New Methodology For PPE 03
IT Resources
Hardware & Operating System
Software
Network Communication
People
Data
Information Criteria
To Judge IT Performance:
Confidentiality / Security
Integrity
Availability & Reliability
Effectiveness & Efficiency
Compliance
Information Criteria
Confidentiality / Security
concerns the protection of sensitive information from unauthorized disclosure.
Integrity
relates to the accuracy and completeness of information as well as to its validity
in accordance with business values and expectations.
Availability & Reliability
relates to information being available when required by the business process
now and in the future. It also concerns the safeguarding of necessary resources
and associated capabilities.
Effectiveness & Efficiency
deals with information being relevant and pertinent to the business process as
well as being delivered in a timely, correct, consistent and usable manner. It also
concerns the provision of information through the optimal (most productive and
economical) use of IT resources.
Compliance
deals with complying with those laws, regulations and contractual arrangements
to which the business process is subject.
IT Resources
1. Data
1.1. Current Account
1.2. Saving
1.3. Time Deposit & CoD
1.4. Loan
1.5. Credit Card
1.6. CIF
2. People
2.1. Programmer
2.2. Project Manager
2.3. Operation Manager
2.4. Operation Do-er
3. Facilities
3.1. Building
3.2. UPS
3.3. Generator
3.4. AC
3.5. Extinguisher
4. Application
4.1. SIBS
4.2. Middleware
4.3. Mosaic
4.4. ATM
4.5. NPA
4.6. NA
4.7. NG@
4.8. Equation
4.9. Eximbills
4.10. Efficient
4.11. RTGS
4.12. SWIFT
4.13. SAP
4.14. SQL Database
5. Technology
5.1. AS/400
5.2. PC Server (Data Center)
5.3. Network Device
5.4. Internal Network Connection
5.5. External Network Connection
5.6. Security Device
5.7. Branch Server
5.8. ATM
5.9. Printer
[Diagram: audit cube with three axes. Information Criteria: Confidentiality/Security, Integrity, Availability & Reliability, Effectiveness & Efficiency, Compliance. IT Resources: Data, Technology, Facilities, Application System, People. IT Processes: Processes, Sub Processes, Activities.]
Auditable Unit/ Object
ITOG
ISDG
EDSG
OPRG
CSM
Pacomnet
Infomedia Nusantara
Data Integrity
Process / auditable unit matrix (columns: ITOG, ISDG, CSM, EDSG, OPRG, IN, Pacomnet, Data Integrity):
1. IT PLANNING & ORGANIZING
1.1. Determine IT Strategic Plan
1.2. Determine IT Architecture
1.3. Manage Human Resources
1.4. Assess Risk
1.5. Determine IT Policy & Procedures
1.6. Manage IT Investment
1.7. Manage IT Quality
2. DATA CENTER MANAGEMENT
2.1. Console Operation
2.2. Backup Activity
2.3. Physical Security
2.4. Problem Handling
2.5. Manage Data
2.6. Housekeeping/Purging
3. MANAGE INFRASTRUCTURE
3.1. Manage Hardware
3.2. Manage Network & Communication
3.3. Manage PC & End User Computing
3.4. Contingency Planning
3.5. Manage IT Environment
3.6. Manage Internet & Intranet Facilities
4. ACQUISITION & IMPLEMENTATION
4.1. Hardware Acquisition
4.2. Software Acquisition
4.3. Manage Outsource Solution
5. DATA INTEGRITY
5.1. Current Account
5.2. Saving
5.3. Time Deposit & CoD
5.4. Loan
5.5. Credit Card
5.6. CIF
Judging Methods:
On Site Inspection:
• Risk Assessment
• SAQ
• Audit Program
• Fieldwork
• Report
Off Site Monitoring (monthly):
Reports reviewed:
• SLA Report
• Help Desk Report
• RQM Report
• Program Installation Report
• Operating Plan Report
• Project Report
• Internal Memo
• Meeting Minutes
• Etc
Output: Executive Summary, Significant Issue, Significant Finding
Areas covered:
• Data Center Management
• Manage Infrastructure
• System Development
• Etc
Residual Risk of IT
Key Performance Indicator matrix (rows: processes; columns: Confidentiality & Security, Integrity, Availability & Reliability, Effectiveness & Efficiency, Compliance, Off Site Monitoring, On Site Inspection):
• IT Planning & Organizing
• Computer Operation
• System Development
• Manage Infrastructure
• Project Management
• Technology
• Application
• People
Rating sheets per process (columns: Confidentiality & Security, Integrity, Effectiveness & Efficiency, Compliance, OVERALL):
IT Planning & Organizing
Computer Operation
• Console Operation
• Back up Activity
• Physical Security
• Logical Security
• Problem Handling
• Manage performance & Capacity
• Program Installation
• Manage service availability
• Manage Supporting peripherals
System Development
• Define SOR
• Feasibility studies
• System analysis & design
• Internal program development
• Manage Third Party Program Development
• System integration test
• Manual development (UIM)
• Training
• UAT
• Conversion
• System implementation / Change Management
• Procurement & acquisition
• Technical documentation
Manage Infrastructure
• Manage 3rd Party Service (Network Service Provider & Hardware Vendors)
• Capacity Analysis
• Manage Intranet Facilities
• Procurement & Acquisition
• Contingency Plan
• Installation Management
• Manage user-id & ip address
• Manage network security
Project Management
• Project Initiation
• Time Management
• Resources Management
• Controlling & Reporting
Resources (columns: Confidentiality & Security, Integrity, Availability & Reliability, Effectiveness & Efficiency, Compliance)
• Hardware & Operating System
• Software
• Network
Detailed rating grids, one per sub-process (columns: Confidentiality & Security, Integrity, Effectiveness & Efficiency, Compliance, OVERALL; rating scale: Excellent, Good, Fair, Poor, Very Poor, Not Applicable):
IT Planning & Organizing
• Determine IT Strategic Plan
• Determine IT Architecture
• aims & directions
• Manage human resource
• external requirement
• Assess risk
• Determine IT Security Policy
• Strategy
Computer Operation
• Console Operation
• Back up Activity
• Physical Security
• Logical Security
• Problem Handling
• Manage performance & Capacity
• Program Installation
• Manage service availability
• Manage Supporting peripherals
System Development
• Define SOR
• Feasibility studies
• System analysis & design
• Internal program development
• Manage Third Party Program Development
• System integration test
• Manual development (UIM)
• Training
• UAT
• Conversion
• Change Management, criteria:
Existence of tools for performing change management.
A standard security setup for the change management tools, especially regarding user authority.
Separation of access between development, UAT and production staff.
An approval mechanism for installing programs/object files, from the development stage through system/program changes up to production.
Detailed handling steps to be taken if implementation fails (fall back procedure / contingency plan), and an implementation strategy such as piloting or parallel run.
Internal controls to ensure that the changes/developments made are correct and that distribution is done correctly, in an integrated way and at the right time, including a change log that serves as an audit trail for tracing back.
• Procurement & acquisition
• Technical documentation
Manage Infrastructure
• Manage 3rd Party Service (Network Service Provider & Hardware Vendors), criteria:
Inclusion of a non-disclosure agreement clause in the cooperation agreement.
Application of an SLA to the third party, with its achievement always monitored periodically; the SLA contains clear and easily measured penalty provisions.
An adequate problem handling mechanism is in place.
A contingency procedure / backup is in place.
A cooperation agreement (PKS) approved by both parties that has received a legal opinion.
Tendering is carried out consistently each time third-party services are to be used.
A Maintenance Agreement exists for purchased equipment.
• Capacity Analysis
• Manage Intranet Facilities
• Installation Management
• Procurement & Acquisition
• Contingency Plan
• Manage user-id & ip address
• Manage network security
Project Management
• Project Initiation
• Time Management
• Resources Management
• Controlling & Reporting
Resources
• Software
• Hardware & Operating System
• Network
Summary rating sheets (columns: Confidentiality & Security, Integrity, Effectiveness & Efficiency, Compliance, OVERALL; rating scale: Excellent, Good, Fair, Poor, Very Poor, Not Applicable):
Computer Operation
• Console Operation
• Back up Activity
• Physical Security
• Problem Handling
• Manage performance & Capacity
• Program Installation
• Manage service availability
• Manage Supporting peripherals
Offsite Monitoring:
System Development
• Define SOR
• Feasibility studies
• System analysis & design
• Internal program development
• Manage Third Party Program Development
• System integration test
• Manual development (UIM)
• Training
• UAT
• Conversion
• System implementation / Change Management
• Procurement & acquisition
• Technical documentation
Manage Infrastructure
• Manage 3rd Party Service (Network Service Provider & Hardware Vendors)
• Capacity Analysis
• Manage Intranet Facilities
• Procurement & Acquisition
• Contingency Plan
• Installation Management
• Manage user-id & ip address
• Manage network security
Project Management
• Project Initiation
• Time Management
• Resources Management
• Controlling & Reporting
Nowadays Big Projects:
• SICS
• Dual Data Center
• FAPG
• Loan Origination, etc
Additional Offsite Report:
• Status Achievement
• Constraints & Action Plans
• Project Changes (Scope, Time Frame, etc)
• Audit Point of View (Risk, Impact, etc)
Software, Hardware, & Network rating sheet (columns: Confidentiality & Security, Integrity, Effectiveness & Efficiency, Compliance):
• Software
• Hardware & Operating System
• Network
Strategic Issues:
Major Changes to IT Architecture / IT Blue Print