Security Audit Program
The Security Audit Program contains over 400 unique tasks divided into 11 areas of audit focus, which are then divided into 38 separate task groupings. The audit program is one that either an external or an internal auditor can use to validate the compliance of the Information Technology function and the enterprise with the ISO 27000 series (ISO 27001 & ISO 27002), Sarbanes-Oxley, HIPAA, and PCI-DSS.
Real-ID will not be implemented until Dec 2014
The U.S. Department of Homeland Security (DHS) has granted extensions to 49 of 50 states, the District of Columbia and all five U.S. territories, putting more than 99 percent of U.S. drivers' licenses and ID cards on the path to secure identification. Congress mandated in the REAL ID Act of 2005 that state-issued identification must be REAL ID compliant to be acceptable for official purposes.
Maine is the only jurisdiction that has not yet met the security requirements needed to obtain an extension. Implementation of the bar on accepting Maine licenses will require substantial planning and effort, which will begin immediately in the absence of an agreement. Maine will have until close of business tomorrow to agree to certain security changes in order for Maine IDs to be acceptable for purposes of boarding commercial aircraft and accessing certain federal facilities after May 11, 2008.
DHS recognized earlier this year that states could not meet the full requirements of the REAL ID Act by May 11, as set by Congress. The department made extensions available for states that needed additional time to come into compliance, or to complete ongoing security measures. Initial extension requests were due by March 31. These extensions are valid until Dec. 31, 2009, when states must upgrade the security of their systems, to include a check for lawful status of all applicants, for their licenses and ID cards to be acceptable for official purposes.
The need for secure documentation was a core 9/11 Commission finding. REAL ID addresses their finding by setting specific requirements that states must adopt for compliance in four key areas: (1) information and security features that must be incorporated into each card; (2) proof of the identity and U.S. citizenship or legal status of an applicant; (3) verification of the source documents provided by an applicant; and (4) security standards for the offices that issue licenses and ID cards.
REAL ID enrollment will be completed for all individuals 50 years of age and under by Dec. 1, 2014. For all others, enrollment may be extended three additional years to Dec. 1, 2017. At that time, all state-issued drivers' licenses and identification cards intended for official purposes must be REAL ID-compliant.
It can be a struggle for a company to adhere to new compliance regulations and responsibilities. Questions such as "Where do we start?" and "Can we leverage existing processes to meet these new requirements?" are obvious questions with not-so-obvious answers. What are the vulnerabilities, and how can we manage compliance with SOX section 404?
As guidance and a framework for SOX compliance, the US Securities and Exchange Commission (SEC) has mandated that affected organizations use a recognized internal control framework. The SEC makes specific reference to the recommendations of the Committee of the Sponsoring Organizations of the Treadway Commission (COSO). While there are many sections within the Sarbanes-Oxley Act, the focus here is on section 404, which addresses internal control over financial reporting. This section requires the management of public companies to assess the effectiveness of the organization's internal control over financial reporting and annually report the result of that assessment.
Meeting the COSO objective means compliance with SOX section 404.
The Sarbanes-Oxley Act has fundamentally changed the business and regulatory environment. The Act aims to enhance corporate governance through measures that will strengthen internal checks and balances and, ultimately, strengthen corporate accountability. However, it is important to emphasize that section 404 requires senior management and business process owners not merely to establish and maintain an adequate internal control structure, but also to assess its effectiveness on an annual basis. This distinction is significant.