
How IT is affected by Sarbanes-Oxley Act – or is it?


Presentation Transcript


  1. How IT is affected by Sarbanes-Oxley Act – or is it? Carol Woodbury carol.woodbury@skyviewpartners.com www.skyviewpartners.com

  2. WEBCAST SCHEDULE
     Today’s event will run one hour long. Here are the expected times for each segment of the webcast:
     • :00 – :05: Moderator introduces the speaker and discusses the details of the Webcast.
     • :05 – :35: Speaker delivers a PowerPoint presentation on the webcast topic.
     • :35 – :60: Moderator and speaker engage in a Q&A on the topic.
     You can submit questions to the speaker at any time during the event. Just click on the “Ask a Question” button in the lower left corner of your screen.

  3. TECHNICAL FAQs
     Here are answers to the most common technical problems users encounter during a webcast:
     Q: Why can’t I hear the audio part of the webcast?
     A: Try increasing the volume on your computer.
     Q: I just entered the webcast and do not see the slide that the speaker is referring to. What should I do?
     A: The slides are constantly being pushed to your screen. You should refresh (hit F5) to view the latest slide.
     If your question is still not answered, please click the “Ask a Question” button in the lower left corner of your screen and submit your problem. A technical support person will respond immediately. You can also visit the Broadcast Help page for more information or to test your browser compatibility. Click here: http://help.yahoo.com/help/bcst/

  4. How IT is affected by Sarbanes-Oxley Act – or is it? Carol Woodbury carol.woodbury@skyviewpartners.com

  5. Disclaimer
     • This presentation is for educational purposes only and is not intended as an endorsement of any vendor or vendor product mentioned during this webcast.

  6. Agenda
     • Description of Sarbanes-Oxley Act
     • What we’re seeing
     • What this means
     • Tips

  7. Sarbanes-Oxley Act
     Legislation passed in 2002 to prevent another Enron/Arthur Andersen fiasco.
     • Section 302 – Corporate accountability
     • Section 404 – Internal controls over financial reporting
       • Requires supporting documentation

  8. Security statements in SOX

  9. Accounting firms
     • SOX auditing firms
       • Must meet certain criteria and be registered as a SOX audit firm
       • Cannot be the same firm that remediates issues discovered
       • Requiring sound data security practices before signing audit

  10. COBIT – process for managing risk
     • Provides a process to assess and manage risk and balance that risk against benefits to the business.
     • Centered around IT processes
     • Four domains
       • Each domain is divided into IT processes (34)
       • Each IT process is divided into control objectives (318)

  11. ISO17799
     • Implementation Guidelines for IT Security
     • Sections include
       • Security policy
       • Organization security
       • Asset classification and control
       • Personnel security
       • Physical and environmental security
       • Communications and operations management
       • Access control
       • System development and maintenance
       • Business continuity management
       • Compliance with legal requirements

  12. What does this mean?
     • Need to
       • Assess your risks
       • Come up with a plan to mitigate risks
       • Implement a sound security scheme

  13. Audit checklist
     • System values set to best practices
     • Users
       • Get rid of default passwords
       • Get rid of old profiles or accounts
       • Examine users that have been given privileges (special authorities). Remove if not part of user’s job function.
         • *ALLOBJ
         • *AUDIT
         • *SECADM
         • *IOSYSCFG
     • Object authorities
       • *PUBLIC(*ALL)
       • Authority of libraries and directories containing sensitive applications
       • Authority of files containing confidential or private data
     • TCP/IP configurations

  14. What systems need to be examined?
     • All production systems
       • Production
       • Development when connected to the network and can access production

  15. Missing documentation
     • Security policy
     • Standards
     • Processes
     • Disaster recovery plan
     • Steps toward remediation
       • Initial reports
       • Periodic reports
       • Plans and sign-offs of major changes

  16. Policy
     Corporate Security Policy: A guiding principle, typically established by senior management, that is adopted by an organization or project to influence and determine decisions.
     Standards: Mandatory requirements employed and enforced to prescribe a disciplined, uniform approach to achieve an objective; that is, mandatory conventions and practices are in fact standards.
     Procedures: A series of defined activities carried out to accomplish a task or operation.
     Best practices: Superior performance within a function, independent of industry, leadership, management, or operational method or approach, that leads to exceptional performance.

  17. Policy vs. Standard vs. Procedure
     • Policy
       • User will have a unique account
       • Privileges will be granted based on job classification
       • Access to private data will be based on business justification
     • Standard
       • User’s manager is responsible for requesting an OS/400 user profile for each employee
       • Default access
         • No special authorities
         • Access to Basic menu
       • Additional access
         • Approved by employee’s manager
         • Approved by application owner
       • User’s manager and HR are responsible for notifying IT that user has left the company
     • Procedure
       • Create user profile by taking Option 1 from the Administration Menu
       • Naming convention is first 7 characters of last name plus first letter of first name
       • For end users and programmers the special authorities granted are *NONE
       • For operators the special authorities granted are *SAVSYS and *JOBCTL
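The following script walks the user and object items of the audit checklist (slide 13) over a set of OS/400 user profiles and objects, applying the naming convention and the per-role special-authority rules from the procedure on slide 17. It is an added example, not code from the presentation or from SkyView Partners. The profile and object records are constructed for the example; their field names are illustrative and are not the real DSPUSRPRF or DSPOBJAUT outfile columns. Three assumptions are made explicit in the code: a profile unused for more than 90 days counts as "old", IBM-supplied profiles (names starting with Q) are exempt from the site naming convention, and a job function with no rule on slide 17 has its privileged authorities flagged for manual review rather than removed. The default-password flag stands in for the result of a separate check that the password equals the profile name; the audit logic never handles a password itself.

```python
"""Audit-checklist walk over constructed IBM i user-profile and object records,
applying the role rules and naming convention from the slide-17 procedure.
Added example; not code from the presentation."""
from datetime import date

PRIVILEGED_AUTHORITIES = {"*ALLOBJ", "*AUDIT", "*SECADM", "*IOSYSCFG"}  # slide 13
STALE_DAYS = 90                 # assumption: unused this long means "old profile"
AUDIT_DATE = date(2004, 3, 15)  # date the constructed audit is run

# Special authorities each job function may hold, per the slide-17 procedure:
# end users and programmers get *NONE, operators get *SAVSYS and *JOBCTL.
ROLE_SPECIAL_AUTHORITIES = {
    "end user": set(),
    "programmer": set(),
    "operator": {"*SAVSYS", "*JOBCTL"},
}

# CONSTRUCTED sample profiles; field names are illustrative, not real outfile
# columns. "default_pwd" is the outcome of a separate password-equals-name check.
SAMPLE_PROFILES = [
    {"name": "QSECOFR", "last_name": None, "first_name": None,
     "default_pwd": False, "last_signon": date(2004, 3, 1),
     "spcaut": {"*ALLOBJ", "*AUDIT", "*SECADM", "*IOSYSCFG"},
     "job_function": "security officer"},
    {"name": "SMITHJ", "last_name": "Smith", "first_name": "John",
     "default_pwd": True, "last_signon": date(2004, 2, 20),
     "spcaut": set(), "job_function": "end user"},
    {"name": "OLDPGMR", "last_name": "Oldfield", "first_name": "Paul",
     "default_pwd": False, "last_signon": date(2003, 6, 1),
     "spcaut": {"*ALLOBJ"}, "job_function": "programmer"},
    {"name": "NGA", "last_name": "Ng", "first_name": "Alice",
     "default_pwd": False, "last_signon": date(2004, 3, 2),
     "spcaut": {"*SAVSYS", "*JOBCTL"}, "job_function": "operator"},
]

# CONSTRUCTED sample objects with their *PUBLIC authority.
SAMPLE_OBJECTS = [
    {"library": "HRDATA", "object": "PAYROLL", "type": "*FILE", "public": "*ALL"},
    {"library": "QSYS", "object": "GLAPP", "type": "*LIB", "public": "*USE"},
    {"library": "SALESDTA", "object": "CUSTMAST", "type": "*FILE", "public": "*EXCLUDE"},
]


def expected_profile_name(last_name, first_name):
    """Slide-17 convention: first 7 characters of the last name plus the
    first letter of the first name."""
    return (last_name[:7] + first_name[:1]).upper()


def audit_profile(profile, as_of=AUDIT_DATE):
    """Return the checklist findings for one user profile (empty list if clean)."""
    findings = []
    if profile["default_pwd"]:
        findings.append("default password (password equals profile name)")
    idle_days = (as_of - profile["last_signon"]).days
    if idle_days > STALE_DAYS:
        findings.append(f"no sign-on for {idle_days} days; old profile, review for removal")
    # Assumption: IBM-supplied profiles (Q*) are outside the site naming convention.
    if not profile["name"].startswith("Q"):
        expected = expected_profile_name(profile["last_name"], profile["first_name"])
        if profile["name"] != expected:
            findings.append(f"name does not follow convention (expected {expected})")
    allowed = ROLE_SPECIAL_AUTHORITIES.get(profile["job_function"])
    if allowed is None:
        # No rule for this job function: surface its privileged authorities for a manual look.
        findings.append(f"no authority rule for role '{profile['job_function']}'; review manually")
        excess = profile["spcaut"] & PRIVILEGED_AUTHORITIES
    else:
        excess = profile["spcaut"] - allowed
    if excess:
        findings.append("special authorities to confirm against job function: "
                        + ", ".join(sorted(excess)))
    return findings


def audit_objects(objects):
    """Flag objects whose *PUBLIC authority is *ALL (checklist item on slide 13)."""
    return [f"{o['library']}/{o['object']} ({o['type']}): *PUBLIC has {o['public']}"
            for o in objects if o["public"] == "*ALL"]


def run_audit(profiles=SAMPLE_PROFILES, objects=SAMPLE_OBJECTS, as_of=AUDIT_DATE):
    """Findings keyed by profile name, plus a '*PUBLIC' entry for object findings."""
    report = {}
    for profile in profiles:
        findings = audit_profile(profile, as_of)
        if findings:
            report[profile["name"]] = findings
    object_findings = audit_objects(objects)
    if object_findings:
        report["*PUBLIC"] = object_findings
    return report


if __name__ == "__main__":
    for subject, items in run_audit().items():
        print(subject)
        for item in items:
            print("  -", item)
```

Run as-is it prints the findings for the constructed sample: the clean operator profile produces nothing, the end user is flagged only for the default password, the old programmer profile collects three findings (stale, off-convention name, *ALLOBJ outside its role), and the payroll file is reported for *PUBLIC(*ALL). Feeding real DSPUSRPRF and DSPOBJAUT output means mapping those columns onto the field names used here; the checks themselves do not change.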

  18. Security awareness training
     • Security tip (once a month e-mail)
     • Posters
     • Social engineering training
     • “Appropriate Use Statement” on all computer systems
     • Periodic review of security policy, especially after updates
     • Random re-training and acknowledgement of re-read

  19. For more information
     Contact SkyView Partners www.skyviewpartners.com 1-425-457-4975

  20. Questions?
     Submit your questions now by clicking on the “Ask A Question” button in the left corner of your presentation screen. Carol will answer your questions shortly after the broadcast.
