Sarbanes-Oxley Compliance Kit

Mandated regulations impact IT

The audit spotlight now shines on IT. After years of regulation and embarrassing data breaches, the highest levels of management now comfortably discuss IT controls and audit results. However, their quality expectations are rising. Where IT once performed audits annually, many now support quarterly, monthly, and ad hoc exercises. Each audit expands the scope of the technologies assessed, measured, and proven compliant. Broader scope means more complexity and more work. With the Sarbanes Oxley Compliance Kit you can increase timeliness and accuracy of audit data while reducing IT audit effort, disruption, and cost.

Sarbanes-Oxley Section 404 requires that:

  • Enterprises have an enterprise-wide security policy;
  • Enterprises have enterprise-wide classification of data for security, risk, and business impact;
  • Enterprises have security-related standards and procedures;
  • Enterprises have formal security-based documentation, auditing, and testing in place;
  • Enterprises enforce separation of duties; and
  • Enterprises have policies and procedures in place for Change Management, Help Desk, Service Requests, and changes to applications, policies, and procedures.

SOX adopted the COSO model of controls, which is the same model that SAS 70 audits have utilized since inception. SOX heightened the focus placed on understanding the controls over financial reporting and identified a type II SAS 70 report as the only acceptable method of obtaining third-party assurance regarding the controls at a service organization. Security "certifications" are excluded as acceptable substitutes for a type II SAS 70 audit report.

In addition, the ISO 27000 standard is used in SAS 70 reports. The Security Manual Template contains an ISO 27000 Security Process Audit Checklist. These two items directly address a service organization's descriptions of controls, and the auditor can use them when evaluating the service organization's control framework.

Preparation for Disaster Recovery / Business continuation in light of SOX has two primary parts. The first is putting systems in place to completely protect all financial and other data required to meet the reporting regulations and to archive the data to meet future requests for clarification of those reports. The second is to clearly and expressly document all these procedures so that in the event of a SOX audit, the auditors clearly see that the DR plan exists and will appropriately protect the data.

To meet these needs, the Sarbanes Oxley Compliance Resource Kit, which comes in four editions (Standard, Silver, Gold, and Platinum), contains:

  • Security Policies (all editions);
  • Threat & Vulnerability Assessment Tool (all editions);
  • Business & IT Impact Questionnaire Risk Assessment Tool (all editions);
  • Safety Program Template (all editions);
  • Disaster Recovery Template (all editions);
  • Outsourcing guide, updated to reflect what your vendors need to do (all editions);
  • Internet and IT Job Descriptions (Silver, Gold, and Platinum Editions); and
  • IT Service Management Template (Platinum Edition), which includes:
    • Service Request Policy and Standard
    • Help Desk Policy, Procedure, Standard, and Service Level Agreement
    • Change Control Standard, Quality Assurance Standard, and Management Workbook
    • Documentation Standard
    • Version Control Policy and Standard
    • Sensitive Information Standard
    • Blog and Personal Web Site Policy
    • Travel and Off-Site Meetings Security Policy
    • Internet, e-mail and electronic communication Policy

See the table below for a summary of the contents of each version of the Sarbanes-Oxley Compliance Kit.

Sarbanes-Oxley Compliance Resource Kit - Standard

  • Sarbanes-Oxley Compliance Summary
  • Security Manual Template
  • Sensitive Information Policy Template
  • Disaster Recovery - Business Continuity Template
  • Safety Manual Template
  • Threat & Vulnerability Assessment Tool
  • Business & IT Impact Questionnaire
  • Practical Guide for IT Outsourcing Template
  • Job Description for Chief Security Officer (CSO)

Update service is available.

Sarbanes-Oxley Compliance Resource Kit - Silver

  • Sarbanes-Oxley Compliance Summary
  • Security Manual Template
  • Sensitive Information Policy Template
  • Disaster Recovery - Business Continuity Template
  • Safety Manual Template
  • Threat & Vulnerability Assessment Tool
  • Business & IT Impact Questionnaire
  • Practical Guide for IT Outsourcing Template
  • Job Description for Chief Security Officer (CSO)
  • Internet and IT Job Descriptions HandiGuide PDF format

Update service is available.

Sarbanes-Oxley Compliance Resource Kit - Gold

  • Sarbanes-Oxley Compliance Summary
  • Security Manual Template
  • Sensitive Information Policy Template
  • Disaster Recovery - Business Continuity Template
  • Safety Manual Template
  • Threat & Vulnerability Assessment Tool
  • Business & IT Impact Questionnaire
  • Practical Guide for IT Outsourcing Template
  • Job Description for Chief Security Officer (CSO)
  • Internet and IT Job Descriptions HandiGuide PDF format
  • Internet and IT Job Description - 243 individual Microsoft WORD files

Update service is available.

Sarbanes-Oxley Compliance Resource Kit - Platinum

  • Sarbanes-Oxley Compliance Summary
  • Security Manual Template
  • Sensitive Information Policy Template
  • Disaster Recovery - Business Continuity Template
  • Safety Manual Template
  • Threat & Vulnerability Assessment Tool
  • Business & IT Impact Questionnaire
  • Practical Guide for IT Outsourcing Template
  • Job Description for Chief Security Officer (CSO)
  • Internet and IT Job Descriptions HandiGuide PDF format
  • Internet and IT Job Description - 243 individual Microsoft WORD files
  • IT Service Management Template

Update service is available.

Download Components Table of Contents

Once you get to the download page, bookmark it and you will be able to download all of the components without having to re-register.


Security Manual Template

The plan is over 200 pages and includes everything needed to customize the Internet and Information Technology Security Manual to fit your specific requirements. The electronic document includes proven written text and examples for your security plan.

Sensitive Information Policy Template

This policy is easily modified and defines how to treat Credit Card, Social Security, Employee, and Customer Data. The template is 34 pages in length and complies with Sarbanes Oxley Section 404, ISO 27000 (17799), and HIPAA. The PCI Audit Program that is included is an additional 50 plus pages in length.

Disaster Recovery Plan (DRP)

This Disaster Recovery Plan (DRP) can be used as a template for any enterprise. The DRP is sent to you via e-mail in WORD and/or PDF format. Included is a 13 page Business Impact Questionnaire as well as a 3 page Job Description for the Disaster Recovery Manager.

IT Service Management Template

The IT Service Management Template contains policies, standards, procedures and metrics for Change Control, Help Desk and Service Request processing. The ITSM template also contains several easy-to-implement forms and conforms with ITIL.

Safety Program Template

The Safety Program is 60 pages and includes everything needed to customize the Safety Program to fit your specific requirements. The Safety Program reflects the latest issues associated with the most recent legislation (Sarbanes Oxley).

Business and IT Impact Questionnaire

This Business and IT Impact Analysis Questionnaire has been designed by one of the industry's most experienced application assessment consultants. This Questionnaire has been used in over 500 assessment, DRP, and business impact projects in the past four years. Included is a Risk Ranking definition.

Practical Guide for IT Outsourcing

The guide is 91 packed pages and includes everything needed to plan for, negotiate, and manage an outsourcing process within an enterprise.

IT Job Descriptions

You can get either the HandiGuide in PDF format, the Microsoft Word files, or both.

The Internet and IT Position Descriptions in the WORD version come as individual files in .docx format. They include positions from CIO and CTO to Wireless and Metrics Managers.


Sarbanes Oxley Compliance News


Security is a concern of CIOs with the increase in use of mobile devices

May 12th, 2012

By definition, mobile devices extend beyond corporate physical security controls, and data on devices or transmitted over public Wi-Fi networks is at risk. Security is a key concern for CIOs as they begin to implement mobile device solutions. Over two thirds of all CIOs, according to Janco Associates, Inc., feel that security of mobile devices is the largest risk to deal with when building a mobility strategy.

Lost or stolen devices are the most common type of mobile security incident today. How many times have we heard in the media that an employee of a hardware vendor loses a device in a bar or cab before it is released? Add to this unauthorized applications and malware targeted at mobile devices, which do put corporate systems at risk.


CIOs are drivers of BYOD

April 28th, 2012

Organizations that choose to support their employees' personal devices within a secure environment will measurably increase their business productivity as well as extend their employees' flexibility. Additionally, the results underline a need for businesses to develop a platform agnostic device strategy that ensures corporate data remains secure.

Janco recommends:

  • Organizations provide comprehensive support to BYOD: Employees will work around corporate IT infrastructure in order to be productive and find ways to leverage their personal devices, regardless of whether they're supported by the business or not. Supporting as many computing platforms as possible will ensure employees are accessing and sharing business data within a secure environment approved by the organization.
  • CIOs should focus on data when implementing BYOD: Over three quarters of all CIOs identify their role as a data custodian or someone responsible for locating content and establishing context that is aligned with associated business rules. An organization's mobile strategy therefore needs to not only enable IT professionals to effectively manage the volume of data, but also provide the solutions that allow employees to securely access and leverage data as a business asset.
  • BYOD implementation should enable productivity: Identify the business applications employees rely on (such as the organization's email or social collaboration tools) and provide mobile and tablet support for these applications to ensure employees can remain productive.


HIPAA does not address all security issues

April 13th, 2012

HIPAA places a requirement on health care and insurance organizations to go further than simply complying with regulations to protect health information. Although those organizations deal with many types of government and professional regulations, as adoption of electronic health records (EHRs) progresses, they also need to form policies of their own to secure patient data.

Health care organizations have turned to government guidelines on security, but they need their own security measures as well. These government security guidelines include the 1996 Health Insurance Portability and Accountability Act (HIPAA) and the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, which made penalties for data breaches more severe.

Evolving threats will always outpace even the most thorough regulatory requirements. For that reason, organizations need to constantly assess their security risk levels and evolve their policies and procedures to ensure that they are in the best possible position to protect their patients and their bottom lines.

A large number of health care breaches reported to the U.S. Department of Health and Human Services were also due to portable devices. The expanded use of mobile devices offers new operational efficiencies and increased vulnerabilities. Security steps for mobile devices should be included in the action plans so that guidelines are set.


Safety incidents need to be tracked

April 4th, 2012

Health, Safety, and Environmental Professionals can spend significant time trying to manage behavior-based safety programs. They know that employees and supervisors should conduct behavior-based observations on an on-going basis, but the volume of observations and the data analytics required to determine trends make this process difficult and time consuming. By tracking, documenting, and analyzing safety observations, you can determine behavior-based safety metrics and trends.


IT Jobs Will Grow 22% Through 2020

March 31st, 2012

The Bureau of Labor Statistics (BLS) has released its biennial employment forecasts, and this year's report has some good news for IT workers. The agency predicts that employment in all computer-related fields will grow 22 percent through 2020. Some job titles will do even better, for example software developers (28-32 percent growth), database administrators (31 percent growth), and network and systems administrators (28 percent growth).

While the forecast looks good, some experts say the U.S. IT job growth isn't as high as it needs to be. Victor Janulaitis, CEO of research firm Janco Associates, characterized the IT job growth as "anemic," saying, "When you consider the overall demand for systems and applications in high-growth markets like China and India, the BLS projections mean the U.S. will be doing a diminishing portion of the development and implementation work. If that's the case, the U.S. will no longer be the leader in IT."


He added, "The BLS projections are a bad sign for the U.S. IT graduates from universities. Those numbers do not cover the net growth necessary to give all of the graduates jobs."



Backup lacking in many small businesses

March 16th, 2012

In a recent survey it was found that an increasing number of professionals (80%) work remotely and rely on personal devices (many BYODs) such as smartphones (63%), iPads (30%), and laptops (80%) to access company data. Despite the expectation that professionals with sensitive client data would understand the associated risks and responsibilities, the numbers reflect that many professionals working remotely, and their companies, are either unaware or too casual about how to keep this information safe and secure. Interestingly, legal professionals trailed the field, with 78% of lawyers reporting they were either not at all concerned, not that concerned, or only somewhat concerned about the security of their company data for employees using personal devices for work.
Other findings for small-to-midsize businesses with fewer than 1,000 employees include:

  • 66% of all have a formal procedure for backing up company data
  • 87% have no formal policy in place regarding employees' use of personal devices for work purposes
  • 32% let employees make their own decisions about how to back up company and client data on their devices
  • Over 50% do not have backup or data recovery plans that meet current standards for data protection
  • 41% store and back up company data on portable USB devices, which may be used by family members, get lost, or even be stolen
  • Over 30% had a hard drive crash in the last 12 months where data was not fully recovered
  • 67% have a formal backup process; most are using external hard drives located locally


Electronic Medical Record requirement drives IT opportunities

March 1st, 2012

Electronic Health Records and Electronic Medical Records are all over the news with the recent focus on Health Care Information Technology. Over the next few years, health care is getting a major information technology overhaul as the world moves toward a digital age in health care.

Personal mobile devices are becoming a fixture in health care as 85 percent of hospital IT departments allow doctors and staff to use personal devices at work, according to a new survey of health care IT professionals by a manufacturer of mobile networking infrastructure.

The survey showed that 83 percent of health care IT professionals allow iPads on their enterprise networks and 65 percent support iPhones and iPod Touch devices.

Meanwhile, 52 percent of hospitals support personal BlackBerry devices while other industries are not enabling access to personal BlackBerry devices as much as the health care industry is.



Mobile phone has hidden features

February 24th, 2012

A mobile phone can actually be a life saver or an emergency tool for survival. Here are some tips to add to your disaster recovery plans for cell phone use:

  • Emergency Number - The Emergency Number worldwide for mobile is 112. If you find yourself out of the coverage area of your mobile network and there is an emergency, dial 112 and the mobile will search any existing network to establish the emergency number for you; interestingly, this number 112 can be dialed even if the keypad is locked.
  • Hidden Battery Power - Imagine your cell battery is very low. To activate, press the keys *3370#. Your cell phone will restart with this reserve and the instrument will show a 50% increase in battery. This reserve will get charged when you charge your cell phone next time.
  • Disable a STOLEN or lost mobile phone - To check your mobile phone's serial number, key in the following digits on your phone: *#06#. A 15-digit code will appear on the screen. This number is unique to your handset. Write it down and keep it somewhere safe. If the phone is lost or stolen, you can phone your service provider and give them this code. They will then be able to block your handset, so even if the thief changes the SIM card, your phone will be totally useless. You probably won't get the phone back, but at least you know that whoever stole or has it can't use or sell it either. If everybody did this, there would be no point in people stealing mobile phones.
  • Free Directory Service for Mobile Phones - Telephone companies are charging us $1.00 to $1.75 or more for 411 information calls made from mobile phones. Most people do not carry a telephone directory, which makes this situation a problem. When a number is needed, instead of 411 simply dial (800) FREE411 or (800) 373-3411 without incurring any charge at all. Program this into your cell phone now.


Cybersecurity is not just an IT issue

February 16th, 2012

Putting the onus for all data security on the IT department to address security attacks is not a successful strategy. The attackers are exploiting the end-users more and more, thus circumventing security controls altogether.

With that in mind, the two most urgent actions are for organizations to create awareness of the problem and build commitment among leadership to tackle it. A strong cybersecurity program warrants a comprehensive strategy to address any risks within the environment. These include everything from developing the strategy and a human capital plan to awareness and training.

Cybersecurity is not just an IT issue; that’s not how your adversaries are looking at it. Using IT happens to be the way they get into networks. Technology is only one aspect. Organizations need to look at it as a foreign intelligence collection effort. Bottom line, cybersecurity needs to be top-down driven, from the head of the agency or a CEO on down. Only then will the enterprise be adequately protected.



Mobile workforce and multiple devices concern CIOs

February 11th, 2012

CIOs have to address two fundamental end user computing challenges. CIOs need to provide secure, anytime access to an increasingly remote and mobile workforce, and manage the ever increasing diversity of devices, applications, platforms and operating systems needed to run their organization.

Traditionally, CIOs and the IT departments determined the technology issued to employees and the policies strictly governing their use. However, that is an approach that may have worked for an office-bound workforce and is no longer practical in today's highly connected, mobile environment. In addition, with the increase in IT complexity, security challenges have become more complex and insidious. Security threats are growing in volume and sophistication at an alarming rate.

A policy is needed to deal with the mobile workforce that most organizations have.