Validate and Enforce Change Process for SOX Compliance

Sarbanes-Oxley and its Impact on IT

"Sarbanes-Oxley Act (SOX) Section 404" requires companies to publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting. One challenge with the SOX 404 mandate is that it offers no specifics as to what controls need to be established within an IT organization to comply with the legislation. Most auditors have adopted the Information Technology Infrastructure Library (ITIL), Six-Sigma or Control Objectives for Information and Related Technology (COBIT) as a compliance framework. Among all of these "best-practice" frameworks, COBIT seems to be the most popular choice among IT professionals.

COBIT and Change Management Challenges

The "Manage Changes" section of the "Acquire and Implement" chapter of the COBIT framework mandates:

"All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment must be formally managed in a controlled manner. Changes (including those to procedures, processes, system and service parameters) must be logged, assessed and authorised prior to implementation and reviewed against planned outcomes following implementation. This assures mitigation of the risks of negatively impacting the stability or integrity of the production environment."

Change Management Systems like those included in HP Service Manager (formerly Peregrine), BMC Remedy Service Management, and CA Unicenter Service Desk let you define the change management process. They also let you run workflows so that the process can be tracked. But none of these systems answer the following question: Are all the changes going through the change management process?

This question is critical when it comes to SOX legislation. If the internal controls of financial systems are not followed, then how can companies sign off on the accuracy of the financial data? Merely having a process is not sufficient.

For every control, COBIT requires an audit process for the control. Currently, the process is completely manual where administrators collect all the change tickets or "Requests for Change" from the change management system and then attempt to map the data found in various logs to those tickets.

Questions Auditors Ask about SOX Compliance

Auditors using COBIT framework are asking these questions to assess compliance:

- Are all the changes going through the change management process?
- Do you have a well defined emergency change process?
- What is the ratio of planned changes compared to emergency changes?
- How do you measure the effectiveness of the defined change process?

In summary, what they are seeking is validation that the change management process is effectively being used within the organization.

S3 Control Validates and Enforces the Change Process

Solidcore S3 Control™ tracks all changes throughout the infrastructure including those to the operating system, databases (schema and critical data tables), applications, network devices and directory servers. This is done in real-time, capturing detailed information about each change. This detail includes:

- Who (user),
- What (the object and content changed),
- When (the exact time of the change),
- Where (the server, database or other configuration item), and
- How (the method or agent used to make the change).

This provides a single, cost-effective means for auditing all the changes that may affect financial reporting. This very detailed change information is then used to reconcile the changes with the tickets in the change management system. Each change is either mapped to a ticket or marked as unauthorized. The unauthorized changes can be flagged and retroactively documented in the change management system as emergency changes, or mark...

About Solidcore Systems

Solidcore is a leading provider of change control for critical systems. Solidcore's S3 Control software is the industry's first and only solution to automate the enforcement of change management policies. Solidcore automatically reconciles infrastructure changes against change tickets, and provides real-time change auditing so enterprises can measure the effectiveness of change management processes and policies.
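
The reconciliation described in the S3 Control section above (each observed change is either mapped to a ticket or marked as unauthorized), sketched as an added example. It is not Solidcore's code or algorithm: the matching rule (same configuration item, approved implementer, inside the approved window), the record fields and all sample data are assumptions constructed here.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Ticket:            # one approved Request for Change
    ticket_id: str
    ci: str              # configuration item the approval covers
    implementer: str     # user approved to make the change
    start: datetime      # approved change window
    end: datetime
    emergency: bool = False

@dataclass(frozen=True)
class Change:            # one observed change: who / what / when / where / how
    who: str
    what: str
    when: datetime
    where: str
    how: str

def reconcile(changes, tickets):
    """Pair each change with a ticket ID, or with None when no approval covers it."""
    result = []
    for ch in changes:
        hit = next((t for t in tickets
                    if t.ci == ch.where and t.implementer == ch.who
                    and t.start <= ch.when <= t.end), None)
        result.append((ch, hit.ticket_id if hit else None))
    return result

def audit_metrics(changes, tickets):
    """Counts behind the auditor questions: unticketed changes, planned vs emergency."""
    emergency_ids = {t.ticket_id for t in tickets if t.emergency}
    ids = [tid for _, tid in reconcile(changes, tickets)]
    unauthorized = ids.count(None)
    emergency = sum(1 for tid in ids if tid in emergency_ids)
    return {"planned": len(ids) - unauthorized - emergency,
            "emergency": emergency, "unauthorized": unauthorized}

# Constructed sample data (hypothetical hosts, users and ticket IDs).
T = datetime.fromisoformat
TICKETS = [
    Ticket("CHG-1001", "db-fin-01", "alice", T("2024-03-02T22:00"), T("2024-03-02T23:59")),
    Ticket("CHG-1002", "app-gl-02", "bob", T("2024-03-05T01:00"), T("2024-03-05T03:00"), emergency=True),
]
CHANGES = [
    Change("alice", "schema gl.ledger", T("2024-03-02T22:15"), "db-fin-01", "sqlplus"),
    Change("alice", "/etc/ssh/sshd_config", T("2024-03-03T09:30"), "db-fin-01", "vi"),  # outside window
    Change("bob", "app.properties", T("2024-03-05T01:20"), "app-gl-02", "scp"),
    Change("carol", "table gl.rates", T("2024-03-02T22:30"), "db-fin-01", "sqlplus"),   # not the approved user
]
```

Calling reconcile(CHANGES, TICKETS) gives the per-change mapping, and audit_metrics(CHANGES, TICKETS) gives the planned, emergency and unauthorized counts an auditor would ask for.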