Sarbanes Oxley Compliance

Sarbanes-Oxley Compliance Kit

 

 

Sarbanes-Oxley Section 404 requires that:

  • Enterprises have an enterprise wide security policy;

  • Enterprises have enterprise wide classification of data for security, risk, and business impact;

  • Enterprises have security related standards and procedures;

  • Enterprises have formal security based documentation, auditing, and testing in place;

  • Enterprises enforce separation of duties; and

  • Enterprises have policies and procedures in place for Change Management, Help Desk, Service Requests, and changes to applications, policies, and procedures.

SOX adopted the COSO model of controls, which is the same model that SAS 70 audits have utilized since inception. SOX heightened the focus placed on understanding the controls over financial reporting and identified a type II SAS 70 report as the only acceptable method of obtaining third-party assurance regarding the controls at a service organization. Security "certifications" are excluded as acceptable substitutes for a type II SAS 70 audit report.

In addition, the ISO 27000 standard is used in SAS 70 reports. The Security Manual Template contains an ISO 27000 Security Process Audit Checklist. These two items directly address a service organization's descriptions of controls. The auditor can use them to help evaluate the service organization's control framework.

Preparation for Disaster Recovery / Business continuation in light of SOX has two primary parts. The first is putting systems in place to completely protect all financial and other data required to meet the reporting regulations and to archive the data to meet future requests for clarification of those reports. The second is to clearly and expressly document all these procedures so that in the event of a SOX audit, the auditors clearly see that the DR plan exists and will appropriately protect the data.

To meet these needs, the Sarbanes Oxley Compliance Resource Kit, which comes in four editions (Standard, Silver, Gold, and Platinum), contains:

  • Security Policies (all editions);

  • Threat & Vulnerability Assessment Tool (all editions);

  • Business & IT Impact Questionnaire Risk Assessment Tool (all editions);

  • Safety Program Template (all editions);

  • Disaster Recovery Template (all editions);

  • Outsourcing guide updated to reflect what your vendors need to do (all editions);

  • Software tool to monitor key data files (all editions);

  • Internet and IT Job Descriptions (Silver, Gold, and Platinum Editions); and

  • IT Service Management Template (Platinum Edition), which includes:

    • Service Request Policy and Standard

    • Help Desk Policy, Procedure, Standard, and Service Level Agreement

    • Change Control Standard, Quality Assurance Standard, and Management Workbook

    • Documentation Standard

    • Version Control Policy and Standard

    • Sensitive Information Standard

    • Blog and Personal Web Site Policy

    • Travel and Off-Site Meetings Security Policy

    • Internet, e-mail and electronic communication Policy

See the table below:

| Component | Standard | Silver | Gold | Platinum |
|---|---|---|---|---|
| Security Manual Template | x | x | x | x |
| Threat & Vulnerability Assessment Tool | x | x | x | x |
| Business & IT Impact Questionnaire Risk Assessment Tool | x | x | x | x |
| Safety Program Template | x | x | x | x |
| Outsourcing guide | x | x | x | x |
| DiskMonitor (Desktop) | x | x | x | x |
| Internet and IT Job Descriptions (PDF Format) | | x | x | x |
| Internet and IT Job Descriptions (Word Format) | | | x | x |
| Internet and IT Job Description HandiGuide (PDF Format) | | | | x |
| Service Request Policy and Standard | | | | x |
| Help Desk Policy, Procedure, Standard, and Service Level Agreement | | | | x |
| Change Control Standard, Quality Assurance Standard, and Management Workbook | | | | x |
| Documentation Standard | | | | x |
| Version Control Policy and Standard | | | | x |
| Sensitive Information Standard | | | | x |
| Blog and Personal Web Site Policy | | | | x |
| Travel and Off-Site Meetings Security Policy | | | | x |
| Internet, e-mail and electronic communication Policy | | | | x |

 

 

Security Manual 

                                              
The plan is over 215 pages and includes everything needed to customize the Internet and Information Technology Security Manual to fit your specific requirement.  The electronic document includes proven written text and examples for your security plan.

 


 

Disaster Recovery Plan (DRP)

This Disaster Recovery Plan (DRP) can be used as a template for any enterprise. The DRP is sent to you via e-mail in WORD and/or PDF format. Included is a 13-page Business Impact Questionnaire as well as a 3-page Job Description for the Disaster Recovery Manager.



IT Job Descriptions

                           

The 192 Internet and IT Position Descriptions are in Word for Windows format.  Includes positions from CIO and CTO to Wireless and Metrics Managers. 
 

 

 

The IT Service Management Template

The IT Service Management Template contains policies, standards, procedures and metrics for Change Control, Help Desk and Service Request processing. The ITSM template also contains several easy-to-implement forms and conforms with ITIL.

 

Practical Guide for IT Outsourcing

               

The guide is 91 packed pages and includes everything needed to plan for, negotiate, and manage an outsourcing process within an enterprise. 

 

 

 


 

 

Safety Program Template

The Safety Program is 60 pages and includes everything needed to customize the Safety Program to fit your specific requirement. The Safety Program was updated in December of 2004 and reflects the latest issues associated with the most recent legislation (Sarbanes Oxley).
 

 

DiskMonitor

Network Administrators, DRP Coordinators, and Security Managers can use DiskMonitor (DSM) to view drive and folder usage. Local drives as well as network shares are supported. UNC pathing and Drive$ shares are supported as well.


 

 

 

 

 


© 2000 - 2008 Janco Associates, Inc. - ALL RIGHTS RESERVED -- Revised: 06/10/08