
Sarbox, ITIL, Documentation and User management processes...


On a recent visit to a very large site, they stated that they were Sarbanes Oxley complaint, and that it was an enormous Pain In the Ass to update the damned documentation, to such an extent that it seriously prevented them from overhauling processes. Life was just too short.

Which then leads me to this rather interesting idea. Our product, FirM, is a user and group proxy administration tool for Lotus Domino, Active Directory and BlackBerry. Only one of our customers (so far) is Sarbox, and a number of potential customers are ITIL or Sarbox compliant. And a big issue is that our software is complex, and it's a complete PITA to document stuff, especially if we add new features, change screens, etc.

Which brings me to the point (finally) of this post. What kind of documentation would someone want to spit out of an automated User ID provisioning, group resource managing, proxy administration system? Something suitable to slay the dragon of the Sarbox guys? And would you want it to be flexible, so that you could add stuff to it? It would be very useful to see pointers on what folks have already done, or to some standards based stuff, so I could understand the level required...

Comments

Gravatar Image1 - SOX compliance quite often relies on CoBIT ({ Link }) for IT process governance. That might be the best place to have a look.

Gravatar Image2 - Bill, you probably also want to consider validation in that too; all Pharmas need validation for systems which deal with patient data and security. AD normally has to fit in with validation. Look up 21 CFR Part 11.

What it comes down to is four things.

Process and SOP. Having the right documentation which tells you what to do and the right process with which to do the work, i.e. change request -> authority to execute -> execution log -> close request.

Secondly it's about audit trail and confirmation. What was changed by whom, when and what the original data was.

Thirdly it's about security and anti-tamper, i.e. the processes are carried out by whomever you said it was and authorised by whomever it said it was, and were not changed between time of creating, logging and reading.

Finally, you'll gather it's a shedload of information you are generating. Therefore you need to be able to archive the logs and audit trails in such a way that they can be rebuilt and "traced" in the event of an audit.

Hope this helps.
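The audit trail, anti-tamper and archive points above can be combined in one record format, shown here as an added example (not code from the commenter, from FirM or from any standard): each provisioning change records who did it, who authorised it, when, under which change request, and the original value, and every record carries a SHA-256 hash of itself plus the previous record's hash, so an edited or deleted archive entry fails verification. Field names, the hash scheme and the sample changes are constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace

@dataclass(frozen=True)
class AuditRecord:
    """One provisioning change: who, what, when, on whose authority, plus the original data."""
    change_request: str   # ticket that granted authority to execute
    actor: str            # who carried out the change
    authorised_by: str    # who approved it
    timestamp: str        # ISO 8601, UTC
    target: str           # user or group that was changed
    attribute: str
    old_value: str        # original data, needed to trace and roll back
    new_value: str
    prev_hash: str        # hash of the preceding record; "" for the first
    record_hash: str = ""

def _digest(rec: AuditRecord) -> str:
    # Canonical JSON (sorted keys, own hash excluded) so a record always hashes the same.
    body = {k: v for k, v in asdict(rec).items() if k != "record_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append(log: list, **fields) -> AuditRecord:
    """Append a record chained to the current tail of the log."""
    rec = AuditRecord(prev_hash=log[-1].record_hash if log else "", **fields)
    rec = replace(rec, record_hash=_digest(rec))
    log.append(rec)
    return rec

def verify(log: list) -> int:
    """Index of the first record whose content or link to its predecessor fails; -1 if intact."""
    prev = ""
    for i, rec in enumerate(log):
        if rec.prev_hash != prev or rec.record_hash != _digest(rec):
            return i
        prev = rec.record_hash
    return -1

def demo() -> tuple:
    """Constructed sample: two changes, then an edit of the archived first entry, then its deletion."""
    log = []
    append(log, change_request="CR-1042", actor="jdoe", authorised_by="asmith",
           timestamp="2007-03-01T09:15:00Z", target="CN=Finance Users",
           attribute="member", old_value="", new_value="CN=Bob Jones")
    append(log, change_request="CR-1043", actor="jdoe", authorised_by="asmith",
           timestamp="2007-03-01T09:20:00Z", target="CN=Bob Jones",
           attribute="mail", old_value="bob@old.example", new_value="bob@new.example")
    edited = [replace(log[0], actor="someone_else"), log[1]]
    return verify(log), verify(edited), verify(log[1:])   # (-1, 0, 0)
```

Archiving the records with their hashes (and the last hash somewhere the administrators cannot write) is what lets an auditor rebuild and trace the trail later.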

Gravatar Image3 - Och Bill, what a wonderful slip:
'Sarbanes Oxley complaint'

ROFL!

Gravatar Image4 - Ah. I thought about correcting it, but I thought *not*.

Neil. After working for a Pharma, I thought I'd exclude them without a trillion dollar surcharge for putting up with the crap that's generated by Government in their industry. Like everyone else there.

---* Bill

Gravatar Image5 - Quote from a particular Pharma Validation training course.

"Validation is a Tree Killing pain in the ass".

I concur.

Gravatar Image6 - New Star provides sales, process consulting, configuration and training for the ITSM suite of applications BMC Remedy, HP Service Desk from Service-now.

