DILIMA offers comprehensive IT policies and procedures for small business. Establishing new controls always presents a host of business challenges. There is often a disconnect between IT and auditors, with IT unclear about what controls are expected. Even when they know what to monitor, data centers are filled with a wide range of data stores and systems from multiple vendors, including legacy systems. Staffing, time and resources are tight.

Then there is the challenge posed by privileged users, including system administrators and database administrators (DBAs) responsible for key facility operations. To address compliance issues, some organizations have actually curtailed privileges for such users. Yet this is clearly counter-productive to a facility’s operational efficiency. Instead, organizations need strategies that allow them to demonstrate to auditors that data integrity is being protected, without hindering privileged users’ access to the data they need to do their jobs.
Overcoming these challenges can pay significant dividends. Implementing effective controls for ensuring the integrity of financial information, sensitive customer and employee information, and other critical corporate data can provide enormous business benefits, including better security, more consistent business processes and improved documentation. In short, compliance helps demonstrate to customers and business partners that your organization can be trusted. And in today’s corporate world, trust is the coin of the realm.
Two Important Roadmaps
But where do organizations begin? What IT controls are most important for SOX compliance and for establishing a foundation for data governance? A growing number of IT organizations are finding at least some of the answers in recent versions of two venerable standards frameworks: COBIT 4.1 and ISO 17799:2005.
COBIT 4.1
Control Objectives for Information and related Technologies (COBIT) is an open standard published by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA). The most recently published version, COBIT 4.1, emphasizes regulatory compliance as it relates to IT governance. ISACA describes COBIT as “an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.”
COBIT provides a best practice framework for how to control, manage and measure 34 key IT practices. This framework includes high-level and detailed control objectives for each process, management guidelines (including process inputs and outputs, roles and responsibilities, and metrics), and process maturity models. A core emphasis of COBIT is aligning IT operations with strategic enterprise objectives and priorities to improve IT value delivery, resource management, business performance, efficiency and risk management.
ISO 17799:2005
The ISO 17799:2005 standard is the most recently published revision of ISO’s global security framework. It significantly improves upon the already well-respected and comprehensive “Code of Practice for Information Security Management.” ISO 17799:2005 provides principles and guidelines for initiating, implementing, maintaining, and improving information security management throughout the enterprise. This includes best practices, control objectives and controls for a range of IT functions related to protecting information.
The ISO 17799:2005 standard includes extensions that strengthen controls designed to protect the integrity of information—from asset management and access control, to human resources security, security incident management and business continuity management. An important new requirement is an increased emphasis on the capability to validate the integrity of regulated information. It mandates validation through systematic auditing and monitoring of activity to prevent unauthorized access to sensitive corporate and customer information. Just as ISO 9000/9001 is used universally as a measure of production quality, ISO 17799:2005 is poised to play a similar role in the area of information integrity assurance.
IT Best Practices for Data Integrity
Both COBIT 4.1 and ISO 17799:2005 provide guidelines that are useful in helping companies determine how to think about the root requirements of compliance regulations and managing data risks. Developed specifically for IT organizations, they provide specific best practices for controls aimed at ensuring the integrity of information assets.
What specific controls should IT managers be focusing on for achieving SOX compliance, while moving toward data governance? While these vary depending on the business, the following IT controls consistent with both COBIT and ISO 17799:2005 are important building blocks for protecting the integrity of critical data and documenting that protection.