Management s Response to the Auditor General s Review of Management and Oversight of the Integrated Business Management System (IBMS)

Similar documents
REVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009

REPORT 2015/149 INTERNAL AUDIT DIVISION

Memorandum APPENDIX 2. April 3, Audit Committee

In 2017, the Auditor General initiated an audit of the City s information technology infrastructure and assets.

IT Audit Process Prof. Liang Yao Week Six IT Audit Planning

Chapter 8: SDLC Reviews and Audit Learning objectives Introduction Role of IS Auditor in SDLC

PCI Compliance and records management

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive

Public Safety Canada. Audit of the Business Continuity Planning Program

TX CIO Leadership Journey Texas CIOs Bowden Hight Texas Health and Human Services Commission Tim Jennings Texas Department of Transportation Mark

Accreditation Services Council Governing Charter

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

City of Toronto Accessibility Design Guidelines 2015

NHS Fife. 2015/16 Audit Computer Service Review Follow Up

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

Determining Best Fit for ITIL Implementation

IT MANAGER PERMANENT SALARY SCALE: P07 (R ) Ref:AgriS042/2019 Information Technology Manager. Reporting to. Information Technology (IT)

ITSM20F_Umang. Number: ITSM20F Passing Score: 800 Time Limit: 120 min File Version: 4.0. Exin ITSM20F

Business Continuity Management Standards A Side-by-Side Comparison

CASA External Peer Review Program Guidelines. Table of Contents

Mitigation Framework Leadership Group (MitFLG) Charter DRAFT

NORTH CAROLINA NC MRITE. Nominating Category: Enterprise IT Management Initiatives

VII. GUIDE TO AGENCY PROGRAMS

REPORT 2015/010 INTERNAL AUDIT DIVISION

General Information Technology Controls Follow-up Review

IT Services Policy/Policy Document

ROLE DESCRIPTION IT SPECIALIST

Corporate Information Security Policy

The Project Charter. Date of Issue Author Description. Revision Number. Version 0.9 October 27 th, 2014 Moe Yousof Initial Draft

Organisational Development Programme Update Policy Review & Performance Scrutiny Committee January 2017

KENYA SCHOOL OF GOVERNMENT EMPLOYMENT OPORTUNITY (EXTERNAL ADVERTISEMENT)

REPORT 2015/186 INTERNAL AUDIT DIVISION

CHAIR AND MEMBERS CIVIC WORKS COMMITTEE MEETING ON NOVEMBER 29, 2016

FOR INFORMATION. Date: February 21, Update on the Shared Services Project

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

MassMutual Business Continuity Disclosure Statement

Information Technology Disaster Recovery Planning Audit Redacted Public Report

EXAMGOOD QUESTION & ANSWER. Accurate study guides High passing rate! Exam Good provides update free of charge in one year!

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Competency Definition

DHS Overview of Sustainability and Environmental Programs. Dr. Teresa R. Pohlman Executive Director, Sustainability and Environmental Programs

Manchester Metropolitan University Information Security Strategy

SAMPLE REPORT. Business Continuity Gap Analysis Report. Prepared for XYZ Business by CSC Business Continuity Services Date: xx/xx/xxxx

AUDIT OF ICT STRATEGY IMPLEMENTATION

WHITE PAPER- Managed Services Security Practices

DEPARTMENT OF HEALTH and HUMAN SERVICES. HANDBOOK for

SUBJECT: PRESTO operating agreement renewal update. Committee of the Whole. Transit Department. Recommendation: Purpose: Page 1 of Report TR-01-17

AUDIT UNITED NATIONS VOLUNTEERS PROGRAMME INFORMATION AND COMMUNICATION TECHNOLOGY. Report No Issue Date: 8 January 2014

Deputy City Manager & Chief Financial Officer. P:\2015\Internal Services\CFO\ec15002cfo (AFS #21364)

North Carolina Visit and Assessment Tom Clarke Vice President for Research and Technology National Center for State Courts

HSCIC Audit of Data Sharing Activities:

4.2 Electronic Mail Policy

Figure 1: Summary Status of Actions Recommended in June 2016 Committee Report. Status of Actions Recommended # of Actions Recommended

Service Plan for Infrastructure Engineering

Subject: University Information Technology Resource Security Policy: OUTDATED

Business continuity management and cyber resiliency

The IDN Variant TLD Program: Updated Program Plan 23 August 2012

WELCOME TO ITIL FOUNDATIONS PREP CLASS AUBREY KAIGLER

Policy. Business Resilience MB2010.P.119

Information Technology General Control Review

OFFICE OF THE CIO MEMORIAL UNIVERSITY OF NEWFOUNDLAND A PRESENTATION FOR THE IM COMMUNITY

Internal Audit Follow-Up Report. Multiple Use Agreements TxDOT Office of Internal Audit

NORTH COUNTY CORRIDOR EXPRESSWAY TRANSPORTATION AUTHORITY. SUBJECT: Jacobs Engineering Contract; Task Order #2 and Task Order #3 Acceptance

Open Data Policy City of Irving

ANZSCO Descriptions The following list contains example descriptions of ICT units and employment duties for each nominated occupation ANZSCO code. And

HPE 3PAR Remote Copy Extension Software Suite Implementation Service

Global Statement of Business Continuity

University of Texas Arlington Data Governance Program Charter

12 Approval of a New PRESTO Agreement Between York Region and Metrolinx

<< Practice Test Demo - 2PassEasy >> Exam Questions CISM. Certified Information Security Manager.

LOUGHBOROUGH UNIVERSITY RESEARCH OFFICE STANDARD OPERATING PROCEDURE. Loughborough University (LU) Research Office SOP 1027 LU

FDIC InTREx What Documentation Are You Expected to Have?

CDISC Operating Procedure COP-001 Standards Development

Exam : A : Assess: Fundamentals of Applying Tivoli Storage Management V3. Title. Version : Demo

HIPAA RISK ADVISOR SAMPLE REPORT

Avoid a DCIM Procurement Disaster

PROJECT INITIATION DOCUMENT

Systems and software engineering Requirements for managers of information for users of systems, software, and services

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Unofficial Comment Form Project Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i)

Organizational Structure of the Toronto Environment Office

Manager, Infrastructure Services. Position Number Community Division/Region Yellowknife Technology Service Centre

Session 5: Business Continuity, with Business Impact Analysis

AUDITOR GENERAL S REPORT

Audit & Advisory Services. IT Disaster Recovery Audit 2015 Report Date January 28, 2015

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

SCHEME OF DELEGATION (Based on the model produced to the National Governors Association)

Memorandum of Understanding between the Central LHIN and the Toronto Central LHIN to establish a Joint ehealth Program

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

Urban Resilience Master Plan

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Federal Acquisition Service Authorized Federal Supply Schedule Price List

Archived Content. This content was archived on June 24, 2013.

Architecture and Standards Development Lifecycle

Single Academy Trust Structure

Master Information Security Policy & Procedures [Organization / Project Name]

Position Description IT Auditor

Appendix 3 Disaster Recovery Plan

Birmingham Community Healthcare NHS Foundation Trust. 2017/17 Data Security and Protection Requirements March 2018

Transcription:

APPENDI 2 ommendation () () 1. The City Manager in consultation with the Chief Information Officer give consideration to the establishment of an IBMS governance model which provides for senior management approval and prioritization of all IBMS related projects. The governance model follow the process recently established in relation to the development of SAP projects. An IBMS User Group currently meets every second month to discuss current updates to the system and to present new requests for consideration and future development. The prioritization of IBMS capital projects is done in the context of the limited budget allocation made to this system. Management agrees that a new IBMS governance model should be established. The new structure will ensure alignment with corporate priorities through regular reporting to the Business Advisory Panel. The Deputy City Manager of Cluster B, working with the Chief Information Officer, will establish an IBMS Steering Committee, with senior management representation from user divisions, by the end of Q2 2009. 2. The City Manager in consultation with the Chief Information Officer require that divisions identify business risks relating to the IBMS Information Technology System. The Chief Information Officer review all such risks and ensure strategies and processes are in place to address all such risks. Although no specific security risks or breaches were identified in the audit, management agrees that it is important that divisions identify and assess potential risks and develop plans to address these risks. The Deputy City Manager of Cluster B, together with the Chief Information Officer, will work with the divisions using IBMS to document associated business risks by the end of Q4 2009. This will be followed by the development of an action plan to address the risks. Page 1 of 7

APPENDI 2 ommendation () () 3. The City Manager in consultation with the Chief Information Officer and divisions develop IBMS performance measures. Such measures be used to monitor ongoing performance. Where performance does not meet such measures corrective action be taken. Management agrees that performance measures should be developed for IBMS in two key areas: System performance Service delivery to business users work with divisions using IBMS to develop relevant system performance and service delivery performance measures by the end of Q4 2009. This will be done in connection with the development of Service Level ments with each client division in ommendation 5 below. The Deputy City Manager of Cluster B, together with the Chief Information Officer, will work with divisions using IBMS to develop Business Continuity Plans that align with the Corporate Disaster overy Plan. As noted in the response to ommendation 2 above, business risks will be identified by Q4 2009. The development of Business Continuity Plans will be completed by Q2 2010. 4. The City Manager and Chief Information Officer as part of the IBMS governance process give priority to the development of IBMS business continuity plans. Such plans should include disaster and recovery planning. The I & T Division already has a master plan in place that was approved by the Audit Committee for an overall Disaster overy Plan for the City s IT assets. This plan has already been aligned with the Cluster B Disaster overy Plan developed in 2008. The I&T Division s Disaster overy Plan, which includes IBMS, is scheduled to be operational in 2010. In the period until implementation, the IBMS database is backed-up nightly on tape drives which are transported daily to an off-site location. Business Continuity Plans developed by IBMS-user divisions will be aligned with the Corporate Disaster overy Plan. Page 2 of 7

APPENDI 2 ommendation () () At the present time, until formal Business Continuity Plans are developed, if an unexpected system failure occurred, divisions using IBMS would revert to a paper-based system for capturing information until IBMS comes back online for staff use. IBMS would then be updated for any manual transactions that occurred. 5. The City Manager in consultation with the Chief Information Officer develop and formalize service level agreements for information technology services provided to City Divisions by the Information and Technology Division. 6. The City Manager in consultation with the Chief Information Officer review current levels of training available to IBMS users, and solicit input from divisional users in relation to training effectiveness. Deficiencies in regard to training identified by users be appropriately addressed. Management agrees that formal service level agreements between the I& T Division and client divisions are desirable. The implementation of the new IT governance structure across the City includes the establishment of Service Level ments (SLAs). The IBMS training team has received generally positive feedback from client divisions on its training initiatives. However, management recognizes that a limited budget for IBMS training has resulted in some issues as raised by client divisions. develop SLAs with user divisions as part of the IT Transformation Implementation. initiate a process to obtain feedback and input from IBMS user divisions on current training initiatives by the end of Q3 2009. The Chief Information Officer will develop a plan to address any deficiencies. Page 3 of 7

APPENDI 2 ommendation () () 7. The City Manager in consultation with the Chief Information Officer develop and implement a change management protocol for IBMS. Such a protocol take into account the SAP change management protocol. IBMS reports for user divisions are produced and changed at the request of user divisions, but formal approval of the completed changes to reports is not always provided. Management agrees that a more formal change management protocol for IBMS should be developed. develop a new draft change management protocol for IBMS by the end of Q4 2009. The draft change management protocol will be implemented during Q1 2010, with review and evaluation occurring before the end of 2010. 8. The City Manager in consultation with the Chief Information Officer develop security plans, standards and related staff responsibilities for managing and overseeing IBMS security. Although the audit didn t identify any security breach of IBMS, management agrees that more formalized security plans, standards and staff responsibilities should be developed. review existing security plans, standards and responsibilities for IBMS by the end of Q3 2009. Plans to address any gaps will be developed by the end of Q4 2009. A new formal IBMS security plan will be prepared by the end of Q1 2010. Page 4 of 7

APPENDI 2 ommendation () () 9. The City Manager in consultation with the Chief Information Officer be required to conduct periodic reviews of current IBMS user security to ensure access is compatible with user roles. Such review should also include an analysis of the last date of use. Dormant users should be eliminated from system access. 10. The Chief Information Officer develop formal written procedures for granting, changing or removing IBMS user access. 11. The City Manager and Chief Information Officer develop as a priority an electronic interface between IBMS and the City s SAP Financial System. Such an interface would reduce the requirement for manual analysis and processing. Management agrees with this recommendation. The IBMS Security Team has already implemented the practice of regularly reviewing IBMS users for periods of inactivity of greater than 6 months. n-active user accounts are de-activated. In addition, the IBMS Security Team is already providing the business divisions with user access reports for their review and response. However, this activity was not previously done on a regular schedule. Management agrees with this recommendation. Management agrees with the need to develop an electronic interface between SAP and IBMS. There is the opportunity to eliminate hundreds of journal entries each year if IBMS and SAP were linked electronically. Discussions between divisional management and corporate I & T staff on this matter have occurred over The Deputy City Manager of Cluster B working with the Chief Information Officer will ensure that the regular review of IBMS user access rights and user activity is occurring and that inactive users are removed from the system and incorrect access rights are corrected. prepare draft written procedures for granting, changing or removing IBMS user access by the end of Q3 2009. The draft procedures will be reviewed and approved by the IBMS Steering Committee by the end of Q4 2009. The Chief Information Officer and the Deputy City Manager for Cluster B will define the scope of work required to build an IBMS/SAP interface and present this material at the IBMS and SAP Steering Committees for prioritization by the end of Q4, 2009. Page 5 of 7

APPENDI 2 ommendation () () the past 5 years, but the project has not proceeded to date due to other corporate priorities. Management agrees that the scope of work to develop the interface should be defined and prioritized in relation to the other business and IT priorities in the City. 12. The City Manager in consultation with the Chief Information Officer and City Clerk review the record retention policy for all IBMS related records. Such a review include the establishment of policies and procedures for archiving IBMS records. Management agrees with this recommendation. The Deputy City Manager Cluster B will work with the ords and Information Management section of the City Clerk s Division to review the records retention policies for information that is contained in IBMS by the end of Q4 2009. In consultation with the Chief Information Officer, a new records retention policy for IBMS will be developed by the end of Q2 2010. Page 6 of 7

APPENDI 2 ommendation () () 13. The Chief Information Officer obtain a copy of the System source code for the current release of the System software and ensure future releases are accompanied with System software under the terms of the agreement. obtain a copy of the current system source code by the end of Q3 2009 and will ensure that future releases are accompanied by system software under the terms of the agreement. 14. The Chief Information Officer conduct a review of related System users in the City and its Agencies, Boards and Commissions and update the existing software maintenance contract as required. IBMS is built on software called Amanda that is also used by other City divisions. This recommendation relates to divisions using other Amanda based systems. review situations where divisions use Amanda based systems and will update software maintenance agreements where necessary and feasible. 15. The City Manager ensure staff from business units perform the procedure for revising service fees maintained in IBMS and that the process be appropriately documented. Management agrees that the process for revising service fees in IBMS should be consistent, formalized and documented. work with divisional management teams to implement a new process to revise fees in IBMS. The new process will be established by the end of Q4 2009. Page 7 of 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback