Regulatory Compliance and the IBM Mainframe- Key Requirements

By: CA Mainframe
Published: Feb 13, 2008
Length: 12
Type: White Paper

Overview:
Compliance requires strong security controls for mainframe environments as well. This white paper discusses some of the major challenges that mainframes bring to compliance and some key issues that need to be addressed. It also presents key technologies and approaches that you can use to achieve easier compliance for your mainframe systems.
Recent corporate financial scandals and increased concerns over privacy of user information are factors that have led to a rise in governmental laws and industry regulations around financial reporting, security and data privacy. These factors create compliance pressures that place heavy burdens on internal IT groups. Failure to secure sensitive information can result in irreparable damage to the corporate reputation, and failure to achieve compliance has financial consequences as well. While governmental regulations cover a wide range of target areas, regulations that impact IT generally fall into one of three major categories:
- Governance. These regulations deal with issues related to the transparency and accuracy of financial records, the retention of records within the corporation, and requirements of disaster recovery and business continuity. Most notably with SOX, this type of regulation was heavily driven by corporate scandals and financial fraud cases.
- Privacy. These regulations are often specific to a single vertical market, and dictate how a user’s personal information must be handled by the corporation. There are regulations that specify what type of personal information may be kept, how that information may be handled (including who, if anyone, it may be given to), and what actions are required in the event of a breach of established privacy restrictions.
- Security. These regulations are intended to protect a corporation’s critical infrastructure, and specify how users will be identified, how their access to sensitive resources must be controlled, and how that access may be tracked and audited.
Figure 1 illustrates these three primary areas of compliance, and highlights some of the major regulations in each area. Note that some regulations fall into multiple categories. While there are a large number and wide variety of regulations, each has unique requirements for compliance, many of which cannot be solved merely through technology and/or procedural changes. However, one element common to all regulations is the need for strong and effective controls over various enterprise business processes. A control is a set of procedures or steps that can be used to ensure the successful operation of a business practice or transaction. These controls ensure, for example, that private customer data is not accessed by unauthorized people, that platforms and systems are protected from breach, and that all data and applications are protected from inappropriate access. Internal controls can be weak, strong, or anywhere in-between. It is the job of compliance auditors to ensure and attest that these controls are effective enough to meet the requirements of the regulation.
Generally, a governmental regulation does not specify what technology is required in order to meet its requirements. In fact, many regulations do not even specify any details of an effective internal control. Therefore, administrators and compliance officers are left to determine what methods they will use to meet the often vague requirements within each regulation. In the area of overall corporate governance, the internal control framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has become widely adopted. Although COSO contains requirements for a range of areas of governance, there is little in the COSO framework regarding specific IT controls. Given this, management should either look to industry “best practices,” which are often subjective, or look to another controls-oriented framework from an authoritative source.
To solve this problem, many companies have begun to look to the Control Objectives for Information and related Technology (COBIT) framework published by the IT Governance Institute, which is affiliated with the Information Systems Audit and Control Association (ISACA). COBIT contains a broad set of IT control objectives that provide statements of “the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.” Among these IT controls are many that are directly related to security management processes and systems.
Other IT frameworks exist (for example, ITIL, SAS 70, ISO 17799, and others), and their use is dependent on whether they can help establish (to the auditors) a strong case for successful compliance.
Let’s look at COBIT in more detail, since it has emerged as a widely adopted framework for IT controls. The COBIT control objectives are organized into four areas:
- Planning and Organization
- Acquisition and Implementation
- Delivery and Support
- Monitoring
One of the key activities within the Delivery and Support area of COBIT is an activity entitled “Ensure Systems Security”. The purpose of this activity is to “provide controls that safeguard information against unauthorized use, disclosure or modification, damage or loss through logical access controls that ensure access to systems, data and programs is restricted to authorized users.”