Laboratory Information System Project
Large-scale pharmaceutical project implementing LabWare.

Business Intelligence Project
A project for creating a BI environment to support Priority ERP.

Intelligent Traffic Analysis
Creating an intelligent platform for analyzing traffic loads, combining five technologies.

Software Management Lifecycle Project
The project was led by Dr. Adi Perry in a large financial institution.

Regulation Management

KDE Group's expertise in project management and regulation:

• Representing customers before the CPA auditors.

• Supporting customers in meeting regulatory requirements and closing gaps (mapping risk areas in the organization, performance audits to assess the effectiveness of existing controls, guidance and advice to management in correcting the deficiencies and gaps in controls).

• Mapping the gaps versus SOX and ISOX regulatory requirements and supervision instructions. The mapping obtained at the end of a strategic work plan includes the level of risk exposure and a measuring scale of gaps.

• Writing procedures and policies on various topics (information security, change management, operations, hiring employees, monitoring and control, etc.) that comply with regulatory requirements.

• Analyzing cross-organizational processes.

• Consulting on the selection and implementation of complementary regulation management products (GRC solutions).

• Following methodologies such as CobiT and meeting best practice in this field.

KDE Advantages:

• Experienced staff with expertise in different disciplines (system analysis, accounting, industrial engineering and more). KDE Group advised, inter alia, the following companies: Menora-Mivtahim pensions, Leumi Bank, Partner and more.

• Experience in working with the largest CPA firms in the Israeli market.

• Excellent familiarity with regulatory requirements and constant monitoring of developments and changes in the field.

• We advise companies which regulatory requirements are mandatory to implement and which are only recommended, thus saving the company significant expenses.

• We differentiate between important gaps that need attention in order to pass the audit and less important gaps, whose repair is recommended but not obligatory.

• We advise how to implement the technology to meet the requirements.

• We represent the client side and save the client costs.

Examples of KDE's regulation activities:

• We advise on how to build systems that manage the development lifecycle according to the audit requirements, including workflow management and system portfolio.

• We design processes by formulating procedures regarding information security, ongoing operations in a corporate environment and work processes in the organization.

• We act as the Information Systems division's representatives to the auditors, review the audits and transfer them to the accountants.

• We document new or additional IT processes for the SOX procedure.

• We prepare our clients for the annual audits performed by the CPA firms (the external auditors).

Key points to consider in SOX project development:

• Decision on SOX process control: defining a minimal number of processes, preferably during the implementation phase. KDE Group has best practices for development, information management, operations and ELC that have been approved by consulting agencies like EY (it is possible to rely on existing materials and save costs).

• An accurate definition of the size of the project determines the lifecycle management, from which the investment is derived. Only a short process is needed for small changes. For example:

    • A change of up to 11 man-hours: A requirement is written, no need to write a specification document and no need for delivery tests. Acceptance tests will be performed.

    • A change of 11-100 man-hours: A requirement, a specification test and a specification approval are written. Acceptance tests will be performed.

    • A change of over 100 man-hours: the full process will be carried out.

• A definition of the process and the regulation model. KDE Group has already implemented such processes and thus can save costs.

• Exceptions must be defined for acceptance tests, such as infrastructure component changes and development of control stages.

• An automated cataloging process should be defined and must include a control path for the change management system. For example: the number of a certain requirement managed by the system.

• An integration process for an off-the-shelf system is required and should include a version update process.

• A compensating control system must be defined for when developers become involved in the production process. A pre-control process should be included. Approval of a department manager's temporary entry to the production and control areas requires retroactive authorization, which should be given by the operations manager.

• After setting the rules, the process should be sent to the supervisor of the employee working on the process. The process log should include the timestamp, program name, user name, type of operation and the library where it was stored in the process table. Consider adding a field that describes the tool with which the process was performed.

Key points for Information Security in a SOX project:

• All authorizations of employees who received ALL OBJECT authorization should be cancelled.

• Criteria for integrating information security into the development processes should be set.

• An authorization review process should be defined (preferably automated), as well as an automated and documented authorization process. A dedicated team for authorization management should be established.

• A full risk assessment, based on a risk review, must be carried out on all enterprise systems.

• All generic users should be cancelled.

• A secure process for strong identification for connections from outside the organization via RDP should be defined. A remote login process, including monitoring, must be set up to support the company's suppliers.

• It is not recommended to include physical security inside the catalog.

• Password management systems that comply with the standards must be set up, or alternatively users must be managed by LDAP / SSO configuration.
