cobit 22-23

Develop and Report Overall Conclusion and Recommendations

The substantiated risk of the control weaknesses must be communicated to the different stakeholders of the assurance initiative. The assurance professional should document any identified control weaknesses and resulting threats and vulnerabilities, and identify and document the actual and potential impact. In addition, the assurance professional may provide comparative information, e.g., through benchmarks, to establish a reference framework in which the test results ought to be evaluated. The objective is to identify items of significance to be able to articulate to the stakeholder the recommended actions and reasons for taking action.

This phase includes aggregating the results of the previous phases, developing a conclusion concerning the identified control weaknesses and communicating:

• Recommended actions to mitigate the impact of the control weaknesses

• Performance comparison to standards and best practices for a relative view on the results

• The risk associated with a failure to perform the process effectively

The formulated conclusion and recommendations should allow the responsible party to take further steps and remedial actions. When the assurance initiative is performed within an assurance context, the assurance professional needs to be mindful of formal assurance communication and comply with assurance reporting standards and guidelines.

EXAMPLES OF THE USE OF DETAILED ASSURANCE STEPS

The following sections provide illustrative examples of how the assurance testing steps could be applied.

Testing of Control Design

Situation: General computer controls review in a transaction processing organisation; assessment of the COBIT process AI6 Manage Changes; COBIT control objective AI6.2 Impact assessment, prioritisation and authorisation

Observations: For the selected systems (e.g., application, platform or network), the assurance professional inventoried the types of changes that can be implemented, procedures (formal or informal) currently in place, all parties involved in the change management process, tools used, etc. This was done through interviews with involved persons and enquiries for documented procedures. The result of this work was a comprehensive and correct flowchart of the change management process.

The assurance professional reviewed the identified process flow to determine whether there was a step defined in the procedure to assess the impact of a change by a competent person or group of persons. The assurance professional observed that the template for requesting and approving changes included a section on impact assessment. However, the change management procedure did not mention that this information is mandatory, and the absence of this information did not lead to a rejection of the change request. In addition, the procedure did not mention any documentation standards or required verification and approval steps for the impact assessment.

Test Result: The design of this control is flawed, because a fundamental component of the control, i.e., impact assessment, is incomplete at best. It is possible that changes are implemented without proper risk assessment, which can lead to unplanned and difficult-to-contain operational disruptions or malfunctions.

Testing for the Effectiveness of the Control

Situation: General computer controls review in a transaction processing organisation; assessment of the COBIT process AI6 Manage Changes; COBIT control objective AI6.3 Emergency changes

Observations: As part of the evaluation of the control design, the assurance professional identified that, for all relevant change management procedures, there is a control defined to help ensure that emergency change requests are reintroduced into the normal change management cycle. In addition, the assurance professional found that there is a procedure that ensures that all emergency changes are appropriately logged in a change management tool.

As part of the control effectiveness testing, a sample of emergency change requests was selected from the change management tool and traced to their reintroduction as normal changes. This tracing included verification of whether the emergency change was actually introduced again as a normal change and whether it was processed following the normal change management procedure.

The assurance professional observed that from the sample of 25 emergency changes selected, three were not subsequently reprocessed as normal changes. In addition, the assurance professional found that from the 22 emergency changes that had been duly reintroduced, only 10 were discussed at the change management board, or at least that there was a trace available that indicated that the 10 changes were discussed (trace included information stored in the change management tool).

Test Result: The emergency change procedure is not effective for two reasons:

• Not all emergency changes are reintroduced in the system, leading to a risk of losing emergency changes from sight and not learning from them.

• Emergency changes that have been reintroduced are most likely inadequately discussed and documented, leading to the same risk.

Documenting the Impact of Control Weaknesses

Situation: General computer controls review in a transaction processing organisation; assessment of the COBIT process AI6 Manage Changes; COBIT control objective AI6.3 Emergency changes

Observations: Using the situation as described, the assurance professional needed to gain additional information and perform further analysis to assess and document the impact of the control weaknesses. For the aforementioned examples, the assurance professional needed to consider the types and numbers of changes affected by the control weaknesses.

Some of the required information might/should already be gathered at the planning stage. This information should be used to evaluate the materiality of the weaknesses noted. Notably, the changes affected should be mapped back to the relevant infrastructure components and the applications/information they support/process. In addition, SLA penalties might apply. Analysis of problems noted in the past can help establish the real potential impact of the weaknesses noted.

In this case, it turns out, after discussion with the responsible change manager and confirmation with other change management board members, that the missing emergency changes relate to non-critical systems, and that the missing documentation was only a documentation issue, whereas the actual change, its cause and consequences had, indeed, been discussed but were not formally documented.

Test Result: Although the control weaknesses remain as they have been observed, further analysis and documentation showed that the weaknesses were of a lesser importance than originally assessed.

CONCLUSION

An assurance initiative involves three phases. First, the assurance professional must develop a plan that identifies the assurance universe and uses an appropriate IT control framework to identify the assurance objectives based on a high-level risk assessment. Second, the initiative must be scoped through a top-down analysis that identifies the business goals to be examined and the IT goals that support those business goals, then identifies the IT processes and resources necessary to accomplish the IT goals and the key control objectives that must be accomplished for those processes to function effectively. Third, the initiative must be executed by refining understanding of the key control objectives within the assurance universe, evaluating the design and operational effectiveness of control procedures that address key control objectives, evaluating the impact of any deficiencies that come to light, and communicating findings and recommendations to stakeholders.

El vasco de la carretilla

I am recovering a few words from El vasco de la carretilla.

To live the hidden rhythm of the open

fields full of sun.

The emotion of the Argentine land,

full of generosity.

This is my goal.

No one can take away from me the joy

of being master of my own destiny

(Guillermo Larregui, 17 August 1938)

The 2.0 candidates – Elections – Governor of Córdoba 2011

I was listening on Cadena 3 to a commentary about campaigns on the 2.0 web, and I was struck by the low numbers they reported. I don't know where they got that data, so this afternoon I set about checking it. As of today, the close of the campaign, these are the figures taken from Facebook and Twitter.

Aguad, Oscar – Unión Cívica Radical
FB – Page: 4151
FB – User: 5004
Twitter: 2666
Agüero, Jorge – Concentración Popular
FB – Page: –
FB – User: –
Twitter: –
Baldata, Griselda – Coalición Cívica – ARI
FB – Page: 64
FB – User: 2417
Twitter: 340
De la Sota, José Manuel – Unión por Córdoba
FB – Page: 11736
FB – User: private
Twitter: 1501
Delich, Francisco – Concertación Vecinal Es Posible
FB – Page: –
FB – User: 60
Twitter: –
Fernández, Eduardo – Nuevo Encuentro
FB – Page: –
FB – User: 896
Twitter: 36
González Olguín, Eduardo – Frente de Unidad Popular y Humanista
FB – Page: 62
FB – User: 614
Twitter: –
Juez, Luis – Frente Cívico
FB – Page: 5744
FB – User: several profiles
Twitter: 21778
Salas, Eduardo – Frente de Izquierda y de los Trabajadores
FB – Page: –
FB – User: 904
Twitter: 143
Sella, Enrique – PAIS
FB – Page: 26
FB – User: 433
Twitter: 197
Vittar, Miguel – Partido Intransigente
FB – Page: –
FB – User: 69
Twitter: –

Useful HACMP commands

  • clstat – show cluster state and substate; needs clinfo.
  • cldump – SNMP-based tool to show cluster state.
  • cldisp – similar to cldump, perl script to show cluster state.
  • cltopinfo – list the local view of the cluster topology.
  • clshowsrv -a – list the local view of the cluster subsystems.
  • clfindres (-s) – locate the resource groups and display status.
  • clRGinfo -v – locate the resource groups and display status.
  • clcycle – rotate some of the log files.
  • cl_ping – a cluster ping program with more arguments.
  • clrsh – cluster rsh program that takes cluster node names as arguments.
  • clgetactivenodes – which nodes are active?
  • get_local_nodename – what is the name of the local node?
  • clconfig – check the HACMP ODM.
  • clRGmove – online/offline or move resource groups.
  • cldare – sync/fix the cluster.
  • cllsgrp – list the resource groups.
  • clsnapshotinfo – create a large snapshot of the HACMP configuration.
  • cllscf – list the network configuration of an HACMP cluster.
  • clshowres – show the resource group configuration.
  • cllsif – show network interface information.
  • cllsres – show short resource group information.
  • lssrc -ls clstrmgrES – list the cluster manager state.
  • lssrc -ls topsvcs – show heartbeat information.
  • cllsnode – list a node-centric overview of the HACMP configuration.

Some AIX links

I got these links from the rootvg group.
Thanks to Meyyappan Ganesh.

1. http://theaix.blogspot.com/ – Rajarathinam Sivasankaran – AIX Administrator – Well known by most of the AIX administrators and helps the group a lot.
2. http://www.tablespace.net/quicksheet/ – William Favorite
3. http://santosh-aix.blogspot.com/ – Santosh Gupta – AIX Administrator – (Sundar’s friend)
4. http://aixduniya.blogspot.com/ – Chetan Jain – AIX Administrator
5. http://learnitfromshiva.wordpress.com/ – Shiva – AIX Administrator
6. http://aixhelp.blogspot.com/ – Mohankumar Gandhi – (Rajarathinam Sivasankaran's friend)

New GDM in Karmic

Since the new and fresh Karmic Koala includes GDM 2.28, all GDM themes have changed.

Now, you need to run:

gksudo -u gdm dbus-launch gnome-appearance-properties

to modify GDM properties.

I don’t like it at all.

If you need or want to disable the user list in GDM, you need to run gconf-editor and disable that key.

NO_PUBKEY error, solved with a script

Whenever I update Ubuntu I run into the same errors when adding third-party repositories.
The GPG key is not installed on my PC and apt-get throws an error, like the one in this example:


W: Error de GPG: http://ppa.launchpad.net jaunty Release Las firmas siguientes no se pudieron verificar porque su llave pública no está disponible: NO_PUBKEY 5A9BF3BB4E5E17B5

Searching, I found a way to fix it, but since it involved 3 steps for each key, I got a bit lazy and wrote a script to do it in one step.


leonardo@eden:~$ touch fixGPGsign.sh
leonardo@eden:~$ ls -Al *GPG*
-rw-r--r-- 1 leonardo leonardo 302 2009-05-26 10:03 fixGPGsign.sh
leonardo@eden:~$ chmod +x fixGPGsign.sh
leonardo@eden:~$ ls -Al *GPG*
-rwxr-xr-x 1 leonardo leonardo 302 2009-05-26 10:03 fixGPGsign.sh

Use the text editor of your choice and put in the following content.


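#!/bin/sh
# Usage: ./fixGPGsign.sh KEYID  (the ID printed after NO_PUBKEY)
[ -n "$1" ] || { echo "Usage: $0 KEYID" >&2; exit 1; }
echo "Downloading GPG Key"
# Stop here if the key cannot be fetched, so nothing stale is exported below
sudo gpg --keyserver subkeys.pgp.net --recv-key "$1" || exit 1
echo "Checking imported Key"
# Print the full fingerprint so it can be compared before trusting the key
sudo gpg --fingerprint "$1"
echo "Adding Key to APT"
sudo gpg --armor --export "$1" | sudo apt-key add -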

To use it, pass the key that appears in the error message as the script's parameter, for example:


leonardo@eden:~$ ./fixGPGsign.sh 5A9BF3BB4E5E17B5
Downloading GPG Key
gpg: solicitando clave 4E5E17B5 de hkp servidor subkeys.pgp.net
gpg: clave 4E5E17B5: clave pública «Launchpad PPA for chromium-daily» importada
gpg: no se encuentran claves totalmente fiables
gpg: Cantidad total procesada: 1
gpg: importadas: 1 (RSA: 1)
Checking imported Key
pub 1024R/4E5E17B5 2009-02-25
Huella de clave = FBEF 0D69 6DE1 C72B A5A8 35FE 5A9B F3BB 4E5E 17B5
uid Launchpad PPA for chromium-daily
Adding Key to APT
OK

If you get the following error:


gpg: AVISO: propiedad insegura del fichero de configuración `/home/leonardo/.gnupg/gpg.conf'
gpg: llamadas a programas externos desactivadas por permisos inseguros de ficheros.
gpg: recepción del servidor de claves fallida: Error general
gpg: recepción del servidor de claves fallida: Error general

The (rather brute-force) solution I found was to move my user's GPG configuration file:


mv /home/leonardo/.gnupg/gpg.conf /home/leonardo/.gnupg/gpg.conf.old
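
The script above adds whatever key the keyserver returns for the requested ID. As an added example (not part of the original post), the following checks that the fingerprint of the imported key really ends in the ID apt reported before the key is handed to apt-key. The function names are hypothetical and the gpg colon-format records are constructed from the fingerprint printed in the post.

```shell
#!/bin/sh
# Added example, not part of the original post. Function names are hypothetical.

# Print each distinct key ID that follows NO_PUBKEY in apt output read from stdin.
extract_missing_keys() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "NO_PUBKEY") print toupper($(i + 1)) }' | sort -u
}

# Print the primary key fingerprint from `gpg --with-colons --fingerprint` output
# read from stdin: field 10 of the first "fpr" record.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print toupper($10); exit }'
}

# Succeed only if $1 is a 40-hex-digit fingerprint whose last 16 digits are key ID $2.
fingerprint_matches_id() {
    _fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    _id=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    case "$_fpr$_id" in *[!0-9A-F]*) return 1 ;; esac
    [ "${#_fpr}" -eq 40 ] && [ "${#_id}" -eq 16 ] || return 1
    case "$_fpr" in *"$_id") return 0 ;; *) return 1 ;; esac
}

# The warning line is the one quoted in the post; the colon records are constructed
# from the fingerprint the post prints.
SAMPLE_APT='W: Error de GPG: http://ppa.launchpad.net jaunty Release Las firmas siguientes no se pudieron verificar porque su llave pública no está disponible: NO_PUBKEY 5A9BF3BB4E5E17B5'
SAMPLE_COLONS='pub:-:1024:1:5A9BF3BB4E5E17B5:1235520000:::-:::scESC:
fpr:::::::::FBEF0D696DE1C72BA5A835FE5A9BF3BB4E5E17B5:'

# Print "KEYID FINGERPRINT" when the imported key is the one apt asked for.
check_sample() {
    want=$(printf '%s\n' "$SAMPLE_APT" | extract_missing_keys)
    got=$(printf '%s\n' "$SAMPLE_COLONS" | fpr_from_colons)
    fingerprint_matches_id "$got" "$want" && printf '%s %s\n' "$want" "$got"
}

check_sample
```

A matching suffix only shows that the key corresponds to the ID in the warning; the full fingerprint still has to be compared with the one the repository owner publishes.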

Os Tribalistas – Velha Infância

Original source of the lyrics (translation included):
http://www.letrastraducidas.com/tribalistas/Sencillos_y_Otros/bella_infancia-14345.htm

bella infancia
Você é assim
um sonho pra mim
e quando eu não te vejo

eu penso em você
desde o amanhecer
até quando eu me deito

eu gosto de você
e gosto de ficar com você
meu riso é tão feliz contigo
o meu melhor amigo é o meu amor

seus olhos meu clarão
me guiam dentro da escuridão
seus pés me abrem o caminho
eu sigo e nunca me sinto só

Você é assim
um sonho pra mim
quero te encher de beijos
eu penso em você
desde o amanhecer
até quando eu me deito

eu gosto de você
e gosto de ficar com você
meu riso é tão feliz contigo
o meu melhor amigo é o meu amor

e a gente canta
e a gente dança
e a gente não se cansa

de ser criança
a gente brinca
na nossa velha infância

seus olhos meu clarão
me guiam dentro da escuridão
seus pés me abrem o caminho
eu sigo e nunca me sinto só
meu riso é tão feliz contigo
o meu melhor amigo é o meu amor

If Disney Horoscope exists, this should be my Goofy year :P

If the Disney Horoscope exists, this must be my Goofy (Tribilín) year.
Last Monday, riding my motorcycle, I was approaching a traffic light and lifted my plastic visor because I was hot, with such luck that in the 40 meters before reaching the corner a bug (a beetle, I think) hit me right in the center of my left eye. Rotten luck.

I had to go get checked at the Allende ophthalmology emergency room, where, by the way, they took 45 minutes to see me.

Result: eye anesthetized until the evening and a pirate-style patch for that day. The next day my eye hurt quite a bit, and it set back my work for the week.