Define the procedures
Once the business process has been agreed, each responsibility requires
a procedural control document outlining:
Steps required to fullfil responsibility
Information required to fullfil
Further participation required
Many different styles are available, the following example showing a
Figure 6: Procedural Control Document example
|Manage Credential Storage
Procedural Control Document
Objective: To keep the spare credentials in a secure location
and maintain an accurate record of the credentials movement.
Owner: Security Administration
Inputs: Token Control Spreadsheet
Outputs: Token Control Spreadsheet
SLA: 4 hours on receipt of credential
Resources: 2 part time staff
Procedures and Controls
1. On receipt of any credentials for any reason, the Security
Administrator will enter the details in the Token Control
Spreadsheet [Control Point].
2. The Security Administrator verifies if the credential is
3. Non-functioning credentials must be returned to Vendor, and
Return Receipt retained.
4. If the credentials are required immediately for use, then the
Initialise Credential procedure is to be followed [Control
5. All credentials not for immediate use are to be stored in the
Security Administrator's Credential Safe.
6. For 2-factor credentials, any printouts of the initial PINs are to
be stored in a separate PIN safe.
It is vital in defining a procedure, to make it enforceable,
since responsibility should not be given without associated
accountability. Therefore key steps can be verified to have occurred
though a process of auditing, monitoring and escalation (usually by the
process owner or internal audit function).
This is done by defining and maintaining transparency to both:
Control Points: These are points in the process where it is not
possible to proceed without the step being successfully completed. In the
above example these are clearly shown.
Deliverables: These are auditable deliveries that will be subsequently
monitored. In the above example these are shown underlined.
© 2002-2007 Codel Services Ltd
This paper has been prepared
by Codel Services Ltd to illustrate how structured business
modelling can help your organisation. Codel Services Ltd is an IT
Consultancy specialising in business modelling. If you would like further
information, please contact us at: Deryck Brailsford, Codel Services Ltd,
Dale Hill Cottage, Kirby-Le-Soken, Essex CO13 0EN,United Kingdom.
Telephone: +44 (0)1255 862354/Mobile: + 44 (0)7710 435227/e-mail: firstname.lastname@example.org