sox & iso 27001 protect your data and be ready to be audited!!!
TRANSCRIPT
SOX & ISO 27001
Protect your data and be ready to be audited!!!
What is SOX Compliance?
Why audit IT controls?
IT Controls
Failure of SOX controls
What is ISO 27001?
Why be ISO 27001 compliant?
Certification timeline
Security Domains + More
Risk Assessment
1 of 17
Agenda
SOX Compliance
• SOX stands for “Sarbanes–Oxley”
• Legislation formed in 2002
• All about Financial Data
• It was designed to:– to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise
– Improve the accuracy of corporate disclosures.
2 of 17
Image Source: Google Images
• All public companies in the U.S.
• International companies that have registered equity or debt securities with the SEC
• Accounting firms that provide auditing services to them.
Information Source: web.cba.neu.eduImage Source: Google Images
SOX Compliance
3 of 17
Financial Data
Is the data reliable?
Is the data complete & accurate?
Can we trust the data coming out of the systems?
Why audit IT Controls?
System A
System B
4 of 17
GENERAL IT CONTROLS (GITCSs)
GITCs KEY DOMAINS
• Access to program and data
• Program Changes
• Program Development
• Computer Operations
Databases(Stores or processes
Financial data)
ReportApplication
A
E.g. “Flight tickets sold” report is complete and accurate.
Application Controls
5 of 17
IT Controls
1. Password policy (best practices)2. SoD (restricted access)3. Terminations; New Hires; Transfers
Controls tested:
IT ControlAccess to Programs & Data
1. Test of Design2. Test of Effectiveness
Steps
Key Inputs:
– Password settings– List of users/administrators with full/admin access- List of new hires/terminated/transferred users
Control is effectiveor Not effective
Outputs:
Testing technique used: Sampling
Impact on Financials?6 of 17
Changes are: 1. Tested 2. Approved
Controls tested:
7 of 17
IT ControlProgram Changes
1. Test of Design2. Test of Effectiveness
Steps
Key Inputs:
– Change Management Process– List of system generated Database changes
Outputs:
Testing technique used: Sampling
Impact on Financials?
Control is effectiveor Not effective
• Deficiency: A control breakdown prevents management or employees from preventing or detecting financial misstatements within a reasonable time frame.
• Significant deficiency: An important control is not working and the organization's ability to initiate, record, process, or report financial data to the public is compromised. In addition, a significant deficiency may prevent compliance with generally accepted accounting principles (GAAP). A significant deficiency must be reported to the audit committee of the board of directors.
• Material weakness: One or more control failures at this level will result in a 404 failure. A material weakness represents, according to the AICPA, "more than a remote likelihood that a material misstatement of the financials will not be prevented or detected." The control failure must be reported to the audit committee of the board of directors as well as the investing public (via the 10K). Material weaknesses usually, but not always, arise from business practices rather than IT control failures.
IT is expected to pass with few deficiencies, no significant deficiencies, and certainly no material weaknesses.
Source: http://www.ittoday.info
Failure of SOX Controls (IT & Non-IT)
8 of 17
Database Administrators– You are responsible for security of the databases!
– Follow enterprise wide processes for adding/removing/ updating access
– Follow enterprise wide process around Password Management
– Follow enterprise wide process for Change Management
– Do not use shared accounts
– Make sure logging/auditing is available on the databases
– Be prepared to provide audit evidence & support
9 of 17
Key Points to remember…For a successful SOX audit
ISO 270012-3 minutes break before we proceed
Image Source: http://www.glasbergen.com
10 of 17
Next Topic
What is SOX Compliance?
Why audit IT controls?
IT Controls
Failure of SOX controls
What is ISO 27001?
Why be ISO 27001 compliant?
Certification timeline
Security Domains + More
Risk Assessment
11 of 17
Agenda
ISO 27001:2013 is an information security standard
It is a specification for an information security management system (ISMS)
It is designed to protect ANY* kind of required information
*scope is defined by the organization
12 of 17
ISO 27001
Some reasons may include:
• Maintain ISO 27001 Certification
• Protect Employee PII Data
• Protect Consumer PII Data
• Comply with applicable privacy and security laws
• Satisfy contractual obligations
• Be prepared to deal with changing threats with respect to new cloud based services
• Streamline Processes and adopt best practices
13 of 17
Why be ISO 27001 compliant?
2012 Original Certification: Full Audit
2013
2014
Surveillance Audit: High level Audit
Surveillance Audit: High level Audit
2015 Re-Certification: Full Audit
Maintaining the certificate
Example timeline: 3 year cycle
14 of 17
Certification Timeline
Security Domains – ISO 27001:2013 versionAnnex A
1. Scope, Information Security Management System2. Information Security Policies (A.5)3. Organization of Information Security (A.6)4. Human Resource Security (A.7)5. Asset Management (A.8)6. Access Control (A.9)7. Cryptography (A.10)8. Physical and Environmental Security (A.11)9. Operations Security (A.12)10. Communications Security (A.13)11. System Acquisition, Development, and Maintenance (A.14)12. Supplier Relationships (A.15)13. Information Security Incident Management (A.16)14. Information Security Aspects of Business Continuity Management (A.17)15. Compliance (A.18)
& risk assessment…
Total 114Controls
15 of 17
Security Domains + more
# Document Purpose Owner
1 Asset Register Identify critical business information, where it exists, and who owns it
Database Team
2 Risk Assessment Identify potential data loss or security threats and resulting impact to the business
InfoSec, Database Team
Asset Based Risk Assessment – Applicable to the Database Team
3 Risk Treatment Plan (RTP) Define the preferred procedure the organization should follow in the event of a security breach. Additional security controls to be implemented are recommended here.
Database Team
4 Implementation Procedure Lists all current controls in place to ensure security. Once additional controls from RTP are implemented, they will be added here.
Database Team
Lists all applicable controls from the previous slide• Accept• Mitigate• Transfer• Avoid 16 of 17
Risk Assessment
Discussion
17 of 17
Image Source: http://www.glasbergen.com