File Name / BiSL_BP056 BBI.doc
Change Date / 13-07-2009
Content Description / Example process descriptionfor Business Data Management activities
Document Category / Draft
BiSL processes / BusinessData Management
Remarks
ASL BiSL Foundation
PO Box9769
3506 GE Utrecht
The Netherlands
T+31 (0) 30 753 1424
F+31 (0) 30 755 1502
I
Process DescriptionBusiness Data ManagementExample
Location / City
Date / dd mm yyyy
Author / Author
Status / Status
Version History
Version / Date / Author / DescriptionDistribution List
Version / Date / RecipientTable of contents
1Introduction
1.1Aim
1.2Scope
1.3Result
1.4Target Group
1.5Relationships with other processes
1.6Principles and prerequisites
1.7Management of this document
1.8Abbreviations
2Process descriptions
2.1Introduction
2.2Process “2.1 Table Administration”
2.3Process “2.2 Authorization Administration”
2.4Process “2.3 Meta Data Management”
2.5Process “2.4 Data Supply”
3RACI matrix
1Introduction
1.1Aim
The “Business Data Management” processaims at:
managing the operational, logical information within the existing provision of information;
managing system authorizations;
controlled execution of table modifications on system tables.
1.2Scope
The scope of this process covers all requests for authorization and table modifications received by the authorization administrator or table administrator. The appraisal of these requests takes place in this process; actual settlement can also take place outside this process.
1.3Result
This process delivers settled authorization requests and table modification requests either settled or beingprocessed.
1.4Target Group
This process description is relevant tothe following parties (roles):
Rol / HoedanigheidAuthorizationAdministrator / Receives authorization requests and assesses them.
Service Manager / Receives information requests and authorization requests as a task for the supplier
Business InformationManager / Forwards authorization requests and processing requests coming from the user support process, executes them in this process or forwards them to the service manager.
User Organisation / Issues requests for modification of system parameters and receives information on the settlement of requests for processing.
Release Manager / Receives requests for modifying system parameters which have been hard coded within the software.
1.5Relationships with other processes
The process “2. Business Data Management” on the operational level is related to the followingprocesses:
process / ExplanationOperational Level
1. End User Support / The End User Support process generates processing tasks and authorization requests. Through the End User Support process the applicant is informed about the settlement of the request.
3. Operational ICT Supervision / The Operational ICT Supervision process ensures that task requests for processing are forwarded.
Connecting processes – Operational Level
4. Change Management / The Change Management process receives requests for change of hard coded systemparameters.
Connecting processes – Operational Level
25. Security Management / The Security Management process checks requested profile modifications.
1.6Principlesand prerequisites
The description of this process is based on the following principles andprerequisites:
Business Data Management concerns steering information such as tariffs, policy parameters, etc. (often laid down in tables) and company data regarding process execution (queries).
Periodically, checks take place on the correctness and completeness of company information (steering information). The table owner is responsible for control execution.
Periodically, checks take place on the correctness and completeness of granted authorizations. The business is responsible for monitoring the correctness of users and roles.
1.7Management of this document
The management of this document is a responsibility of the process owner and modification proposals must be submitted in writing to the process owner.
1.8Abbreviations
In this document the following abbreviations are used:
Abbreviation / MeaningUS / User Support / End User Support
ISP / Information Security Policy
ISM / Information Security Manager
PO / Process Owner
QM / Quality Manager
RM / Release Manager
SM / Service Manager
2Process descriptions
2.1Introduction
The process “2. Business Data Management” envelops 4 sub processes:
2.1Table Administration
2.2Authorization Administration
2.3Metadata Management
2.4Information Provisioning
2.2Process “2.1 Table Administration”
ProcessCharacteristics
Aim: / Processing requests concerning system parameter modifications.Entry point: / Reception of a request for modification of system parameters.
Frequency: / Ad hoc
Executed by: / Business information manager
Security issues: / -
Methods/techniques: / -
Tooling: / -
Performance indicators: / -
Standards: / -
ProcessDescription
1.Request Assessment
A request concerns a table modification (request table modification) of a certain information system. Table modification requests are submitted by End User Support (see process 1. End User Support). Here these requests are received and registered as a call.
Because only authorised entities (persons, departments) may submit such claims, the responsible table administrator checks whether the applicant is authorised against an authorization list[1]. Requests that come from non-authorized departments, are rejected. This is communicated back to the applicant by End User Support (request status account).
Accepted table modification requestsare processed in process step “2. Table Modification”.
2.Table Modification
The table administrator investigates whether he is able to carry out the table modification request himself, based on a management function. In that case the table administrator modifies the table.
The data to be modified can also be hard coded. If this is the case a change request is issues to change the software accordingly. The request table modificationis assessed by the business information manager(assessment modification request), process 4. Change Management, and passed on to the supplier.
3.Table Modification Check
This process step is carried out after a table modification has been carried out. In the event the table administrator has carried out the modification, a collegial test is performed by another table administrator. This check results in a control report (check results table modification) that contains screen prints of the situation before and after the modificationas well as the names of both the executing and the checking table administrator.
In case the table modification is processed through a request for change, the Release Coordinator issues a completion report table modification whereupon acheck is done by the same table administrator who submitted the request for change. The check is done on the basis of the original request (request table modification).
The applicant is informed by End User Support (process 1. End User Support) on the final status of the request (request status account) and the request is archived (request table modification).
4.Table Modification Overviews
Periodically the table modifications that were carried out are checked by the table owner. For this an overview is made of all settled table modification requests (request table modification)and checked against the values in the system tables (reflecting the situation before and after the modification). The results of the check are archived (check results table modification).
Input
Information flow / Origin / ExplanationAutorisation List / Internal data collection / List with names of authorised requesters containing:
The name of the table
The name of the table owner
The name of the person authorised to request table modifications
Status account / Release Coordinator / Reports a modification actually carried out.
Request for table modification / End User Support
Process “1. End User Support” / The table modification request
Output
Information flow / Destination / ExplanationRequest for change / Release Coordinator
Process “4. Change Management” / A prioritized request for changing program code concerning a hard coded parameter.
Control results / Internal data collection / The set of checked tale modifications
Request status account / End User Support
Process “1. End User Support” / Status information on the settlement of requests
Table modifications / Internal data collection / Collection of all table modifications carried out by the table administrator.
Modification
Information flow / ExplanationNone.
2.3Process “2.2 Authorization Administration”
Process Characteristics
Aim: / Authorizing users in accordance with the submitted authorization requestEntry point: / Reception of an authorization request
Frequency: / Ad hoc
Executed by: / Authorization Administrator
Security issues: / -
Methods/techniques: / -
Tooling: / -
Performance indicators: / -
Standards: / -
ProcessDescription
1.Request Assessment
This process receives and processes authorization requests and profile modifications.
An authorization request is a request to grant rights to a specific user. The request describes the user and the profile to be granted. In casean authorization request concerns a profile modification, then the authorization request is treated as a profile modification.
A profile modification concerns changing an existing authorization profile or creating a new authorization profile.
Authorization requests and profile modifications are supplied by End User Support (see process 1. End User Support). Here these requests are received and registered as a call. For registration and processing of this type of tasks LAVA3 is used as a tool.
Because only authorised persons may submit such requests, the authorization administrator checks whether the applicant is authorised for that purpose by means of an authorization list. Requests submitted by non-authorized persons are rejected. This is communicated back to the applicant by End User Support (request settlement report; see process 1. End User Support).
Profile modifications are processed in process step “3. Profile Modification Assessment”. Authorization requests are processed in process step “2. processing Authorization Requests”
2.Processing Authorization Request
The Authorization Administrator processes the authorization request and reports back to the applicant through End User Support (request status account). This finishes the authorization process.
3.Profile Modification Assessment
Because multiple users can be attached to a profile, a profile modification applies to all attached users. As in this case the impact is larger, the applicant is informed through End User Support (request status account). The applicant can then still decide to withdraw the request.
The authorization administrator sends the profile modification request to the Information Security Manager (process 25. Security Management) for checking. The Information Security Manager checks for conflicts of roles and returns the check result to the Authorization Administrator. In case of a negative advice from the Information Security Manager, processing the request is terminated and this is communicated back to the applicant by End User Support (request settlement report). The applicant can then decide to reformulate and resubmit the request.
In case of a positive advice from the Information Security Manager, the Authorization Administrator requests the supplier to carry out the profile modification (profile modification request).
4.Check Profile Modification
The suppliermodifies the profile and reports back tot the Authorization Administrator (modified profile). When the modification has been carried out the applicant is informed by End User Support (request settlement report;process “1. End User Support”).
5.Overview Authorization Requests
Periodically and on request of the business (request overview authorizations) an overview (overview authorizations) is made of the authorization requests and profile modifications that were carried out. The business checks this overview and discusses the results with the Authorization Administrator who records the results for status accounting purposes (controlresults).
Input
Information flow / Origin / ExplanationAuthorization Request / End User Support
Process “1. End User Support” / Request tot grant a specific authorization or profile to a user or user group.
Authorization List / Internal data collection / List with names of authorised requesters
Modified Profile / Supplier / A modified or newly created authorization profile
Profile modification / End User Support
Process “1. End User Support” / Request to modify a profile or to create a new profile for a user or user group.
Check result / Information Security Manager
Process “25. Security Management” / Recommendation by the Information Security Manager concerning a requested profile modification.
Output
Information flow / Destination / ExplanationAuthorization and profile modifications requests / Internal data collection / All authorization and profile modification requests processed by the Authorization Administrator.
Control results / Internal data collection / Report on the executed check on all granted authorizations.
Requestedprofile modification / Information Security Manager
Process “25. Security Management” / Request tot assess arequested profile modificationagainst the ISP.
Request status account / End User Support
Process “1. End User Support” / Information on the settlement of the submitted authorization requests.
Profile Modification Request / Supplier / Request to the supplier to modify a profile or to create a new profile.
Modification
Information flow / ExplanationNone
2.4Process “2.3 Meta Data Management”
This process is still under construction. In this process the user metadata models are maintained.
2.5Process “2.4 Data Supply”
This process is still under construction. This process describes the planned and unplanned queries that prove data consistency and integrity. As soon as these requirements are clear, this process will be developed further.
3RACImatrix
RACI-matrixBusiness Information Management / Business / Supplier / DIM PV,
FB OPS, FB L&P
Table Owner / Supplier / Authorization Administrator (*) / End User Support (*) / Information Security Manager / Release Coordinator (*) / Table Administrator (*)
2.1 Table Administration / C / I / I / RAC
2.2 Authorization Administration / I / RA / I / C
The table above indicates who in the process is R(esponsible), A(ccountable), C(onsulted) or I(nformed).
(*)Role of the Business Information Manager
1/16[1] Setting up, distributing and managing the authorization list is the responsibility of the user organisation.