that you spend a lot of your effort in meeting specific
        requirements of each of your customers. SD2003/IS's business rule-driven system provides
        you with the tools to tailor your reports and data access to each of your clients' needs
        while maintaining a consistent system in-house.

3. IS CONTROL ASSESSMENT: SolDev GROUP (SDG)

Each numbered item states the Control Objective, followed by the Controls Description / Comments
recorded for it.

I. Information Security (Logical and Physical)
   Describe, at a high level: controls in existence that could apply to the corresponding Control
   Objective.

1. Information security is managed to guide consistent implementation of security practices and
   that users are aware of the organization's position with regard to information security, as it
   pertains to financial reporting data.

   A formalized Security Policy to define, document and provide standardized guidelines for
   Information Security does not exist. The only security practice referenced by John Doe and
   Joyce Temple (SDG’s top management) is that all newly hired employees are required to sign a
   Non-disclosure agreement (NDA).

   The NDA (see: NDA - consulting Agreement in PBC folder) has two articles: Confidentiality and
   Ownership of Deliverables. In the first one, Confidential Information is defined and
   non-disclosure and protection of such information is required. In the Ownership of Deliverables
   article, Intellectual Property and Company Work Product are defined and rights of the Company
   are made explicit.


2. Logical and physical access to IT computing resources is appropriately restricted by the
   implementation of identification, authentication and authorization mechanisms to reduce the
   risk of unauthorized / inappropriate access to the organization’s relevant financial reporting
   applications or data.

   Logical access

   As per conversations with John Doe and Paul Jones, the logical access to computer resources is
   restricted by appropriate identification (unique User IDs), authentication (individual
   passwords) and authorization mechanisms. Logical security is administered by two people: John
   Doe and Joe Cook.

   As related by John, there are basically two categories of employees: Developers and Support,
   and the general approach is that Developers have access to code, while Support personnel do
   not.

   Further written information provided by John revealed one exception to this rule. Paul Jones,
   listed initially both as an Associate and a Project Manager, has current access to Globus’s
   database.

   We interviewed Paul Jones, who related that aside from being the Project Manager for the
   Globus implementation project, he also performs (non-technical) development functions.

   Although we had no access to a written policy, according to John Doe, the password policy in
   effect calls for the following:

       - the system does not remember the previous passwords,
       - the user is not required to give a different password upon password change,
       - the password expires after 90 days,
       - the password must be at least 8 characters in length,
       - passwords are not stored internally,
       - password complexity is enforced,
       - if 5 invalid login attempts are made within 3 minutes, then the login will be disabled
         for 3 minutes.

   Physical access

   All SDG’s resources (servers, communications and additional equipment) used to provide the
   SD2K application service to Globus are physically located at REDPLAID’s data center in Saint
   Louis, Missouri.

   REDPLAID, a division of Connectria Corporation and responsible for the physical security of the
   mentioned resources, is located in a highly secured area and has an on-site Network Operations
   Center monitored 24/7.

   Through information gathered (see: REDPLAID Security and Support Overview for the SolDev Group
   8-1-08 in PBC folder) and interviews with Peter Clumsy and Johnny Piannon from REDPLAID we
   identified, among others, the following implemented physical security measures: electronic
   security codes to access the building and elevators, additional biometric and access cards to
   enter the Data Center, closed circuit digital cameras and the prohibition of unescorted
   visitors at any time.
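The password policy described for control #2 only exists verbally, so a reviewer has nothing to test against. The following is an added example, not SDG's or REDPLAID's code, that encodes the seven stated rules as executable checks: it lets the stated values (8 characters, complexity, 90 days, 5 failures in 3 minutes, 3-minute lockout) be exercised, and it makes the gap visible: with no password history a user may "change" to the password they already have. Two items are assumptions rather than facts from the assessment: the sliding-window implementation of the lockout rule and the 12-password history depth used by the hardened variant.

```python
"""Executable model of the SDG password policy recorded under control #2.

Added example; it is not SDG's or REDPLAID's code. The seven rule values are the
ones John Doe stated in the assessment. Two things are assumptions: the
sliding-window implementation of the lockout rule, and the 12-password history
depth used by the hardened variant.
"""
from collections import deque
from dataclasses import dataclass
import string


@dataclass
class PasswordPolicy:
    min_length: int = 8              # "must be at least 8 characters in length"
    require_complexity: bool = True  # "password complexity is enforced"
    max_age_days: int = 90           # "expires after 90 days"
    history_depth: int = 0           # 0 = "does not remember the previous passwords"
    lockout_threshold: int = 5       # "5 invalid login attempts ..."
    lockout_window_s: int = 180      # "... within 3 minutes ..."
    lockout_duration_s: int = 180    # "... disabled for 3 minutes"


STATED_POLICY = PasswordPolicy()                     # exactly as described
HARDENED_POLICY = PasswordPolicy(history_depth=12)   # assumption: remember last 12


def complexity_classes(pw: str) -> int:
    """Number of character classes (lower, upper, digit, punctuation) present."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def password_violations(pw, policy=STATED_POLICY, history=()):
    """Rules a proposed new password breaks (empty list = accepted).

    `history` holds the user's previous passwords, oldest first. Under the
    stated policy history_depth is 0, so the reuse rule never fires and a user
    may "change" to the password they already have.
    """
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_complexity and complexity_classes(pw) < 3:
        problems.append("fewer than 3 character classes")
    if policy.history_depth and pw in list(history)[-policy.history_depth:]:
        problems.append(f"reused one of the last {policy.history_depth} passwords")
    return problems


def is_expired(age_days: int, policy=STATED_POLICY) -> bool:
    return age_days > policy.max_age_days


class LockoutTracker:
    """N failures within W seconds disable the login for D seconds."""

    def __init__(self, policy=STATED_POLICY):
        self.policy = policy
        self.failures = {}      # user -> deque of failure timestamps (seconds)
        self.locked_until = {}  # user -> timestamp at which the lockout ends

    def is_locked(self, user: str, now: float) -> bool:
        return now < self.locked_until.get(user, 0)

    def record_failure(self, user: str, now: float) -> bool:
        """Record one failed attempt; True if it triggered a lockout."""
        q = self.failures.setdefault(user, deque())
        q.append(now)
        while q and now - q[0] > self.policy.lockout_window_s:   # drop stale attempts
            q.popleft()
        if len(q) >= self.policy.lockout_threshold:
            self.locked_until[user] = now + self.policy.lockout_duration_s
            q.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)


if __name__ == "__main__":
    print(password_violations("short1!"))
    print("reuse, stated policy:", password_violations("Correct-Horse-9", history=["Correct-Horse-9"]))
    print("reuse, hardened policy:", password_violations("Correct-Horse-9", HARDENED_POLICY, ["Correct-Horse-9"]))
    t = LockoutTracker()
    print([t.record_failure("alice", sec) for sec in (0, 10, 20, 30, 40)], t.is_locked("alice", 100))
```

Running the module prints the violations for a constructed weak password, shows that the same password is accepted on change under the stated policy and rejected under the hardened one, and shows five failures within 40 seconds locking the account. The lockout tracker keeps only attempts inside the 3-minute window, so failures spaced a minute apart never accumulate to five, which is the behaviour the stated rule implies.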

3. Procedures have been established so that user accounts are added, modified and deleted in a
   timely manner to reduce the risk of unauthorized / inappropriate access to the organization's
   relevant financial reporting applications or data.

   As per John Doe, the process to assign / revoke user ids for new hires, changes and terminated
   employees is not formalized.

   Only John Doe and Joyce Temple (SDG Top Management) have the authority and responsibility for
   authorizing the assignment, modification and revocation of user ids and access rights to all
   employees.

   The SDG’s Organizational Chart provided by Joyce (see: SolDevOrg in PBC folder) shows that the
   company has only 20 employees (including John and Joyce), distributed in the following areas:

       Development (Client and Server): 7,
       Technical Testing: 2,
       Associates: 4,
       Project Managers: 2,
       Data Analysts: 3 and
       Administration: 2.

   Given SDG’s two-tier organizational structure, the different areas’ assigned responsibilities
   and the low number of employees, in our view the reporting scheme and security function
   assignment partially act as a compensatory control for the lack of formality in the assurance
   of timely action regarding user account additions, changes and deletions.

4. An effective control process is in place to periodically review the appropriateness of access
   rights in order to reduce the risk of unauthorized / inappropriate access to the organization’s
   relevant financial reporting applications or data.

   During our interview with John Doe, he stated that there is not a specific process in place to
   achieve this control.

   Reviewing the organizational chart provided, we noted that some of SDG’s employees perform more
   than one function (server development and client development, client development and technical
   testing).

   In addition, we have learned that the application architecture for Globus contemplates two
   Servers; one that holds the production, test and training environments, and a second Server
   used as a backup.

5. Physical controls are in place to prevent unauthorized access to information technology and
   data.

   See #2 above.

6. Environmental controls are in place to prevent or reduce the effects of disasters, such as
   floods, fire and power surges.

   As described in information provided by John Doe, REDPLAID’s facility was designed taking into
   consideration environmental controls to house critical telecommunications equipment and data
   centers.

   The office is located within a US Federal “No Fly Zone” (airplanes are not allowed to fly over
   the area) and contemplates dual Power Feeds from separate Power Grids, redundant UPS systems and
   five 1,500 kVA Generators, to lower the risks of power outages and surges.

   As per the information provided, the Data Center is equipped according to the best practices
   for environmental controls for this type of installation and includes: anti-static, fireproof
   raised floor, air conditioning, temperature and humidity controls, water detection and fire
   suppression systems.

7. Procedures exist to protect against infection by computer viruses, malicious codes, and
   unauthorized software.

   According to information provided by John Doe and Johnny Piannon, REDPLAID has deployed, and
   provides to SDG, an integrated and comprehensive set of resources and tools to provide
   protection from virus infection and malicious software that include: Co-Managed Firewall, Web
   Console & Security Zone, Network Intrusion Prevention (IPS), Vulnerability Scanning, Server
   AntiVirus Protection, Server Hardening of Operating Systems & System Software, Server Integrity
   Monitoring and Distributed Denial of Service (DDoS) Protection.

   Each of these components reports back to central management consoles which are monitored and
   managed 24/7 by REDPLAID's Network Operations Center staff.

   Any exceptions are escalated to REDPLAID’s Security Incident Response Team, made up of
   REDPLAID’s senior security engineers.

   As an additional service, not yet engaged by SDG, REDPLAID provides the execution of quarterly
   Penetration Tests, to assure their perimeter defenses are not being unduly exposed.

II. Program Development
   Describe, at a high level: controls in existence that could apply to the corresponding Control
   Objective.

8. Management has controls in place to ensure that new program and infrastructure developments
   and acquisitions have been approved by an appropriate level of both IT and business management.

   The SD2K application is currently being implemented by a Globus Implementation Team of 5
   people, including an Implementation Manager, with the assistance of Paul Jones, as SDG’s Project
   Manager, and John Doe.

   The following process summary and controls were corroborated with John Doe and Paul Jones.

   Requirements for SD2K’s new developments and changes are made by the Implementation Team via
   Word documents and Excel spreadsheets, which are controlled by Globus’s internal issue tracking
   system.

   Upon reception of a requirement, Joe proceeds to its analysis and categorization (minor, medium
   and large) depending on impact / effort required.

   Minor requirements can be made by anyone on the Team, but medium and major ones require the
   Implementation Manager’s approval.

   Currently, no one outside the Implementation Team is making requirements. Outstanding
   requirements are reviewed by the Implementation Manager on a weekly basis.

   John Doe stated that SDG’s intentions were to “provide our Issue Manager application, eIssues,
   to Globus to perform as a tool for managing all aspects of management of all issues, incidents,
   requests, etc.”. This would also allow the automated tracking of issues that SDG today performs
   manually, via a spreadsheet (see SolDev_Action_List80820 in the PBC folder).

   Based on the above description, it appears that most (if not all) of the control over
   requirements resides on Globus, as we could not identify, on SDG’s part, a clearly defined
   process to assure that only properly authorized requirements are attended.

   In addition to the use of a common tool (workflow) for requirements tracking and management and
   an authorization chart for requesting and approving requirements and changes, we suggest that a
   defined and formalized change management procedure be implemented.



9. Management has controls in place to ensure that an adequate program development methodology
   is in place and is followed for the development of systems / applications used

   The SolDev application and metadata framework are the basis for development.

   SD2K is actually a proprietary environment where the client data is centrally managed, after
   being consolidated and integrated from different sources and systems. The application is data
   driven and thus, solutions to organize, aggregate and present (report) results for the end user
   are flexible and quick to develop.

   SD2K’s architecture allows the management of the customer's business rules in a manner
   consistent with their needs, which are first identified and then built and implemented.

   Although SDG does not have a formal development methodology, there are standard steps that are
   followed:

       - identify the business needs,
       - identify the supporting data required,
       - design and build a central repository for the data, and
       - provide for the client access to the reports and data views as defined.

10. When new systems are implemented or modified, controls are either added, modified, or
    redesigned so that applicable control objectives are achieved.

    Work packages and work items are added and tracked.

11. Controls exist to ensure there is adequate testing for the development of systems /
    applications and that testing is signed off by both the users at an appropriate level of IT
    and business management.

    Issue Manager provides the framework for the central tracking and signing off on issues as
    they progress through their different phases.

    This component, however, is not yet operational at Globus. Currently, all requests,
    documentation, incidents and tracking controls are handled “manually” via Word or Excel
    documents. It is estimated that this module will be implemented at Globus within the next two
    weeks.

12. A post-implementation review is performed to ensure that new financial-reporting
    systems/applications are operating properly.


III. Availability
   Describe, at a high level: controls in existence that could apply to the corresponding Control
   Objective.

13. Management has implemented appropriate backup and recovery procedures so that data,
    transactions and programs that are necessary for financial reporting can be recovered.

    From the information made available to us to review, we determined that REDPLAID provides
    managed backup and recovery services that include Daily Incremental / Weekly Full Data Backups
    and Offsite Tape Backups.

14. Effective procedures exist and are followed to periodically test the effectiveness of the
    restoration process and the quality of backup media relevant to systems and applications used
    during financial reporting processes.

    REDPLAID’s backup environment for The SolDev Group utilizes a large RAID-protected disk
    storage environment that is tested and utilized daily.

15. Appropriate controls are in place over the back-up media for systems and applications used
    during financial reporting processes, including that only authorized people have access to
    the tapes and tape-storage.

    According to information provided by REDPLAID, the backup environment is accessible only by a
    limited subset of staff. Although there is an option for server and backup encryption, we were
    told that the SolDev Group does not currently encrypt their backups.

    For general security, confidentiality and integrity purposes, we recommend that Globus
    consider and evaluate the encryption option offered by REDPLAID.

IV Data Integrity

16. Management has implemented procedures to ensure accuracy, completeness, and timely processing of system jobs, including batch jobs and interfaces, for relevant financial reporting applications or data.

    Comments: SolDev's only involvement with financial processes is in the downloading of the data from the Oracle system. No data is passed back to Oracle. SolDev 2k is a cost tracking system as opposed to a cost accounting system. As such, we guess at what costs will be before they are incurred. These are not processes that occur in a cost tracking system.

17. There are controls in place to ensure that data migration retains its integrity (i.e., reconciliations to prove pre and post balances, etc.).

    Comments: These are not processes that occur in a cost tracking system.

18. There are controls in place to ensure that data attributes, such as “date entered”, “transaction date”, “data entered by”, and other attributes relevant to the customer are captured and prevented from modification or change.

    Comments: These are not processes that normally occur in a cost tracking system. However, where needed we do add protection of appropriate data from changes.

19. Controls exist to provide appropriate segregation of duties within key processes. For instance, users should not be able to initiate and approve their own transaction.

    Comments: From discussions held, we learned that SD2K users are identified by their functional role. Approval of budgets, for example, can be done by managers only, based on the business rules of the group, division, department, corporation, etc.

    John also indicated that Globus has implemented 5 Functions, namely: Planning, Scheduling, Project Management, Contracts Management and Timekeeping.

    In relation to the Segregation of Duties issue, John explained that proper SOD is provided by Roles defined within each Function, according to the client's operational model and rules. In turn, each Role has an associated Security Level of 0=Read Only, 1=Read Write or 3=Supervisor. The assignment and maintenance of User IDs/Roles is done by Globus.

    Based on the information available, it appears that the application provides for the proper controls to assure an adequate SOD among users.
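The following Python model is an added illustration of the mechanism described in items 18 and 19; it is not SD2K code nor part of the assessment. It assumes that a budget approval requires the Supervisor level (3) in the relevant Function, that each user holds one Role per Function, and that the audit attributes of item 18 are captured at entry and then frozen. The user names, function names beyond the five listed, and transaction ids are constructed sample data.

```python
"""Role / security-level authorization with a segregation-of-duties check.

Constructed illustration for items 18 and 19 of the assessment; it is not
SD2K code. The rule "approval needs Supervisor level" is an assumption.
"""
from dataclasses import FrozenInstanceError, dataclass, field
from datetime import datetime, timezone
from enum import IntEnum
from typing import Dict, Optional, Tuple


class SecurityLevel(IntEnum):
    """Levels as quoted in the assessment: 0=Read Only, 1=Read Write, 3=Supervisor."""
    READ_ONLY = 0
    READ_WRITE = 1
    SUPERVISOR = 3


# The five Functions the assessment says Globus implemented.
FUNCTIONS = frozenset({"Planning", "Scheduling", "Project Management",
                       "Contracts Management", "Timekeeping"})


@dataclass(frozen=True)
class Role:
    function: str
    level: SecurityLevel


@dataclass(frozen=True)
class AuditStamp:
    """Item 18 attributes: captured once at entry and immutable afterwards."""
    entered_by: str
    date_entered: datetime


@dataclass
class Transaction:
    tx_id: str
    function: str
    stamp: AuditStamp
    approved_by: Optional[str] = None


class AuthorizationError(PermissionError):
    """Raised when a user lacks the level or would violate SoD."""


@dataclass
class SodPolicy:
    # (user id, function) -> Role; assumption: one role per user per function.
    assignments: Dict[Tuple[str, str], Role] = field(default_factory=dict)

    def assign(self, user: str, role: Role) -> None:
        if role.function not in FUNCTIONS:
            raise ValueError(f"unknown function {role.function!r}")
        self.assignments[(user, role.function)] = role

    def level_of(self, user: str, function: str) -> SecurityLevel:
        # A user with no role in a function gets nothing beyond read access.
        role = self.assignments.get((user, function))
        return role.level if role else SecurityLevel.READ_ONLY

    def initiate(self, user: str, tx_id: str, function: str) -> Transaction:
        if self.level_of(user, function) < SecurityLevel.READ_WRITE:
            raise AuthorizationError(f"{user} may not write in {function}")
        stamp = AuditStamp(entered_by=user, date_entered=datetime.now(timezone.utc))
        return Transaction(tx_id, function, stamp)

    def approve(self, user: str, tx: Transaction) -> Transaction:
        # Two independent checks: sufficient level, and not the initiator.
        if self.level_of(user, tx.function) < SecurityLevel.SUPERVISOR:
            raise AuthorizationError(f"{user} is not a Supervisor in {tx.function}")
        if user == tx.stamp.entered_by:
            raise AuthorizationError("SoD: initiator may not approve own transaction")
        tx.approved_by = user
        return tx


def stamp_is_immutable(tx: Transaction) -> bool:
    """Item 18 check: an attempt to alter 'entered by' must be rejected."""
    try:
        tx.stamp.entered_by = "someone-else"  # type: ignore[misc]
    except FrozenInstanceError:
        return True
    return False


def demo() -> dict:
    """Walk the control through constructed users and return each outcome."""
    policy = SodPolicy()
    policy.assign("alice", Role("Planning", SecurityLevel.READ_WRITE))
    policy.assign("bob", Role("Planning", SecurityLevel.SUPERVISOR))
    policy.assign("carol", Role("Planning", SecurityLevel.READ_ONLY))
    results = {}
    tx = policy.initiate("alice", "B-001", "Planning")  # constructed budget id
    for who in ("carol", "alice"):  # read-only user, then the initiator herself
        try:
            policy.approve(who, tx)
            results[f"{who}_approves"] = "allowed"
        except AuthorizationError:
            results[f"{who}_approves"] = "denied"
    results["bob_approves"] = policy.approve("bob", tx).approved_by
    own = policy.initiate("bob", "B-002", "Planning")  # supervisor initiates
    try:
        policy.approve("bob", own)
        results["bob_self_approval"] = "allowed"
    except AuthorizationError:
        results["bob_self_approval"] = "denied"
    results["stamp_immutable"] = stamp_is_immutable(tx)
    return results
```

The point a reviewer of item 19 would want to verify is that the initiator check is separate from the level check: a Supervisor who initiates a transaction is still refused approval of it, which is exactly the case the control objective names.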

20. Controls are in place to ensure that any changes to the systems/applications providing control over financial reporting have been properly authorized by an appropriate level of management (logging change requests, change assessments, change planning & scheduling).

    Comments: Yes. Change management controls are available in SolDev 2k.

21. Controls are in place to ensure that system, user and control documentation is modified to properly reflect changes to systems relevant for financial reporting.

    Comments: The tools for managing system, user and control documentation are in place and ready to be used.

22. Controls are in place to ensure that changes to applications and systems used during financial reporting processes are tested, validated, and approved prior to being placed into production.

    Comments: Financial reporting is not a function that is supported by the SolDev 2k system. However, a regimen of issue resolution that includes the testing process is supported.

23. Controls are in place to restrict access for migrating changes into the production environment for systems and applications used during financial reporting processes.

    Comments: Financial reporting is not a part of the SolDev 2k system.

24. Management has controls in place to ensure unauthorized changes are not made to system files, for applications used during financial reporting processes, subsequent to migration into production.

    Comments: These files do not exist as SolDev 2k is not used for financial reporting.

25. Controls are in place to appropriately address emergency changes to systems, applications, and infrastructure configuration.

    Comments: The SolDev Group tests software for months before deploying it into production.

26. Management has defined and implemented problem management procedures to record, analyze, and resolve problems and errors for systems and applications in a timely manner (problem determination, problem analysis, problem resolution).

    Comments: Issue Manager is a process for doing this and is currently being implemented.

27. Management has defined and implemented incident management procedures to record, analyze, and resolve incidents and errors for systems and applications in a timely manner.

    Comments: Issue Manager is the system for managing this process.

28. Management has defined and implemented configuration management procedures to record, analyze, and resolve errors for systems and applications in a timely manner.

    Comments: There is not a formal configuration management system for SolDev components currently in place; however, we do have a list of the components and can establish a data repository for these that is maintained consistently.

29. Management has defined and implemented release management procedures to record, analyze, and resolve errors for systems and applications in a timely manner (core release management activities established within the organization, including: planning, design, build, testing, communication, acceptance, hardware installation, controlled software storage, software distribution & installation).

    Comments: The SolDev Group's internal process for deployment, development and testing is not yet formalized into a workflow process, but it is in the process of being formalized and implemented.

30. Management has defined and implemented service desk management to co-ordinate and resolve incidents reported by customers or employees.

    Comments: Issue Manager will handle the service desk functions for SolDev Group.

31. Relevant KPIs, such as the percentage of incidents handled within the agreed time frame or solved by the Service Desk, are regularly and adequately calculated and monitored, and timely actions undertaken as needed.

    Comments: We do not yet have measures for KPIs for issue management, but plan to implement such measures over the next year.

32. Management has controls in place to ensure that appropriate system, user and control documentation is developed for new systems and applications.

    Comments: We do not yet have such a system in place, but we plan to implement such a system over the next year.

33. Management has controls in place to ensure that users are trained on new systems/applications used during financial reporting processes in accordance with an appropriately defined training plan.

    Comments: SolDev Group plans to implement training processes that are system-based, for training new users in SolDev project management (not financial) processes.

  • 12. IT Deusto: II Máster en Buen Gobierno de las TIC Desarrollo y Adquisición TIC: Trabajo Práctico DA_TP 1 of IT and business management 12. A post- implementation review is performed to ensure that new financial-reporting systems/applicati ons are operating properly III Availability Describe, at a high level: controls in existence that could apply to the corresponding From the information made available to us to review, we determined 13. Management has that REDPLAID provides managed backup and recovery services that implemented includes Daily Incremental / Weekly Full Data Backups and Offsite Tape appropriate backup and Backups recovery procedures so that data, transactions and programs that are necessary for financial reporting can be recovered REDPLAID’s backup environment for The SolDev Group utilizes a large 14. Effective RAID-protected disk storage environment that is tested and utilized daily. procedures exist and are followed to periodically test the effectiveness of the restoration process and the quality of backup media relevant to systems and applications used during financial reporting Profesor: Ricardo Bria Menéndez 26/12/2008 12
  • 13. IT Deusto: II Máster en Buen Gobierno de las TIC Desarrollo y Adquisición TIC: Trabajo Práctico DA_TP 1 processes According to information provided by REDPLAID, the backup 15. Appropriate environment is accessible only by a limited subset of staff. Although controls are in there is an option for server and back up encryption, we were told that place over the back-up media for the SolDev Group does not currently encrypt their backups. systems and For general security, confidentiality and integrity purposes, we applications used during financial recommend Globus to consider and evaluate the encryption option reporting offered by REDPLAID. processes, including that only authorized people have access to the tapes and tape- storage IV Data Integrity 16. Management has SolDev's only involvement with financial processes is in the downloading implemented of the data from Oracle system. No data is passed back to Oracle. SolDev procedures to 2k is a cost tracking system as opposed to a cost accounting system. As ensure accuracy, such, we guess at what costs will be before they are incurred. completeness, These are not processes that occur in a cost tracking system. and timely processing of system jobs, including batch jobs and interfaces, for relevant financial reporting applications or data 17. There are controls These are not processes that occur in a cost tracking system. in place to ensure that data migration retains its integrity (i.e., reconciliations to Profesor: Ricardo Bria Menéndez 26/12/2008 13
  • 14. IT Deusto: II Máster en Buen Gobierno de las TIC Desarrollo y Adquisición TIC: Trabajo Práctico DA_TP 1 prove pre and post balances, etc) 18. There are controls These are not processes that normally occur in a cost tracking system. in place to ensure However, where needed we do add protection of appropriate data from that data changes. attributes, such as “date entered”, “transaction date”, “data entered by”, and other attributes relevant to the customer are captured and prevented from modification or change. From discussions held, we learned that SD2K users are identified by their 19. Controls exist to functional role. Approval of budgets, for example, can be done by provide managers only, based on the business rules of the group, division, appropriate segregation of department, corporation, etc. duties within key John also indicated that Globus has implemented 5 Functions, namely: processes. For instance, users Planning, Scheduling, Project Management, Contracts Management and should not be Timekeeping. able to initiate In relation to the Segregation of Duties issue, John explained that proper and approve their SOD is provided by Roles defined within each Function, according to the own transaction. clien’t operational model and rules. In turn, each Role has an associated Security Level of 0=Read Only, 1=Read Write or 3=Supervisor. The assignment and maintenance of User ID’s/Roles is done by Globus. Based on the information available, it appears that the application provides for the proper controls to assure an adequate SOD among users. 20. Controls are in Yes.. Change management controls are available in SolDev 2k. place to ensure that any changes to the systems/applicati ons providing control over Profesor: Ricardo Bria Menéndez 26/12/2008 14
  • 15. IT Deusto: II Máster en Buen Gobierno de las TIC Desarrollo y Adquisición TIC: Trabajo Práctico DA_TP 1 financial reporting have been properly authorized by an appropriate level of management (logging change requests, change assessments, change planning & scheduling) 21. Controls are in The tools for managing system, user and control documentation are in place to ensure place and ready to be used. that system, user and control documentation is modified to properly reflect changes to systems relevant for financial reporting 22. Controls are in Financial reporting is not a function that is supported by the SolDev 2k place to ensure system. However, a regimen of issue resolution that includes the testing that changes to process is supported. applications and systems used during financial reporting processes are tested, validated, and approved prior to being placed into production 23. Controls are in Financial reporting is not a part of the SolDev 2k system. place to restrict access for migrating changes into the production environment for Profesor: Ricardo Bria Menéndez 26/12/2008 15
  • 16. IT Deusto: II Máster en Buen Gobierno de las TIC Desarrollo y Adquisición TIC: Trabajo Práctico DA_TP 1 systems and applications used during financial reporting processes 24. Management has These files do not exist as SolDev 2k is not used for Financial reporting. controls in place to ensure unauthorized changes are not made to system files, for applications used during financial reporting processes, subsequent to migration into production 25. Controls are in The SolDev Group tests software for months before deploying it into place to production. appropriately address emergency changes to systems, applications, and infrastructure configuration 26. Management has Issue Manager is a process for doing this and is currently being defined and implemented implemented problem management procedures to record, analyze, and resolve problems, and errors for systems and applications in a timely manner (problem Profesor: Ricardo Bria Menéndez 26/12/2008 16
  • 17. IT Deusto: II Máster en Buen Gobierno de las TIC Desarrollo y Adquisición TIC: Trabajo Práctico DA_TP 1 determination, problem analysis, problem resolution) 27. Management has Issue Manager is the system for managing this process. defined and implemented incident management procedures to record, analyze, and resolve incidents, and errors for systems and applications in a timely manner 28. Management has There is not a formal configuration management system for SolDev defined and components that is currently in place, however, we do have a list of the implemented components and can establish a data repository for these that is configuration maintained consistently. management procedures to record, analyze, and resolve errors for systems and applications in a timely manner 29. Management has The SolDev Group's internal process for deployment development and defined and testing is not yet formalized into a work flow process - but this process is implemented in the process of being formalized and being implemented. release management procedures to record, analyze, and resolve errors for systems and applications in a timely manner (core release management Profesor: Ricardo Bria Menéndez 26/12/2008 17
  • 18. IT Deusto: II Máster en Buen Gobierno de las TIC Desarrollo y Adquisición TIC: Trabajo Práctico DA_TP 1 activities established within the organization; including: planning, design, build, testing, communication, acceptance, hardware installation, controlled software storage, software distribution & installation) 30. Management has Issue manager will handle the service desk functions for SolDev Group. defined and implemented service desk management to co-ordinates and resolve incidents reported by customers or employees 31. Relevant KPIs We do not yet have measures for KPI's for issue management, but plan such as to implement such measures over the next year. percentage of incidents handled within the agreed time frame or solved by the Service Desk are regularly and adequately calculated and monitored and timely actions undertaken as needed. Profesor: Ricardo Bria Menéndez 26/12/2008 18
  • 19. IT Deusto: II Máster en Buen Gobierno de las TIC Desarrollo y Adquisición TIC: Trabajo Práctico DA_TP 1 32. Management has We do not yet have such a system in place, but we plan to implement controls in place such a system over the next year. to ensure that appropriate system, user and control documentation is developed for new systems and applications 33. Management has SolDev Group plans to implement training processes that are system- controls in place based - for training new users in SolDev project management (not to ensure that financial) processes. users are trained on new systems/applicati ons used during financial reporting processes in accordance with an appropriately defined training plan Profesor: Ricardo Bria Menéndez 26/12/2008 19