Keeping Up Your SOX Compliance and Turning IT into a High Performer by Improving Change Control

WHITEpaper
Keeping Up Your SOX?Compliance
And Turning IT?into a High Performer by Improving Change Control
page 3 Forward
page 4 Executive Overview
page 6 Chapter 1 - History
page 8 Chapter 2 - Overview of SOX
page 11 Chapter 3 - We Need to Ensure IT is in Control
page 12 Chapter 4 - Sustainability (and Making Your SOX Efforts a Source of Long Term "Competitive Advantage")
page 15 Chapter 5 - Other Considerations
page 17 Appendix A - References
page 19 Appendix B - Change Management "Overview" Pictorial
By Dan Swanson ©2007 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other marks are property of their respective owners. All rights reserved. WHITE?PAPERKeeping Up Your SOX?Compliance
Forward
Organizations are exposed to governance, compliance and ethical risks daily. Coupled with the current economic, regulatory and social climate, these risks have propelled corporate governance, compliance management, and information security to be key business priorities.
Tripwire is the world's leading configuration audit and control software and services provider. The company has a clear mission: helping organizations gain control over IT. Tripwire's enterprise-strength solutions lower the risk of regulatory violations, business disruptions, security breaches, and loss of customer confidence. Tripwire software reduces operational risk and ensures the security and availability of your networks. By establishing a baseline of data in its desired state, and detecting and reporting changes to that baseline, Tripwire ensures rapid discovery and remediation when an undesired change occurs. Over time, by using Tripwire, stretched IT staffs gain increased visibility and control over change and establish a foundation for stable IT operations and systems security.
It gives me great pleasure to publish this new white paper to help you improve your governance practices and to get "IT under control." This paper provides guidance to improve your Sarbanes-Oxley program efforts and highlights key information on Tripwire and to the many ways we can support your efforts.
Regards,
Gene KimCTO, Tripwire
Page 3WHITE?PAPERKeeping Up Your SOX?Compliance
Executive Overview
Sarbanes-Oxley Program Efforts Must be SustainableThe Sarbanes-Oxley Act (SOX) has significant information security implications for companies governed by the regulation. Sections 302, 404 and 409 of SOX, and corresponding SEC Rules and Regulations, have tremendous ramifi-cations for information technology (IT) in the areas of control (internal controls), evaluation (governance, measurement and recordkeeping), and disclosure (reporting and certification). These "control, evaluate and disclose" elements must work together as integral parts of the SOX compliance process. To meet the challenges of SOX compliance, companies need to adopt changes to corporate governance and implement configuration audit and control.
Achieving Control of ITIT is pervasive in today's world. These days, an effective IT solution is required for every key organizational initiative. The IT solution (i.e., its design) is also one of the key cost drivers that will impact long term success. Therefore, the IT infrastructure and its suite of applications has become a prized corporate asset that must be managed (controlled) and "protected."
In 2000, Gene Kim and Kevin Behr began a long term research effort to develop a clear understanding of what makes certain organizations "high-performers." They studied high-performing IT operations and security organizations to understand their processes and implementations. As a result, the Visible Ops methodology was developed. T ®The Visible Ops Handbook: Implementing ITIL in 4 Practical and Auditable Steps reflects the lessons learned about how leading organizations work and describes a control-based entry point into the world of ITIL. Organizations can use Visible Ops to springboard their own process improvement efforts.
In order to understand how high-performing organizations manage IT and achieve their business objectives, the IT Process Institute conducted the IT Controls Performance Study in the Fall of 2005 (www.itpi.org/home/performance_study.php). The goal was to id... [download for more]