Sarbanes-Oxley Program Efforts Must be Sustainable
The Sarbanes-Oxley Act (SOX) has significant information security implications for companies governed by the regulation. Sections 302, 404 and 409 of SOX, and the corresponding SEC rules and regulations, have tremendous ramifications for information technology (IT) in the areas of control (internal controls), evaluation (governance, measurement and recordkeeping), and disclosure (reporting and certification). These "control, evaluate and disclose" elements must work together as integral parts of the SOX compliance process. To meet the challenges of SOX compliance, companies need to adopt changes to corporate governance and implement configuration audit and control.
Achieving Control of IT
IT is pervasive in today's world. These days, an effective IT solution is required for every key organizational initiative. The IT solution (i.e., its design) is also one of the key cost drivers that will affect long-term success. Therefore, the IT infrastructure and its suite of applications have become a prized corporate asset that must be managed (controlled) and "protected."
In 2000, Gene Kim and Kevin Behr began a long-term research effort to develop a clear understanding of what makes certain organizations "high performers." They studied high-performing IT operations and security organizations to understand their processes and implementations. The Visible Ops methodology was developed as a result.
The Visible Ops® Handbook: Implementing ITIL® in 4 Practical and Auditable Steps reflects the lessons learned about how leading organizations work and describes a control-based entry point into the world of ITIL. Organizations can use Visible Ops as a springboard for their own process improvement efforts.
To understand how high-performing organizations manage IT and achieve their business objectives, the IT Process Institute (ITPI) conducted the IT Controls Performance Study in the fall of 2005 (www.itpi.org/home/performance_study.php). The goal was to identify the unique practices of top-performing organizations and determine the operational improvements enabled by IT control activities.
Keeping Up Your SOX Compliance
Looking beyond the controls and metrics analyzed in the ITPI study to the generally acknowledged practices, here's how the high performers really set themselves apart:
1. They place significant emphasis on their change management process. In fact, high performers regard change management as the key capability behind their performance.
2. They place high value on understanding why a change happened and exactly what happened. To do this, they monitor, audit, and document all changes to the infrastructure.
3. They consider zero the only acceptable number of unauthorized changes in a change management system. We've heard time and time again that high performers recognize they are only one change away from being a low performer, and that unauthorized changes can have catastrophic impact if they're left unattended.
4. They send the right cultural message within the organization, implement the right controls to hold people accountable for adhering to policies, and exercise appropriate disciplinary action for non-compliance.
5. They test all changes in a preproduction environment. This discipline lets changes be introduced into production in a reliable, predictable manner.
6. They have established ways of analyzing the impact of an IT change before and after it occurs, allowing them to deal with incidents more effectively.
7. They track and analyze change successes and failures to capture lessons learned, share best practices, and prevent recurrence of an undesirable change incident.
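As an added illustration of what points 2 and 3 look like in practice (example code written for this page, not taken from the Visible Ops handbook or the ITPI study), the following Python script performs the core of a configuration audit: it fingerprints a baseline and a current snapshot of configuration files, lists every change, and reconciles each change against approved change records. A change counts as authorized only when a ticket names the same path and the resulting content matches what the ticket approved; a ticket that exists but approved different content does not excuse the change. The file paths, file contents and ticket numbers are constructed sample data.

```python
"""Configuration audit: detect changes to a baseline and reconcile them
against approved change records. Added example with constructed data."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fingerprint(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to the SHA-256 of its content (a snapshot)."""
    return {path: sha256_hex(content) for path, content in files.items()}


@dataclass(frozen=True)
class Change:
    path: str
    kind: str                 # "modified", "added" or "removed"
    new_hash: Optional[str]   # None when the file was removed


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> List[Change]:
    """Every path whose hash differs between the two snapshots."""
    changes: List[Change] = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        if old is None:
            changes.append(Change(path, "added", new))
        elif new is None:
            changes.append(Change(path, "removed", None))
        else:
            changes.append(Change(path, "modified", new))
    return changes


@dataclass(frozen=True)
class ApprovedChange:
    ticket: str
    path: str
    expected_hash: Optional[str]   # None means the ticket approved removing the file


def reconcile(changes: List[Change], approvals: List[ApprovedChange]
              ) -> Tuple[List[Tuple[Change, str]], List[Change]]:
    """Split detected changes into (authorized, unauthorized).

    Authorized requires BOTH a ticket for the path AND a resulting state
    equal to the one the ticket approved; anything else is unauthorized."""
    by_path = {a.path: a for a in approvals}
    authorized: List[Tuple[Change, str]] = []
    unauthorized: List[Change] = []
    for ch in changes:
        appr = by_path.get(ch.path)
        if appr is not None and appr.expected_hash == ch.new_hash:
            authorized.append((ch, appr.ticket))
        else:
            unauthorized.append(ch)
    return authorized, unauthorized


# Constructed sample data (hypothetical hosts, files and ticket numbers).
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers.d/ops": b"%ops ALL=(ALL) NOPASSWD: /usr/bin/systemctl\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
}
CURRENT_FILES = {
    # approved by CHG-1042
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\nMaxAuthTries 3\n",
    # a ticket exists, but it approved a narrower sudo rule than this one
    "/etc/sudoers.d/ops": b"%ops ALL=(ALL) NOPASSWD: ALL\n",
    # /etc/cron.d/backup was removed with no ticket; this file was added with none
    "/etc/cron.d/exfil": b"* * * * * root /tmp/x\n",
}
APPROVALS = [
    ApprovedChange("CHG-1042", "/etc/ssh/sshd_config",
                   sha256_hex(CURRENT_FILES["/etc/ssh/sshd_config"])),
    ApprovedChange("CHG-1043", "/etc/sudoers.d/ops",
                   sha256_hex(b"%ops ALL=(ALL) NOPASSWD: /usr/bin/systemctl, /usr/bin/journalctl\n")),
]


def audit() -> Tuple[List[Tuple[Change, str]], List[Change]]:
    changes = diff_snapshots(fingerprint(BASELINE_FILES), fingerprint(CURRENT_FILES))
    return reconcile(changes, APPROVALS)


def audit_passes() -> bool:
    """The 'zero unauthorized changes' test the list above calls for."""
    return not audit()[1]


if __name__ == "__main__":
    ok, bad = audit()
    for ch, ticket in ok:
        print(f"AUTHORIZED   {ch.kind:8} {ch.path}  ({ticket})")
    for ch in bad:
        print(f"UNAUTHORIZED {ch.kind:8} {ch.path}")
    raise SystemExit(0 if audit_passes() else 1)
```

Run against the constructed data, only the sshd_config change is authorized; the sudoers edit is flagged even though CHG-1043 exists, because the approved content differs, and the removed cron job and the new one have no ticket at all. In a real deployment the baseline would come from the last approved snapshot, the current snapshot from the host (a file-integrity tool or a simple agent), and the approvals from the change management system, with the audit run on a schedule and every unauthorized finding opened as an incident rather than quietly re-baselined.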