Abengoa’s information systems are intended to support the company’s own general control environment. Management of Abengoa information systems is based on the various reference frameworks described below.
The Common Management Systems contain internal regulations regarding IT Resource Management. These rules are intended to fulfill four objectives:
In relation to internal control of the Information Systems, the most relevant aspects are the automatic control activities and the Information System Management process, all of which have been reinforced as a product of SOX implementation.
The automatic control activities are control mechanisms belonging to the numerous applications that make up Abengoa’s Information Systems. They minimize and prevent errors in data entry, approvals, etc. The automatic controls help to ensure the integrity and reliability of our financial information.
The Computer System Management process centers on more specific aspects of the information systems. Based on management frameworks and best market practices, such as COBIT and ITIL (Information Technology Infrastructure Library), it meets the control requirements stipulated under SOX regarding program development, program modification, operations within computer environments, and system and data access.
The process involves a combination of manual and automatic activities throughout all Systems areas, including project management and control, development, support, incident management, supplier and client management, physical security, logical security and business continuity.
With the aim of managing security measures for Abengoa’s communications and corporate information systems, the company has an Information Security Management System (ISMS), which acts as a tool enabling us to fulfill our security-related objectives, with security understood to include:
This system, which is certified under ISO 27001 criteria, encompasses a policy on security, risk analysis, security controls in 11 areas, and a cycle of continuous improvement for integrating security into the work-related duties of all company employees.
The management reviews the ISMS on an annual basis, and risk analysis is repeated in each review, taking any changes to the computer environment into consideration, as well as any new threats to the information systems.
The security controls cover 11 general areas: administrative (policy on security, asset classification, security in relationships with third parties, security aspects involved in human resources), technical (physical security, security in operations and communications, access control, software development, acquisition and maintenance), operational (incident management, continuity management), and regulatory (compliance with legal requirements and provisions).
The ISMS continuous improvement cycle makes full use of corporate tools for preventive and corrective actions, thereby further integrating the system into the business.
In addition to the previously described management framework, Abengoa has a raft of applications in place to support this control environment, noteworthy among which is the Separation of Duties Application (SDA).
This system has the following objectives:
The system thus ensures that when assigning an individual to a workstation, he or she will not perform duties that are mutually incompatible. In other words, SDA provides an efficient and effective system for managing users and company access.
The company made significant inroads over 2009 in implementing the new ERP (SAP), with notable milestones including:
Design and construction of 90% of the corporate processes and specific processes for the Information Technologies, Bioenergy and Solar Business Groups.
Design work underway on the concessionaire model.
80% of the budget model designed and constructed.
The foregoing implemented in the following companies:
The schedule for implementation of the new ERP throughout the group is as follows: