IT Governance, Controls and Security:
Supporting Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA Compliance
Jim Haggard
Inovis
Topics
• Current State of Compliance
• Regulatory Requirements
• Security and Privacy Tenets
• Sarbanes-Oxley
• Sarbanes-Oxley Compliance Frameworks
• Solutions for Data/Document Security and Integrity
Current State of Compliance
• Has your organization been working hard over the past year (or more) to comply with government compliance mandates?
• Do the terms Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, COSO and COBiT sound familiar?
• Are the IT controls currently in place within your company lacking in areas that raise serious questions?
Current State of Compliance
• How many security gaps exist because of multiple systems with little to no integration and less than adequate data security?
• How many different technology solutions addressing the same purpose are implemented throughout your company?
• How many processes and systems may compromise the integrity of the data?
• How many possible points of failure may negatively impact the flow and integrity of data that will ultimately be used to produce financial reports?
• How many technology vendors are you dealing with?
Regulatory Requirements
• Sarbanes-Oxley Act (SOX)
– Holds senior executives (CEO and CFO) accountable
– Includes implementation of controls and procedures
– SOX applies directly to public companies
– Public companies are scrutinizing private companies
• Gramm-Leach-Bliley (GLB)
– “Financial Privacy Rule” and “Safeguards Rule”
– Applies directly to financial organizations
– GLB may impact companies in the extended Financial Services Value Chain (FSVC)
• HIPAA
– Privacy of personal health information
– Applies to all companies/organizations that maintain or exchange personal health information
Key Security and Privacy Tenets
• Privacy – Message content privacy is provided via data encryption
• Authentication – Provided via the sender’s digital signature
• Integrity – The receiver returns a hash (MIC) of the content it actually received in the Message Disposition Notification (MDN), and the sender compares it with its own hash of what it sent
• Non-repudiation – Provided via the signed MDN receipt acknowledgment
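The four tenets above describe one signed-then-encrypted exchange followed by a signed receipt. The Go program below is an added example written for this page; it is not Inovis code and not an implementation of AS2 itself. It models the AS2 pattern (a signed and enveloped document, then an MDN carrying the receiver's MIC) with Go standard-library primitives: RSA PKCS#1 v1.5 signatures, AES-256-GCM with the content key wrapped by RSA-OAEP, and an MDN that is the receiver's signature over the SHA-256 MIC of what it decrypted. The Envelope and MDN types, the function names and the EDI-looking sample document are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is one signed-then-encrypted document as it crosses the wire.
type Envelope struct {
	WrappedKey []byte // one-time AES-256 key, RSA-OAEP encrypted to the receiver (privacy)
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM over (signature || payload); the signature is senderPub.Size() bytes
}

// MDN models a signed Message Disposition Notification: the receiver's signature over the MIC (hash) of what it actually received.
type MDN struct{ MIC, Signature []byte }

// NewKey generates a 2048-bit RSA key pair for one party (sender or receiver).
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// SendMessage: the sender's signature gives authentication; the wrapped key and GCM ciphertext give privacy.
func SendMessage(payload []byte, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey) (Envelope, error) {
	h := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, h[:])
	if err != nil {
		return Envelope{}, err
	}
	buf := make([]byte, 32+12) // fresh content key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Envelope{}, err
	}
	key, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	ct := gcm.Seal(nil, nonce, append(sig, payload...), nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// ReceiveMessage decrypts, rejects anything not signed by the expected sender, and issues a signed MDN.
func ReceiveMessage(env Envelope, receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, MDN, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.WrappedKey, nil)
	if err != nil || len(key) != 32 {
		return nil, MDN{}, fmt.Errorf("cannot unwrap content key")
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	inner, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, MDN{}, fmt.Errorf("decrypt: %w", err) // any ciphertext tampering fails here
	}
	if len(inner) < senderPub.Size() {
		return nil, MDN{}, fmt.Errorf("message too short to carry a signature")
	}
	sig, payload := inner[:senderPub.Size()], inner[senderPub.Size():]
	mic := sha256.Sum256(payload)
	if err := rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, mic[:], sig); err != nil {
		return nil, MDN{}, fmt.Errorf("sender signature invalid: %w", err)
	}
	mdnSig, err := rsa.SignPKCS1v15(rand.Reader, receiverPriv, crypto.SHA256, mic[:])
	if err != nil {
		return nil, MDN{}, err
	}
	return payload, MDN{MIC: mic[:], Signature: mdnSig}, nil
}

// VerifyMDN: the receiver's signature proves who acknowledged; a MIC equal to our own hash proves what arrived.
func VerifyMDN(mdn MDN, receiverPub *rsa.PublicKey, sentPayload []byte) error {
	if err := rsa.VerifyPKCS1v15(receiverPub, crypto.SHA256, mdn.MIC, mdn.Signature); err != nil {
		return fmt.Errorf("MDN signature invalid: %w", err)
	}
	want := sha256.Sum256(sentPayload)
	if !bytes.Equal(want[:], mdn.MIC) {
		return fmt.Errorf("MIC mismatch: receipt does not match the document sent")
	}
	return nil
}

func main() {
	sender, receiver := NewKey(), NewKey()
	doc := []byte("ST*850*0001~BEG*00*SA*PO-4711**20040119~") // constructed sample, not real partner data
	env, _ := SendMessage(doc, sender, &receiver.PublicKey)
	got, mdn, _ := ReceiveMessage(env, receiver, &sender.PublicKey)
	fmt.Printf("received %q, MDN check: %v\n", got, VerifyMDN(mdn, &receiver.PublicKey, doc))
}
```

The paths that matter for the tenets are the ones that fail closed: a flipped ciphertext byte is rejected by the GCM tag before any signature is examined, a document signed by a key other than the expected sender's is refused, and an MDN only counts as a receipt when it carries the receiver's signature over a MIC equal to the hash of what was actually sent. AS2 carries the same pieces as S/MIME parts with the MIC in the MDN's Received-Content-MIC field; PKCS#1 v1.5 signatures are used here for brevity, and RSA-PSS would be the choice in a new design.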
Key Infrastructure Security Fundamentals
• User login, authentication, password/access policy
• Connections to internal systems are NOT initiated from the DMZ
• Connections through the firewall MUST be managed from inside the firewall
• HTTP messages (data/documents) are NOT stored on the hard disk in the DMZ
• Messages (data/documents) MUST be pulled inside the firewall, NOT pushed in
H.R. 3763: “Sarbanes-Oxley Act of 2002”
• Purpose: Executive accountability
• Why: Reaction to corporate scandals
• What: Requires high levels of accountability from companies and their senior executives
• Who: Publicly traded companies and near IPO companies, and specifically named CEO and CFO
Sarbanes-Oxley Titles
• I - Public Company Accounting Oversight Board
• II - Auditor Independence
• III - Corporate Responsibility
• IV - Enhanced Financial Disclosures
• V - Analyst Conflicts of Interest
• VI - Commissions Resources and Authority
• VII - Studies and Reports
• VIII - Corporate and Criminal Fraud Accountability
• IX - White Collar Crime Penalty Enhancements
• X - Corporate Tax Returns
• XI - Corporate Fraud Accountability
SOX Title I: Public Company Accounting Oversight Board
Brief Description
• Establishes an oversight board
• Audit quality, standards, investigation and disciplinary actions
• Accounting standards, foreign public accounting firms, funding
IT Issues
• Section 103: IT can contribute to the quality control and related security and systems needed to maintain source data that could be accessed and used for audit purposes
SOX Title III: Corporate Responsibility
Brief Description
• CEO and CFO (signing officers) are required to sign and attest to the accuracy of financial reports
• The signing officers are responsible for internal controls and for disclosing any internal control shortcomings
IT Issues • Section 302: Corporate Responsibility for Financial Reporting, implies that the CEO and CFO will require IT to provide strong proof that internal controls are in place
SOX Title IV: Enhanced Financial Disclosures
Brief Description
• Title IV establishes requirements for enhanced disclosures in financial reports, including conflict of interest provisions
• Disclosures of transactions and management assessment of internal controls
IT Issues
• Section 404: The most important Sarbanes-Oxley provision as it applies to IT – control structures and procedures on the transport, exchange, processing, tracking, security and integrity of data/documents
SOX Notes
• Will vary from industry to industry and with a company’s ability to address “internal controls” (plans and execution)
• Conservative and risk-averse interpretation:
– Any internal control structure or procedure that may have an impact on financial reporting
– Any internal control structure or procedure that may impact a company’s ability to operate
– Applies to supporting IT infrastructure, data security, auditability
• Applies to mission critical systems/apps such as:
– Financial software applications
– Applications that handle the data/file transfer of business docs & transactions (intra/inter-company)
Compliance Frameworks
• COSO
• Committee of Sponsoring Organizations of the Treadway Commission
• Originally formed in 1985 to study and define practices to preserve accuracy in financial reporting
• PCAOB (formed by the Sarbanes-Oxley Act) determined that COSO would be used as the primary set of guidelines and framework for SOX
• For more information on COSO:
– The COSO website at www.coso.org
Compliance Framework
• COBiT
• Control Objectives for Information and Related Technology
• An internationally accepted standard presented in non-technical language
• COBiT has been cross-referenced directly to COSO
• COBiT controls and procedures extend beyond COSO’s
• For more information on COBiT:
– The IT Governance Institute website at www.itgi.org
– The Information Systems Audit and Control Association website at www.isaca.org/cobit
Compliance Frameworks
This chart is provided courtesy of the IT Governance Institute and the Information Systems Audit and Control Association.
Compliance Framework
• SAS-70
• Statement on Auditing Standards No. 70 (SAS 70)
• Defined by the American Institute of Certified Public Accountants (AICPA)
• For all entities that use a service company for conducting transactions and maintaining related accountability and/or for recording transactions and information processing
• Provides guidelines to auditors engaged by service organizations to report on the internal control policies and procedures
• For more information on SAS-70:
– The AICPA website at www.aicpa.org
B2B Gateway - Business Integration
• A B2B gateway provides more than operational efficiency
• Backbone for the secure exchange of documents/data
• Internal and external integration
• Secure managed file transfer
• Audit trail of document flow and setup changes
• Will interact with a myriad of business processes
• Will handle all business integration
– Application-to-application
– Internal department-to-department
– Business-to-business with external parties
Benefits of a B2B Gateway
• Focus resources
• Streamline operations
• Real-time visibility into business activities
• Real-time event management & alerts
• Audit trail & dashboard
• Improve security and control
• IT Control for Sarbanes-Oxley
Architecture diagram (only the box labels survive in the transcript): Secure File and Data Transfer; Transaction Management; Community Management; Data Mapping and Transformation; Rules/Event Mgmt; Process Mgmt/Workflow; Analysis/BAM; Performance Mgmt; Dashboards; J2EE Compatible Service Oriented Architecture; Adaptive Layer; Internal Infrastructure and Systems; Perimeter Security Services; External Trading and Business Partners
Inovis BizManager
• Supports IT governance, controls and security needed for Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley
• Audit trail of all business data/documents exchanged
• Integrated business-to-business and secure file transfer
• Several secure managed file transfer options:
– Secure transports that include AS2, AS3, FTP/s, HTTP/s, ebXML
– Secure transaction mailbox (MailLink)
• Non-repudiation with proof of transmission and receipt
– Message Disposition Notifications and mailbox acknowledgements
• Integrity of business data/documents
– Signed and encrypted documents
– Encrypted HTTP/s and FTP/s connections
BizManager: Business Benefits
• Cut inefficiencies and reduce cycle times
• Minimize transaction-processing costs
• Decrease operational costs
• Address security and IT control issues related to Sarbanes-Oxley and other regulatory initiatives
• Perform real-time, any-to-any “secure” data/document exchange
• Consolidate systems, control and management
• Simplify business trading community management with integrated solutions
• Gain real-time visibility into business activity and performance
• Plan for future growth with a flexible, scalable solution for companies of any size
Inovis Solution Set
BizManager