cleanup and process drafting started

Dennis Eichhorn 2022-04-03 20:25:34 +02:00
parent 1b9b20a941
commit dffc9eb029
34 changed files with 602 additions and 221 deletions

46
Processes/COSO/CLC.md Normal file

@ -0,0 +1,46 @@
# Company Level Controls (CLC)
| No. | Component | Control Area | Question | Answer | Evidence |
| ---- | ----------------------------- | ------------------------------------- | ------------------------------------------------------------ | ------ | -------- |
| | Control Environment | Principle of financial reporting | Do you have basic financial reporting policies? | | |
| | Control Environment | Understanding accounting policies | Are the selected accounting principles approved? | | |
| | Control Environment | Management philosophy and application | Does management determine the management philosophy, operating style and code of ethics and manifest them to employees? | | |
| | Control Environment | Management philosophy and application | Do you have any procedures or processes to remediate detected behaviors deviating from the management philosophy, operating style and code of ethics | | |
| | Control Environment | Management philosophy and application | In case you find deviations from the principles, do you deal with them according to the predetermined procedures or processes? | | |
| | Control Environment | Director | Do you have any company rules to clearly specify that the board of directors or a director in charge have responsibilities for appropriately supervising and monitoring the management in regard to the financial reporting and relevant internal controls? | | |
| | Control Environment | Director | Does the board of directors or corporate auditors supervise the performance of management regard the financial reporting and relevant internal controls? | | |
| | Control Environment | Organization | Does the management appropriately improve organizational structures or practices to resolve existing problems considering the size, content of the operations and business objectives of the company? | | |
| | Control Environment | Organization | Does the management assign roles in regard to each function and activity unit in the company? | | |
| | Control Environment | Organization | Do you have any rules to clarify segregation of duties and appropriately delegate authority and responsibilities to personnel in charge of each function and activity unit in the company? | | |
| | Control Environment | Organization | Does the management assign a person in charge for each role? | | |
| | Control Environment | Power | Are the assignment of responsibilities and delegation of authority made clear to all employees? | | |
| | Control Environment | Power | Is the delegation of responsibilities and authority to employees, etc. kept at appropriate levels, not without limitation? | | |
| | Control Environment | Power | Are the delegation of responsibilities and authority to employees, etc. updated on a timely basis in case organizational structures or other fundamentals of the company are changed? | | |
| | Control Activities | Business procedure | Are policies and procedures or operating manuals established to ensure the performance of control activities that sufficiently mitigate and address the risks in business operations, especially in regard to the reliability of the financial reporting? | | |
| | Control Activities | Business procedure | How do you confirm if employees perform their operations in compliance with policies and procedures or operating manuals? | | |
| | Control Environment | Personnel deployment and training | Does the management identify the competencies necessary for the company and procure/dispatch qualified personnel | | |
| | Control Environment | Personnel deployment and training | Are the competencies necessary reviewed regularly and maintained appropriately? | | |
| | Control Environment | Personnel deployment and training | Does the management provide employees, etc. with the means, training etc. necessary to fulfill their duties and support them in the improvement of their abilities? | | |
| | Control Environment | Personnel evaluation | Do you have personnel evaluation standards? | | |
| | Control Environment | Personnel evaluation | Are the personnel evaluation standards regularly reviewed and updated appropriately? | | |
| | Risk Assessment and Response | Risk assessment structure | Is there an effective risk assessment system that involves appropriate levels of the management and managers? | | |
| | Risk Assessment and Response | Risk assessment structure | Does the management asses the risk considering not only superficial facts but also backgrounds, incidents and other substantial elements? | | |
| | Risk Assessment and Response | Risk assessment structure | Does the management appropriately assess and address fraud risks based on not only superficial facts regarding fraud, but also incentives, causes, backgrounds and other factors that may result in fraud? | | |
| | Risk Assessment and Response | Risk assessment structure | Does the management reassess the risk and take appropriate measures whenever changes occur that may have a significant impact on the company? | | |
| | Communication and information | Communicating information | Are the management's or supervisor's instruction communicated to all employees? | | |
| | Communication and information | Communicating information | Is a system set in place to ensure that external information on internal controls is properly utilized and adequately communicated to the management or internal audit section? | | |
| | Communication and information | Internal reporting | Do you have the Whistleblower System or other internal reporting program? | | |
| | Communication and information | Internal reporting | Is the system or program in operation according to its original design? | | |
| | Communication and information | Financial information | How does the management acquire or access the accounting and financial information of the company? | | |
| | Communication and information | Financial information | How are the accounting and financial information or data from relevant business processes input to your accounting system or application? | | |
| | Communication and information | Information sharing with managements | Do you have any internal rules documents which stipulate that the managements should share business an other information with each other | | |
| | Communication and information | Information sharing with managements | Does your management share information with each other in actual business? | | |
| | Monitoring | Ongoing monitoring | Are ongoing monitoring activities appropriately embedded within the company's overall business operations? | | |
| | Monitoring | Ongoing monitoring | Are the ongoing monitoring activities operated appropriately according to the original designs and purposes? | | |
| | Monitoring | Independent monitoring | Do you have any independent monitoring system other than ongoing monitoring activities embedded within the company's business operations, such as internal audits? | | |
| | Monitoring | Independent monitoring | Are the ongoing monitoring activities operated appropriately according to the original designs and purposes | | |
| | Monitoring | Response to results of monitoring | Are errors, material weakness of internal controls, etc. detected through the performance of control activities or noticed from outside the company timely reported to the management or senior managers and appropriately investigated and properly addressed? | | |
2022.01.01 - Version 1.0
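Review bot: the second Independent monitoring row (the one after "Do you have any independent monitoring system ... such as internal audits?") repeats the Ongoing monitoring question verbatim, "Are the ongoing monitoring activities operated appropriately according to the original designs and purposes", so the table never asks whether the independent monitoring itself works as designed; suggest "Are the independent monitoring activities (e.g. internal audits) performed according to their design and are their results reported to the board?". Also in this table: the No. column is empty in every row, which makes it impossible for later documents to reference a control by number, and there are typos to fix: "asses the risk" (assess), "performance of management regard the financial reporting" (regarding), "business an other information" (and other).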

113
Processes/COSO/ITGC.md Normal file

@ -0,0 +1,113 @@
# IT General Controls (ITGC)
## Abbreviations
* No.: Number
* A: Application
* OS: Operating System
* DB: DBMS
* N: Network
* O: Others
## General
| No. | Component | Control Area | Question | Answer | Evidence |
| ---- | --------- | ------------ | ------------------------------------------------------------ | ------ | -------- |
| | IT | IT Strategy | Do you have a IT investment strategy or plan? | | |
| | IT | IT Strategy | Are the IT investment strategies or plans reviewed and approved by the management? | | |
## System Development and Maintenance
### Points to consider
| Overview | Component | Situation | Evidence |
| -------------------- | --------- | ------------------------------------------------------------ | -------- |
| Frequency of changes | A | Often changes are required for various reasons (e.g. functionality enhancement changes in business processes, etc.) | |
| Frequency of changes | OS, DB | Changes are made for each release of security patches/upgrades | |
| Frequency of changes | N, O | Changes are made for each release of patches/upgrades | |
### Assessment of Design Effectiveness
| No. | Question | Component | Situation | Evidence |
| ---- | ------------------------------------------------------------ | --------------- | ------------------------------------------------------------ | -------- |
| 1 | Policies and procedures for development and maintenance are described in a formal way | A, OS, DB, N, O | Documentations are prepared by the IT team and authorized by the head of IT | |
| 2 | Roles and responsibilities concerning development and maintenance are clearly defined | A, OS, DB, N, O | IT personnel incl. service vendors perform changes | |
| 3 | Changes are tested and their results are approved | A, OS, DB, N, O | | |
| 4 | Changes are approved for their migration to the production environment | | | |
| 5 | Procedures are in place for preventing/detecting unauthorized changes to the production environment | | | |
## System Security (Access Control)
### Points to consider
| Question | Component | Situation | Evidence |
| ------------------------------------------------------------ | ------------ | ------------------------------------------------------------ | -------- |
| Number of users | A | Large number of users in large number of user locations/departments | |
| Number of users | OS, DB, N, O | Number of users and user locations/departments is limited | |
| Frequency of "direct data change"<br /><br />("direct data change" means to change data with the utilities such as SQL software) | N | No direct change to data has been required since its implementation, as the system has been in stable operation | |
### Assessment of Design Effectiveness
| No. | Question | Component | Situation | Evidence |
| ---- | ------------------------------------------------------------ | --------------- | ------------------------------------------------------------ | -------- |
| 1 | User authentication is required | A, OS, DB, N, O | User-ID and password are assigned on an individual basis | |
| 2 | User and access rights granted to each user are documented | A | A list of users is prepared with the rights granted to each user. This list is generated from the system | |
| 2 | User and access rights granted to each user are documented | A, OS, DB, N, O | A list of users is prepared with the rights granted to each user | |
| 3 | Policies and procedures for user-ID administration (add, change, remove, and periodic user validation) are described in an authorized documentation | A, OS, DB, N, O | The documentation is prepared and authorized by the head of IT | |
| 4 | Periodic user validation is performed, this means each user's access rights are reviewed on a periodic basis | A, OS, DB, N, O | Performed both in terms of existence of user and the detailed access rights granted to each user-ID on an annual basis by the head of IT | |
| 5 | User-ID administration requests are approved by managers in user dpt. and/or IT dpt, as appropriate | A, OS, DB, N, O | Records are maintained in the change management | |
| 6 | Access to privileged IT functions is restricted to appropriate personnel | A, OS, DB, N, O | These functions are restricted to IT personnel. Logs of the use of such privileged user-IDs are reviewed annualy | |
| 7 | The level of complexity in password settings are appropriate | A, OS, DB, N, O | Password complexity is configured based on a minimum length of 8, at least one upper case letter, at least one lower case letter, at least one special character and at least one numeric value. Password changes must happen every 3 months | |
| 8 | Policies and procedures for direct change to data are descripted in a documentation | DB | Only the head of IT may perform and authorize direct changes to the data | |
| 9 | Direct change to data are authorized | DB | No direct changes to data where made | |
| 10 | Direct change to data are tested | DB | No direct changes to data where made | |
| 11 | Access to DB and/or utilities for direct change to data is restricted to appropriate personnel | DB | Only the head of IT has write/change permissions to the DB | |
| 12 | Physical access to computer hardware is restricted to appropriate personnel | A, OS | Data and programs are in a stand-alone PC in control of the user. User permissions for Applications and OS are restricted appropriately | |
| 12 | Physical access to computer hardware is restricted to appropriate personnel | DB | Server(s) are located in a machine room with appropriate physical access control | |
## System Operation and Administration
### Points to consider
| Question | Situation | Evidence |
| ------------------------------------- | ------------------------------------------------------------ | -------- |
| Frequency of problems/incidents | Material failure such as miscalculation or malfunction of the system has not occurred. | |
| Frequency of changes to job schedules | Changes to job schedules occur frequently but most of them are those in execution date | |
| Frequency of Non/Scheduled job | Non/Scheduled job is required in some cases but its frequency is low | |
### Assessment of Design Effectiveness
| No. | Question | Situation | Evidence |
| ---- | ------------------------------------------------------------ | ----------------------------------------------------------- | -------- |
| 1 | Poliicies and procedures for backups | Exists | |
| 2 | Completion of backup is ensured | All backup job records are reviewed by monitoring personnel | |
| 3 | Backup and recovery are periodically tested | | |
| 4 | Policies and procedures for job operation are described in a documentation | | |
| 5 | Job schedule changes are approved | | |
| 6 | Procedures are in place for preventing/detecting unauthorized changes to job schedules | | |
| 7 | Completion of job execution is ensured | | |
| 8 | Requests for non-scheduled job execution are authorized | | |
| 9 | Policies and procedures for identifying, resolving, reviewing, and analyzing IT operations problems or incidents are described in a documentation | | |
| 10 | IT operations problems or incidents are identified, resolved, reviewed, analyzed, and follow-ups are evidenced in a timely manner | | |
## Outsourcing Contract Management
### Points to consider
| Question | Situation | Evidence |
| ---------------------------- | ------------------------------------------------------------ | -------- |
| What services are outsourced | Some of the services are outsourced concerning development/maintenance related to ITGCs | |
### Assessment of Design Effectiveness
| No. | Question | Situation | Evidence |
| ---- | ------------------------------------------------------------ | --------- | -------- |
| 1 | Outsourced service are clearly defined and agreed with the service vendor in writing e.g. in contract and/or SLA | | |
| 2 | Service vendor's compliance to the service level is periodically reviewed | | |
| 3 | Regular review of service vendors is conducted in terms of appropriateness of the services defined, service vendor's ability to render the required service level, etc. | | |
2022.01.01 - Version 1.0
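Review bot: the 'Frequency of "direct data change"' row under System Security is tagged component N (network), but by the row's own definition it is about changing data with SQL utilities, and the matching design rows 8 to 11 are all tagged DB; change the component to DB. Rows 8 and 11 then state that only the head of IT may both perform and authorize direct data changes and is the only person with write permission on the DB; that puts execution and approval in one person, which contradicts the segregation-of-duties control in CLC.md ("Do you have any rules to clarify segregation of duties ...") and row 5 of this table, where requests are approved by user department and/or IT managers, so add a second approver or at least an independent review of the logged change. Row 7's password policy (8 characters, four character classes, forced change every 3 months) should be reconsidered: current guidance such as NIST SP 800-63B advises against mandatory periodic rotation and composition rules in favour of a longer minimum length and screening against known-breached passwords, and row 6's annual review of privileged-account logs is too infrequent to catch misuse of those accounts. Minor: No. 2 and No. 12 are each used twice, "where made" should be "were made", and "annualy", "Poliicies" and "descripted" are typos.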

@ -0,0 +1,77 @@
# Risk Management Review Template
## Risk Identification
### New risks
| Risk No. | R | Category | Risk Event | L | C | O | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY |
| -------- | ---- | -------- | ---------- | ---- | ---- | ---- | ------------------- | ---- | ---- | ------- | -------- | ---- | ---- |
| | | | | | | | | | | | | | |
Abbreviations:
* R: Responsible
* L: Likelihood (1-5)
* C: Consequence (1-5)
* L\*/C\*: Likelihood and Consequence after mitigation
* O: Occurrence (many times a day, daily, weekly, monthly, annually)
* ES: Effective
* EY: Efficient
### Old risks (no longer applicable)
| Risk No. | R | Category | Risk Event | Reason for removal |
| -------- | ---- | -------- | ---------- | ------------------ |
| | | | | |
Abbreviations:
* R: Responsible
## Risk Monitoring
For details see the risk register.
### Key Risks
#### Risk XXX
#### Risk XXX
#### Risk XXX
#### Risk XXX
#### Risk XXX
### Key Changes
#### Risk XXX
#### Risk XXX
#### Risk XXX
#### Risk XXX
#### Risk XXX
## Effectiveness
The risk mitigation strategies are very effective as no damages from identified risks occurred and no significant unidentified risks were found.
The risk management operates as designed and is effective.
## Efficiency
The risk management is implemented with reasonable amounts of human resources, low costs due to internal risk management and very good preventing and discovering results as seen in the effectiveness.
## Summary
<Name, Last name>
2022.12.31
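Review bot: the Effectiveness and Efficiency sections pre-fill the conclusion ("very effective as no damages from identified risks occurred ...", "operates as designed and is effective", "reasonable amounts of human resources, low costs ...") and the Summary carries a fixed date of 2022.12.31, although this file is a template; leave these as prompts to be filled in per review, because the absence of damage is not by itself evidence that a mitigation worked (the risk may simply not have materialised in that year) and pre-written conclusions tend to be copied through unchanged. The ES/EY columns are defined only as "Effective" / "Efficient"; state the allowed values (yes/no or a scale) so reviewers fill them consistently, and the Old risks table would benefit from a date column next to "Reason for removal".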

@ -4,7 +4,7 @@
### Risk
Risks are characterized by probability of occurrence and consequence. Through risk management, GDF applies resources to lessen the likelihood of a future event occurring and/or the consequence should it occur. As risks increase in probability, GDF should anticipate that the events will occur and should put plans in place early to mitigate the consequences.
Risks are characterized by probability of occurrence and consequence. Through risk management, the company applies resources to lessen the likelihood of a future event occurring and/or the consequence should it occur. As risks increase in probability, the company should anticipate that the events will occur and should put plans in place early to mitigate the consequences.
### Risk Components
@ -52,6 +52,8 @@ The intent of risk identification is to answer the question “What can go wrong
Risk identification is the activity that examines each element of the company to identify associated causes, begin their documentation, and set the stage for their successful management. Risk identification begins as early as possible and continues with regular analyses.
**Company:** The identification is performed constantly, however formally once a year.
### Risk Categories
* Operational Risk
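Review bot: "The identification is performed constantly, however formally once a year" reads as a contradiction; say what triggers an identification outside the annual one (a significant change, an incident, a new product), which would also match the CLC question "Does the management reassess the risk ... whenever changes occur", e.g. "Risks are identified on an ongoing basis and formally reviewed once a year."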
@ -143,27 +145,15 @@ Risk monitoring includes a continuous process to systematically track and evalua
Risk monitoring includes recording, maintaining, and reporting risks, risk analysis, risk mitigation, and tracking results. If a risk changes significantly, the company should adjust the risk mitigation strategy accordingly. If the risk is lower than previously analyzed, the company may reduce or cancel risk mitigation activities and consider freeing resources for other uses. If risk severity increases, appropriate risk mitigation efforts should be developed and implemented.
**Company:** The monitoring is performed constantly, however formally once a year.
## Review
The Risk Management System needs to be reviewed on a regular basis in terms of effectiveness and efficiency. The review should be performed by independent personnel (either internal or external) and adjusted to changes accordingly.
The Risk Management System needs to be reviewed on a regular basis in terms of effectiveness and efficiency. The review should be performed by independent personnel (either internal or external) and adjusted to changes accordingly.
The review should be performed on an annual basis.
**Company:** The review is performed annually.
## Risk Register
The risk register is a central repository to describe and track risks as well as record actions. It includes information for each risk such as risk category, likelihood, consequence, mitigation measures, risk owner and documentation of changes.
| Risk No. | O | Category | S | Risk Event | L | C | Mitigation Strategy | Changes | Comments |
| -------- | ---- | ---------------- | ------ | ------------------------------------------------------------ | ---- | ---- | ------------------------------------------------------------ | ------- | ------------------------------------------------------------ |
| 1 | DE | Operational Risk | Active | Loss of source code | 1 | 5 | Avoiding: Store source code in cloud (github). At least one local developer PC and project server. | | |
| 2 | DE | Operational Risk | Active | Source code leak | 5 | 1 | Controlling: The programming language is compiled at runtime. The value of the software lies in the updates, support and licenses. | | Many companies transferred the revenue model to subscriptions (e.g. Adobe, Microsoft) in order to avoid similar problems. |
| 3 | DE | Operational Risk | Active | User acquires additional permissions without authorization (every software which uses permissions) | 2 | 5 | Avoiding: Permissions can only be granted by users which have received the permissions to do so. Users which can change permissions may also only have the permission to change specific users/permissions (single application elements, not the whole application.). We provide a documentation on who to manage permissions incl. best practices. Customers with a maintenance contract also receive additional advice based on their account permission handling. We also check regularly if features can be used by default without the necessary permissions. | | The consequences or severities depend on the permissions which can be acquired. |
| 4 | DE | Operational Risk | Active | User code execution (every software which allows data upload/input) | 3 | 5 | Avoiding: User provided code is a critical part of some modules (e.g. Helper, Job). These modules provided by OMS execute code user code in iframes. We provide guidelines regarding this sensitive topic which explains that only developers in a company should have access to such functionalities. | | |
| 5 | DE | Operational Risk | Active | Data leak (e.g. database data, file uploads) (every software which stores data) | 2 | 5 | Avoiding: We regularly check if users have access to data without the necessary permissions. Our modules may use encryption for extremely sensitive data. Media files are only accessible through the media module which allows to check the necessary reading permissions. We also provide a general policy for customers who to secure and maintain their servers. | | This is a big problem for almost every company working with data. The biggest known leaks happened among others to Adobe, ebay, Equifax, LinkedIn, Yahoo, ... |
| 6 | DE | Operational Risk | Active | Corrupt/malicious data injection (every software which accepts data input) | 3 | 3 | Avoiding: Data is validated client side (minimal protection) and server side. Generally, user input is only accepted if it matches the specified allowed format. Data is usually not sanitized to avoid mistakes during the sanitizing process. Database query statements are prepared and encoded. | | |
2022.01.01 - Version 1.0
Abbreviations:
* O: Owner
* L: Likelihood
* C: Consequence
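Review bot: the two lines "The Risk Management System needs to be reviewed on a regular basis ..." are identical in the old and new version, so this part looks like a whitespace-only change; fine, but the new line "**Company:** The review is performed annually." drops the requirement stated directly above it that the review is done by independent personnel (internal or external). Since the register in this commit lists one responsible person (DE) for every risk, name who performs the independent review, otherwise owner and reviewer are the same person. Moving the register table out of this document is reasonable given the separate Risk Register file, but the "2022.01.01 - Version 1.0" line is removed here too and no replacement version marker appears in the visible part of the hunk.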

@ -0,0 +1,31 @@
# Risk Register
The risk register is a central repository to describe and track risks as well as record actions. It includes information for each risk such as risk category, likelihood, consequence, mitigation measures, risk owner and documentation of changes.
| Risk No. | R | Category | Risk Event | L | C | O | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY |
| -------- | ---- | ---------------- | ------------------------------------------------------------ | ---- | ---- | ---- | ------------------------------------------------------------ | ---- | ---- | ------- | ------------------------------------------------------------ | ---- | ---- |
| 1 | DE | Operational Risk | Loss of source code | 1 | 5 | | Avoiding: Store source code in cloud (github). At least one local developer PC and project server. | | | | | yes | yes |
| 2 | DE | Operational Risk | Source code leak | 5 | 1 | | Controlling: The programming language is compiled at runtime. The value of the software lies in the updates, support and licenses. | | | | Many companies transferred the revenue model to subscriptions (e.g. Adobe, Microsoft) in order to avoid similar problems. | yes | yes |
| 3 | DE | Operational Risk | User acquires additional permissions without authorization (every software which uses permissions) | 2 | 5 | | Avoiding: Permissions can only be granted by users which have received the permissions to do so. Users which can change permissions may also only have the permission to change specific users/permissions (single application elements, not the whole application.). We provide a documentation on who to manage permissions incl. best practices. Customers with a maintenance contract also receive additional advice based on their account permission handling. We also check regularly if features can be used by default without the necessary permissions. | | | | The consequences or severities depend on the permissions which can be acquired. | yes | yes |
| 4 | DE | Operational Risk | User code execution (every software which allows data upload/input) | 3 | 5 | | Avoiding: User provided code is a critical part of some modules (e.g. Helper, Job). These modules provided by OMS execute code user code in iframes. We provide guidelines regarding this sensitive topic which explains that only developers in a company should have access to such functionalities. | | | | | yes | yes |
| 5 | DE | Operational Risk | Data leak (e.g. database data, file uploads) (every software which stores data) | 2 | 5 | | Avoiding: We regularly check if users have access to data without the necessary permissions. Our modules may use encryption for extremely sensitive data. Media files are only accessible through the media module which allows to check the necessary reading permissions. We also provide a general policy for customers who to secure and maintain their servers. | | | | This is a big problem for almost every company working with data. The biggest known leaks happened among others to Adobe, ebay, Equifax, LinkedIn, Yahoo, ... | yes | yes |
| 6 | DE | Operational Risk | Corrupt/malicious data injection (every software which accepts data input) | 3 | 3 | | Avoiding: Data is validated client side (minimal protection) and server side. Generally, user input is only accepted if it matches the specified allowed format. Data is usually not sanitized to avoid mistakes during the sanitizing process. Database query statements are prepared and encoded. | | | | | yes | yes |
## Abbreviations
* R: Responsible
* L: Likelihood (1-5)
* C: Consequence (1-5)
* L\*/C\*: Likelihood and Consequence after mitigation
* O: Occurrence (many times a day, daily, weekly, monthly, annually)
* ES: Effective
* EY: Efficient
## Responsible
* DE: Dennis Eichhorn
2022.01.01
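Review bot: every row sets ES and EY to "yes" while the L*/C* (likelihood and consequence after mitigation) and O (occurrence) columns are empty; effectiveness cannot be rated without the residual scores, so either fill L*/C* or leave ES/EY blank until the annual review. On the individual rows: Risk 4's mitigation says the Helper and Job modules "execute code user code in iframes" (typo aside), but an iframe only isolates code rendered in the browser; if these modules also run user-provided code on the server, the row should say what isolation applies there, and if they do not, say so explicitly. Risk 1's mitigation (store the code on GitHub plus a local developer PC and project server) is redundancy and reads more like a controlling measure than "Avoiding"; use the strategy labels consistently. Risk 6 is sound as written (validate against an allowed format rather than sanitize, prepared statements), but "encoded" is unclear for a query statement and should be dropped or explained. Typos: "who to manage permissions" and "who to secure" should be "how to".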

13
Processes/Development.md Normal file

@ -0,0 +1,13 @@
# Development
| No. | Process step | Risks/Things to consider | Checks/Risk mitigation | R | O |
| ---- | ------------ | ------------------------ | ---------------------- | ---- | ---- |
| | | | | | |
| | | | | | |
| | | | | | |
Abbreviations:
* R: Responsible
* O: Occurrence

13
Processes/Inventory.md Normal file

@ -0,0 +1,13 @@
# Inventory
| No. | Process step | Risks/Things to consider | Checks/Risk mitigation | R | O |
| ---- | ------------ | ------------------------ | ---------------------- | ---- | ---- |
| | | | | | |
| | | | | | |
| | | | | | |
Abbreviations:
* R: Responsible
* O: Occurrence

@ -1,95 +0,0 @@
# Maintenance Checklist
## Security
### Functions
- [ ] The application has disabled function calls
- [ ] The application has deprecated function calls
### Integrity
#### Frameworks
- [ ] PHP framework integrity is valid
- [ ] JS framework integrity is valid
#### Modules
- [ ] Module models integrity is valid
- [ ] Module views integrity is valid
- [ ] Module controller integrity is valid
- [ ] Module themes integrity is valid
#### Application
- [ ] Core application integrity is valid
- [ ] Core model integrity is valid
- [ ] Default applications integrity is valid (e.g. API, Backend)
### Unicode
#### Frameworks
- [ ] PHP framework has no unicode
- [ ] JS framework has no unicode
#### Modules
- [ ] Module models have no unicode
- [ ] Module views have no unicode
- [ ] Module controller have no unicode
- [ ] Module themes have no unicode
#### Application
- [ ] Core application has no unicode
- [ ] Core models have no unicode
- [ ] Default applications have no unicode
## Database
- [ ] Database seems healthy
- [ ] If cache is used, at least 50% of the requests hit the cache (query cache, data cache)
- [ ] Average database response times are less than 50ms
- [ ] The server hardware and assigned resources fulfill the recommendations
## Application
- [ ] The application usage feels normal (decent response time, no errors, etc.)
- [ ] The server has at least 50% of free storage space available
### Updates
- [ ] The application has the newest version
- [ ] The customer requested to update the application
- [ ] The customer is informed to create a backup first
- [ ] The application is updated during the maintenance
### Logs
- [ ] Has logs: _____________________________________________
- [ ] Logs are sent to OMS after approval from customer for further checks
#### Levels
| Level | Count |
| ----------- | ----- |
| Emergencies | |
| Criticals | |
| Errors | |
| Warnings | |
| Alerts | |
| Notices | |
| Info | |
| Debug | |
## Closing
Date:
Performed by (OMS):
Customer name:
Supervised by (customer):
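Review bot: this hunk deletes the Maintenance Checklist wholesale, and with it the only integrity checks in the repository as far as this diff shows (framework, module and core integrity, the "no unicode" checks, and the check for disabled/deprecated function calls) together with the database, update, log and sign-off sections; none of the hunks visible in this commit re-adds them and the commit message only says "cleanup and process drafting started". If the checklist moved to another file, reference it; otherwise keep the file until the replacement exists, since the integrity checks are the part a customer maintenance visit most needs.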

13
Processes/Management.md Normal file

@ -0,0 +1,13 @@
# Management
| No. | Process step | Risks/Things to consider | Checks/Risk mitigation | R | O |
| ---- | ------------ | ------------------------ | ---------------------- | ---- | ---- |
| | | | | | |
| | | | | | |
| | | | | | |
Abbreviations:
* R: Responsible
* O: Occurrence

@ -0,0 +1,40 @@
# Equipment & Material
## IT
* Laptop up to 1,500 EUR (new)
* Docking station (may already exist)
* 2 Monitors (21" up to 150 EUR per monitor, may already exist)
* Keyboard up to 150 EUR (new)
* Mouse up to 50 EUR (new)
* 2x USB Stick (new)
## Office
* Post it (soft cover)
* College Block Wire O-Binding block (soft cover)
* Pen
* Mouse pad
* Table calendar
* Wall calendar (4 month)
## Swag
### Clothes
* Polo Shirt (1x) (can choose color)
* Jacket (softshell) (1x) (can choose color)
* Shirt (1x) (can choose color)
### General
* Shoulder bag or Backpack
* Key Chain
* Mug
* Jug
* Glass
*\*All prices in net*

@ -18,7 +18,7 @@ php: PHPUnit
js: Jasmine
**How to run unit tests?**
**How to run unit/integration tests?**
* php:
* run in main directory: `php -d pcov.enabled=1 vendor/bin/phpunit -c tests/phpunit_no_coverage.xml `
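Review bot: `php -d pcov.enabled=1 vendor/bin/phpunit -c tests/phpunit_no_coverage.xml ` turns on the pcov coverage driver while pointing at a configuration named phpunit_no_coverage.xml; for a run without coverage drop `-d pcov.enabled=1` (it only slows the run), or point at the coverage configuration if coverage is intended. Also remove the trailing space inside the backticks so the command can be copied as is.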
@ -27,7 +27,8 @@ js: Jasmine
**How to run code inspection?**
* run phpstan + phpcs: `Build/Helper/testreport.sh`
* run phpstan + phpcs + eslint: `Build/Helper/testreport.sh`
* run phpstan: `php vendor/bin/phpstan analyse --autoload-file=phpOMS/Autoloader.php -l 8 -c Build/Config/phpstan.neon ./`
* run phpcs: `php vendor/bin/phpcs ./ --standard="Build/Config/phpcs.xml" -s --report-junit=Build/test/junit_phpcs.xml`
* run eslint: `npx eslint jsOMS/ -c Build/Config/.eslintrc.json`

@ -30,26 +30,26 @@ In the respective Application (e.g. Backend/Application)
**Which frameworks are used for this project?**
Only the in-house frameworks (phpOMS, jsOMS, cssOMS)
Only the in-house frameworks (phpOMS, jsOMS, cssOMS, cOMS)
**Does the project use external / third-party resources?**
**Does the release version (not the development tools) use external / third-party resources?**
Yes, although only very few libraries.
Yes, although only very few libraries. They can be found in Resources/ and Libraries/.
## Code Inspections
**How can you check the code style for code you wrote?**
* Guidelines
* Just run the phpcs dev tool with the provided config
* Just run the phpcs and eslint dev tool with the provided config
* run: `Build/Helper/testreport.sh`
**How can you check the code quality for code you wrote?**
* Guidelines
* Unit / integration tests (php: PHPUnit, js: jasmine)
* Static code analysis (phpstan)
* run: Build/Helper/testreport.sh
* Static code analysis (phpstan, eslint)
* run: `Build/Helper/testreport.sh`
* run: `php -d pcov.enabled=1 vendor/bin/phpunit tests/phpunit_default.xml`
* It's recommended to run this in the Karaka/* main directory
* Running this in the main directory will run all tests, also for the submodules (e.g. phpOMS, Modules, ...)
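Review bot: The command `php -d pcov.enabled=1 vendor/bin/phpunit tests/phpunit_default.xml` is missing the `-c` (`--configuration`) flag, so PHPUnit will treat `tests/phpunit_default.xml` as a test path rather than as its configuration file; the other FAQ entry in this diff correctly uses `-c tests/phpunit_no_coverage.xml`. Also, the new sentence `They can be found in Resources/ and Libraries/` names where the vendored third-party code lives but not how its versions and integrity are tracked; one line on where pinned versions or checksums are recorded would make the supply-chain answer complete.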
@ -58,4 +58,5 @@ Yes, although only very few libraries.
* phpcs: Build repository
* phpstan: Build repository
* eslint: Build repository
* PHPUnit: respective repository

Processes/Payroll.md Normal file
@ -0,0 +1,13 @@
# Payroll
| No. | Process step | Risks/Things to consider | Checks/Risk mitigation | R | O |
| ---- | ------------ | ------------------------ | ---------------------- | ---- | ---- |
| | | | | | |
| | | | | | |
| | | | | | |
Abbreviations:
* R: Responsible
* O: Occurrence

Processes/Purchase.md Normal file
@ -0,0 +1,13 @@
# Purchase
| No. | Process step | Risks/Things to consider | Checks/Risk mitigation | R | O |
| ---- | ------------ | ------------------------ | ---------------------- | ---- | ---- |
| | | | | | |
| | | | | | |
| | | | | | |
Abbreviations:
* R: Responsible
* O: Occurrence

Processes/Sales.md Normal file
@ -0,0 +1,13 @@
# Sales
| No. | Process step | Risks/Things to consider | Checks/Risk mitigation | R | O |
| ---- | ------------ | ------------------------ | ---------------------- | ---- | ---- |
| | | | | | |
| | | | | | |
| | | | | | |
Abbreviations:
* R: Responsible
* O: Occurrence

Processes/Support.md Normal file
@ -0,0 +1,13 @@
# Support
| No. | Process step | Risks/Things to consider | Checks/Risk mitigation | R | O |
| ---- | ------------ | ------------------------ | ---------------------- | ---- | ---- |
| | | | | | |
| | | | | | |
| | | | | | |
Abbreviations:
* R: Responsible
* O: Occurrence

@ -0,0 +1,152 @@
# Maintenance Checklist
## General
- [ ] The application usage feels normal (decent response time, no errors, etc.)
**Comment:**
> ...
### Hardware & Software
* OS:
* CPU:
* GPU:
* Database:
* Storage space:
* PHP:
- [ ] The server hardware, software and assigned resources fulfill the recommendations
**Comment:**
> ...
### Application statistics
* Application version:
* Active employee accounts:
* Active accounts:
* Storage usage:
**Comment:**
> ...
### Updates
- [ ] The application has the newest version
- [ ] The customer wishes to remain on the current version
- [ ] The customer requests to update the application
- [ ] The customer is informed to create a backup first
- [ ] The application is successfully updated
**Comment:**
> ...
### Logs
- [ ] Has logs: _____________________________________________
- [ ] Logs are sent to OMS after approval from customer for further checks
**Comment:**
> ...
#### Levels
| Level | Count |
| ----------- | ----- |
| Emergencies | |
| Criticals | |
| Errors | |
| Warnings | |
| Alerts | |
| Notices | |
| Info | |
| Debug | |
## Tests
- [ ] PHP framework tests pass
- [ ] JS framework tests pass
- [ ] Modules tests pass
- [ ] Applications tests pass
**Comment:**
> ...
## Database
- [ ] Database seems healthy
- [ ] If cache is used, at least 50% of the requests hit the cache (query cache, data cache)
- [ ] Average database response times are less than 50ms
**Comment:**
> ...
## Security
### Functions
- [ ] The application has disabled function calls
- [ ] The application has deprecated function calls
**Comment:**
> ...
### Integrity
- [ ] PHP framework integrity is valid
- [ ] JS framework integrity is valid
- [ ] Modules integrity is valid
- [ ] Applications integrity is valid
**Comment:**
> ...
### Unicode
- [ ] PHP framework has no unicode
- [ ] JS framework has no unicode
- [ ] Modules have no unicode
- [ ] Applications have no unicode
**Comment:**
> ...
## Closing
### Remark
*It is recommended to upgrade the server storage space to XXX GB*
*It is recommended to upgrade the application to the newest version for security reasons*
### Report
Date:
Performed by (OMS):
Customer:
Supervised by (customer):
2022.01.01 - Version 1.0
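Review bot: In the Security section the checkbox labels state the undesired condition (`The application has disabled function calls`, `The application has deprecated function calls`), so a ticked box reads as a finding rather than a passed check, unlike every other item in the list; suggest rewording to the desired state (e.g. `No calls to disabled functions`) or moving these under a Findings sub-list. Likewise the Unicode items (`has no unicode`) and the Integrity items (`integrity is valid`) do not say what is actually checked; stating the check (non-ASCII characters in source files; file hashes compared against the release manifest) makes the checklist reproducible by someone else. Small points: the Levels table lists `Alerts` after `Warnings`, while the PSR-3/syslog order is emergency, alert, critical, error, warning, notice, info, debug; and `Logs are sent to OMS after approval from customer` should also require that logs are reviewed for personal data before they leave the customer.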

@ -0,0 +1,34 @@
# Ticket
**Date/Time:** 2022.01.01 - 11:00
**Customer:** 123456 - Test customer
**Contact person:** Name of the contact person
**Communication:** customer@email.com | +49 1234-567890
**Issue title:** Test title for the issue
**Category:** Support request | Feature request | Bug report | Customization request | Other
**Sub-Category:** Frontend | Backend | Tool | Documentation | Other
**Application:** Module name | Tool name | Backend | Api | Cli | Framework | Application name | Other
## Issue description
## Response / Solution
**Closed at:** 2022.01.01 - 13:30
2022.01.01 - Version 1.0
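Review bot: The template has no severity/priority field and no confidentiality marker, even though `Bug report` is one of the categories; a `Security-relevant: yes/no` line next to Category would let vulnerability reports be routed and handled separately from ordinary support tickets. Minor: the `Communication` line separates the e-mail and phone placeholders with `|`, the same separator the choice lists below use for alternatives, so it reads like an option list; a comma or two separate fields would avoid that.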

@ -1,66 +0,0 @@
# Domains
The following list shows the domains and their purpose/reasoning:
### orange-management.org
Organization page
### orange-management.net
Same as .org. Maybe this tld will be used as some form of collection of domains (e.g. stackexchange)
### orange-management.dev
Used for development information such as:
* Online dev environments (internal & external)
* Dev documentations
### orange-management.app
Used as demo url.
### orange-management.business
Provided services specifically for businesses. In the beginning this will be the same as .org for marketing reasons. This tld may receive a different purpose later.
### orange-management.email
Used for all emails of the organization.
### orange-management.info
Used for documentation.
### orange-management.live
Used for videos and streaming.
### orange-management.services
Used for services (microservices) or services provided by the organization (e.g. maintenance, server management etc.). The final decission what it will be used for is till open.
### orange-management.shop
Shop to purchase the application and modules.
Categories:
* Basic packages
* Modules
* Services
* Merch
### orange-management.solutions
Same as .org just for marketing reasons
### orange-management.support
Used by the support
### orange-management.systems
Same as .org just for marketing reasons but maybe used server environment in the future.

@ -1,34 +0,0 @@
# Employees
## Material & Equipment
### Clothes
* Polo Shirt (2x) (can choose color)
* Jacket (softshell) (1x) (can choose color)
* Shirt (3x) (can choose color)
### Calendar
* Table calendar
* Wall calendar (4 month)
### Office
* Post it (soft cover)
* College Block Wire O-Binding block (soft cover)
* Pen
* Mouse pad
### IT
* USB Stick
### General
* Shoulder bag or Backpack
* Key Chain
* Mug
* Jug
* Glass
* Umbrella