
Other Standards and Internal Control Frameworks

As mentioned earlier there are other standards of internal controls and risk assessment methodologies specific to Information Technology, which you can utilize for compliance to Section 404. The websites for the following standards are listed in APPENDIX C

COBIT® is a robust internal control framework focusing specifically on Information Systems.

CobiT® is a system of internal controls standard that has been adopted by IT departments in many large and small organizations. The CobiT® framework is specifically targeted at Information Systems processes and functions, which can help you identify the various control processes you should be aware of for Sarbanes Oxley Section 404 compliance. The CobiT® steering committee and the IT Governance Institute released the CobiT® standards in 1993.

If your department has a full implementation of the CobiT® framework, your IT department is most likely already in compliance with the Sarbanes Oxley Section 404 rules.

ISO/IEC STANDARDS Another group of standards that can be useful in establishing your IT internal control system are the ISO standards, which offer guidance on many best practices for various IT functions.

The International Organization for Standardization offers several standards for network security management, software development and quality control in addition to thousands of other standards for various business and government functions. This organization has been in existence since 1947. The 9000 standard series for quality control and 17799 standards for security are those most applicable to Information Services controls and Sarbanes Oxley Section 404 compliance.

The standards themselves don’t include an implementation project plan for instituting ISO standards. There are toolkits available for implementing ISO standards that provide templates and written descriptions of procedures that can be easily incorporated into your existing documentation. A simple Internet search on the standards will give a listing of vendors’ offerings.


None of the information is offered for free at the ISO site. You must pay for the standards documentation.

BS 7799 is a standard specification for an Information Security Management System (ISMS) developed in Great Britain. It uses the ISO/IEC 17799 security standards as the baseline measure of the ISMS model and certification.

BS 7799-2:2002 explains how to apply ISO/IEC 17799 and how to build, operate, maintain and improve an ISMS.

A company can also apply for BS 7799 certification. In order to be awarded a certification, a BS 7799 assessor audits your ISMS, similar to the SEI Capability Maturity Model certifications that Carnegie Mellon awards to companies implementing SEI standards.

SEI MATURITY MODELS The Software Engineering Institute at Carnegie Mellon University is a government-sponsored organization with several relevant standards and models to choose from. SEI promotes standards, educational courses and certifications related to software engineering. Its best-known work is the Capability Maturity Model (CMM) and, more recently, the CMMI, Capability Maturity Model Integration. The Cobit® maturity model is derived from the SEI/CMM, as are most other maturity models in existence today. Since 1986 SEI has published, on a yearly basis, a large number of technical reports pertaining to, among other things, best practices in software engineering.

CERT® Affiliated with the Software Engineering Institute is the CERT® Coordination Center, which specializes in systems security. It is an advisory service that also publishes more than 50 security practices for information systems that you can utilize for your compliance efforts.

CERT® offers training, evaluations, alerts and information related to Information Systems security. The site is an excellent resource that can be used as a monitoring tool and can be utilized by any organization to comply with the COSO Monitoring component.

CIS The Center for Internet Security is an independent organization which provides methods and tools to improve, measure, monitor, and compare the security status of your Internet-connected systems. The benchmarks they provide are excellent tools for establishing information systems security standards and self-assessments.

CIS is not tied to any proprietary product or service. Members of CIS identify security threats and then participate in the development of methods to mitigate security threats. They also provide useful automated tools for every operating system, which can be used for monitoring and evaluating your Internet security status. These tools are free of charge and are widely used by many of the world’s largest companies.

IEEE The Institute of Electrical and Electronics Engineers, Inc., is a non-profit professional organization that is a leading authority in several technical areas, ranging from computer engineering, biomedical technology and telecommunications to electric power, aerospace and consumer electronics.

They claim to be responsible for 30% of the world’s published literature on electrical engineering and computers and control technology. They have almost 900 active standards now in existence and several hundred more under development.

IEEE standards most applicable to Sarbanes Oxley Section 404 compliance include:

• Software Design and Development

• Software Quality Control

• Security

• Internal Controls

As with ISO, there is no free information available from IEEE. Do not let this deter you from visiting the site, as the IEEE standards are widely accepted and extremely useful for Sarbanes Oxley Section 404 compliance.

ITIL IT FRAMEWORK The IT Infrastructure Library, ITIL®, is a series of documents that are used to aid the implementation of a framework for IT Service Management (ITSM). This framework defines how Service Management is applied within specific organizations. Because it is a framework, it is completely customizable for application within any type of business or organization that has a reliance on IT infrastructure.

The ITIL Library consists of 7 categories: Service Support, Service Delivery, Planning to Implement Service Management, ICT Infrastructure Management, Applications Management, Security Management and the Business Perspective.

It was created by the British government and has attained worldwide acceptance, representing best practices for many IT functions including:

• Configuration Management

• Incident Management

• Change Management

• Release Management

• Service/Help Desk

• Software Release Management

Like Cobit®, ITIL® is an extremely robust framework which includes IT internal controls that are suitable for use in Sarbanes Oxley Section 404 compliance. Many SOX projects are using a combination of the Cobit and ITIL frameworks for 404 compliance.

Note

The design of your internal controls needs to conform to the COSO model. Whatever IT control framework you use, be sure to map it to the COSO requirements.

OWASP Primarily focused on the open source community, The Open Web Application Security Project (OWASP) is an all-volunteer group that produces free, professional-quality, open-source documentation, tools, and standards. They publish articles on a wide variety of topics, not just security. Anyone using open source technology such as Linux will find this site very useful.

There is a good deal of published advice and guides for programmers of web applications who are using non-Microsoft solutions, which provide solid tips for avoiding problems. This is especially important for companies deploying open source applications, as Sarbanes Oxley Section 404 and the PCAOB will view those applications, whether developed in-house or not, as home grown, meaning they will be scrutinized most carefully.

NIST The National Institute of Standards and Technology has many useful tools and standards for everything from software development, security, data storage and quality control to tools and techniques for website testing and evaluation, including guidance on risk assessment and controls.

If you are not already familiar with the NIST you are missing out on an enormously valuable free resource for many of your IT functions.

SANS The SysAdmin, Audit, Network, and Security Institute was established in 1989 as a cooperative research and education organization.

SANS provides many resources, such as the weekly vulnerability digest (@RISK), the weekly news digest (NewsBites), the Internet's early warning system (Internet Storm Center), flash security alerts and hundreds of research papers and booklets on information systems security.

SANS also offers training programs and certifications in systems security. In 1999, SANS founded GIAC, the Global Information Assurance Certification. Thousands of IT security professionals have this certification. GIAC also offers certifications that address multiple specialty areas: security essentials, intrusion detection, incident handling, firewalls and perimeter protection, operating system security, and more.

Recommendation:

Explore these resources. The website links are listed in APPENDIX C. Much of the information is freely available. Becoming familiar with these organizations will save you time and money in your Section 404 compliance efforts.

Give thought to becoming a member of some of these organizations. Get on their mailing lists.

Many of the sites offer alerts on topics that can be useful to you and your staff. In addition, memberships can provide a monitoring function via free tools or email alerts, which can serve as evidence to auditors that you are keeping abreast of important issues related to information technology.