Document Management Process
The purpose of this document is to describe the document management procedures for all documents relating to the KPMG GSOC. The documentation will include but not be limited to policies, processes, controls and standard operating procedures.
This document covers all documentation relating to KPMG GSOC.
The responsibility of ownership and ongoing management of this document, including the processes contained therein, rests with the Head of GSOC.
The intended audience for this document is the KPMG GSOC personnel and any other document contributors.
This document must be reviewed in its entirety at least annually.
There are no exceptions permitted for this process.
Any violations of this policy should be reported directly to the GSOC Operational Manager at the following email address:
This refers to all document types that form the GSOC documentation, which include but are not limited to:
- Policy – Formally documented management expectations and intentions. Policies are used to direct decisions and to ensure the consistent and appropriate development and implementation of, among other things, processes, standards, roles, activities and IT infrastructure.
- Process – A structured set of activities designed to accomplish a specific objective. A process takes one or more defined inputs and turns them into defined outputs. A process may include any of the roles, responsibilities, tools and management controls required to reliably deliver the outputs. A process may define standards, guidelines, activities and work instructions if they are needed.
- Control – All documents which help to support and manage a process, and ensure that the process itself is followed properly.
- Terms of Reference – A document specifying the scope, deliverables, resources and schedule for a project or activity.
- Requirements Document – A document specifying the requirements for a project or activity.
- Architecture Document – A document specifying the structure of a system or IT service, including the relationships of components to each other and to the environment they are in. Architecture also includes the standards and guidelines which guide the design and evolution of the system.
- Technical Design – A document that identifies the requirements of a technical activity or process and then defines a solution that is able to meet these requirements.
All document types must follow the KPMG style guideline, and it is the responsibility of each document owner to ensure compliance. Document formats may include but are not limited to Word, Excel, PowerPoint and SharePoint.
As the number of GSOC documents grows, it has been necessary to develop a document control process to manage them effectively. Every GSOC document will have a unique reference made up of three components: Document Type, Document Category and Document Number. The document types and categories used to reference the GSOC documentation are listed below:
Document Type:
- PO – Policies
- PR – Processes/Procedures
- CO – Control
- TOR – GSOC Terms of Reference
- RD – Requirements Document
- AD – Architecture Document
- TD – Technical Design
Document Category:
- OP – Operation
- IN – Intelligence
- IS – IT Support
- PS – Personnel
- CM – Comms/Media
- FN – Finance
- IG – IT Governance
- LG – Logistics
Document Number: xx
Please refer to Appendix 1, GSOC Documents, for a list of all currently allocated reference numbers.
All documents produced under KPMG control must carry a version number: 0.1 for the first draft, 0.2 for the second draft, and so on. All core documents must be formally reviewed and approved for publication; once this has been done, the document is changed to version 1.0 and the word ‘draft’ is removed from it. Version 1.0 then becomes the benchmark, and all subsequent version numbers must follow the same x.x pattern.
All GSOC core documents will be managed using standard SharePoint version control and check-in/check-out processing. All core documents will also contain document control records. It is recommended that SharePoint archives are set up to hold non-current versions.
Where appropriate, documents should be produced using the documentation standards defined above. These are based on the KPMG report macro and provide a common presentation style for the front sheet, internal structure and first few pages. The rest of a document's content is determined by the author, based on the type of document being produced.
The following table briefly describes the document properties that are deemed essential for GSOC core documents.

| Property | Description |
|---|---|
| Document Title | As allocated by the document owner. |
| Reference number | The reference number, in line with the document referencing guidelines. |
| Organisation | The organisation that owns the document. For a spreadsheet this may be on the control or guideline tab. |
| Entity | The company that the organisation belongs to, usually KPMG LLP. For a spreadsheet this may be on the control or guideline tab. |
| Date | The issue date of this version of the document in DD XXXXXX CCYY format. While a document is in draft it is common practice to preface the date with “draft”. |
| Version | The document version number. |
| Amendment History | The version number, date and summary of the changes and sections that have been changed. It also includes the document review details, such as the reviewer’s name and date. |
The document owner is responsible for the production of GSOC documents, and for subsequent changes to existing documents, for release into the GSOC SharePoint. Document owners can delegate responsibility for the production of new documents or change requests to nominated representatives, either on a permanent basis or during absences (e.g. holidays). The document owner must pass the document to the Head of GSOC for it to be approved.
Contributors are the subject matter experts (SMEs) in the relevant subject of the document, or other admissible parties, who are assigned by the document owner to produce or amend documents. There may be one or more contributors to a document, and the contributor(s) may vary during the lifetime of the document. The contributors must work with the document owner and the reviewer(s) to complete the document change.
GSOC documentation should be reviewed by a second person other than the creator. Reviewers should evaluate draft documentation and agree when they are suitable for authorisation and release. Reviewers represent users of the documentation; suppliers to the processes it describes; and customers affected by the products resulting from its use.
Appendix 1 – GSOC Documents
| Reference | Document |
|---|---|
| | Business Continuity Plan / Disaster Recovery Plan |
| | Risks and Decisions Log |
| | Access Request Form |
| | Customer Satisfaction Survey Form |
| | Capacity Management Plan |
| CO_CM_01 | GSOC Narrative & Key Messages |
| CO_FN_01 | GSOC Financial Tracker |
| CO_FN_02 | GSOC Cost Model |
| CO_IG_01 | Audit report template |
| CO_IG_02 | MF Feedback template |
| CO_IN_01 | Metrics/KPI Documentation/Definition (Use from Governance Model) |
| CO_IN_02 | Threat Priority Matrix (1) |
| CO_IN_03 | Dark Line Log (Audit Trail) |
| CO_IS_01 | BCM/DR Actions memory aid |
| CO_IS_02 | BCM/DR Call Out Roster |
| CO_IS_03 | Change Request template |
| CO_LG_01 | Service Level Agreement Template |
| CO_LG_02 | Approved supplier List |
| CO_LG_03 | GSOC Equipment Maintenance Care Log |
| CO_LG_04 | Asset Inventory Log Register |
| CO_LG_05 | Health & Safety Log |
| CO_OP_01 | MF Consent to Monitor |
| CO_OP_02 | MF Onboarding template |
| CO_OP_03 | Service Request template |
| CO_PS_01 | Training Catalogue (inc. Training and Qualification Process) |
| CO_PS_03 | GSOC Job Descriptions |
| CO_PS_04 | Skills Matrix (Resource specific) |
| CO_PS_06 | Resource Onboarding Pack |
| | IT Support Policy |
| PO_CM_01 | External Communications and Media Policy |
| PO_IG_01 | Audit and Security Testing Policy |
| PO_IG_02 | Continual Service Improvement Policy |
| PO_IG_03 | Document Management Policy |
| PO_IN_01 | Threat Intelligence Policy |
| PO_IN_02 | Dark Line Policy |
| PO_LG_01 | GSOC Equipment Policy |
| PO_OP_01 | GSOC Authority Policy |
| PO_OP_03 | IT Incident Management Policy |
| PO_OP_05 | Data Breach Policy |
| PO_OP_06 | Security Incident Management Policy (inc. Global Incident Responsibility Policy) |
| PO_OP_07 | Change Management Policy |
| | Resource Off-boarding Process |
| PR_CM_01 | Crisis Communication (Management) Plan |
| PR_CM_02 | GSOC Communications Process (Communications Roster) |
| PR_FN_01 | Supplier Financing & Procurement (6) |
| PR_IG_01 | Document Management Process |
| PR_IG_04 | Code of Conduct |
| PR_IN_01 | Detection Optimisation Process |
| PR_IN_02 | Intelligence Management Process (inc. Threat Intel Lifecycle) |
| PR_IN_03 | Reporting Process (inc. Report Process, Member Firm Notification Process, Service Report Generation Process) |
| PR_IS_01 | SECOPS Process Customization Definition |
| PR_IS_02 | Change Management Process |
| PR_IS_03 | Test Management (6) |
| PR_IS_04 | Disaster Recovery Plan (6) |
| PR_IS_05 | Backup plans (6) |
| PR_IS_06 | Request Management Process (Service change, RFI, RFC) |
| PR_IS_06 | Supplier Management process (6) |
| PR_LG_02 | GSOC Equipment Maintenance Process (6) |
| PR_LG_03 | Health & Safety process (6) |
| PR_OP_01 | Content Management Process |
| PR_OP_03 | SOC Escalation Process (inc. Incident Response Process, MF Escalation Process) |
| PR_OP_04 | MF Onboarding Process (analyst, assets) |
| PR_OP_05 | Data Handling & Privacy Process |
| PR_OP_07 | Service Management Process (inc. Continual Improvement Process, SOC Environmental Process) |
| PR_OP_11 | Risk Management process (6) |
| PR_OP_12 | Portal IAM Process (5) |
| PR_OP_14 | Dark Line / Nonattrib Process |
| PR_OP_15 | Client Context Management Process |
| PR_OP_17 | Security Incident Management Process |
| PR_OP_20 | Discovery Process (inc. Retrospective Detection Process, Trend Analysis and Querying) |
| PR_OP_25 | Service Desk Management |
| PR_OP_28 | IT Incident Management Process (GSOC only – maybe rename as GSOC Platform Management) |
| PR_PS_01 | Resource Onboarding (GSOC) |
| PR_PS_02 | Shift Management Process (inc. Shift Handover Process) |
| PR_PS_03 | Career Management (inc. Planning) |
| RD_IG_01 | GSOC Baseline Reqs. |