SARBOX is US only, but the concept of SOD is universal.  I don't think the tool 
NEEDS to enforce that policy, but it would be nice if it COULD support it if 
you wanted OOB.

Lyle

-----Original Message-----
From: Action Request System discussion list(ARSList) 
[mailto:arsl...@arslist.org] On Behalf Of Tommy Morris
Sent: Tuesday, March 30, 2010 8:16 AM
To: arslist@ARSLIST.ORG
Subject: Re: Change Manager - Change Implementer

Isn't SARBOX a US only control? I don't see BMC creating a SARBOX
compliant application when they are multinational. I would be more
interested in a better tested/less buggy product that I can create some
workflow to manage processes. SARBOX is also pretty loose as far as each
company creating its own process to remain compliant and I really would
hate for BMC to start dictating that too.

-----Original Message-----
From: Action Request System discussion list(ARSList)
[mailto:arsl...@arslist.org] On Behalf Of Guillaume Rheault
Sent: Monday, March 29, 2010 11:07 AM
To: arslist@ARSLIST.ORG
Subject: Re: Change Manager - Change Implementer

I cannot agree more. I think the next frontier is to be SARBOX
compliant, in addition to being ITIL compliant.
Now that would be a very competitive edge for BMC.

Guillaume

________________________________________
From: Action Request System discussion list(ARSList)
[arsl...@arslist.org] on behalf of Chowdhury, Tauf
[tauf.chowdh...@frx.com]
Sent: Monday, March 29, 2010 11:44 AM
To: arslist@ARSLIST.ORG
Subject: Re: Change Manager - Change Implementer

From our experience in recently implementing CHM 7.0.3, relying on
business process as your ONLY means of enforcement of segregation of
duties is something that sounds good on paper but not on the pavement.
As in previous posts, we've had to use custom filters to enforce the
business process of not having the same Change Manager also being the
Assignee/Implementer. IMO, the tool enforcement needs to be in place
when dealing with SOX and any other audit requirements.

Tauf Chowdhury | Forest Laboratories, Inc.
Analyst, Service Management
Mobile:646.483.2779


-----Original Message-----
From: Action Request System discussion list(ARSList)
[mailto:arsl...@arslist.org] On Behalf Of Marsh, Lee
Sent: Monday, March 29, 2010 11:40 AM
To: arslist@ARSLIST.ORG
Subject: Re: Change Manager - Change Implementer

Can't you still separate roles using Remedy change configuration rules,
approval mappings, and AP-administration?



The software is not the process nor does it control the process.   The
organization still has its own processes and rules.   ITSM is a way to
capture the data for service management purposes.    For example, you
can implement an organizational policy that says financial changes have
to have a particular approval from a particular non-IT, accounting staff
member.  His signed authorization is a required approval for anyone in
IT implementing that change.



I don't see where Remedy ITSM is not SARBOX compliant.   It supports
SARBOX policies and processes which is what you want for an IT Service
Management package.  You want to have historical record of the changes
to all the systems and how they were implemented.   The degree and
complexity of SOD is up to the organization, its structure, and its
business needs.  ITSM just records and helps automate the capture and
processing of the service and process related data.



For example, if your accounting application development team propose a
change, Remedy CM is there to record the reviews and approvals by the
parties.  I would assume it would include your IT technical staff but
would also include your accounting staff.  The accounting staff may also
want an outside auditor to review and approve the change.   ITSM CM
would capture the process related data.  It can organize the related
communications in the work information records and capture the dates and
times the approvals are processed.   A change review board can pull up
copies of all the various ITSM CM records related to the change process,
review them  for approval and risk management.



SarbOx is not my area of expertise so maybe I'm missing something.



Lee Marsh.





*************************************
Lee Marsh
Remedy Administrator

BAE Systems Office Automation Systems Team
Antitrust Division, U.S. Department of Justice

Phone:  202-305-9725

Cell:  202-528-1749
Email: lee.ma...@usdoj.gov
*************************************



From: Action Request System discussion list(ARSList)
[mailto:arsl...@arslist.org] On Behalf Of Guillaume Rheault
Sent: Monday, March 29, 2010 10:42 AM
To: arslist@ARSLIST.ORG
Subject: Re: Change Manager - Change Implementor




Now, the ironic thing is that for organizations to be SARBOX
compliant, they need to implement a change mgmt process (and tool
therefore), which would be ITIL compliant.
But OOTB, the ITIL tool is not SARBOX compliant!! So we're coming full
circle.

Ironic isn't it?

  _____

From: Action Request System discussion list(ARSList)
[arsl...@arslist.org] on behalf of Guillaume Rheault
[guilla...@dcshq.com]
Sent: Monday, March 29, 2010 10:41 AM
To: arslist@ARSLIST.ORG
Subject: Re: Change Manager - Change Implementor


Financial applications are defined in our environment as Application
CIs. These applications run on databases and servers which are also in
the CMDB.
So here is a very simple scenario:
If you follow Sarbanes Oxley rules, you cannot approve and implement
changes for financial applications: these two duties (or roles) need to
be segregated.
If you make a change against a database that stores the data for
financial applications, same thing.
If you make a change for a server that runs financial applications, same
thing.

So the issue is not ITIL "proper", it is the regulations that need to be
adhered to, such as Sarbanes Oxley.

Guillaume
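
Added example (not part of the original thread, and not BMC Remedy workflow): one way to audit the rule described in the message above, where a change against a financial application, or a database or server it runs on, must not be approved and implemented by the same person. The CI names, change IDs, field names and relationship map are constructed for illustration.

```python
from collections import deque

# Constructed CMDB sample (hypothetical names): CI -> CIs it runs on / uses.
DEPENDS_ON = {
    "app:general-ledger": ["db:gl-prod", "srv:fin-01"],
    "app:intranet-wiki": ["db:wiki", "srv:web-07"],
    "db:gl-prod": ["srv:fin-02"],
}
FINANCIAL_APPS = {"app:general-ledger"}

# Constructed change records; "approvers"/"implementers" are assumed fields.
CHANGES = [
    {"id": "CRQ-1", "ci": "app:general-ledger",
     "approvers": ["alice"], "implementers": ["bob"]},
    {"id": "CRQ-2", "ci": "db:gl-prod",
     "approvers": ["carol"], "implementers": ["Carol", "dave"]},
    {"id": "CRQ-3", "ci": "srv:fin-02",
     "approvers": ["erin"], "implementers": ["erin"]},
    {"id": "CRQ-4", "ci": "srv:web-07",
     "approvers": ["frank"], "implementers": ["frank"]},
]

def financial_scope(apps, depends_on):
    """Financial apps plus every CI they transitively depend on."""
    scope, queue = set(apps), deque(apps)
    while queue:
        for dep in depends_on.get(queue.popleft(), []):
            if dep not in scope:
                scope.add(dep)
                queue.append(dep)
    return scope

def sod_violations(changes, scope):
    """In-scope changes where an approver is also an implementer."""
    findings = []
    for chg in changes:
        if chg["ci"] not in scope:
            continue  # SoD rule only applies to financial-scope CIs
        approvers = {name.lower() for name in chg["approvers"]}
        implementers = {name.lower() for name in chg["implementers"]}
        overlap = approvers & implementers  # login names compared case-insensitively
        if overlap:
            findings.append((chg["id"], sorted(overlap)))
    return findings

if __name__ == "__main__":
    scope = financial_scope(FINANCIAL_APPS, DEPENDS_ON)
    for change_id, people in sod_violations(CHANGES, scope):
        print(change_id, "approved and implemented by", ", ".join(people))
```
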


  _____

From: Action Request System discussion list(ARSList)
[arsl...@arslist.org] on behalf of strauss [stra...@unt.edu]
Sent: Monday, March 29, 2010 10:15 AM
To: arslist@ARSLIST.ORG
Subject: Re: Change Manager - Change Implementor


Where do SOD (segregation of duties??) rules come from??  It looks like
it is from the financial world, not ITIL, since there is no mention of
them whatsoever in the book I am reading on "Implementing ITIL Change
and Release Management" by Larry Klosterboer.  ITIL does not appear to
prohibit people from having multiple roles, so it is not surprising that
an ITIL-compliant app like ITSM would not prohibit them either.  If you
are trying to get ITSM to enforce rules that are beyond the scope of
ITIL, then I would expect that you would have to customize the
application.  Maybe BMC could add it as a configuration item - locking
roles in some manner, but most IT organizations would have to be able to
keep them unlocked since our staff members typically function in many
different roles.



Christopher Strauss, Ph.D.
Call Tracking Administration Manager
University of North Texas Computing & IT Center
http://itsm.unt.edu/

From: Action Request System discussion list(ARSList)
[mailto:arsl...@arslist.org] On Behalf Of Guillaume Rheault
Sent: Monday, March 29, 2010 8:45 AM
To: arslist@ARSLIST.ORG
Subject: Re: Change Manager - Change Implementor




Actually, the same person can be the change requester, change manager,
change assignee and change implementer (or task implementer), on top of
approving/rejecting the change request.
This very "open" OOTB design and lack of rules has created issues for
us, and we had to create customizations to make it more restrictive, to
adhere to SOD rules.
I wish BMC would take a look at this and make the Change Mgmt
application more compliant with SOD OOTB.

Guillaume


  _____

From: Action Request System discussion list(ARSList)
[arsl...@arslist.org] on behalf of Roger Justice [rjust2...@aol.com]
Sent: Friday, March 26, 2010 10:50 AM
To: arslist@ARSLIST.ORG
Subject: Re: Change Manager - Change Implementor

All 3 roles can be the same person. The problem is who is responsible
for the Change, who is responsible for the work, and who does the work.



-----Original Message-----
From: John Kelley <john.kel...@dunkinbrands.com>
To: arslist@ARSLIST.ORG
Sent: Fri, Mar 26, 2010 10:01 am
Subject: Change Manager - Change Implementor


List

Just a conversation to understand Segregation of duties

Can a Change Manager be a Change Implementor without breaking the rules?

I guess the Manager could approve the request and implement that change.
Is it morally right?
The Change assignee is someone different so there is another person
involved.

JK



_attend WWRUG10 www.wwrug.com ARSlist: "Where the Answers Are"_


________________________________________________________________________
_______
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
attend wwrug10 www.wwrug.com ARSlist: "Where the Answers Are"
