Wednesday, March 21, 2012

COBIT Assessment Programme—Frequently Asked Questions (FAQs)

@: Why did ISACA select ISO 15504?
ISO 15504 effectively deals with a capability process assessment. It provides an understandable, logical, repeatable, reliable and robust methodology for assessing the capability of IT processes (evidentiary requirements).
@: What is the major value of using the new COBIT Assessment Programme?
a. The value derived from assessments using this approach includes reliable results that focus the enterprise on the benefits and resource implications arising from the performance and capability of its IT processes, and provide a sound basis for benchmarking and improvement, prioritization and planning.
b. There are a number of specific benefits for COBIT users in taking this approach:
- Focus first on confirming that a process is achieving its intended purpose and delivering its required outcomes as expected.
- Simplification of the content supporting process assessment.
- Improved reliability and repeatability of process capability assessment activities and evaluations, reduced debates and disagreements between stakeholders on assessment results.
- Increased usability of process capability assessment results, as the new approach establishes a basis for more formal, rigorous assessments to be performed, for both internal and potential external purposes such as benchmarking.
- Compliance with a generally accepted process assessment standard (ISO 15504) and therefore strong support for the process assessment approach in the market.
@: Does the new COBIT Assessment Programme approach replace the existing COBIT 4.1 CMM approach?
a. No, it does not; it is a different approach to assessing process capability that ISACA has selected to use. COBIT 4.1 CMM remains as published and the option of applying a COBIT Assessment Programme approach as an alternative has been made available.
b. However, the CMM approach will not be offered in COBIT 5 because the new ISO 15504 approach is core to performing a capability process assessment using COBIT 5 content.
@: What is the difference between the COBIT 4.1 CMM and the new COBIT Assessment Programme approach?
a. The capability level scale is the same, i.e., 0 to 5, and some of the level names are very similar, but that is where the similarities end. The attributes assessed and measured in each approach are NOT the same, nor is there a clear-cut relationship between the two sets of attributes.
b. There are no specific requirements to provide evidentiary support for assessment results in the existing COBIT 4.1 CMM approach, but this is mandatory in the ISO 15504 approach. Providing such evidence in support of the assessment produces more robust, repeatable and defensible results.
c. The assessment done under the old COBIT 4.1 CMM approach will likely result in “higher scores,” due to the subjective averaging approach adopted, and also due to the more rigorous ISO 15504 requirements for level 1 in the new approach.
@: Will COBIT 5 have the same process capability assessment approach using ISO 15504? And how will it differ?
a. COBIT 5 has been designed taking into account all of the ISO 15504 process capability assessment requirements. As a result the consistency of content between the COBIT 5 process content and the COBIT 5 PAM will be improved over those of COBIT 4.1.
b. For the purposes of applying the COBIT Assessment Programme approach, the only difference between COBIT 4.1 and COBIT 5 will be the level 1 content which is specific and unique to each framework version. Assessment levels 2 to 5 focus on generic process attributes (as defined in ISO 15504) and are therefore the same for both frameworks.
@: Why would you want to do a COBIT process capability assessment using COBIT 4.1 when COBIT 5 will be available in early 2012?
Enterprises have invested in using COBIT 4.1 and will continue to use it for a number of years—until a driver is encountered for them to consider a transition to COBIT 5. During this time a formal process capability assessment against COBIT 4.1 will be of value to them.
@: How is assessing cloud different from assessing other services?
There is no difference. Cloud services, whether Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS), are a subset of IT services. Regardless of the deployment model (private, public, etc.), cloud computing is the delivery of a service in the same way as any other IT service delivery. ISACA cloud publications provide a predefined selection of COBIT processes; the assessment of the processes themselves will be the same for cloud as for any other IT service delivered. For more information on ISACA’s cloud publications visit:
@: What other models, frameworks and approaches have been aligned to ISO 15504?
a. ITIL3 has been mapped to ISO 15504 but only at level 1; i.e., a Process Reference Model (PRM) has been developed and released via a Tudor publication. However, to our knowledge no full PAM has been developed.
b. The ISO group responsible for ISO 20000 on IT service management is also in the process of developing an ISO 15504 PAM.
c. COSO has also developed an ISO 15504 PRM (level 1 only) but not a full PAM.
@: How long on average does a COBIT Assessment take to execute?
a. There is no specific answer to this, as it depends on the scope of the assessment (3 processes vs. 34/37). It depends on the business need and what processes management would like to see assessed/improved.
b. ISACA has provided a scoping tool as part of its tool kit to assist organizations in selecting processes to scope. (See tool kit link on the web site.)

@: If all of the work (heavy lifting) is done to achieve level 1, which is deemed to be a major achievement, what is the incentive to go to further levels of capability? Is it not a “nice to have”?
a. There is always a cost/benefit trade-off in how high a capability level an organization wants to achieve, and indeed many organizations have focused a lot of their attention on level 1, because it is a major achievement to show that your processes are fully meeting their purpose.
b. Level 3 is seen by ISACA as the level that enterprises should aspire to for consistency in the performance of their processes irrespective of the staff involved.
c. Levels 4 and 5 will depend on the industry and product sector, so for example to meet a government contract to provide defense technology an organization may be required to show a level 5 capability, i.e., “their processes are optimized.”
@: What tools are available to assist assessors in performing these process capability assessments?
a. ISACA has provided a tool kit for both the assessor and the self‐assessment guide.
b. There are also commercial organizations that provide ISO assessment tools both online and via software download that can be tailored to a specific organization’s needs.

Friday, March 16, 2012

PHP: Upload DBF File using Temporary Table

On this occasion I would like to share a PHP script for importing DBF files. The method applied here is to import the DBF file into a temporary table and then store the data in the main or transactional table. A more detailed explanation follows:

1. Prepare koneksi.php, which serves as the database connection module, and put it into the LIB folder
2. Prepare the dbf_class PHP class that can be downloaded at and put into the LIB folder
3. Here is the script for uploading the DBF file using the browse-file method

<form name="form1" action="save.php" method="post" enctype="multipart/form-data">
<?php
// Targets the PHP 5 ext/mysql API (mysql_*) used throughout this post.
require_once 'LIB/koneksi.php';    // database connection module (step 1)
require_once 'LIB/dbf_class.php';  // dbf_class (step 2); file name assumed

class timerClass {
    var $startTime;
    var $started;
    function timerClass($start=true) {
        $this->started = false;
        if ($start) $this->start();
    }
    function start() {
        $startMtime = explode(' ',microtime());
        $this->startTime = (double)($startMtime[0])+(double)($startMtime[1]);
        $this->started = true;
    }
    function end($iterations=1) {
        $endMtime = explode(' ',microtime());
        if ($this->started) {
            $endTime = (double)($endMtime[0])+(double)($endMtime[1]);
            $dur = $endTime - $this->startTime;
            $avg = 1000*$dur/$iterations;
            $avg = round(1000*$avg)/1000;
            return "$avg milliseconds";
        }
        return "timer not started";
    }
}

// The upload form that posts the file field 'filenya' and the button 'X' is not shown in this post.
if (isset($_POST['X'])) {
    if ($_FILES['filenya']['size']>150000) {
        echo "<script>alert('File too big [max 150Kb]')</script>";
    } else {
        $thefile = '';
        // basename() strips any directory part from the client-supplied file name.
        $name = basename($_FILES['filenya']['name']);
        if (move_uploaded_file($_FILES['filenya']['tmp_name'],"dbf/$name")) $thefile = 'dbf/'.$name;
        if (!isset($dir)) $dir = '';   // base path prefix; empty when dbf/ sits beside this script
        $timer = new timerClass();
        $timer->start();
        $dbf = new dbf_class($dir.$thefile);
        $endexct = $timer->end();
        $num_rec = $dbf->dbf_num_rec;       // number of records in the DBF file
        $field_num = $dbf->dbf_num_field;   // number of fields per record

        for($i=0; $i<$num_rec; $i++) {
            if ($row = $dbf->getRow($i)) {
                $sql_sintax = '';   // start a fresh value list for every row
                for($j=0; $j<$field_num; $j++) {
                    switch ($j) {
                        case 0 : $kd_unit_tmp = substr($row[0],0,6);break;
                        case 1 : $tgl_order_tmp = $row[1];break;
                    }
                    // Numeric fields are checked; text and date fields are escaped before they go into the SQL.
                    if ($dbf->dbf_names[$j]['type']=='N')
                        $sql_sintax = $sql_sintax . (is_numeric(trim($row[$j])) ? trim($row[$j]) : 'NULL') . ",";
                    else if ($dbf->dbf_names[$j]['type']=='C')
                        $sql_sintax = $sql_sintax . "'" . mysql_real_escape_string($row[$j]) . "',";
                    else if ($dbf->dbf_names[$j]['type']=='D')
                        $sql_sintax = $sql_sintax . "date('" . mysql_real_escape_string($row[$j]) . "'),";
                }
                $pjg_query= strlen($sql_sintax);
                $sql_sintax = "INSERT INTO temp_order VALUES (" . substr($sql_sintax, 0, $pjg_query-1) . ")";
                $sql_out=mysql_query($sql_sintax) or die ("<script>alert('data doble!')</script>");
            }
        }
        // output from MySQL table
        $sql_sintax = "select * from temp_order where left(kd_order,6)='".mysql_real_escape_string($kd_unit_tmp)."' and tgl_order=date('".mysql_real_escape_string($tgl_order_tmp)."')";
        $sql_out=mysql_query($sql_sintax) or die ($sql_sintax);
        $header = true;
        while ($row=mysql_fetch_array($sql_out)) {
            if ($header) {
                echo "For HEADER display Table";
                $header = false;   // print the header once
            }
            echo "detail row";
        }
    }
}
?>
  <div align="right">
    <input type="hidden" name="kd_unit_tmp" value="<?=htmlspecialchars($kd_unit_tmp)?>">
    <input type="hidden" name="kecuali" value="<?=htmlspecialchars($kecuali)?>">
    <input type="reset"  name="Cancel" value="Batal">
    <input type="submit" name="Submit" value="Konfirmasi">
  </div>
</form>

4. Here is the script to save into the main or transactional table and clear the temporary table

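<?php
require_once 'LIB/koneksi.php';   // database connection module (step 1)

$kecuali = $_POST['kecuali'];
// The confirmation form posts the unit code in the hidden field kd_unit_tmp.
$kd_unit = $_POST['kd_unit_tmp'];
// Both values come straight from the request, so escape them before echoing.
echo "submit : " . htmlspecialchars($_POST['Submit']);
echo "kd_unit : " . htmlspecialchars($kd_unit);

if (isset($_POST['Submit'])) {
    $perintah="insert into .......( main table )";
    $hasil=mysql_query($perintah) or die ($perintah);
    // delete temporary
    $perintah="delete from temp_order where left(kd_order,6)='" . mysql_real_escape_string($kd_unit) . "'";
    $hasil=mysql_query($perintah) or die ($perintah);
}
?>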

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<body onLoad="document.location='index.php'">
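
The import loop from step 3 with bound parameters instead of string concatenation, as an added example that is not part of the original post. It runs against an in-memory SQLite table through PDO rather than MySQL, and the field list, the sample rows, the qty column and the helper names dbf_to_param() and import_rows() are constructed for illustration.

```php
<?php
// Constructed stand-ins for dbf_class output: field descriptors and raw rows.
$fields = [
    ['name' => 'kd_order',  'type' => 'C'],
    ['name' => 'tgl_order', 'type' => 'D'],
    ['name' => 'qty',       'type' => 'N'],   // hypothetical numeric column
];
$rows = [
    ['001001A01', '20120316', ' 12'],
    ["001001' OR '1'='1", '20120316', '5'],   // quote-bearing C value
    ['001001A03', '20120316', '1,1'],         // malformed N value
];
// Convert one raw DBF value to a bound parameter according to its field type.
function dbf_to_param($type, $raw) {
    $raw = trim($raw);
    if ($type === 'N') {
        if (!is_numeric($raw)) throw new InvalidArgumentException('non-numeric N field');
        return $raw + 0;
    }
    if ($type === 'D') {   // assumed: DBF dates arrive as YYYYMMDD
        $d = DateTime::createFromFormat('!Ymd', $raw);
        if (!$d || $d->format('Ymd') !== $raw) throw new InvalidArgumentException('bad D field');
        return $d->format('Y-m-d');
    }
    return $raw;           // C and other types are bound as plain strings
}

// Insert each valid row through one prepared statement; collect rejected rows.
function import_rows(PDO $db, array $fields, array $rows) {
    $marks = implode(',', array_fill(0, count($fields), '?'));
    $stmt = $db->prepare("INSERT INTO temp_order VALUES ($marks)");
    $stored = 0;
    $rejected = [];
    foreach ($rows as $i => $row) {
        try {
            $stmt->execute(array_map('dbf_to_param', array_column($fields, 'type'), $row));
            $stored++;
        } catch (InvalidArgumentException $e) {
            $rejected[$i] = $e->getMessage();   // row skipped, import continues
        }
    }
    return [$stored, $rejected];
}

// In-memory SQLite (pdo_sqlite) so the example runs offline.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE temp_order (kd_order TEXT, tgl_order TEXT, qty NUMERIC)');
list($stored, $rejected) = import_rows($db, $fields, $rows);
echo "$stored stored, rejected rows: " . json_encode($rejected) . "\n";
```

The quote-bearing value is stored as ordinary text because it never becomes part of the SQL string, and the malformed numeric row is reported instead of aborting the whole import.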


Hope this article is useful for you. See you in the other posts.

Tuesday, March 13, 2012

PHP: Security in PHP programming

Writing PHP applications is pretty easy. Most people grasp the syntax rather quickly and will within a short time be able to produce a script that works, using tutorials, references, books and help forums. The problem is that most people forget one of the most important aspects that one must consider when writing PHP applications: many beginners forget the security aspect of PHP. Generally, your users are nice people; they will do as they are told and you will have no problem with them whatsoever. However, some people are not quite as nice. Some people are outright malicious and are seeking to do damage to your website. They will scrutinize your application for security flaws and exploit these holes. Many times the beginner programmer did not know that these things would even be a problem, and therefore it might be a problem to fix the holes. In this tutorial we will look at some of these issues so you can learn how to deal with them and, better yet, prevent them. Obviously I will not promise you that by following this tutorial you will never get successfully attacked. As you become bigger you will also become a bigger and therefore more interesting target.

phpSec is an open-source PHP security library that takes care of the common security tasks a web developer faces.

phpSec is pretty much plug and play, but there are some steps to take before you are ready to harness the power of phpSec. The first thing is to include phpSec in your application.

require_once 'phpsec.class.php';

You should then be all set to start using phpSec in your application, as below:

require_once 'phpsec.class.php';
phpsec::$_dsn = 'filesystem:/var/www/phpSec/data';
phpsec::init();

Session Handler
All session data is encrypted using a user-specific encryption key that is stored in a cookie on the user's computer. This key is changed every 30 seconds. The data is saved in the phpSec store, allowing for storage in databases or flat files.
Easy to use

All you have to do to use the phpSec session handler is to add phpSec to your application as described in the getting started page. The session handler is enabled by default.
To disable just set phpsec::$_sessenable to false like this:

require_once 'phpsec.class.php';
phpsec::$_dsn = 'filesystem:/var/www/phpSec/data'; /* Note the filesystem: before the path. */
phpsec::$_sessenable = false; /* Disable phpSec session handler. */
phpsec::init();

Encrypting data in PHP can be done easily with phpSec. phpSec implements symmetric encryption using the mcrypt library, and is extremely easy to use.
For example:

<?php
require_once 'phpsec.class.php';
phpsec::init();
$data = 'This is some extremely secret information.';
/* Encrypt. */
$encrypted = phpsecCrypt::encrypt($data, 'secret key');
/* Decrypt. */
$data = phpsecCrypt::decrypt($encrypted, 'secret key');

Password hashing
To create a salted hash we use the phpsecHash::create() method. It takes just one argument, and that is the password you wish to create a hash from.

<?php
require_once 'phpsec.class.php';
phpsec::init();
$hash = phpsecHash::create('password');
echo $hash;

Validating passwords
When validating a password we use the phpsecHash::check() method. This method takes two arguments. The first is the password we want to check, and the second is the hash we created before. phpsecHash::check() will automatically detect the method used to create the hash.

<?php
require_once 'phpsec.class.php';
phpsec::init();
/* $hash is the stored hash created earlier with phpsecHash::create(). */
if(phpsecHash::check($_POST['password'], $hash)) {
  echo "Valid password";
}

Changing hash method
There are several options you could use to tune phpsecHash the way you want it to work.


<?php
require_once 'phpsec.class.php';
phpsec::init();
/* Select bcrypt before creating the hash. */
phpsecHash::$_method = phpsecHash::BCRYPT;
$hash = phpsecHash::create('password');
echo $hash;
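
What automatic method detection and a changed hash method mean for hashes that are already stored, shown with PHP's built-in password_hash API rather than phpSec. This is an added example, not code from the original post or from phpSec; the user store, the cost values and the login() helper are hypothetical.

```php
<?php
// Current policy (assumed values): bcrypt with work factor 12.
const HASH_ALGO = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12];

// Hypothetical user store; this hash was created under an older, cheaper setting.
$users = ['alice' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4])];

// Check a login; returns 'denied', 'ok' or 'ok-rehashed'.
function login(array &$users, $name, $password) {
    // password_verify() reads algorithm, cost and salt from the stored hash itself.
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return 'denied';
    }
    // Only at this point is the plaintext available, so this is where the upgrade happens.
    if (password_needs_rehash($users[$name], HASH_ALGO, HASH_OPTIONS)) {
        $users[$name] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
        return 'ok-rehashed';
    }
    return 'ok';
}

foreach (['wrong guess', 'correct horse', 'correct horse'] as $attempt) {
    echo login($users, 'alice', $attempt), "\n";
}
echo 'stored cost is now ', password_get_info($users['alice'])['options']['cost'], "\n";
```

Changing the configured method only affects newly created hashes; existing ones keep verifying under their old parameters until the owner next logs in and the hash is replaced.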

I think this is the best breakthrough in the field of PHP programming. However, it is still in beta release, so we will wait for a version that is even better.