Sarbanes-Oxley Compliance Kit
Mandated regulations impact IT
The audit spotlight now shines on IT. After years of regulation and embarrassing data breaches, the highest levels of management now comfortably discuss IT controls and audit results. However, their quality expectations are rising. Where IT once performed audits annually, many now support quarterly, monthly, and ad hoc exercises. Each audit expands the scope of the technologies assessed, measured, and proven compliant. Broader scope means more complexity and more work. With the Sarbanes Oxley Compliance Kit you can increase timeliness and accuracy of audit data while reducing IT audit effort, disruption, and cost.
Sarbanes-Oxley Section 404 requires that:
- Enterprises have an enterprise wide security policy;
- Enterprises have enterprise wide classification of data for security, risk, and business impact;
- Enterprises have security related standards and procedures;
- Enterprises have formal security based documentation, auditing, and testing in place;
- Enterprise enforce separation of duties; and
- Enterprises have policies and procedures in place for Change Management, Help Desk, Service Requests, and changes to applications, policies, and procedures.
SOX adopted the COSO model of controls, which is the same model that SAS 70 audits have utilized since inception. SOX heightened the focus placed on understanding the controls over financial reporting and identified a type II SAS 70 report as the only acceptable method of obtaining third-party assurance regarding the controls at a service organization. Security "certifications" are excluded as acceptable substitutes for a type II SAS 70 audit report.
In addition the ISO 27000 standard is used in SAS 70 reports. The Security Manual Template contains an ISO 27000 Security Process Audit Checklist. These two items directly address a service organization's descriptions of controls. The auditor can use these to help them in the evaluation of the service organization's control framework.
Preparation for Disaster Recovery / Business continuation in light of SOX has two primary parts. The first is putting systems in place to completely protect all financial and other data required to meet the reporting regulations and to archive the data to meet future requests for clarification of those reports. The second is to clearly and expressly document all these procedures so that in the event of a SOX audit, the auditors clearly see that the DR plan exists and will appropriately protect the data.
To meet these needs the Sarbanes Oxley Compliance Resource Kit, which comes in four editions (Standard, Silver, Gold, and Platinum) contains:
- Security Policies (all editions);
- Threat & Vulnerability Assessment Tool (all editions);
- Business & IT Impact Questionnaire Risk Assessment Tool (all editions);
- Safety Program Template (all editions);
- Disaster Recovery Template (all editions);
- Outsourcing guide update to reflect what you vendors need to do (all editions);
- Internet and IT Job Descriptions (Silver, Gold, and Platinum Editions) and;
- IT Service Management Template (Platinum
Edition) includes
- Service Request Policy and Standard
- Help Desk Policy, Procedure, Standard, and Service Level Agreement
- Change Control Standard, Quality Assurance Standard, and Management Workbook
- Documentation Standard
- Version Control Policy and Standard
- Sensitive Information Standard
- Blog and Personal Web Site Policy
- Travel and Off-Site Meetings Security Policy
- Internet, e-mail and electronic communication Policy
See Table Below for a summary of the contents of each of the versions of the Sarbanes-Oxley Compliance kit
Security Manual
The plan is over 200 pages and includes everything needed to customize the Internet and Information Technology Security Manual to fit your specific requirement. The electronic document includes proven written text and examples for your security plan.
Disaster Recovery Plan (DRP)
This Disaster Recovery Plan (DRP) can be used as a template for any enterprise. DRP is sent to you via e-mail in WORD and/or PDF format. Included is a 13 page Business Impact Questionnaire as well as a 3 page Job Description for the Disaster Recovery Manager.
IT Job Descriptions
The 220 Internet and IT Position
Descriptions are in Word for Windows format. Includes positions
from CIO and CTO to Wireless and Metrics Managers.
IT Service Management Template
The IT Service Management Template contains policies, standards, procedures and metrics for Change Control, Help Desk and Service Request processing. ITSM template also contains several easy to implement forms and conforms with ITIL.
Practical Guide for IT Outsourcing
The guide is 91 packed pages and includes everything needed to plan for, negotiate, and manage an outsourcing process within an enterprise.
Safety Program Template
Safety Program is 60 pages and includes
everything needed to customize the Safety Program to fit your specific
requirement. The Safety
reflects the latest issues associated with the most recent
legislation (Sarbanes Oxley). According to Gazette.net, a Maryland Department of Human Resources employee
has been fired for posting about 3,000 names, Social Security numbers and other
personal information on his personal website. The information, which belonged to department clients who use food stamps,
housing programs and other social services provided by the state, had been
posted on the employee's website since April 27. The site has since been removed
and there is no indication that the information has been misused. The Baltimore Sun reports that a DHR spokeswoman, says it is unclear why
he used the data in an unauthorized way. The incident is still under investigation and no decision has been made yet
about whether criminal charges will be filed. As the importance of IT, the Internet, SmartPhones, and email has grown, its
legal status has changed with far-reaching consequences. A variety of laws and
regulations have been extended to cover all business
records, including email and all communications in both public and private
sectors. Sarbanes-Oxley (SOX) and other mandates requirements touch almost every
facet of paper and electronic data. Among other provisions, SOX requires companies to maintain all audit or
review work papers for at least five years. For registered public accounting
firms, the period is at least seven years. Penalties for noncompliance include
severe fines and even imprisonment, and intentionally altering or destroying
records can bring even more serious consequences. Consider that most work papers and records are created as emails and may
never exist in physical form. An email can be deleted in violation of SOX at the
click of a mouse. Key considerations for ensuring your company meets SOX
record-keeping requirements include: As the Obama administration and Congress propose various measures to improve
the nations cybersecurity, the Office of the Director of National Intelligence
is planning to spend "multiple billions of dollars" on cybersecurity
research. The deputy director of national intelligence for acquisition and
technology, said at a recent cybersecurity summit sponsored by
Defense Daily that her office, together with the White House Office of Science
and Technology, will be sponsoring "innovative" research addressing three areas,
the Washington Post reported: In today's
business environment, many enterprises are looking for way to reduce their expenses by cutting
overhead. Often this takes the form of reducing headcount, particularly in areas
that are regarded as ancillary or non-core components of the
enterprise. Disaster Recovery and
Business Continuity often are placed in that category and, as a result, can
be an early casualty of many cost-cutting programs. Whether it is an internal Disaster Recovery and
Business Continuity team losing
staff members, or a part-time Disaster Recovery and
Business Continuity manager with less time to spare from the day job,
Disaster Recovery and Business Continuity programs can be neglected and will
quickly become out of date and ineffective, particularly in a rapidly changing
organization. As anyone who has ever had to manage a Disaster Recovery and
Business Continuity event knows, there are few things more useless than an out
of date Disaster
Recovery and Business Continuity plan. Of course,
it is hard to make a case for Disaster Recovery and
Business Continuity at a time when core functions are under pressure, but
maybe that is just when it should be on the radar even more than usual. With
share prices shaky and credit hard to find, the last thing any organization
needs right now is the damage to its reputation and credibility that could arise
from failing to effectively manage a high profile disruptive
incident. Arguably,
during a recession companies are at their most vulnerable, which makes it the
worst time to neglect anything, which contributes to resilience or reduces risk.
However, if an organization is under financial pressure, how can it square the
circle and achieve those reductions in overhead costs while still maintaining
the effectiveness of its Disaster Recovery and
Business Continuity program. A Department of Treasury Web site hosted by a third party was hacked for a short while
redirecting visitors to a malicious site in Ukraine and later tracking IP
addresses before the Department of Treasury took the site offline. The Department of Treasury did not identify the provider that hosted the
Bureau of Engraving and Printing Web site, but did acknowledge in a statement
that it "entered the cloud
computing arena last year." The attack is bound to raise concerns about federal agencies' abilities to
secure data hosted by third-party service providers. Security remains one of the
biggest concerns in government circles as the Obama administration makes an
aggressive push for federal agencies to begin adopting cloud computing services.
The attack may also be used as a tool by legislators and policy makers to demand
tighter security requirements. The main web site of the Treasury division that prints U.S. paper currency,
the Bureau of Engraving and Printing presented would-be visitors with a 404 "not
found" error at each of the four URLs that point to the page, bep.gov,
bep.treas.gov, moneyfactory.gov, and moneyfactory.com. Cisco's ScanSafe tracked the attack to a Web site that attempts to exploit
numerous vulnerabilities in Adobe Reader, Adobe Acrobat, Internet Explorer,
Microsoft Office, Symantec AppStream, and other applications, and said that the
malicious site has targeted sites hosted by Network Solutions and GoDaddy.
The failed Times Square Car bomb shows that there is now a new class of
disaster that CIOs need to plan for.The infrastructure may be damaged,
communications may be lost, and the building may not be intact. That highlights
some things that a disaster plan needs to consider: As companies upgrade to Windows 7 and replace
older laptops there is a shortage of the latest Intel laptop PC Core i3 and Core
i5 microprocessors. The shortfall is in Intel's new laptop microprocessors codenamed Arrandale,
including some Core i3 and Core i5 chips. The shortage has caused chip buyers to
bid the price of the microprocessors up to a 20 percent premium over contract
prices on the open market, according to U.S. chip distributor Converge. The
shortage hit in March and will last throughout April, the company added in a
monthly research report.
Sarbanes Oxley Compliance News
Government employees continue to breach privacy of individuals
Record Management Needs to Include Email
- more info
Wi-Fi needs to be secure
You can secure your wireless network in
little time with these 5 simple rules:
- more info
Feds to spend billion on cybersecurity research
- more info
Disaster Recovery / Business Continuity is Not the Place to Cut Costs
Disaster Planning and Server Consolidation
The
cutting edge of virtualization technology may have set its sights on virtual
PCs, unified network fabrics and other esoteric applications, but server
consolidation remains 
the primary driver for
most data centers. In fact, only a handful of enterprises have begun the process
of virtualizing their server farms, according to most recent surveys, although
the pace is likely to pick up as energy costs and competitive pressures drive
organizations to increase performance even while paring down their hardware
infrastructures. But as those who have already taken the virtual plunge have no
doubt realized, consolidating servers is not just a matter of powering up the
virtualization layer and then pulling equipment out of racks. There is a long
list of factors to consider with any centralization project and a wide range of
land mines that need to be avoided to prevent service failures. One of the main
concerns is the resiliency of remaining hardware. - more info
NAS a good backup solution
Remote offices present IT managers with a number of technical challenges.
Traditionally, companies have relied on tape backup solutions to backup data
both at corporate headquarters as well as at remote offices. At one point in
time, tape backup was the only viable option for backing up data. That's no
longer the case. There are benefits of network-attached storage (NAS) hardware,
a completely self-contained appliance that has a built-in power supply, an
operating system, an easy-to-use management console, and network-accessible
storage. - more info
Federal cloud web site hacked
New York City Failed Bomb Highlights Disaster Planning Requirements
- more info
Intel can not meet chip demand
