Achieving your industry's regulatory compliance (SOX, FISMA, HIPAA, ISO, FFIEC, Basel, Auditing Standards 2 and 5, PCAOB, NIST, BSI, COBIT, COSO) without adding complexity and cost to your technology infrastructure.
Our open source model for security infrastructure applications and our framework-based approach to building a robust compliance management program represent a two-pronged initiative to help you.
From a regulatory point of view, auditors are mainly concerned with evaluating internal controls over the integrity, confidentiality and availability of data maintained in information systems.
Organizational compliance will incorporate COSO as the framework for establishing a robust internal control environment and achieving various security objectives.
The COSO Framework was established in 1992. The Committee of Sponsoring Organizations of the Treadway Commission defined internal control as a process through which an enterprise could achieve "effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations". This approach identified five principal components of internal control:
- risk assessment
- control environment
- control activities
- information and communication
- monitoring.
In June of 2003, the Securities and Exchange Commission endorsed the COSO framework for implementing Sarbanes-Oxley Act compliance.
Relating to the use of IT systems, auditors make the distinction between general controls and application controls.
General controls
General controls are the entity-wide security management program, access control, application software development and change control, system software control, segregation of duties and service continuity control.
Application controls
Application controls are authorization control, completeness control, accuracy control, and control over the integrity of processing and data files.
General application controls criteria:
- data prepared for entry are complete, valid, and reliable;
- data are converted to an automated form and entered into the application accurately, completely, and on time;
- data are processed by the application completely and on time, and in accordance with the established requirements;
- output is protected from unauthorized modification or damage and distributed in accordance with prescribed policies.
SECURITY MANAGEMENT
These controls guarantee the effectiveness of security management.
- security management program
- periodic assessment and validation of risk
- security controls policies and procedures
- security awareness training and other security-related personnel issues
- periodic testing and evaluation of the effectiveness of information security policies, procedures and practices
- remediation of information security weaknesses
- security over activities performed by external third parties
ACCESS CONTROL
Controls for ensuring that access to computer resources (data, equipment, facilities) is restricted to authorized individuals.
- protection of information system boundaries
- identification and authentication mechanisms
- authorization controls
- protection of sensitive system resources
- audit and monitoring capability and incident handling
- physical security controls
SEGREGATION OF DUTY
Incompatible duties must be effectively segregated.
- segregation of incompatible duties and responsibilities and related policies
- control of personnel activities through formal operating procedures, supervision and review
CONFIGURATION MANAGEMENT
Provide assurance that changes to systems are authorized and that security configurations are effective.
- configuration management policies, plans and procedures
- current configuration identification information
- proper authorization, testing, approval, and tracking of all configuration changes
- routine monitoring of the configuration
- updating software on a timely basis to protect against known vulnerabilities
- documentation and approval of emergency changes to the configuration
CONTINGENCY PLANNING
Protect information resources from the risk of unplanned interruptions while ensuring recovery of critical operations in case of interruptions.
- assessment of the criticality and sensitivity of computerized operations and identification of supporting resources
- steps taken to prevent and minimize potential damage and interruption
- comprehensive contingency plan
- periodic testing of the contingency plan
OVERVIEW OF APPLICATION CONTROLS
Application controls relate directly to the business processes as implemented within the organization's core systems. Such systems must incorporate controls providing reasonable assurance regarding:
- completeness: transactions are input once and their output is properly computed
- accuracy: records of transactions and their data are correct
- validity: transactions have actually occurred (authentic and authorized)
- confidentiality: protection from unauthorized access
- availability: relevant business information is available in a timely fashion
Employing COBIT as the framework for achieving regulatory compliance: COBIT provides a robust framework for building processes that allow an organization to sustainably deliver high quality IT services. Because COBIT provides a very high level of control over the strategic planning part of IT, it becomes a very convincing tool for securing management approval of IT initiatives. We have therefore used the framework in support of IT governance efforts, but being very comprehensive, it is just as effective for IT compliance.
COBIT offers a certain amount of flexibility, as different organizations use technology differently. It can adjust to size, strategy and location.
Its orchestration requires high-level managerial involvement while its depth encompasses end-user workflows.
It is therefore the primary tool allowing an organization to manage risk strategically, operationally and at the user/system level. It is the de facto framework for internal control and IT-related risk management. Being high-level, it also helps upper management keep the organization compliant from a regulatory standpoint.
Its 34 processes (each within a domain) are supported by 318 control objectives, making it very comprehensive.
It offers visibility into the alignment of IT with the business strategy, into whether benefits are realized from the IT orchestration, into whether the organization's use of IT and other resources is optimized (automation for efficiency), and into whether risks are properly managed. It also allows an organization to measure the performance of its IT. A maturity model is introduced for senior managers to rate their organization's level of IT optimization. This in itself offers the flexibility and ability to govern change organization-wide, to introduce innovation and to adjust to business environment challenges.
The 4 domains of activity covered by COBIT 4.0 are Plan & Organize, Acquire & Implement, Deliver & Support, and Monitor & Evaluate, comprising 34 processes and 318 control objectives.