Disa Project Team 5 Mobile Computing
DISA 2.0 Course
Table of Contents
Project Report
Project Problem
Project Report (solution)
Auditee Environment
Assessment of Company’s Existing Policies & Practices
Evaluation of Technology Infrastructure of the Company
Evaluation of HR Policy, Access Policy, Security Requirements and
Customer Deliverables
Background
Situation
Summary/Conclusion
Project Report
PROJECT REPORT ON
A. Project Problem
Radisson Ltd is a global Indian IT Solutions provider with development
centres in India and marketing offices across USA, Asia and Europe. It
has more than 15,000 employees. It offers both standard and
customized products and services to its customers. The company has
highly skilled professionals who are in great demand in the highly
competitive market. The HR department has recently enforced a strict
attendance policy which requires mandatory physical presence at the
office premises for a specified number of hours. This has resulted in
increasing discontent among the employees.
This report covers the use of Mobile Computing Devices in the
organisation, along with the benefits that the organisation will achieve, the
risks that the organisation will face and the change in its working style,
which are discussed later in the report. It also includes guidance and
recommendations based on the actions and best practices which the
organisation can implement to achieve the best results.
(It is assumed that Radisson Ltd is a fully IT-infrastructure-based company
that does not use mobile computing for some reason.)
Auditee Environment
(source:https://www.annese.com/blog/how-to-create-your-it-security-policy)
computer hardware
platforms
(Source: https://paginas.fe.up.pt/~als/mis10e/ch5/chpt5-bullettext.htm)
To integrate organisational goals and the IT resources of the organisation
such as hardware and virtual resources, the organisation has implemented
ISO 38500 which includes COBIT 5 framework to fulfil IT governance
responsibilities while delivering value to the business.
While evaluating the policies, it was observed that the organisation has
attempted to achieve transparency about its activities and has
established accountability, so that a person can be held responsible for any
cause that adversely affects the organisation.
The policy states that only authorised users are granted access to
information systems, and users are limited to specific defined, documented
and approved applications and levels of access rights. For this purpose, the
organisation has given limited rights as per the user level which is achieved
via user IDs that are unique to each individual user to provide individual
accountability.
This policy affects all employees of the organisation and all contractors, vendors,
consultants, temporary employees and business partners. Employees who
deliberately violate this policy will be subject to disciplinary action up to and
including termination.
Any user (remote or internal) accessing the networks and systems of the
organisation must be authenticated. The level of authentication implemented
by the organisation includes, but is not limited to:
- Automatic log off
- Unique user identifier
- The following, installed wherever required:
  - Biometric authentication
  - Password
  - Personal Identification Number
  - Telephonic call back procedure
  - Token
The organisation has implemented system access controls based on
data classification to ensure that data is not improperly disclosed, modified,
deleted or rendered unavailable. The organisation has put in place limiting
user access controls, wherein the user logon scripts, menus, session
managers and other access controls limit the user to only those applications
and functions for which they have been authorised. Users are
granted information on a need-to-know basis.
Deliverables are the outcome or the result of an activity involving mental or
physical effort by the organisation. Deliverables are the products, services
and results that a project produces. The deliverables of IT companies are
their software and the source code they produce. This organisation develops
both customised and non-customised software. It has developed a
policy on how customers are to be kept satisfied and how products are developed
according to their requirements and within the time limit specified by them.
Some of the products of the organisation are complex, and therefore it
also imparts training to the customer’s employees and gives an idea of
how to work with the products. The organisation also provides support services
to its customers 24 x 7 for the problems they face while working with the
product.
Background
Radisson Ltd is a global IT solution provider with marketing offices across
USA, Asia and Europe, and because of this the company has a large
employee base working from outside India. Due to the strict attendance policy of
the HR department, the employees of the organisation are unable to give
their best and therefore the customer deliverables are impacted. In order to
provide good deliverables and regular support for its products and services,
the company has decided to explore the option of Mobile Computing.
Situation
There has been an increase in employee turnover, and HR has identified that
one of the reasons for this is the strict office timings which are implemented
by the company. As the productivity of the highly skilled workers can be
assessed based on the project plan and deliverables, the management
has decided to explore the option of using mobile computing to increase
employee productivity and offer employees the convenience of working from
any location.
Auditee team
Infrastructure Required
It will be necessary for Radisson Ltd to appoint one coordinator who will be
part of the discussion on the work plan initially and continue to work with
the ARA team till the assignment is complete. Radisson Ltd will make
available the necessary computer time, software resources and support
facilities necessary for completing the assignment within the agreed
timeframe. The conduct of the assignment should be adequately
communicated to the required personnel so as to facilitate extensive
co-operation from the respective personnel. During the course of the
assignment, we will require the following infrastructure.
Facilities for discussions amongst our team and your designated staff.
Documentation Required
User Manuals and Technical Manuals relating to System Software and SAP
Organisation chart outlining the organisation hierarchy and job
responsibilities
Audit Approach
Application of COBIT® for formulating IT best practices for the policy and
procedures of Radisson Ltd
Audit plan
Systems\Implementation Team
3. Review how each module in the system has been tested including the
documentation prepared in respect of each.
5. Understand the business processes and review how these have been
mapped in the information systems by tracing the modules with a top down
approach.
8. Review the in-built controls for stored data so as to ensure that only
authorised persons have access to data on computer files.
9. Review the controls established which ensure that all transactions are
input and accepted for further processing and that transactions are not
processed twice.
11. Review the procedures established for back-up and recovery of files in
the package.
Mobile Device refers to a wide range of devices that allow people to access
data and information from anywhere at any time, from those that fit into the
pocket to laptops that can help to stay connected. Mobile devices include cell
phones and other portable devices. The devices that can be used in Mobile
Computing include:
- Laptops
- Smartphones
- Tablets
- Wearable Computers.
Mobile devices can be connected to a Local Area Network (LAN) or they can
take advantage of Wireless Fidelity (Wi-Fi) by connecting via a wireless local
area network (WLAN), which includes benefits such as:
(source - http://www.industryweek.com/companies-amp-executives/five-reasons-why-mobile-computing-accelerating-organizations)
1. Increase in productivity:
Mobile devices can be used out in the field of various companies,
therefore reducing time and cost. Due to the increase in productivity,
the revenues of the organisation may increase.
2. Portability:
This is the main advantage of Mobile Computing, as there is no
restriction to one location in order to have access to the organisation's
data and information, and the organisation can have higher revenues.
3. Storage:
Smartphones and tablets contain inbuilt storage and can help in
storing various files.
1. Connectivity Issues:
Mobile devices require either Network Connectivity or Wireless
Connectivity. If these networks are not available the access to the
database of the organisation will be broken.
2. Security Concerns:
The security of wireless communications is more easily compromised
than wired communication. This is further complicated if users are
allowed to cross security domains.
- There are many types of malware that can provide people with
malicious intent the ability to obtain sensitive data stored on a device.
Protecting data can be more of a problem if one makes the mistake of
loading sensitive organizational information on it. Users need to be
aware that they are responsible for protecting the device, preventing
physical tampering, setting security-specific features, and avoiding
supply chains that provide compromised or unsecure mobile devices.
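Risk matrix (rows: PROBABILITY; values: the rating under each of the three SEVERITY columns, left to right)
- PROBABILITY LOW (This risk has rarely been a problem and never occurred): LOW | MEDIUM | MEDIUM
- PROBABILITY MEDIUM (This risk will MOST LIKELY occur at this event): LOW | MEDIUM | HIGH
- PROBABILITY HIGH (This risk WILL occur at this event, possibly multiple times, and has occurred in the past): MEDIUM | HIGH | HIGH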
Draft Policy
Purpose
Scope
The policy sets standards for the purchase, operation, and support of Mobile
Computing Devices for Radisson Ltd employees. This includes any type of
portable or handheld computing device capable of transmitting packet data
either directly or via connection to another network service (e.g. Wi-Fi
hotspot or cellular service).
Overview
Company Policy
The use, purchase and replacement of cell phones are governed by the “Voice
Communications Devices” policy and the Cell Phone Allowance Policy.
Services
Data stored on mobile devices is often at more risk than data stored
on desktop computers or network shares due to the public
environments that the devices can be used in and their risk of being
lost or stolen. Hence, confidential organisation data must not be
stored on mobile computing devices. In addition, all data stored on
mobile computing devices should be backed up regularly. Due to the
diversity of devices available, security and backups are the
responsibility of the employee.
The IT Service Desk will not visit a member of staff’s home to fix faulty
network issued equipment. Following a call to the IT Service Desk, any
mobile IT equipment requiring repair should be delivered to one of the
HQ buildings.
The IT Support Desk will provide, to the best of its ability, connectivity
support to the organisation's network for all Mobile Computing Devices
that meet the organisation's network standards. Instructions and
assistance will be provided for access to the organisation's email on the
device. Access to the organisation's software and services cannot be
guaranteed; however, selecting devices with a full web browser
experience will increase the likelihood of future service availability.
Summary/Conclusion